Skip to content
CHANGES 108 KiB
Newer Older
                                                         -*- coding: utf-8 -*-
Jim Jagielski's avatar
Jim Jagielski committed

Jim Jagielski's avatar
Jim Jagielski committed

Changes with Apache 2.4.3

Changes with Apache 2.4.2

  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
     current working directory to be searched for DSOs. [Stefan Fritsch]
Stefan Fritsch's avatar
Stefan Fritsch committed

  *) mod_slotmem_shm: Honor DefaultRuntimeDir [Jim Jagielski]

  *) mod_ssl: Fix crash with threaded MPMs due to race condition when
     initializing EC temporary keys. [Stefan Fritsch]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_proxy: Add the forcerecovery balancer parameter that determines if
     recovery for balancer workers is enforced. [Ruediger Pluem]

  *) Fix MPM DSO load failure on AIX.  [Jeff Trawick]

  *) mod_proxy: Correctly set up reverse proxy worker. PR 52935.
     [Petter Berntsen <petterb gmail.com>]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_sed: Don't define PATH_MAX to a potentially undefined value, causing
     compile problems on GNU hurd. [Stefan Fritsch]

Graham Leggett's avatar
Graham Leggett committed
  *) core: Add ap_runtime_dir_relative() and DefaultRuntimeDir.
     [Jeff Trawick]

Graham Leggett's avatar
Graham Leggett committed
  *) core: Fix breakage of Listen directives with MPMs that use a
     per-directory config. PR 52904. [Stefan Fritsch]

Graham Leggett's avatar
Graham Leggett committed
  *) core: Disallow directives in AllowOverrideList which are only allowed
     in VirtualHost or server context. These are usually not prepared to be
     called in .htaccess files. [Stefan Fritsch]

Graham Leggett's avatar
Graham Leggett committed
  *) core: In AllowOverrideList, do not allow 'None' together with other
     directives. PR 52823. [Stefan Fritsch]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_slotmem_shm: Support DEFAULT_REL_RUNTIMEDIR for file-based shm.
     [Jim Jagielski]

Eric Covener's avatar
Eric Covener committed
  *) core: Fix merging of AllowOverrideList and ContentDigest.
     [Stefan Fritsch]

Eric Covener's avatar
Eric Covener committed
  *) mod_request: Fix validation of the KeptBodySize argument so it
     doesn't always throw a configuration error. PR 52981 [Eric Covener]

  *) core: Add filesystem paths to access denied / access failed messages
     AH00035 and AH00036. [Eric Covener]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_dumpio: Properly handle errors from subsequent input filters.
     PR 52914. [Stefan Fritsch]
Joe Orton's avatar
Joe Orton committed
  *) Unix MPMs: Fix small memory leak in parent process if connect()
     failed when waking up children.  [Joe Orton]

  *) "DirectoryIndex disabled" now undoes DirectoryIndex settings in
     the current configuration section, not just previous config sections.
Stefan Fritsch's avatar
Stefan Fritsch committed
     PR 52845. [Eric Covener]
  *) mod_xml2enc: Fix broken handling of EOS buckets which could lead to
     response headers not being sent. PR 52766. [Stefan Fritsch]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_ssl: Properly free the GENERAL_NAMEs. PR 32652. [Kaspar Brand]
Jim Jagielski's avatar
Jim Jagielski committed

  *) core: Check during config test that directories for the access
Stefan Fritsch's avatar
Stefan Fritsch committed
     logs actually exist. PR 29941. [Stefan Fritsch]
Jim Jagielski's avatar
Jim Jagielski committed

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_xml2enc, mod_proxy_html: Enable per-module loglevels.
     [Stefan Fritsch]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_filter: Fix segfault with AddOutputFilterByType. PR 52755.
     [Stefan Fritsch]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_session: Sessions are encoded as application/x-www-form-urlencoded
     strings, however we do not handle the encoding of spaces properly.
     Fixed. [Graham Leggett]
Graham Leggett's avatar
Graham Leggett committed

  *) Configuration: Example in comment should use a path consistent
     with the default configuration. PR 52715.
     [Rich Bowen, Jens Schleusener, Rainer Jung]

  *) Configuration: Switch documentation links from trunk to 2.4.
     [Rainer Jung]

  *) configure: Fix out of tree build using apr and apr-util in srclib.
     [Rainer Jung]

