Skip to content
CHANGES 224 KiB
Newer Older
     Note: Not present in 2.4.7 CHANGES

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.6

Jim Jagielski's avatar
Jim Jagielski committed
  *) Revert a broken fix for PR54948 that was applied to 2.4.5 (which was
     not released) and found post-2.4.5 tagging.
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.5

  *) SECURITY: CVE-2013-1896 (cve.mitre.org)
     mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
     the source href (sent as part of the request body as XML) pointing to a
     URI that is not configured for DAV will trigger a segfault. [Ben Reser
     <ben reser.org>]

Jim Jagielski's avatar
Jim Jagielski committed
  *) SECURITY: CVE-2013-2249 (cve.mitre.org)
     mod_session_dbd: Make sure that dirty flag is respected when saving
     sessions, and ensure the session ID is changed each time the session
     changes. This changes the format of the updatesession SQL statement.
     Existing configurations must be changed.
     [Takashi Sato, Graham Leggett]
  *) mod_auth_basic: Add a generic mechanism to fake basic authentication
     using the ap_expr parser. AuthBasicFake allows the administrator to 
     construct their own username and password for basic authentication based 
     on their needs. [Graham Leggett]

  *) mpm_event: Check that AsyncRequestWorkerFactor is not negative. PR 54254.
     [Jackie Zhang <jackie qq zhang gmail com>]

  *) mod_proxy: Ensure we don't attempt to amend a table we are iterating
     through, ensuring that all headers listed by Connection are removed.
     [Graham Leggett, Co-Advisor <coad measurement-factory.com>]

  *) mod_proxy_http: Make the proxy-interim-response environment variable
     effective by formally overriding origin server behaviour. [Graham
     Leggett, Co-Advisor <coad measurement-factory.com>]
  *) mod_proxy: Fix seg-faults when using the global pool on threaded
     MPMs [Thomas Eckert <thomas.r.w.eckert gmail.com>, Graham Leggett,
     Jim Jagielski]

  *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive.
     Gracefully step aside if the body size is zero. [Graham Leggett]

Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: Fix possible truncation of OCSP responses when reading from the
     server.  [Joe Orton]

  *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
     on Linux kernel versions 3.x and above.  PR 55121.  [Bradley Heilbrun
     <apache heilbrun.org>]

  *) mod_cache_socache: Make sure the CacheSocacheMaxSize directive is merged
     correctly. [Jens Låås <jelaas gmail.com>]

Rainer Jung's avatar
Rainer Jung committed
  *) rotatelogs: add -n number-of-files option to rotate through a number
     of fixed-name logfiles. [Eric Covener]

  *) mod_proxy: Support web-socket tunnels via mod_proxy_wstunnel.
     [Jim Jagielski]

  *) mod_cache_socache: Use the name of the socache implementation when performing
     a lookup rather than using the raw arguments. [Martin Ksellmann
     <martin@ksellmann.de>]

  *) core: Add dirwalk_stat hook.  [Jeff Trawick]
  *) core: Add post_perdir_config hook.
     [Steinar Gunderson <sgunderson bigfoot.com>]

  *) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
     [Christophe Jaillet]

  *) mod_remoteip: close file in error path. [Christophe Jaillet]

  *) core: make the "default" parameter of the "ErrorDocument" option case
     insensitive. PR 54419 [Tianyin Xu <tixu cs ucsd edu>]

  *) mod_proxy_html: make the "ProxyHTMLFixups" options case insensitive.
     PR 54420 [Tianyin Xu <tixu cs ucsd edu>]

  *) mod_cache: Make option "CacheDisable" in mod_cache case insensitive.
     PR 54462 [Tianyin Xu <tixu cs ucsd edu>]
  *) mod_cache: If a 304 response indicates an entity not currently cached, then
     the cache MUST disregard the response and repeat the request without the
     conditional. [Graham Leggett, Co-Advisor <coad measurement-factory.com>]

  *) mod_cache: Ensure that we don't attempt to replace a cached response
     with an older response as per RFC2616 13.12. [Graham Leggett, Co-Advisor
     <coad measurement-factory.com>]

  *) core, mod_cache: Ensure RFC2616 compliance in ap_meets_conditions()
     with weak validation combined with If-Range and Range headers. Break
     out explicit conditional header checks to be useable elsewhere in the
     server. Ensure weak validation RFC compliance in the byteranges filter.
     Ensure RFC validation compliance when serving cached entities. PR 16142
     [Graham Leggett, Co-Advisor <coad measurement-factory.com>]

  *) core: Add the ability to do explicit matching on weak and strong ETags
     as per RFC2616 Section 13.3.3. [Graham Leggett, Co-Advisor
     <coad measurement-factory.com>]

  *) mod_cache: Ensure that updated responses to HEAD requests don't get
     mistakenly paired with a previously cached body. Ensure that any existing
     body is removed when a HEAD request is cached. [Graham Leggett,
     Co-Advisor <coad measurement-factory.com>]

  *) mod_cache: Honour Cache-Control: no-store in a request. [Graham Leggett]

  *) mod_cache: Make sure that contradictory entity headers present in a 304
     Not Modified response are caught and cause the entity to be removed.
     [Graham Leggett]

  *) mod_cache: Make sure Vary processing handles multivalued Vary headers and
     multivalued headers referred to via Vary. [Graham Leggett]

