Newer
Older
*) SECURITY: CVE-2012-2687 (cve.mitre.org)
mod_negotiation: Escape filenames in variant list to prevent an
possible XSS for a site where untrusted users can upload files to
a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
*) core: Add missing HTTP status codes registered with IANA.
[Julian Reschke <julian.reschke gmx.de>, Rainer Jung]
*) mod_ldap: Treat the "server unavailable" condition as a transient
error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]
*) core: Fix spurious "not allowed here" error returned when the Options
directive is used in .htaccess and "AllowOverride Options" (with no
specific options restricted) is configured. PR 53444. [Eric Covener]
*) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
PR 53048. [Stefan Fritsch]
*) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
PR 53104. [Greg Ames]
*) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
*) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
[Paul Wouters <pwouters redhat.com>, Joe Orton]
*) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
the chosen listener is configured for https. [Joe Orton]
*) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. PR 53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
*) mod_info: Display all registered providers. [Stefan Fritsch]
*) mod_ssl: Send the error message for speaking http to an https port using
HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
using SNI. PR 50823. [Stefan Fritsch]
*) core: Fix segfault in logging if r->useragent_addr or c->client_addr is
*) log_server_status: Bring Perl style forward to the present, use
standard modules, update for new format of server-status output.
PR 45424. [Richard Bowen, Dave Brondsema, and others]
*) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups.
[Joe Orton, André Malo]
*) core: Prevent "httpd -k restart" from killing server in presence of
config error. [Joe Orton]
*) mod_proxy_fcgi: If there is an error reading the headers from the
backend, send an error to the client. PR 52879. [Stefan Fritsch]
Changes with Apache 2.4.2
*) SECURITY: CVE-2012-0883 (cve.mitre.org)
envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
current working directory to be searched for DSOs. [Stefan Fritsch]
*) mod_slotmem_shm: Honor DefaultRuntimeDir [Jim Jagielski]
*) mod_ssl: Fix crash with threaded MPMs due to race condition when
initializing EC temporary keys. [Stefan Fritsch]
*) mod_rewrite: Fix RewriteCond integer checks to be parsed correctly.
PR 53023. [Axel Reinhold <apache freakout.de>, André Malo]
*) mod_proxy: Add the forcerecovery balancer parameter that determines if
recovery for balancer workers is enforced. [Ruediger Pluem]
*) Fix MPM DSO load failure on AIX. [Jeff Trawick]
*) mod_proxy: Correctly set up reverse proxy worker. PR 52935.
[Petter Berntsen <petterb gmail.com>]
*) mod_sed: Don't define PATH_MAX to a potentially undefined value, causing
compile problems on GNU hurd. [Stefan Fritsch]
*) core: Add ap_runtime_dir_relative() and DefaultRuntimeDir.
[Jeff Trawick]
*) core: Fix breakage of Listen directives with MPMs that use a
per-directory config. PR 52904. [Stefan Fritsch]
*) core: Disallow directives in AllowOverrideList which are only allowed
in VirtualHost or server context. These are usually not prepared to be
called in .htaccess files. [Stefan Fritsch]
*) core: In AllowOverrideList, do not allow 'None' together with other
directives. PR 52823. [Stefan Fritsch]
*) mod_slotmem_shm: Support DEFAULT_REL_RUNTIMEDIR for file-based shm.
[Jim Jagielski]
*) core: Fix merging of AllowOverrideList and ContentDigest.
[Stefan Fritsch]
*) mod_request: Fix validation of the KeptBodySize argument so it
doesn't always throw a configuration error. PR 52981 [Eric Covener]
*) core: Add filesystem paths to access denied / access failed messages
AH00035 and AH00036. [Eric Covener]
*) mod_dumpio: Properly handle errors from subsequent input filters.
PR 52914. [Stefan Fritsch]
*) Unix MPMs: Fix small memory leak in parent process if connect()
failed when waking up children. [Joe Orton]
*) "DirectoryIndex disabled" now undoes DirectoryIndex settings in
the current configuration section, not just previous config sections.
*) mod_xml2enc: Fix broken handling of EOS buckets which could lead to
response headers not being sent. PR 52766. [Stefan Fritsch]
*) mod_ssl: Properly free the GENERAL_NAMEs. PR 32652. [Kaspar Brand]
*) core: Check during config test that directories for the access
*) mod_xml2enc, mod_proxy_html: Enable per-module loglevels.
[Stefan Fritsch]
*) mod_filter: Fix segfault with AddOutputFilterByType. PR 52755.
[Stefan Fritsch]
*) mod_session: Sessions are encoded as application/x-www-form-urlencoded
strings, however we do not handle the encoding of spaces properly.
Fixed. [Graham Leggett]
*) Configuration: Example in comment should use a path consistent
with the default configuration. PR 52715.
[Rich Bowen, Jens Schleusener, Rainer Jung]
*) Configuration: Switch documentation links from trunk to 2.4.
[Rainer Jung]
*) configure: Fix out of tree build using apr and apr-util in srclib.
[Rainer Jung]
*) SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]
*) mod_proxy_balancer: Fix crash on Windows. PR 52402 [Mladen Turk]
*) core: Check during configtest that the directories for error logs exist.
PR 29941 [Stefan Fritsch]
*) Core configuration: add AllowOverride option to treat syntax
errors in .htaccess as non-fatal. PR 52439 [Nick Kew, Jim Jagielski]
*) core: Fix memory consumption in core output filter with streaming
bucket types like CGI or PIPE. [Joe Orton, Stefan Fritsch]
*) configure: Disable modules at configure time if a prerequisite module
is not enabled. PR 52487. [Stefan Fritsch]
*) Rewrite and proxy now decline what they don't support rather
than fail the request. [Joe Orton]
*) Fix building against external apr plus ap-util if apr is not installed
in a system default path. [Rainer Jung]
*) Doxygen fixes and improvements. [Joe Orton, Igor Galić]
*) core: Fix building against PCRE 8.30 by switching from the obsolete
pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]
*) SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which could allow an unprivileged child process
could cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]
*) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch]
*) SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17 and 2.3.3.
PR 52256. [Rainer Canavan <rainer-apache 7val com>]
*) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive.
[Kaspar Brand]
*) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
Loading full blame...