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.1

  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
     Fix an issue in error responses that could expose "httpOnly" cookies
     when no custom ErrorDocument is specified for status code 400.  
     [Eric Covener]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_proxy_balancer: Fix crash on Windows. PR 52402 [Mladen Turk]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) core: Check during configtest that the directories for error logs exist.
     PR 29941 [Stefan Fritsch]

  *) Core configuration: add AllowOverride option to treat syntax
     errors in .htaccess as non-fatal. PR 52439 [Nick Kew, Jim Jagielski]

Joe Orton's avatar
Joe Orton committed
  *) core: Fix memory consumption in core output filter with streaming
     bucket types like CGI or PIPE.  [Joe Orton, Stefan Fritsch]

  *) configure: Disable modules at configure time if a prerequisite module
     is not enabled. PR 52487. [Stefan Fritsch]

  *) Rewrite and proxy now decline what they don't support rather
     than fail the request. [Joe Orton]
Rainer Jung's avatar
Rainer Jung committed
  *) Fix building against external apr plus ap-util if apr is not installed
     in a system default path. [Rainer Jung]

  *) Doxygen fixes and improvements. [Joe Orton, Igor Galić]

  *) core: Fix building against PCRE 8.30 by switching from the obsolete
     pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]

Changes with Apache 2.4.0

  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
     Fix scoreboard issue which could allow an unprivileged child process
     could cause the parent to crash at shutdown rather than terminate
     cleanly.  [Joe Orton]
  *) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch]

  *) SECURITY: CVE-2012-0021 (cve.mitre.org)
     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
     string is in use and a client sends a nameless, valueless cookie, causing
     a denial of service. The issue existed since version 2.2.17 and 2.3.3.
Stefan Fritsch's avatar
Stefan Fritsch committed
     PR 52256.  [Rainer Canavan <rainer-apache 7val com>]
Stefan Fritsch's avatar
Stefan Fritsch committed

Kaspar Brand's avatar
Kaspar Brand committed
  *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
     control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive.
     [Kaspar Brand]

Kaspar Brand's avatar
Kaspar Brand committed
  *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
     or later, to improve binary compatibility with future OpenSSL releases.
     [Kaspar Brand]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass,
     but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime
     behave identically in both cases. PR52342. [Graham Leggett]

Graham Leggett's avatar
Graham Leggett committed
  *) Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with
     corresponding man pages. [Graham Leggett]

Graham Leggett's avatar
Graham Leggett committed
  *) Distinguish properly between the bindir and sbindir directories when
     installing binaries. Previously all binaries were silently installed to
     sbindir, whether they were system administration commands or not.
     [Graham Leggett]
Changes with Apache 2.3.16
  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
     Resolve additional cases of URL rewriting with ProxyPassMatch or
     RewriteRule, where particular request-URIs could result in undesired
     backend network exposure in some configurations.
     [Joe Orton]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) core: Limit line length in .htaccess to 8K like in 2.2.x, to avoid
     additional DoS potential. [Stefan Fritsch]

  *) core, all modules: Add unique tag to most error log messages. [Stefan
     Fritsch]

  *) mod_socache_memcache: Change provider name from "mc" to "memcache" to
     match module name. [Stefan Fritsch]

  *) mod_slotmem_shm: Change provider name from "shared" to "shm" to match
     module name. [Stefan Fritsch]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_ldap: Fix segfault with Solaris LDAP when enabling ldaps. This
     requires an apr-util fix in which is available in apr-util >= 1.4.0.
     PR 42682. [Stefan Fritsch]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible
     for RewriteRules to be placed in .htaccess files that match the directory
     with no trailing slash. PR 48304.
     [Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_session_crypto: Add a SessionCryptoPassphraseFile directive so that
     the administrator can hide the keys from the configuration. [Graham
     Leggett]

Graham Leggett's avatar
Graham Leggett committed
  *) Introduce a per request version of the remote IP address, which can be
     optionally modified by a module when the effective IP of the client
     is not the same as the real IP of the client (such as a load balancer).
     Introduce a per connection "peer_ip" and a per request "client_ip" to
     distinguish between the raw IP address of the connection and the effective
     IP address of the request. [Graham Leggett]

Jim Jagielski's avatar
Jim Jagielski committed
  *) ap_pass_brigade_fchk() function added. [Jim Jagielski]

  *) core: Pass ap_errorlog_info struct to error log hook. [Stefan Fritsch]
Loading full blame...