  *) mod_cache: When serving from cache, only the last header of a multivalued
     header was taken into account. Fixed. Ensure that Warning headers are
     correctly handled as per RFC2616. [Graham Leggett]

  *) mod_cache: Ignore response headers specified by no-cache=header and
     private=header as specified by RFC2616 14.9.1 What is Cacheable. Ensure
     that these headers are still processed when multiple Cache-Control
     headers are present in the response. PR 54706 [Graham Leggett,
     Yann Ylavic <ylavic.dev gmail.com>]

  *) mod_cache: Invalidate cached entities in response to RFC2616 Section
     13.10 Invalidation After Updates or Deletions. PR 15868 [Graham
     Leggett]

  *) mod_dav: Improve error handling in dav_method_put(), add new
     dav_join_error() function.  PR 54145.  [Ben Reser <ben reser.org>]

  *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

  *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
     property on a resource for which there is no dead property in the same
     namespace httpd segfaults. PR 52559 [Diego Santa Cruz
     <diego.santaCruz spinetix.com>]

  *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
     result in a 412 Precondition Failed for a COPY operation. PR54610
     [Timothy Wood <tjw omnigroup.com>]
  *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
     we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]

Jim Jagielski's avatar
Jim Jagielski committed
  *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive.
     Gracefully step aside if the body size is zero. [Graham Leggett]

  *) 'AuthGroupFile' and 'AuthUserFile' do not accept anymore the optional
     'standard' keyword . It was unused and not documented.
     PR54463 [Tianyin Xu <tixu cs.ucsd.edu> and Christophe Jaillet]

  *) core: Do not over allocate memory within 'ap_rgetline_core' for
     the common case. [Christophe Jaillet]

  *) core: speed up (for common cases) and reduce memory usage of
     ap_escape_logitem(). This should save 70-100 bytes in the request
     pool for a default config. [Christophe Jaillet]

  *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
     [Timothy Wood <tjw omnigroup.com>]

  *) mod_proxy: Reject invalid values for Max-Forwards. [Graham Leggett,
     Co-Advisor <coad measurement-factory.com>]

  *) mod_cache: RFC2616 14.9.3 The s-maxage directive also implies the
     semantics of the proxy-revalidate directive. [Graham Leggett]

  *) mod_ssl: add support for subjectAltName-based host name checking
     in proxy mode (SSLProxyCheckPeerName). PR 54030. [Kaspar Brand]
  *) core: Use the proper macro for HTTP/1.1. [Graham Leggett]

  *) event MPM: Provide error handling for ThreadStackSize. PR 54311
     [Tianyin Xu <tixu cs.ucsd.edu>, Christophe Jaillet]

  *) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

  *) core: Improve error message where client's request-line exceeds
     LimitRequestLine. PR 54384 [Christophe Jaillet]

  *) mod_macro: New module that provides macros within configuration files.
     [Fabien Coelho]

  *) mod_cache_socache: New cache implementation backed by mod_socache
     that replaces mod_mem_cache known from httpd 2.2. [Graham
  *) htpasswd: Add -v option to verify a password. [Stefan Fritsch]

  *) mod_proxy: Add BalancerInherit and ProxyPassInherit to control
     whether Proxy Balancers and Workers are inherited by vhosts
     (default is On). [Jim Jagielski]

  *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
     password.  [Daniel Ruggeri]

  *) Added balancer parameter failontimeout to allow server admin
     to configure an IO timeout as an error in the balancer.
     [Daniel Ruggeri]

  *) mod_auth_digest: Fix crashes if shm initialization failed. [Stefan
     Fritsch]

  *) htpasswd, htdbm: Fix password generation. PR 54735. [Stefan Fritsch]

  *) core: Add workaround for gcc bug on sparc/64bit. PR 52900.
     [Stefan Fritsch]

  *) mod_setenvif: Fix crash in case SetEnvif and SetEnvIfExpr are used
     together. PR 54881. [Ruediger Pluem]

  *) htdigest: Fix buffer overflow when reading digest password file
     with very long lines. PR 54893. [Rainer Jung]

  *) ap_expr: Add the ability to base64 encode and base64 decode
     strings and to generate their SHA1 and MD5 hash.
     [Graham Leggett, Stefan Fritsch]

  *) mod_log_config: Fix crash when logging request end time for a failed
     request.  PR 54828 [Rainer Jung]

  *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
     [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]

  *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
     in the error log to debug level.  [William Rowe]

  *) mod_cache_disk: CacheMinFileSize and CacheMaxFileSize were always
     using compiled in defaults of 1000000/1 respectively. [Eric Covener]

  *) mod_lbmethod_heartbeat, mod_heartmonitor: Respect DefaultRuntimeDir/
     DEFAULT_REL_RUNTIMEDIR for the heartbeat storage file.  [Jeff Trawick]

Christophe Jaillet's avatar
Christophe Jaillet committed
  *) mod_include: Use new ap_expr for 'elif', like 'if', 
     if legacy parser is not specified.  PR 54548 [Tom Donovan]
  *) mod_lua: Add some new functions: r:htpassword(), r:mkdir(), r:mkrdir(),
     r:rmdir(), r:touch(), r:get_direntries(), r.date_parse_rfc().
     [Guenter Knauf]

