Skip to content
CHANGES 49.9 KiB
Newer Older
                                                         -*- coding: utf-8 -*-
Paul Querna's avatar
Paul Querna committed

Changes with Apache 2.3.7

William A. Rowe Jr's avatar
William A. Rowe Jr committed
  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola <niku.toivola sulake.com>]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]

  *) mod_proxy_ajp: Really regard the operation a success, when the client
     aborted the connection. In addition adjust the log message if the client
     aborted the connection. [Ruediger Pluem]

  *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
     allows insecure renegotiation with clients which do not yet
     support the secure renegotiation protocol.  [Joe Orton]

  *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
     is configured for client cert auth. PR 46952.  [Joe Orton]

  *) core: Only log a 408 if it is no keepalive timeout. PR 39785
     [Ruediger Pluem,  Mark Montague <markmont umich.edu>]

  *) support/rotatelogs: Add -L option to create a link to the current
     log file.  PR 48761 [<lyndon orthanc.ca>, Dan Poirier]

  *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
     setting only, matching most of the documentation and examples. 
     PR 46541 [Paul Reder, Eric Covener] 

  *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument 
     types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener]

  *) mod_negotiation: Preserve query string over multiviews negotiation.
     This buglet was fixed for type maps in 2.2.6, but the same issue
     affected multiviews and was overlooked.
     PR 33112 [Joergen Thomsen <apache jth.net>]

  *) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert
     when some are not password-protected. [Eric Covener]

  *) Fix startup segfault when the Mutex directive is used but no loaded 
     modules use httpd mutexes.  PR 48787.  [Jeff Trawick]

  *) Proxy: get the headers right in a HEAD request with
     ProxyErrorOverride, by checking for an overridden error
     before not after going into a catch-all code path.
     PR 41646.  [Nick Kew, Stuart Children]
  *) support/rotatelogs: Support the simplest log rotation case, log
     truncation. Useful when the log is being processed in real time
     using a command like tail. [Graham Leggett]

  *) support/htcacheclean: Teach it how to write a pid file (modelled on
     httpd's writing of a pid file) so that it becomes possible to run
     more than one instance of htcacheclean on the same machine.
     [Graham Leggett]

  *) Log command line on startup, so there's a record of command line
     arguments like -f.  PR 48752.  [Dan Poirier]
  *) Introduce mod_reflector, a handler capable of reflecting POSTed
     request bodies back within the response through the output filter
     stack. Can be used to turn an output filter into a web service.
     [Graham Leggett]

  *) mod_proxy_http: Make sure that when an ErrorDocument is served
     from a reverse proxied URL, that the subrequest respects the status
     of the original request. This brings the behaviour of proxy_handler
     in line with default_handler. PR 47106. [Graham Leggett]

  *) Support wildcards in both the directory and file components of
     the path specified by the Include directive. [Graham Leggett]

  *) mod_proxy, mod_proxy_http: Support remote https proxies
     by using HTTP CONNECT.  PR 19188.  
     [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
Paul Querna's avatar
Paul Querna committed
Changes with Apache 2.3.6

  *) worker: Don't report server has reached MaxClients until it has.
     Add message when server gets within MinSpareThreads of MaxClients.
     PR 46996.  [Dan Poirier]

  *) mod_session: Session expiry was being initialised, but not updated
     on each session save, resulting in timed out sessions when there
     should not have been. Fixed. [Graham Leggett]

  *) mod_log_config: Add the R option to log the handler used within the
     request. [Christian Folini <christian.folini netnea com>]

  *) mod_include: Allow fine control over the removal of Last-Modified and
     ETag headers within the INCLUDES filter, making it possible to cache
     responses if desired. Fix the default value of the SSIAccessEnable
     directive.  [Graham Leggett]
  *) Add new UnDefine directive to undefine a variable. PR 35350.
     [Stefan Fritsch]
  *) Make ap_pregsub(), used by AliasMatch and friends, use the same syntax
     for regex backreferences as mod_rewrite and mod_include: Remove the use
     of '&' as an alias for '$0' and allow to escape any character with a
     backslash. PR 48351. [Stefan Fritsch]

  *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
     password to UTF-8. PR 45318.
     [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]

  *) ab: Fix calculation of requests per second in HTML output. PR 48594.
     [Stefan Fritsch]

  *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
     password now result in an informational level log entry instead of 
     warning level.  [Eric Covener]

Changes with Apache 2.3.5
Paul Querna's avatar
Paul Querna committed

  *) SECURITY: CVE-2010-0434 (cve.mitre.org)
     Ensure each subrequest has a shallow copy of headers_in so that the
Jeff Trawick's avatar
Jeff Trawick committed
     parent request headers are not corrupted.  Eliminates a problematic
     optimization in the case of no request body.  PR 48359 
     [Jake Scott, William Rowe, Ruediger Pluem]
  *) Turn static function get_server_name_for_url() into public
     ap_get_server_name_for_url() and use it where appropriate. This
     fixes mod_rewrite generating invalid URLs for redirects to IPv6
     literal addresses. [Stefan Fritsch]

  *) mod_ldap: Introduce new config option LDAPTimeout to set the timeout
     for LDAP operations like bind and search. [Stefan Fritsch]

  *) mod_proxy, mod_proxy_ftp: Move ProxyFtpDirCharset from mod_proxy to
     mod_proxy_ftp. [Takashi Sato]

Takashi Sato's avatar
Takashi Sato committed
  *) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to
     mod_proxy_connect. [Takashi Sato]

  *) mod_cache: Do an exact match of the keys defined by
     CacheIgnoreURLSessionIdentifiers against the querystring instead of
     [Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem]

  *) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung]

  *) Core HTTP: disable keepalive when the Client has sent
     Expect: 100-continue
     but we respond directly with a non-100 response.
     Keepalive here led to data from clients continuing being treated as
     a new request.
     PR 47087 [Nick Kew]

  *) Core: reject NULLs in request line or request headers.
     PR 43039 [Nick Kew]

  *) Core: (re)-introduce -T commandline option to suppress documentroot
     check at startup.
     PR 41887 [Jan van den Berg <janvdberg gmail.com>]

  *) mod_autoindex: support XHTML as equivalent to HTML in IndexOptions,
                    ScanHTMLTitles, ReadmeName, HeaderName
     PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew]

  *) Proxy: Fix ProxyPassReverse with relative URL
     Derived (slightly erroneously) from PR 38864 [Nick Kew]
  *) mod_headers: align Header Edit with Header Set when used on Content-Type
     PR 48422 [Cyril Bonté <cyril.bonte free.fr>, Nick Kew>]

  *) mod_headers: Enable multi-match-and-replace edit option
     PR 47066 [Nick Kew]

  *) mod_filter: enable it to act on non-200 responses.
     PR 48377 [Nick Kew]

Changes with Apache 2.3.4
  *) Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex,
     and WatchdogMutexPath with a single Mutex directive.  Add APIs to
     simplify setup and user customization of APR proc and global mutexes.  
Loading full blame...