Skip to content
CHANGES 157 KiB
Newer Older
                                                         -*- coding: utf-8 -*-
Ruediger Pluem's avatar
Ruediger Pluem committed

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.10
  *) mod_proxy_balancer: Correctly encode user provided data in management
     interface. PR 56532 [Maksymilian, <max cert.cx>]
Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_proxy_fcgi: Support iobuffersize parameter.  [Jeff Trawick]

  *) mod_auth_form: Add a debug message when the fields on a form are not
     recognised. [Graham Leggett]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
     response. PR 55547.  [Yann Ylavic]

  *) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
     scheme. PR55320. [Alex Liu <alex.leo.ca gmail.com>]

  *) mod_socache_shmcb: Correct counting of expirations for status display.
     Expirations happening during retrieval were not counted. [Rainer Jung]

  *) mod_cache: Retry unconditional request with the full URL (including the
     query-string) when the origin server's 304 response does not match the
     conditions used to revalidate the stale entry.  [Yann Ylavic].

  *) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
     variables as a result of AliasMatch. [Eric Covener]
 
Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_cache: Don't add cached/revalidated entity headers to a 304 response.
     PR 55547.  [Yann Ylavic]

  *) mod_proxy_scgi: Support Unix sockets.  ap_proxy_port_of_scheme():
     Support default SCGI port (4000).  [Jeff Trawick]

  *) mod_cache: Fix AH00784 errors on Windows when the the CacheLock directive
     is enabled.  [Eric Covener]

  *) mod_expires: don't add Expires header to error responses (4xx/5xx),
Yann Ylavic's avatar
Yann Ylavic committed
     be they generated or forwarded. PR 55669.  [Yann Ylavic]
  *) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
     (regression in 2.4.9 release) [Jeff Trawick]

  *) mod_authn_socache: Fix crash at startup in certain configurations.
     PR 56371. (regression in 2.4.7) [Jan Kaluza]

  *) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
     programs to the form used in releases up to 2.4.7, and emulate
     a backwards-compatible behavior for existing setups. [Kaspar Brand]

Daniel Gruno's avatar
Daniel Gruno committed
  *) mod_lua: Enforce the max post size allowed via r:parsebody()
     [Daniel Gruno]

  *) mod_lua: Use binary comparison to find boundaries for multipart 
     objects, as to not terminate our search prematurely when hitting
     a NULL byte. [Daniel Gruno]

  *) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
     versions before 0.9.8h and not specifying an SSLCertificateChainFile
     (regression introduced with 2.4.8). PR 56410. [Kaspar Brand]

Kaspar Brand's avatar
Kaspar Brand committed
  *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
     no longer send warning-level unrecognized_name(112) alerts,
     and limit startup warnings to cases where an OpenSSL version
     without TLS extension support is used. PR 56241. [Kaspar Brand]

  *) mod_proxy_html: Avoid some possible memory access violation in case of
     specially crafted files, when the ProxyHTMLMeta directive is turned on.
     Follow up of PR 56287 [Christophe Jaillet]

  *) mod_auth_form: Make sure the optional functions are loaded even when
     the AuthFormProvider isn't specified. [Graham Leggett]

  *) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
     (and logging garbled file names). PR 56306. [Kaspar Brand]

  *) mod_ssl: fix merging of global and vhost-level settings with the
     SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
     directives. PR 56353. [Kaspar Brand]

  *) mod_headers: Allow the "value" parameter of Header and RequestHeader to 
     contain an ap_expr expression if prefixed with "expr=". [Eric Covener]

Joe Orton's avatar
Joe Orton committed
  *) rotatelogs: Avoid creation of zombie processes when -p is used on
     Unix platforms.  [Joe Orton]

Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_authnz_fcgi: New module to enable FastCGI authorizer
     applications to authenticate and/or authorize clients.
     [Jeff Trawick]

  *) mod_proxy: Do not try to parse the regular expressions passed by
     ProxyPassMatch as URL as they do not follow their syntax.
     PR 56074. [Ruediger Pluem]

  *) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests 
     under the Event MPM. PR56216.  [Frank Meier <frank meier ergon ch>]

  *) mod_proxy_fcgi: Fix sending of response without some HTTP headers
     that might be set by filters.  [Jim Riggs <jim riggs.me>]

  *) mod_proxy_html: Do not delete the wrong data from HTML code when a
     "http-equiv" meta tag specifies a Content-Type behind any other
     "http-equiv" meta tag. PR 56287 [Micha Lenk <micha lenk info>]

