Skip to content
CHANGES 646 KiB
Newer Older
  [Remove entries to the current 2.0 and 2.2 section below, when backported]
Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CAN-2005-2700 (cve.mitre.org)
     mod_ssl: Fix a security issue where "SSLVerifyClient" was not
     enforced in per-location context if "SSLVerifyClient optional"
     was configured in the vhost configuration.  [Joe Orton]

Colm MacCarthaigh's avatar
 
Colm MacCarthaigh committed
  *) mod_cgid: run the get_suexec_identity hook within the request-handler 
     instead of within cgid. PR36410. [Colm MacCarthaigh]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Correct mod_cgid's argv[0] so that the full path can be delved by the
     invoked cgi application, to conform to the behavior of mod_cgi.
     [Pradeep Kumar S <pradeep.smani gmail.com>]

  *) Doxygen fixup [Neale Ranns <neale ranns.org>, Ian Holsman]
Colm MacCarthaigh's avatar
 
Colm MacCarthaigh committed
  *) prefork, worker and event MPMs: Support a graceful-stop procedure:
Colm MacCarthaigh's avatar
 
Colm MacCarthaigh committed
     Server will wait until existing requests are finished or until  
     "GracefulShutdownTimeout" number of seconds before exiting. 
     [Colm MacCarthaigh, Ken Coar, Bill Stoddard]
Colm MacCarthaigh's avatar
 
Colm MacCarthaigh committed

Colm MacCarthaigh's avatar
 
Colm MacCarthaigh committed
  *) mod_cgid: Append .PID to the script socket filename and remove the
     script socket on exit. [Colm MacCarthaigh]

Colm MacCarthaigh's avatar
 
Colm MacCarthaigh committed
  *) prefork, worker and event MPMs: Prevent children from holding open 
     listening ports upon graceful restart or stop. PR28167. 
Colm MacCarthaigh's avatar
 
Colm MacCarthaigh committed
     [Colm MacCarthaigh, Brian Pinkerton <bp thinkpink.com>]

  *) Linux 2.0: remove support for threaded MPM's due to linuxthreads use
     of SIGUSR1 clashing with graceful restart signal. [Colm MacCarthaigh]

Colm MacCarthaigh's avatar
 
Colm MacCarthaigh committed
  *) mod_cache: Enhance CacheEnable/CacheDisable to control caching on a
     per-protocol, per-host and per-path basis. Intended for proxy
     configurations. [Colm MacCarthaigh]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive,
     allowing string-valued client certificate attributes to be used for
     access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1")
     [Martin Kraemer, David Reid]

Changes with Apache 2.1.7
  *) SECURITY: CAN-2005-2491 (cve.mitre.org): 
     Fix integer overflows in PCRE in quantifier parsing which could
     be triggered by a local user through use of a carefully-crafted 
     regex in an .htaccess file.  [Philip Hazel]

  *) mod_proxy/mod_proxy_balancer: Provide a simple, functional
     interface to add additional balancer lb selection methods
     without requiring code changes to mod_proxy/mod_proxy_balancer;
     these can be implemented via sub-modules now. [Jim Jagielski]

  *) mod_cache: Fix incorrectly served 304 responses when expired cache
     entity is valid, but cache is unwritable and headers cannot be
     updated.  [Colm MacCarthaigh <colm stdlib.net>]

  *) mod_cache: Remove entities from the cache when re-validation
     receives a 404 or other content-no-longer-present error.
     [Rüdiger Plüm ruediger.pluem vodafone.com]

  *) mod_disk_cache: Properly remove files from cache when needed.
     [Rüdiger Plüm ruediger.pluem vodafone.com]

  *) mod_disk_cache: Support htcacheclean removing directories.
     [Andreas Steinmetz]

  *) htcacheclean: Add -t option to remove empty directories.
     [Colm MacCarthaigh <colm stdlib.net>]

  *) Remove the base href tag from mod_proxy_ftp, as it breaks relative
     links for clients not using an Authorization header. [Graham Leggett,
     Jon Snow <jsnow27 gatesec.net>]

  *) mod_cache: Restore the HTTP status of cached responses.
     [Hansjoerg Pehofer <hansjoerg.pehofer uibk.ac.at>]

  *) mod_cache: Store varied contents all in the same prefix for a varied URI.
     [Paul Querna]

  *) mod_cache: Run the CACHE_SAVE and CACHE_OUT Filters after other content
     filters. [Paul Querna]

  *) mod_negotiation: Correctly report 404 instead of 403 for missing files.
     [Paul Querna]