  *) mod_lua: Add multipart form data handling. [Daniel Gruno]

  *) mod_lua: If a LuaMapHandler doesn't return any value, log a warning
     and treat it as apache2.OK. [Eric Covener]

  *) mod_lua: Add bindings for apr_dbd/mod_dbd database access
     [Daniel Gruno]

  *) mod_lua: Add LuaInputFilter/LuaOutputFilter for creating content
     filters in Lua [Daniel Gruno]

  *) mod_lua: Allow scripts handled by the lua-script handler to return
     a status code to the client (such as a 302 or a 500) [Daniel Gruno]

  *) mod_lua: Decline handling 'lua-script' if the file doesn't exist,
     rather than throwing an internal server error. [Daniel Gruno]

  *) mod_lua: Add functions r:flush and r:sendfile as well as additional
     request information to the request_rec structure. [Daniel Gruno]

  *) mod_lua: Add a server scope for Lua states, which creates a pool of
     states with manageable minimum and maximum size. [Daniel Gruno]

  *) mod_lua: Add new directive, LuaMapHandler, for dynamically mapping
     URIs to Lua scripts and functions using regular expressions.
     [Daniel Gruno]

  *) mod_lua: Add new directive LuaCodeCache for controlling in-memory
     caching of lua scripts. [Daniel Gruno]

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.4
  *) SECURITY: CVE-2012-3499 (cve.mitre.org)
     Various XSS flaws due to unescaped hostnames and URIs HTML output in
William A. Rowe Jr's avatar
William A. Rowe Jr committed
     mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
     [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]

  *) SECURITY: CVE-2012-4558 (cve.mitre.org)
     XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
     Niels Heinen <heinenn google com>]

Rainer Jung's avatar
Rainer Jung committed
  *) mod_dir: Add support for the value 'disabled' in FallbackResource.
     [Vincent Deffontaines]
  *) mod_proxy_connect: Don't keepalive the connection to the client if the
     backend closes the connection. PR 54474. [Pavel Mateja <pavel netsafe cz>]

  *) mod_lua: Add bindings for mod_dbd/apr_dbd database access.
     [Daniel Gruno]
  *) mod_proxy: Allow for persistence of local changes made via the
     balancer-manager between graceful/normal restarts and power
     cycles. [Jim Jagielski]

  *) mod_proxy: Fix startup crash with mis-defined balancers.
     PR 52402. [Jim Jagielski]

  *) --with-module: Fix failure to integrate them into some existing
     module directories.  PR 40097.  [Jeff Trawick]

Joe Orton's avatar
Joe Orton committed
  *) htcacheclean: Fix potential segfault if "-p" is omitted.  [Joe Orton]

  *) mod_proxy_http: Honour special value 0 (unlimited) of LimitRequestBody
     PR 54435.  [Pavel Mateja <pavel netsafe.cz>]

Rainer Jung's avatar
Rainer Jung committed
  *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
     [Rainer Jung]

  *) htcacheclean: Fix list options "-a" and "-A".
     [Rainer Jung]
  *) mod_slotmem_shm: Fix mistaken reset of num_free for restored shm.
     [Jim Jagielski]

  *) mod_proxy: non-existence of byrequests is not an immediate error.
  *) mod_proxy_balancer: Improve output of balancer-manager (re: Drn,
     Dis, Ign, Stby). PR 52478 [Danijel <dt-ng rbfh de>]
  *) configure: Fix processing of --disable-FEATURE for various features.
     [Jeff Trawick]

  *) mod_dialup/mod_http: Prevent a crash in mod_dialup in case of internal
     redirect. PR 52230.

  *) various modules, rotatelogs: Replace use of apr_file_write() with
     apr_file_write_full() to prevent incomplete writes. PR 53131.
     [Nicolas Viennot <apache viennot biz>, Stefan Fritsch]

  *) ab: Support socket timeout (-s timeout).
     [Guido Serra <zeph fsfe org>]
  *) httxt2dbm: Correct length computation for the 'value' stored in the
     DBM file. PR 47650 [jon buckybox com]
Stefan Fritsch's avatar
Stefan Fritsch committed
  *) core: Be more correct about rejecting directives that cannot work in <If>
     sections. [Stefan Fritsch]

  *) core: Fix directives like LogLevel that need to know if they are invoked
     at virtual host context or in Directory/Files/Location/If sections to
     work properly in If sections that are not in a Directory/Files/Location.
     [Stefan Fritsch]
  *) mod_xml2enc: Fix problems with charset conversion altering the
     Content-Length. [Micha Lenk <micha lenk info>]

  *) ap_expr: Add req_novary function that allows HTTP header lookups
     without adding the name to the Vary header. [Stefan Fritsch]

  *) mod_slotmem_*: Add in new fgrab() function which forces a grab and
     slot allocation on a specified slot. Allow for clearing of inuse
     array. [Jim Jagielski]

  *) mod_proxy_ftp: Fix segfaults on IPv4 requests to hosts with DNS
     AAAA records. PR  40841. [Andrew Rucker Jones <arjones simultan
     dyndns org>, <ast domdv de>, Jim Jagielski]

  *) mod_auth_form: Make sure that get_notes_auth() sets the user as does
     get_form_auth() and get_session_auth(). Makes sure that REMOTE_USER
     does not vanish during mod_include driven subrequests. [Graham
     Leggett]