Yann Ylavic's avatar
Yann Ylavic committed
  *) Don't reuse a SSL backend connection whose SNI differs. PR 55782.
     [Yann Ylavic]

  *) Add suspend_connection and resume_connection hooks to notify modules
     when the thread/connection relationship changes.  (Should be implemented
     for any third-party async MPMs.)  [Jeff Trawick]

  *) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine 
     hangups from websockets origin servers. PR 56299
     [Yann Ylavic, Edward Lu <Chaosed0 gmail com>, Eric Covener] 

  *) mod_proxy_wstunnel: Don't pool backend websockets connections,
     because we need to handshake every time. PR 55890.
     [Eric Covener]

  *) mod_lua: Redesign how request record table access behaves,
     in order to utilize the request record from within these tables.
  *) mod_lua: Add r:wspeek for peeking at WebSocket frames. [Daniel Gruno]
  *) mod_lua: Log an error when the initial parsing of a Lua file fails.
Daniel Gruno's avatar
Daniel Gruno committed
     [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
  *) mod_lua: Reformat and escape script error output.
     [Daniel Gruno, Felipe Daragon <filipe syhunt com>]

  *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
     from causing response splitting.
     [Daniel Gruno, Felipe Daragon <filipe syhunt com>]

  *) mod_lua: Disallow newlines in table values inside the request_rec, 
     to prevent HTTP Response Splitting via tainted headers.
     [Daniel Gruno, Felipe Daragon <filipe syhunt com>]

  *) mod_lua: Remove the non-working early/late arguments for 
     LuaHookCheckUserID. [Daniel Gruno]

  *) mod_lua: Change IVM storage to use shm [Daniel Gruno]

  *) mod_lua: More verbose error logging when a handler function cannot be
     found. [Daniel Gruno]


Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.9

Jim Jagielski's avatar
Jim Jagielski committed
  *) mod_ssl: Work around a bug in some older versions of OpenSSL that
     would cause a crash in SSL_get_certificate for servers where the
     certificate hadn't been sent. [Stephen Henson]
Jim Jagielski's avatar
Jim Jagielski committed
  *) mod_lua: Add a fixups hook that checks if the original request is intended 
     for LuaMapHandler. This fixes a bug where FallbackResource invalidates the 
     LuaMapHandler directive in certain cases by changing the URI before the map 
     handler code executes [Daniel Gruno, Daniel Ferradal <dferradal gmail com>].
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.8

Jim Jagielski's avatar
Jim Jagielski committed
  *) SECURITY: CVE-2014-0098 (cve.mitre.org)
     Clean up cookie logging with fewer redundant string parsing passes.
     Log only cookies with a value assignment. Prevents segfaults when
Jim Jagielski's avatar
Jim Jagielski committed
     logging truncated cookies.
     [William Rowe, Ruediger Pluem, Jim Jagielski]

Jim Jagielski's avatar
Jim Jagielski committed
  *) SECURITY: CVE-2013-6438 (cve.mitre.org)
     mod_dav: Keep track of length of cdata properly when removing
     leading spaces. Eliminates a potential denial of service from
     specifically crafted DAV WRITE requests
     [Amin Tora <Amin.Tora neustar.biz>]
Jim Jagielski's avatar
Jim Jagielski committed

Jim Jagielski's avatar
Jim Jagielski committed
  *) core: Support named groups and backreferences within the LocationMatch,
     DirectoryMatch, FilesMatch and ProxyMatch directives. (Requires
     non-ancient PCRE library) [Graham Leggett]

  *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
     TE/CL conflicts. [Yann Ylavic, Jim Jagielski]

  *) core: Detect incomplete request and response bodies, log an error and
     forward it to the underlying filters. PR 55475 [Yann Ylavic]
  *) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping 
     execution when a handler is already set. PR53929. [Eric Covener]

  *) mod_ssl: Do not perform SNI / Host header comparison in case of a
     forward proxy request. [Ruediger Pluem]

  *) mod_ssl: Remove the hardcoded algorithm-type dependency for the
     SSLCertificateFile and SSLCertificateKeyFile directives, to enable
     future algorithm agility, and deprecate the SSLCertificateChainFile
     directive (obsoleted by SSLCertificateFile). [Kaspar Brand]

  *) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore, 
     and IgnoreInherit to allow RewriteRules to be pushed from parent scopes
     to child scopes without explicitly configuring each child scope.
     PR56153.  [Edward Lu <Chaosed0 gmail com>] 

  *) prefork: Fix long delays when doing a graceful restart.
     PR 54852 [Jim Jagielski, Arkadiusz Miskiewicz <arekm maven pl>]
Loading full blame...