Skip to content
CHANGES 58.6 KiB
Newer Older
                                                         -*- coding: utf-8 -*-
Paul Querna's avatar
Paul Querna committed

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.3.9

  *) mod_authz_core: Allow authz providers to check args while reading the
     config and allow to cache parsed args. [Stefan Fritsch]

  *) mod_include: Move the request_rec within mod_include to be
     exposed within include_ctx_t. [Graham Leggett]

  *) mod_include: Reinstate support for UTF-8 character sets by allowing a
     variable being echoed or set to be decoded and then encoded as separate
     steps. PR47686 [Graham Leggett]

  *) mod_cache: Add a discrete commit_entity() provider function within the
     mod_cache provider interface which is called to indicate to the
     provider that caching is complete, giving the provider the opportunity
     to commit temporary files permanently to the cache in an atomic
     fashion. Replace the inconsistent use of error cleanups with a formal
     set of pool cleanups attached to a subpool, which is destroyed on error.
     [Graham Leggett]
  *) mod_cache: Change the signature of the store_body() provider function
     within the mod_cache provider interface to support an "in" brigade
     and an "out" brigade instead of just a single input brigade. This
     gives a cache provider the option to consume only part of the brigade
     passed to it, rather than the whole brigade as was required before.
     This fixes an out of memory and a request timeout condition that would
     occur when the original document was a large file. Introduce
     CacheReadSize and CacheReadTime directives to mod_disk_cache to control
     the amount of data to attempt to cache at a time. [Graham Leggett]
  *) core: Add ErrorLogFormat to allow configuring error log format, including
     additional information that is logged once per connection or request. Add
     error log IDs for connections and request to allow correlating error log
     lines and the corresponding access log entry. [Stefan Fritsch]
  *) core: Disable sendfile by default. [Stefan Fritsch]

  *) mod_cache: Check the request to determine whether we are allowed
     to return cached content at all, and respect a "Cache-Control:
     no-cache" header from a client. Previously, "no-cache" would
     behave like "max-age=0". [Graham Leggett]

  *) mod_cache: Use a proper filter context to hold filter data instead
     of misusing the per-request configuration. Fixes a segfault on trunk
     when the normal handler is used. [Graham Leggett]

  *) mod_cgid: Log a warning if the ScriptSock path is truncated because
     it is too long. PR 49388.  [Stefan Fritsch]

  *) vhosts: Do not allow _default_ in NameVirtualHost, or mixing *
     and non-* ports on NameVirtualHost, or multiple NameVirtualHost
     directives for the same address:port, or NameVirtualHost
     directives with no matching VirtualHosts, or multiple ip-based
     VirtualHost sections for the same address:port.  These were
     previously accepted with a warning, but the behavior was
     undefined.  [Dan Poirier]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_remoteip: Fix a segfault when using mod_remoteip in conjunction with
     Allow/Deny. PR 49838.  [Andrew Skalski <voltara gmail.com>]

  *) core: DirectoryMatch can now match on the end of line character ($),
     and sub-directories of matched directories are no longer implicitly
     matched.  PR49809 [Eric Covener]
  *) Regexps: introduce new higher-level regexp utility including parsing
     and executing perl-style regexp ops (e.g s/foo/bar/i) and regexp memory
     [Nick Kew]

Changes with Apache 2.3.8

  *) suexec: Support large log files. PR 45856. [Stefan Fritsch]

  *) core: Abort with sensible error message if no or more than one MPM is
     loaded. [Stefan Fritsch]

  *) mod_proxy: Rename erroronstatus to failonstatus.
     [Daniel Ruggeri <DRuggeri primary.net>]
  *) mod_dav_fs: Fix broken "creationdate" property.
     Regression in version 2.3.7. [Rainer Jung]

Changes with Apache 2.3.7

  *) SECURITY: CVE-2010-1452 (cve.mitre.org)
     mod_dav, mod_cache, mod_session: Fix Handling of requests without a path 
     segment. PR: 49246 [Mark Drayton, Jeff Trawick]

  *) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076.
     [Stefan Fritsch]

  *) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639.
     [Stefan Fritsch]

  *) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers
     via leveraging 100-Continue as the initial "request".
     [Jim Jagielski]

  *) core/mod_authz_core: Introduce new access_checker_ex hook that enables
     mod_authz_core to bypass authentication if access should be allowed by
     IP address/env var/... [Stefan Fritsch]
 
  *) core: Introduce note_auth_failure hook to allow modules to add support
     for additional auth types. This makes ap_note_auth_failure() work with
     mod_auth_digest again. PR 48807. [Stefan Fritsch]

  *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]

Nick Kew's avatar
Nick Kew committed
  *) mod_authn_cache: new module [Nick Kew]

  *) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]

  *) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]
Rainer Jung's avatar
Rainer Jung committed
  *) mod_rewrite: Allow to set environment variables without explicitly
  *) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung]

  *) mod_include: recognise "text/html; parameters" as text/html
     PR 49616 [Andrey Chernov <ache nagual.pp.ru>]

Nick Kew's avatar
Nick Kew committed
  *) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH
     PR 43906 [Nick Kew]

  *) Core: Extra robustness: don't try authz and segfault if authn
     fails to set r->user.  Log bug and return 500 instead.
     PR 42995 [Nick Kew]

  *) HTTP protocol filter: fix handling of longer chunk extensions
     PR 49474 [<tee.bee gmx.de>]

  *) Update SSL cipher suite and add example for SSLHonorCipherOrder.
     [Lars Eilebrecht, Rainer Jung]

  *) move AddOutputFilterByType from core to mod_filter.  This should
     fix nasty side-effects that happen when content_type is set
     more than once in processing a request, and make it fully
     compatible with dynamic and proxied contents. [Nick Kew]

Rainer Jung's avatar
Rainer Jung committed
  *) mod_log_config: Implement logging for sub second timestamps and
     request end time.  [Rainer Jung]

William A. Rowe Jr's avatar
William A. Rowe Jr committed
  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola <niku.toivola sulake.com>]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]

  *) core: Filter init functions are now run strictly once per request
     before handler invocation.  The init functions are no longer run
     for connection filters.  PR 49328.  [Joe Orton]

  *) core: Adjust the output filter chain correctly in an internal
     redirect from a subrequest, preserving filters from the main
     request as necessary.  PR 17629.  [Joe Orton]

  *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
     Response if they so choose to do so. Previously an attempt to cache a 206
     was arbitrarily allowed if the response contained an Expires or
     Cache-Control header, and arbitrarily denied if both headers were missing.
     [Graham Leggett]

  *) core: Add microsecond timestamp fractions, process id and thread id
     to the error log. [Rainer Jung]

Rainer Jung's avatar
Rainer Jung committed
  *) configure: The "most" module set gets build by default.  [Rainer Jung]

  *) configure: Building dynamic modules (DSO) by default.  [Rainer Jung]

  *) configure: Fix broken VPATH build when using included APR.
     [Rainer Jung]

  *) mod_session_crypto: Fix configure problem when building
     with APR 2 and for VPATH builds with included APR.
     [Rainer Jung]

Loading full blame...