  *) mod_cache_disk: Resolve errors while revalidating disk-cached files on
     Windows ("...rename tempfile to datafile failed..."). PR 38827
     [Eric Covener]

  *) mod_proxy_balancer: Bring XML output up to date. [Jim Jagielski]

  *) htpasswd, htdbm: Optionally read passwords from stdin, as more
     secure alternative to -b.  PR 40243. [Adomas Paltanavicius <adomas
     paltanavicius gmail com>, Stefan Fritsch]

  *) htpasswd, htdbm: Add support for bcrypt algorithm (requires
     apr-util 1.5 or higher). PR 49288. [Stefan Fritsch]

  *) htpasswd, htdbm: Put full 48bit of entropy into salt, improve
     error handling. Add some of htpasswd's improvements to htdbm,
     e.g. warn if password is truncated by crypt(). [Stefan Fritsch]

  *) mod_auth_form: Support the expr parser in the
     AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and
     AuthFormLogoutLocation directives. [Graham Leggett]

  *) mod_ssl: Add support for TLS-SRP (Secure Remote Password key exchange
     for TLS, RFC 5054). PR 51075. [Quinn Slack <sqs cs stanford edu>,
     Christophe Renou, Peter Sylvester]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_rewrite: Stop mergeing RewriteBase down to subdirectories
     unless new option 'RewriteOptions MergeBase' is configured.
     PR 53963. [Eric Covener]

  *) mod_header: Allow for exposure of loadavg and server load using new 
     format specifiers %l, %i, %b [Jim Jagielski]
Stefan Fritsch's avatar
Stefan Fritsch committed
  *) core: Make ap_regcomp() return AP_REG_ESPACE if out of memory.  Make
     ap_pregcomp() abort if out of memory. This raises the minimum PCRE
     requirement to version 6.0. [Stefan Fritsch]

  *) mod_proxy: Add ability to configure the sticky session separator.
     PR 53893. [<inu inusasha de>, Jim Jagielski]

  *) mod_dumpio: Correctly log large messages
     PR 54179 [Marek Wianecki <mieszek2 interia pl>]

  *) core: Don't fail at startup with AH00554 when Include points to 
     a directory without any wildcard character. [Eric Covener]

  *) core: Fail startup if the argument to ServerTokens is unrecognized.
     [Jackie Zhang  <jackie.qq.zhang gmail.com>]

  *) mod_log_forensic: Don't log a spurious "-" if a request has been rejected
     before mod_log_forensic could attach its id to it. [Stefan Fritsch]

Joe Orton's avatar
Joe Orton committed
  *) rotatelogs: Omit the second argument for the first invocation of
     a post-rotate program when -p is used, per the documentation.
     [Joe Orton]

  *) mod_session_dbd: fix a segmentation fault in the function dbd_remove.
Stefan Fritsch's avatar
Stefan Fritsch committed
     PR 53452. [<rebanerebane gmail com>, Reimo Rebane]
  *) core: Functions to provide server load values: ap_get_sload() and
     ap_get_loadavg(). [Jim Jagielski, Jan Kaluza <jkaluza redhat.com>,
     Jeff Trawick]

Joe Orton's avatar
Joe Orton committed
  *) mod_ldap: Fix regression in handling "server unavailable" errors on 
     Windows.  PR 54140.  [Eric Covener]
  *) syslog logging: Remove stray ", referer" at the end of some messages.
     [Jeff Trawick]

  *) "Iterate" directives: Report an error if no arguments are provided.
     [Jeff Trawick]

  *) mod_ssl: Change default for SSLCompression to off, as compression
     causes security issues in most setups. (The so called "CRIME" attack).
     [Stefan Fritsch]

  *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
     to more accurately report the negotiated protocol. PR 53916.
     [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]

  *) core: ErrorDocument now works for requests without a Host header.
     PR 48357.  [Jeff Trawick]

  *) prefork: Avoid logging harmless errors during graceful stop.
     [Joe Orton, Jeff Trawick]
  *) mod_proxy: When concatting for PPR, avoid cases where we
     concat ".../" and "/..." to create "...//..." [Jim Jagielski]

  *) mod_cache: Wrong content type and character set when
     mod_cache serves stale content because of a proxy error. 
     PR 53539.  [Rainer Jung, Ruediger Pluem]

  *) mod_proxy_ajp: Fix crash in packet dump code when logging
     with LogLevel trace7 or trace8.  PR 53730.  [Rainer Jung]

  *) httpd.conf: Removed the configuration directives setting a bad_DNT
     environment introduced in 2.4.3. The actual directives are commented
     out in the default conf file.

