Skip to content
CHANGES 104 KiB
Newer Older
                                                         -*- coding: utf-8 -*-
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.1

  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
     Fix an issue in error responses that could expose "httpOnly" cookies
     when no custom ErrorDocument is specified for status code 400.  
     [Eric Covener]

Joe Orton's avatar
Joe Orton committed
  *) core: Fix memory consumption in core output filter with streaming
     bucket types like CGI or PIPE.  [Joe Orton, Stefan Fritsch]

  *) configure: Disable modules at configure time if a prerequisite module
     is not enabled. PR 52487. [Stefan Fritsch]

  *) Rewrite and proxy now decline what they don't support rather
     than fail the request. [Joe Orton]
Changes with Apache 2.4.0

  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
     Fix scoreboard issue which could allow an unprivileged child process
     could cause the parent to crash at shutdown rather than terminate
     cleanly.  [Joe Orton]
  *) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch]

  *) SECURITY: CVE-2012-0021 (cve.mitre.org)
     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
     string is in use and a client sends a nameless, valueless cookie, causing
     a denial of service. The issue existed since version 2.2.17 and 2.3.3.
Stefan Fritsch's avatar
Stefan Fritsch committed
     PR 52256.  [Rainer Canavan <rainer-apache 7val com>]
Stefan Fritsch's avatar
Stefan Fritsch committed

Kaspar Brand's avatar
Kaspar Brand committed
  *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
     control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive.
     [Kaspar Brand]

Kaspar Brand's avatar
Kaspar Brand committed
  *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
     or later, to improve binary compatibility with future OpenSSL releases.
     [Kaspar Brand]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass,
     but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime
     behave identically in both cases. PR52342. [Graham Leggett]

Graham Leggett's avatar
Graham Leggett committed
  *) Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with
     corresponding man pages. [Graham Leggett]

Graham Leggett's avatar
Graham Leggett committed
  *) Distinguish properly between the bindir and sbindir directories when
     installing binaries. Previously all binaries were silently installed to
     sbindir, whether they were system administration commands or not.
     [Graham Leggett]
Changes with Apache 2.3.16
  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
     Resolve additional cases of URL rewriting with ProxyPassMatch or
     RewriteRule, where particular request-URIs could result in undesired
     backend network exposure in some configurations.
     [Joe Orton]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) core: Limit line length in .htaccess to 8K like in 2.2.x, to avoid
     additional DoS potential. [Stefan Fritsch]

  *) core, all modules: Add unique tag to most error log messages. [Stefan
     Fritsch]

  *) mod_socache_memcache: Change provider name from "mc" to "memcache" to
     match module name. [Stefan Fritsch]

  *) mod_slotmem_shm: Change provider name from "shared" to "shm" to match
     module name. [Stefan Fritsch]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_ldap: Fix segfault with Solaris LDAP when enabling ldaps. This
     requires an apr-util fix in which is available in apr-util >= 1.4.0.
     PR 42682. [Stefan Fritsch]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible
     for RewriteRules to be placed in .htaccess files that match the directory
     with no trailing slash. PR 48304.
     [Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_session_crypto: Add a SessionCryptoPassphraseFile directive so that
     the administrator can hide the keys from the configuration. [Graham
     Leggett]

Graham Leggett's avatar
Graham Leggett committed
  *) Introduce a per request version of the remote IP address, which can be
     optionally modified by a module when the effective IP of the client
     is not the same as the real IP of the client (such as a load balancer).
     Introduce a per connection "peer_ip" and a per request "client_ip" to
     distinguish between the raw IP address of the connection and the effective
     IP address of the request. [Graham Leggett]

Jim Jagielski's avatar
Jim Jagielski committed
  *) ap_pass_brigade_fchk() function added. [Jim Jagielski]

