Skip to content
CHANGES 93.1 KiB
Newer Older
                                                         -*- coding: utf-8 -*-
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.3.15

  *) SECURITY: CVE-2011-3348 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
     recognized.  [Jean-Frederic Clere]

  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
     core: Fix handling of byte-range requests to use less memory, to avoid
     denial of service. If the sum of all ranges in a request is larger than
     the original file, ignore the ranges and send the complete file.
     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
     <lowprio20 gmail.com>]
  *) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory
     usage.  PR 51618. [Cristian Rodríguez <crrodriguez opensuse org>,
     Stefan Fritsch]

  *) mod_ssl: At startup, when checking a server certificate whether it
     matches the configured ServerName, also take dNSName entries in the
     subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand]

  *) mod_substitute: Reduce memory usage and copying of data. PR 50559.
     [Stefan Fritsch]

  *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
     [Kaspar Brand]

  *) Add wrappers for malloc, calloc, realloc that check for out of memory
     situations and use them in many places. PR 51568, PR 51569, PR 51571.
     [Stefan Fritsch]

  *) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is 
     false but RLIMIT_* are defined.  PR51371. [Eric Covener]

  *) core: Correctly obey ServerName / ServerAlias if the Host header from the
     request matches the VirtualHost address.
     PR 51709. [Micha Lenk <micha lenk.info>]

  *) mod_unique_id: Use random number generator to initialize counter.
     PR 45110. [Stefan Fritsch]

  *) core: Add convenience API for apr_random. [Stefan Fritsch]

  *) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control
     the number of overlapping and reversing ranges (respectively) permitted
     before returning the entire resource, with a default limit of 20.
     [Jim Jagielski]

  *) mod_ldap: Optional function uldap_ssl_supported(r) always returned false
     if called from a virtual host with mod_ldap directives in it.  Did not
     affect mod_authnz_ldap's usage of mod_ldap.  [Eric Covener]

  *) mod_filter: Instead of dropping the Accept-Ranges header when a filter
     registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
     set the header value to "none". [Eric Covener, Ruediger Pluem]

  *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
     in the case Ranges are being ignored with MaxRanges none.
     [Eric Covener]

  *) mod_ssl: revamp CRL-based revocation checking when validating
     certificates of clients or proxied servers. Completely delegate
     CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck
     directive for controlling the revocation checking mode. [Kaspar Brand]

  *) core: Add MaxRanges directive to control the number of ranges permitted
     before returning the entire resource, with a default limit of 200.
  *) mod_cache: Ensure that CacheDisable can correctly appear within
     a LocationMatch. [Graham Leggett]

  *) mod_cache: Fix the moving of the CACHE filter, which erroneously
     stood down if the original filter was not added by configuration.
     [Graham Leggett]

Kaspar Brand's avatar
Kaspar Brand committed
  *) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]

  *) mod_authz_groupfile: Increase length limit of lines in the group file to
     16MB. PR 43084. [Stefan Fritsch]

  *) core: Increase length limit of lines in the configuration file to 16MB.
     PR 45888. PR 50824. [Stefan Fritsch]

  *) core: Add API for resizable buffers. [Stefan Fritsch]

  *) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have
     LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such
     as Tivoli Directory Server 6.3 and later. [Eric Covener]

  *) mod_ldap: Change default number of retries from 10 to 3, and add
     an LDAPRetries and LDAPRetryDelay directives. [Eric Covener]

  *) mod_authnz_ldap: Don't retry during authentication, because this just
     multiplies the ample retries already being done by mod_ldap. [Eric Covener]

  *) configure: Allow to explicitly disable modules even with module selection
     'reallyall'. [Stefan Fritsch]

  *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
     RewriteEngine is disabled in server context, avoiding a crash while
     referencing the invalid int: map at runtime. PR 50994.
     [Ben Noordhuis <info noordhuis nl>]
  *) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]

  *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]

  *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
     [Kaspar Brand]

  *) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the
     cookie is set when modules such as mod_rewrite trigger a redirect. Also
     use r->err_headers_out for the cookie, for the same reason.  PR29755.
     [Sami J. Mäkinen <sjm almamedia fi>, Eric Covener]

  *) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and
     'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch]

  *) configure: Enable ldap modules in 'all' and 'most' selections if ldap
     is compiled into apr-util. [Stefan Fritsch]

  *) core: Add ap_check_cmd_context()-check if a command is executed in
     .htaccess file. [Stefan Fritsch]

  *) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.
     [Torsten Foertsch <torsten foertsch gmx net>]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.3.14

  *) mod_proxy_ajp: Improve trace logging.  [Rainer Jung]

  *) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets.
     [Rainer Jung]

  *) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse,
     e.g. to reverse proxy "Location: https://other-internal-server/login"
     [Nick Kew]

  *) prefork, worker, event: Make sure crashes are logged to the error log if
     httpd has already detached from the console. [Stefan Fritsch]

  *) prefork, worker, event: Reduce period during startup/restart where a
     successive signal may be lost. PR 43696. [Arun Bhalla <arun shme net>]

  *) mod_allowmethods: Correct Merging of "reset" and do not allow an
     empty parameter list for the AllowMethods directive. [Rainer Jung]

  *) configure: Update selection of modules for 'all' and 'most'. 'all' will
     now enable all modules except for example and test modules. Make the
     selection for 'most' more useful (including ssl and proxy). Both 'all'
     and 'most' will now disable modules if dependencies are missing instead
     of aborting. If a specific module is requested with --enable-XXX=yes,
     missing dependencies will still cause configure to exit with an error.
     [Stefan Fritsch]

  *) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done
     in 2.3.13. [Stefan Fritsch]

  *) core: For '*' or '_default_' vhosts, use a wildcard address of any
     address family, rather than IPv4 only.  [Joe Orton]

  *) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable
     include [ ] for literal IPv6 addresses, as mandated by RFC 3875.
     PR 26005. [Stefan Fritsch]

  *) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203.
     [Nagae Hidetake <nagae eagan jp>]

  *) core: Add more logging to ap_scan_script_header_err* functions. Add
     ap_scan_script_header_err*_ex functions that take a module index for
     logging.
     mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the
     new functions in order to make logging configurable per-module.
     [Stefan Fritsch]

  *) mod_dir: Add DirectoryIndexRedirect to send an external redirect to
     the proper index.  [Eric Covener]

  *) mod_deflate: Don't try to compress requests with a zero sized body.
     PR 51350. [Stefan Fritsch]

  *) core: Fix startup on IP6-only systems. PR 50592. [Joe Orton,
     <root linkage white-void net>]

  *) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX,
     REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the
     whitelist in suexec. PR 51499. [Graham Laverty <graham reg ca>,
     Stefan Fritsch]

  *) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch]

  *) mod_log_debug: New module that allows to log custom messages at various
     phases in the request processing. [Stefan Fritsch]

  *) mod_ssl: Add some debug logging when loading server certificates.
     PR 37912. [Nick Burch <nick burch alfresco com>]
  *) configure: Support reallyall option also for --enable-mods-static.
Loading full blame...