  *) core: Apply length limit when logging Status header values.
     [Jeff Trawick, Chris Darroch]

  *) mod_proxy_balancer: The nonce is only derived from the UUID iff
     not set via the 'nonce' balancer param. [Jim Jagielski]

  *) mod_ssl: Match wildcard SSL certificate names in proxy mode.  
     PR 53006.  [Joe Orton]

  *) Windows: Fix output of -M, -L, and similar command-line options
     which display information about the server configuration.
     [Jeff Trawick]

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.3

Jim Jagielski's avatar
Jim Jagielski committed
  *) SECURITY: CVE-2012-3502  (cve.mitre.org)
     mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
     connection closing which could lead to privacy issues due
     to a response mixup. PR 53727. [Rainer Jung]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
Jeff Trawick's avatar
Jeff Trawick committed
     mod_negotiation: Escape filenames in variant list to prevent a
Stefan Fritsch's avatar
Stefan Fritsch committed
     possible XSS for a site where untrusted users can upload files to
     a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]

  *) mod_authnz_ldap: Don't try a potentially expensive nested groups
     search before exhausting all AuthLDAPGroupAttribute checks on the
Jim Jagielski's avatar
Jim Jagielski committed
     current group. PR 52464 [Eric Covener]
  *) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
     authorization provider in lua. [Stefan Fritsch]

  *) core: Be less strict when checking whether Content-Type is set to 
     "application/x-www-form-urlencoded" when parsing POST data, 
     or we risk losing data with an appended charset. PR 53698
     [Petter Berntsen <petterb gmail.com>]

  *) httpd.conf: Added configuration directives to set a bad_DNT environment
     variable based on User-Agent and to remove the DNT header field from
     incoming requests when a match occurs. This currently has the effect of
     removing DNT from requests by MSIE 10.0 because it deliberately violates
     the current specification of DNT semantics for HTTP. [Roy T. Fielding]

  *) mod_socache_shmcb: Fix bus error due to a misalignment
     in some 32 bit builds, especially on Solaris Sparc.
     PR 53040.  [Rainer Jung]

Jim Jagielski's avatar
Jim Jagielski committed
  *) mod_cache: Set content type in case we return stale content.
     [Ruediger Pluem]

  *) Windows: Fix SSL failures on windows with AcceptFilter https none.
  *) ab: Fix read failure when targeting SSL server.  [Jeff Trawick]

  *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
     - mod_auth_digest: shared memory file
  *) htpasswd: Use correct file mode for checking if file is writable.
     PR 45923. [Stefan Fritsch]

  *) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T.
     <mi apache aldan algebra com>]

  *) mod_ssl: Add new directive SSLCompression to disable TLS-level
     compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]

Rainer Jung's avatar
Rainer Jung committed
  *) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
     client_ip to match conn_rec. [Stefan Fritsch]

  *) mod_lua: Change prototype of vm_construct, to work around gcc bug which
     causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>]

Rainer Jung's avatar
Rainer Jung committed
  *) mpm_event: Don't count connections in lingering close state when
     calculating how many additional connections may be accepted.
     [Stefan Fritsch]

  *) mod_ssl: If exiting during initialization because of a fatal error,
     log a message to the main error log pointing to the appropriate
     virtual host error log. [Stefan Fritsch]

  *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
     one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]

  *) mod_proxy_balancer: Restore balancing after a failed worker has
     recovered when using lbmethod_bybusyness.  PR 48735.  [Jeff Trawick]

  *) mod_setenvif: Compile some global regex only once during startup.
     This should save some memory, especially with .htaccess.
     [Stefan Fritsch]

Rainer Jung's avatar
 
Rainer Jung committed
  *) core: Add the port number to the vhost's name in the scoreboard.
     [Stefan Fritsch]

Joe Orton's avatar
Joe Orton committed
  *) mod_proxy: Fix ProxyPassReverse for balancer configurations.
Joe Orton's avatar
Joe Orton committed
     PR 45434.  [Joe Orton]
  *) mod_lua: Add the parsebody function for parsing POST data. PR 53064.
     [Daniel Gruno]

  *) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS.
     [Stefan Fritsch]

  *) mod_proxy: Fix memory leak or possible corruption in ProxyBlock
     implementation.  [Ruediger Pluem, Joe Orton]

  *) mod_proxy: Check hostname from request URI against ProxyBlock list,
     not forward proxy, if ProxyRemote* is configured.  [Joe Orton]

  *) mod_proxy_connect: Avoid DNS lookup on hostname from request URI 
     if ProxyRemote* is configured.  PR 43697.  [Joe Orton]

  *) mpm_event, mpm_worker: Remain active amidst prevalent child process
     resource shortages.  [Jeff Trawick]

  *) Add "strict" and "warnings" pragmas to Perl scripts.  [Rich Bowen]

  *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
     - core: the scoreboard (ScoreBoardFile), pid file (PidFile), and
       mutexes (Mutex)
     [Jim Jagielski]

Joe Orton's avatar
Joe Orton committed
  *) ab: Fix bind() errors.  [Joe Orton]

  *) mpm_event: Don't do a blocking write when starting a lingering close
     from the listener thread. PR 52229. [Stefan Fritsch]

  *) mod_so: If a filename without slashes is specified for LoadFile or
     LoadModule and the file cannot be found in the server root directory,
     try to use the standard dlopen() search path. [Stefan Fritsch]

  *) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced
     after child process resource shortages.  [Jeff Trawick]

  *) mpm_prefork: Reduce spawn rate after a child process exits due to
     unexpected poll or accept failure.  [Jeff Trawick]

  *) core: Log value of Status header line in script responses rather
     than the fixed header name.  [Chris Darroch]

Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_ssl: Fix handling of empty response from OCSP server.
     [Jim Meyering <meyering redhat.com>, Joe Orton]