Paul Querna's avatar
Paul Querna committed
  *) new hook (request_status) that gets ran in proxy_handler just before 
     the final return.  This gives modules an opportunity to do something 
     based on the proxy status. (minor MMN bump)
     [Brian Akins <bakins turner.com>, Ian Holsman]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) SECURITY: CAN-2005-2088
     proxy: Correctly handle the Transfer-Encoding and Content-Length
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     headers.  Discard the request Content-Length whenever T-E: chunked
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     is used, always passing one of either C-L or T-E: chunked whenever 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     the request includes a request body.  Resolves an entire class of
     proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Added TraceEnable [on|off|extended] per-server directive to alter
     the behavior of the TRACE method.  This addresses a flaw in proxy
     conformance to RFC 2616 - previously the proxy server would accept
     a TRACE request body although the RFC prohibited it.  The default
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     remains 'TraceEnable on'.  [William Rowe]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) Add additional SSLSessionCache option, 'nonenotnull', which is
     similar to 'none' (disabling any external shared cache) but forces
     OpenSSL to provide a non-null session ID.  [Jim Jagielski]
  *) Add httxt2dbm to support/ for creating RewriteMap DBM Files.
     [Paul Querna]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note
     the negotiated compression.  [Georg v. Zezschwitz <gvz 2scale.de>]

  *) Fixed complaints about unpackaged files within the RPM build
     after changes to the config files. [Graham Leggett]

  *) Fix shutdown for the Worker MPM when an Accept Filter is used. Instead of 
     just closing the socket, a HTTP request is made, to make sure the child is 
     always awakened. [Paul Querna]

Paul Querna's avatar
Paul Querna committed
Changes with Apache 2.1.6

  *) Fix htdbm password validation for records which included comments.
     [Eric Covener <covener gmail.com>]

  *) mod_cgid: Fix buffer overflow processing ScriptSock directive.
     [Steve Kemp <steve steve.org.uk>]

Paul Querna's avatar
Paul Querna committed
Changes with Apache 2.1.5

  *) mod_ssl: Setting the Protocol to 'https' can replace the use of the 
     'SSLEngine on' command. [Paul Querna]

  *) core: Refactor the mapping of Accept Filters to Sockets. Add the 
     AcceptFilter and Protocol directives to aid in mapping filter types.
     Extend the Listen directive to optionally take a protocol name.
     [Paul Querna]

  *) mod_disk_cache: Support storing multiple variations of one URL. PR 35211.
     [Paul Querna]

  *) mod_disk_cache: Atomically create the header data file. [Paul Querna]

  *) mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125. 
     [Paul Querna]

  *) mod_cache: Rename 'generate_name' to 'ap_cache_generate_name'. 
     [Paul Querna]

  *) proxy FTP: Fix confusion about globbing characters which could lead
     to getting a directory listing when a file was requested.  PR 34512.
     [Sean <infamous41md hotmail.com>]

  *) mod_mime_magic: Handle CRLF-format magic files so that it works with
     the default installation on Windows.  [Jeff Trawick]

  *) core: Allow multiple modules to register interest in a single 
     configuration command. [Paul Querna]

  *) EBCDIC: Handle chunked input from client or, with proxy, origin
     server.  [Jeff Trawick]

  *) authn_provider_alias: Adds the configuration block tag
     <AuthnProviderAlias baseProvider Alias>
     Authentication directives contained within this block can be
     referenced as a new authProvider using the AuthBasicProvider or
     AuthDigestProvider directive.  These directives will be merged in to
     the per_dir configuration just before the base provider is called.
     [Brad Nicholes]

  *) ap_getword_conf: Fix backslashes at the end of configuration directives. 
     PR 34834. [Timo Viipuri <viipuri dlc.fi>]

Nick Kew's avatar
Nick Kew committed
  *) mod_dbd: New additions: mod_dbd.c, mod_dbd.h, mod_dbd.xml
     Provide module hooks for apr_dbd; optimise for httpd
     threaded and non-threaded arch [Nick Kew]

  *) ab: SSL support rewritten, improved, and enabled if SSL is enabled
     during the build; -f and -Z arguments added to specify SSL protocol
     options.  [Masaoki Kobayashi <masaoki techfirm.co.jp>]

  *) Support the suppress-error-charset setting, as with Apache 1.3.x.
     PR 31274.  [Jeff Trawick]

  *) Prevent hangs of child processes when writing to piped loggers at
     the time of graceful restart.  PR 26467.  [Jeff Trawick]
  
  *) mod_info: Show the Quick Handler [Paul Querna]
  *) mod_ldap: Add the directive LDAPVerifyServerCert to specify 
     whether to force verification of the server certificate when
     establishing an SSL connection to the LDAP server. 
     [Brad Nicholes]
     
  *) mod_proxy: Run mod_rewrite before mod_proxy in the translate_name
  *) Add AP_INIT_TAKE_ARGV for configuration commands. (minor MMN bump) 
     [Paul Querna]
Loading full blame...