  *) core: Pass ap_errorlog_info struct to error log hook. [Stefan Fritsch]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_cache_disk: Make sure we check return codes on all writes and
     attempts to close, and clean up after ourselves in these cases.
     PR43589. [Graham Leggett]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_cache_disk: Remove the unnecessary intermediate brigade while
     writing to disk. Fixes a problem where mod_disk_cache was leaving
     buckets in the intermediate brigade and not passing them to out on
     exit. [Florian S. <f_los_ch yahoo.com>, Graham Leggett]
Graham Leggett's avatar
Graham Leggett committed

Kaspar Brand's avatar
Kaspar Brand committed
  *) mod_ssl: use a shorter setting for SSLCipherSuite in the default
     default configuration file, and add some more information about
     configuring a speed-optimized alternative.
     [Kaspar Brand]

Kaspar Brand's avatar
Kaspar Brand committed
  *) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand]

Eric Covener's avatar
Eric Covener committed
  *) mod_lua: Stop losing track of all but the most specific LuaHook* directives
     when multiple per-directory config sections are used.  Adds LuaInherit 
     directive to control how parent sections are merged.  [Eric Covener]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Server directive display (-L): Include directives of DSOs.
     [Jeff Trawick]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_cache: Make sure we merge headers correctly when we handle a
     non cacheable conditional response. PR52120. [Graham Leggett]

Rainer Jung's avatar
Rainer Jung committed
  *) Pre GA removal of components that will not be included:
     - mod_noloris was superseded by mod_reqtimeout
  *) core: Set MaxMemFree 2048 by default. [Stefan Fritsch]

  *) mpm_event: Fix assertion failure during very high load. [Stefan Fritsch]

  *) configure: Additional modules loaded by default: mod_headers.
     Modules moved from module set "few" to "most" and no longer loaded
     by default: mod_actions, mod_allowmethods, mod_auth_form, mod_buffer,
     mod_cgi(d), mod_include, mod_negotiation, mod_ratelimit, mod_request,
     mod_userdir. [Rainer Jung]

  *) mod_lua: Use the right lua scope when used as a hook. [Rainer Jung]

  *) configure: Only load the really imporant modules (i.e. those enabled by
     the 'few' selection) by default. Don't handle modules enabled with
     --enable-foo specially. [Stefan Fritsch]

  *) end-generation hook: Fix false notification of end-of-generation for
     temporary intervals with no active MPM children.  [Jeff Trawick]

  *) mod_ssl: Add support for configuring persistent TLS session ticket
     encryption/decryption keys (useful for clustered environments).
     [Paul Querna, Kaspar Brand]
  *) mod_usertrack: Use random value instead of remote IP address.
     [Stefan Fritsch]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.3.15

  *) SECURITY: CVE-2011-3348 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
     recognized.  [Jean-Frederic Clere]

  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
     core: Fix handling of byte-range requests to use less memory, to avoid
     denial of service. If the sum of all ranges in a request is larger than
     the original file, ignore the ranges and send the complete file.
     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
     <lowprio20 gmail.com>]
  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
     with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]

  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
     Reject requests where the request-URI does not match the HTTP
     specification, preventing unexpected expansion of target URLs in
     some reverse proxy configurations.  [Joe Orton]

  *) configure: Load all modules in the generated default configuration
     when using --enable-load-all-modules. [Rainer Jung]

  *) mod_reqtimeout: Change the default to set some reasonable timeout
     values. [Stefan Fritsch]

  *) core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove
     the inode. PR 49623. [Stefan Fritsch]

  *) mod_lua: Expose SSL variables via r:ssl_var_lookup().  [Eric Covener]

  *) mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName}
     can now additionally be run as "early" or "late" relative to other modules.
     [Eric Covener]

  *) configure: By default, only load those modules that are either required
     or explicitly selected by a configure --enable-foo argument. The
     LoadModule statements for modules enabled by --enable-mods-shared=most
     and friends will be commented out. [Stefan Fritsch]

  *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and 
     LuaHookQuickHandler) from being configured in <Directory>, <Files>, 
     and htaccess where the configuration would have been ignored.
     [Eric Covener]
Loading full blame...