Rainer Jung's avatar
Rainer Jung committed
  *) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch]

  *) mod_authz_core: If an expression in "Require expr" returns denied and
     references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
     [Stefan Fritsch]

  *) core: Always log if LimitRequestFieldSize triggers.  [Stefan Fritsch]

  *) mod_deflate: Skip compression if compression is enabled at SSL level.
     [Stefan Fritsch]

  *) core: Add missing HTTP status codes registered with IANA.
     [Julian Reschke <julian.reschke gmx.de>, Rainer Jung]

Joe Orton's avatar
Joe Orton committed
  *) mod_ldap: Treat the "server unavailable" condition as a transient
     error with all LDAP SDKs.  [Filip Valder <filip.valder vsb.cz>]

  *) core: Fix spurious "not allowed here" error returned when the Options 
     directive is used in .htaccess and "AllowOverride Options" (with no 
     specific options restricted) is configured.  PR 53444. [Eric Covener]

  *) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
     PR 53048. [Stefan Fritsch]

  *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
     PR 53104. [Greg Ames]

  *) mod_ext_filter: Fix error_log spam when input filters are configured.  
     [Joe Orton]

  *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). 
     [Paul Wouters <pwouters redhat.com>, Joe Orton]

  *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
     the chosen listener is configured for https. [Joe Orton]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
     forwarding to SSL backends. PR 53134.
     [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]

  *) mod_info: Display all registered providers. [Stefan Fritsch]

  *) mod_ssl: Send the error message for speaking http to an https port using
     HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
     using SNI. PR 50823. [Stefan Fritsch]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) core: Fix segfault in logging if r->useragent_addr or c->client_addr is
Stefan Fritsch's avatar
Stefan Fritsch committed
     unset. PR 53265. [Stefan Fritsch]
Stefan Fritsch's avatar
Stefan Fritsch committed

  *) log_server_status: Bring Perl style forward to the present, use
     standard modules, update for new format of server-status output.
     PR 45424. [Richard Bowen, Dave Brondsema, and others]

Joe Orton's avatar
Joe Orton committed
  *) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups. 
     [Joe Orton, André Malo]
  *) core: Prevent "httpd -k restart" from killing server in presence of
     config error. [Joe Orton]

  *) mod_proxy_fcgi: If there is an error reading the headers from the
     backend, send an error to the client. PR 52879. [Stefan Fritsch]

  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
     current working directory to be searched for DSOs. [Stefan Fritsch]
Stefan Fritsch's avatar
Stefan Fritsch committed

  *) mod_slotmem_shm: Honor DefaultRuntimeDir [Jim Jagielski]

  *) mod_ssl: Fix crash with threaded MPMs due to race condition when
     initializing EC temporary keys. [Stefan Fritsch]

  *) mod_rewrite: Fix RewriteCond integer checks to be parsed correctly.
     PR 53023. [Axel Reinhold <apache freakout.de>, André Malo]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_proxy: Add the forcerecovery balancer parameter that determines if
     recovery for balancer workers is enforced. [Ruediger Pluem]

  *) Fix MPM DSO load failure on AIX.  [Jeff Trawick]

  *) mod_proxy: Correctly set up reverse proxy worker. PR 52935.
     [Petter Berntsen <petterb gmail.com>]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_sed: Don't define PATH_MAX to a potentially undefined value, causing
     compile problems on GNU hurd. [Stefan Fritsch]

Graham Leggett's avatar
Graham Leggett committed
  *) core: Add ap_runtime_dir_relative() and DefaultRuntimeDir.
     [Jeff Trawick]

Graham Leggett's avatar
Graham Leggett committed
  *) core: Fix breakage of Listen directives with MPMs that use a
     per-directory config. PR 52904. [Stefan Fritsch]

Graham Leggett's avatar
Graham Leggett committed
  *) core: Disallow directives in AllowOverrideList which are only allowed
     in VirtualHost or server context. These are usually not prepared to be
     called in .htaccess files. [Stefan Fritsch]

Graham Leggett's avatar
Graham Leggett committed
  *) core: In AllowOverrideList, do not allow 'None' together with other
     directives. PR 52823. [Stefan Fritsch]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_slotmem_shm: Support DEFAULT_REL_RUNTIMEDIR for file-based shm.
     [Jim Jagielski]

Eric Covener's avatar
Eric Covener committed
  *) core: Fix merging of AllowOverrideList and ContentDigest.
     [Stefan Fritsch]

Eric Covener's avatar
Eric Covener committed
  *) mod_request: Fix validation of the KeptBodySize argument so it
     doesn't always throw a configuration error. PR 52981 [Eric Covener]

  *) core: Add filesystem paths to access denied / access failed messages
     AH00035 and AH00036. [Eric Covener]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_dumpio: Properly handle errors from subsequent input filters.
     PR 52914. [Stefan Fritsch]
Joe Orton's avatar
Joe Orton committed
  *) Unix MPMs: Fix small memory leak in parent process if connect()
     failed when waking up children.  [Joe Orton]

  *) "DirectoryIndex disabled" now undoes DirectoryIndex settings in
     the current configuration section, not just previous config sections.
Stefan Fritsch's avatar
Stefan Fritsch committed
     PR 52845. [Eric Covener]
  *) mod_xml2enc: Fix broken handling of EOS buckets which could lead to
     response headers not being sent. PR 52766. [Stefan Fritsch]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_ssl: Properly free the GENERAL_NAMEs. PR 32652. [Kaspar Brand]
Jim Jagielski's avatar
Jim Jagielski committed

