Skip to content
CHANGES 116 KiB
Newer Older
                                                         -*- coding: utf-8 -*-
Jim Jagielski's avatar
Jim Jagielski committed

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.3

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
     mod_negotiation: Escape filenames in variant list to prevent an
     possible XSS for a site where untrusted users can upload files to
     a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]

  *) mod_authnz_ldap: Don't try a potentially expensive nested groups
     search before exhausting all AuthLDAPGroupAttribute checks on the
     current group. PR52464 [Eric Covener]

  *) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
     authorization provider in lua. [Stefan Fritsch]

  *) core: Be less strict when checking whether Content-Type is set to 
     "application/x-www-form-urlencoded" when parsing POST data, 
     or we risk losing data with an appended charset. PR 53698
     [Petter Berntsen <petterb gmail.com>]

  *) httpd.conf: Added configuration directives to set a bad_DNT environment
     variable based on User-Agent and to remove the DNT header field from
     incoming requests when a match occurs. This currently has the effect of
     removing DNT from requests by MSIE 10.0 because it deliberately violates
     the current specification of DNT semantics for HTTP. [Roy T. Fielding]

  *) mod_socache_shmcb: Fix bus error due to a misalignment
     in some 32 bit builds, especially on Solaris Sparc.
     PR 53040.  [Rainer Jung]

Jim Jagielski's avatar
Jim Jagielski committed
  *) mod_cache: Set content type in case we return stale content.
     [Ruediger Pluem]

  *) Windows: Fix SSL failures on windows with AcceptFilter https none.
  *) ab: Fix read failure when targeting SSL server.  [Jeff Trawick]

  *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
     - mod_auth_digest: shared memory file
  *) htpasswd: Use correct file mode for checking if file is writable.
     PR 45923. [Stefan Fritsch]

  *) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T.
     <mi apache aldan algebra com>]

  *) mod_ssl: Add new directive SSLCompression to disable TLS-level
     compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]

Rainer Jung's avatar
Rainer Jung committed
  *) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
     client_ip to match conn_rec. [Stefan Fritsch]

  *) mod_lua: Change prototype of vm_construct, to work around gcc bug which
     causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>]

Rainer Jung's avatar
Rainer Jung committed
  *) mpm_event: Don't count connections in lingering close state when
     calculating how many additional connections may be accepted.
     [Stefan Fritsch]

  *) mod_ssl: If exiting during initialization because of a fatal error,
     log a message to the main error log pointing to the appropriate
     virtual host error log. [Stefan Fritsch]

  *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
     one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]

  *) mod_proxy_balancer: Restore balancing after a failed worker has
     recovered when using lbmethod_bybusyness.  PR 48735.  [Jeff Trawick]

  *) mod_setenvif: Compile some global regex only once during startup.
     This should save some memory, especially with .htaccess.
     [Stefan Fritsch]

Rainer Jung's avatar
 
Rainer Jung committed
  *) core: Add the port number to the vhost's name in the scoreboard.
     [Stefan Fritsch]

Joe Orton's avatar
Joe Orton committed
  *) mod_proxy: Fix ProxyPassReverse for balancer configurations.
  *) mod_lua: Add the parsebody function for parsing POST data. PR 53064.
     [Daniel Gruno]

  *) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS.
     [Stefan Fritsch]

  *) mod_proxy: Fix memory leak or possible corruption in ProxyBlock
     implementation.  [Ruediger Pluem, Joe Orton]

  *) mod_proxy: Check hostname from request URI against ProxyBlock list,
     not forward proxy, if ProxyRemote* is configured.  [Joe Orton]

  *) mod_proxy_connect: Avoid DNS lookup on hostname from request URI 
     if ProxyRemote* is configured.  PR 43697.  [Joe Orton]

  *) mpm_event, mpm_worker: Remain active amidst prevalent child process
     resource shortages.  [Jeff Trawick]

  *) Add "strict" and "warnings" pragmas to Perl scripts.  [Rich Bowen]

  *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
     - core: the scoreboard (ScoreBoardFile), pid file (PidFile), and
       mutexes (Mutex)
     [Jim Jagielski]

Joe Orton's avatar
Joe Orton committed
  *) ab: Fix bind() errors.  [Joe Orton]

  *) mpm_event: Don't do a blocking write when starting a lingering close
     from the listener thread. PR 52229. [Stefan Fritsch]

  *) mod_so: If a filename without slashes is specified for LoadFile or
     LoadModule and the file cannot be found in the server root directory,
     try to use the standard dlopen() search path. [Stefan Fritsch]

  *) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced
     after child process resource shortages.  [Jeff Trawick]

  *) mpm_prefork: Reduce spawn rate after a child process exits due to
     unexpected poll or accept failure.  [Jeff Trawick]

  *) core: Log value of Status header line in script responses rather
     than the fixed header name.  [Chris Darroch]

  *) mpm_ssl: Fix handling of empty response from OCSP server.
     [Jim Meyering <meyering redhat.com>, Joe Orton]

Rainer Jung's avatar
Rainer Jung committed
  *) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch]

  *) mod_authz_core: If an expression in "Require expr" returns denied and
     references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
     [Stefan Fritsch]

  *) core: Always log if LimitRequestFieldSize triggers.  [Stefan Fritsch]

  *) mod_deflate: Skip compression if compression is enabled at SSL level.
     [Stefan Fritsch]

  *) core: Add missing HTTP status codes registered with IANA.
     [Julian Reschke <julian.reschke gmx.de>, Rainer Jung]

Joe Orton's avatar
Joe Orton committed
  *) mod_ldap: Treat the "server unavailable" condition as a transient
     error with all LDAP SDKs.  [Filip Valder <filip.valder vsb.cz>]

  *) core: Fix spurious "not allowed here" error returned when the Options 
     directive is used in .htaccess and "AllowOverride Options" (with no 
     specific options restricted) is configured.  PR 53444. [Eric Covener]

  *) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
     PR 53048. [Stefan Fritsch]

  *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
     PR 53104. [Greg Ames]

  *) mod_ext_filter: Fix error_log spam when input filters are configured.  
     [Joe Orton]

  *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). 
     [Paul Wouters <pwouters redhat.com>, Joe Orton]

  *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
     the chosen listener is configured for https. [Joe Orton]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
     forwarding to SSL backends. PR 53134.
     [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]

  *) mod_info: Display all registered providers. [Stefan Fritsch]

  *) mod_ssl: Send the error message for speaking http to an https port using
     HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
     using SNI. PR 50823. [Stefan Fritsch]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) core: Fix segfault in logging if r->useragent_addr or c->client_addr is
Stefan Fritsch's avatar
Stefan Fritsch committed
     unset. PR 53265. [Stefan Fritsch]
Stefan Fritsch's avatar
Stefan Fritsch committed

  *) log_server_status: Bring Perl style forward to the present, use
     standard modules, update for new format of server-status output.
     PR 45424. [Richard Bowen, Dave Brondsema, and others]

Joe Orton's avatar
Joe Orton committed
  *) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups. 
     [Joe Orton, André Malo]
  *) core: Prevent "httpd -k restart" from killing server in presence of
     config error. [Joe Orton]

  *) mod_proxy_fcgi: If there is an error reading the headers from the
     backend, send an error to the client. PR 52879. [Stefan Fritsch]

  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
     current working directory to be searched for DSOs. [Stefan Fritsch]
Stefan Fritsch's avatar
Stefan Fritsch committed

  *) mod_slotmem_shm: Honor DefaultRuntimeDir [Jim Jagielski]

Loading full blame...