  *) core: Check during config test that directories for the access
Stefan Fritsch's avatar
Stefan Fritsch committed
     logs actually exist. PR 29941. [Stefan Fritsch]
Jim Jagielski's avatar
Jim Jagielski committed

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_xml2enc, mod_proxy_html: Enable per-module loglevels.
     [Stefan Fritsch]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_filter: Fix segfault with AddOutputFilterByType. PR 52755.
     [Stefan Fritsch]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_session: Sessions are encoded as application/x-www-form-urlencoded
     strings, however we do not handle the encoding of spaces properly.
     Fixed. [Graham Leggett]
Graham Leggett's avatar
Graham Leggett committed

  *) Configuration: Example in comment should use a path consistent
     with the default configuration. PR 52715.
     [Rich Bowen, Jens Schleusener, Rainer Jung]

  *) Configuration: Switch documentation links from trunk to 2.4.
     [Rainer Jung]

  *) configure: Fix out of tree build using apr and apr-util in srclib.
     [Rainer Jung]

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.1

  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
     Fix an issue in error responses that could expose "httpOnly" cookies
     when no custom ErrorDocument is specified for status code 400.  
     [Eric Covener]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_proxy_balancer: Fix crash on Windows. PR 52402 [Mladen Turk]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) core: Check during configtest that the directories for error logs exist.
     PR 29941 [Stefan Fritsch]

  *) Core configuration: add AllowOverride option to treat syntax
     errors in .htaccess as non-fatal. PR 52439 [Nick Kew, Jim Jagielski]

Joe Orton's avatar
Joe Orton committed
  *) core: Fix memory consumption in core output filter with streaming
     bucket types like CGI or PIPE.  [Joe Orton, Stefan Fritsch]

  *) configure: Disable modules at configure time if a prerequisite module
     is not enabled. PR 52487. [Stefan Fritsch]

  *) Rewrite and proxy now decline what they don't support rather
     than fail the request. [Joe Orton]
Rainer Jung's avatar
Rainer Jung committed
  *) Fix building against external apr plus apr-util if apr is not installed
Rainer Jung's avatar
Rainer Jung committed
     in a system default path. [Rainer Jung]

  *) Doxygen fixes and improvements. [Joe Orton, Igor Galić]

  *) core: Fix building against PCRE 8.30 by switching from the obsolete
     pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]

Changes with Apache 2.4.0

  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
     Fix scoreboard issue which could allow an unprivileged child process
Jeff Trawick's avatar
Jeff Trawick committed
     to cause the parent to crash at shutdown rather than terminate
  *) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch]

  *) SECURITY: CVE-2012-0021 (cve.mitre.org)
     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
     string is in use and a client sends a nameless, valueless cookie, causing
     a denial of service. The issue existed since version 2.2.17 and 2.3.3.
Stefan Fritsch's avatar
Stefan Fritsch committed
     PR 52256.  [Rainer Canavan <rainer-apache 7val com>]
Stefan Fritsch's avatar
Stefan Fritsch committed

Kaspar Brand's avatar
Kaspar Brand committed
  *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
     control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive.
     [Kaspar Brand]

Kaspar Brand's avatar
Kaspar Brand committed
  *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
     or later, to improve binary compatibility with future OpenSSL releases.
     [Kaspar Brand]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass,
     but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime
     behave identically in both cases. PR52342. [Graham Leggett]

Graham Leggett's avatar
Graham Leggett committed
  *) Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with
     corresponding man pages. [Graham Leggett]

Graham Leggett's avatar
Graham Leggett committed
  *) Distinguish properly between the bindir and sbindir directories when
     installing binaries. Previously all binaries were silently installed to
     sbindir, whether they were system administration commands or not.
     [Graham Leggett]
Changes with Apache 2.3.16
  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
     Resolve additional cases of URL rewriting with ProxyPassMatch or
     RewriteRule, where particular request-URIs could result in undesired
     backend network exposure in some configurations.
     [Joe Orton]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) core: Limit line length in .htaccess to 8K like in 2.2.x, to avoid
     additional DoS potential. [Stefan Fritsch]

  *) core, all modules: Add unique tag to most error log messages. [Stefan
     Fritsch]

  *) mod_socache_memcache: Change provider name from "mc" to "memcache" to
     match module name. [Stefan Fritsch]

  *) mod_slotmem_shm: Change provider name from "shared" to "shm" to match
     module name. [Stefan Fritsch]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_ldap: Fix segfault with Solaris LDAP when enabling ldaps. This
     requires an apr-util fix in which is available in apr-util >= 1.4.0.
     PR 42682. [Stefan Fritsch]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible
     for RewriteRules to be placed in .htaccess files that match the directory
     with no trailing slash. PR 48304.
     [Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_session_crypto: Add a SessionCryptoPassphraseFile directive so that
     the administrator can hide the keys from the configuration. [Graham
     Leggett]

Graham Leggett's avatar
Graham Leggett committed
  *) Introduce a per request version of the remote IP address, which can be
     optionally modified by a module when the effective IP of the client
     is not the same as the real IP of the client (such as a load balancer).
     Introduce a per connection "peer_ip" and a per request "client_ip" to
     distinguish between the raw IP address of the connection and the effective
     IP address of the request. [Graham Leggett]

Jim Jagielski's avatar
Jim Jagielski committed
  *) ap_pass_brigade_fchk() function added. [Jim Jagielski]

  *) core: Pass ap_errorlog_info struct to error log hook. [Stefan Fritsch]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_cache_disk: Make sure we check return codes on all writes and
     attempts to close, and clean up after ourselves in these cases.
     PR43589. [Graham Leggett]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_cache_disk: Remove the unnecessary intermediate brigade while
     writing to disk. Fixes a problem where mod_disk_cache was leaving
     buckets in the intermediate brigade and not passing them to out on
     exit. [Florian S. <f_los_ch yahoo.com>, Graham Leggett]
Graham Leggett's avatar
Graham Leggett committed

Kaspar Brand's avatar
Kaspar Brand committed
  *) mod_ssl: use a shorter setting for SSLCipherSuite in the default
     default configuration file, and add some more information about
     configuring a speed-optimized alternative.
     [Kaspar Brand]

Kaspar Brand's avatar
Kaspar Brand committed
  *) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand]

Eric Covener's avatar
Eric Covener committed
  *) mod_lua: Stop losing track of all but the most specific LuaHook* directives
     when multiple per-directory config sections are used.  Adds LuaInherit 
     directive to control how parent sections are merged.  [Eric Covener]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Server directive display (-L): Include directives of DSOs.
     [Jeff Trawick]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_cache: Make sure we merge headers correctly when we handle a
     non cacheable conditional response. PR52120. [Graham Leggett]

Rainer Jung's avatar
Rainer Jung committed
  *) Pre GA removal of components that will not be included:
     - mod_noloris was superseded by mod_reqtimeout
  *) core: Set MaxMemFree 2048 by default. [Stefan Fritsch]

  *) mpm_event: Fix assertion failure during very high load. [Stefan Fritsch]

  *) configure: Additional modules loaded by default: mod_headers.
     Modules moved from module set "few" to "most" and no longer loaded
     by default: mod_actions, mod_allowmethods, mod_auth_form, mod_buffer,
     mod_cgi(d), mod_include, mod_negotiation, mod_ratelimit, mod_request,
     mod_userdir. [Rainer Jung]

  *) mod_lua: Use the right lua scope when used as a hook. [Rainer Jung]

  *) configure: Only load the really imporant modules (i.e. those enabled by
     the 'few' selection) by default. Don't handle modules enabled with
     --enable-foo specially. [Stefan Fritsch]

  *) end-generation hook: Fix false notification of end-of-generation for
     temporary intervals with no active MPM children.  [Jeff Trawick]

  *) mod_ssl: Add support for configuring persistent TLS session ticket
     encryption/decryption keys (useful for clustered environments).
     [Paul Querna, Kaspar Brand]
  *) mod_usertrack: Use random value instead of remote IP address.
     [Stefan Fritsch]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.3.15

  *) SECURITY: CVE-2011-3348 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
     recognized.  [Jean-Frederic Clere]

  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
     core: Fix handling of byte-range requests to use less memory, to avoid
     denial of service. If the sum of all ranges in a request is larger than
     the original file, ignore the ranges and send the complete file.
     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
     <lowprio20 gmail.com>]
  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
     with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]

  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
     Reject requests where the request-URI does not match the HTTP
     specification, preventing unexpected expansion of target URLs in
     some reverse proxy configurations.  [Joe Orton]

  *) configure: Load all modules in the generated default configuration
     when using --enable-load-all-modules. [Rainer Jung]

  *) mod_reqtimeout: Change the default to set some reasonable timeout
     values. [Stefan Fritsch]

  *) core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove
     the inode. PR 49623. [Stefan Fritsch]

  *) mod_lua: Expose SSL variables via r:ssl_var_lookup().  [Eric Covener]

  *) mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName}
     can now additionally be run as "early" or "late" relative to other modules.
     [Eric Covener]

  *) configure: By default, only load those modules that are either required
     or explicitly selected by a configure --enable-foo argument. The
     LoadModule statements for modules enabled by --enable-mods-shared=most
     and friends will be commented out. [Stefan Fritsch]

  *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and 
     LuaHookQuickHandler) from being configured in <Directory>, <Files>, 
     and htaccess where the configuration would have been ignored.
     [Eric Covener]

  *) mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors
     in LuaMapHandler scripts [Eric Covener]

  *) mod_log_debug: Rename optional argument from if= to expr=, to be more
     in line with other config directives. [Stefan Fritsch]

  *) mod_headers: Require an expression to be specified with expr=, to be more
     in line with other config directives. [Stefan Fritsch]

  *) mod_substitute: To prevent overboarding memory usage, limit line length
     to 1MB. [Stefan Fritsch]

  *) mod_lua: Make the query string (r.args) writable. [Eric Covener]

  *) mod_include: Add support for application/x-www-form-urlencoded encoding
     and decoding. [Graham Leggett]

  *) rotatelogs: Add -c option to force logfile creation in every rotation 
     interval, even if empty.  [Jan Kaluža <jkaluza redhat.com>]