Newer
Older
*) SECURITY: CVE-2011-3348 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
recognized. [Jean-Frederic Clere]
*) SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Fix handling of byte-range requests to use less memory, to avoid
denial of service. If the sum of all ranges in a request is larger than
the original file, ignore the ranges and send the complete file.
William A. Rowe Jr
committed
PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
<lowprio20 gmail.com>]
Stefan Fritsch
committed
*) core, mod_actions, mod_asis: Downgrade error log messages which accompany
a 404 request status from loglevel error to info. PR: 35768. [Stefan
Fritsch]
Stefan Fritsch
committed
*) core: Fix hook sorting with perl modules. PR: 45076. [Torsten Foertsch
<torsten foertsch gmx net>]
*) core: Enforce LimitRequestFieldSize after multiple headers with the same
name have been merged. [Stefan Fritsch]
*) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory
usage. PR 51618. [Cristian Rodríguez <crrodriguez opensuse org>,
Stefan Fritsch]
*) mod_ssl: At startup, when checking a server certificate whether it
matches the configured ServerName, also take dNSName entries in the
subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand]
*) mod_substitute: Reduce memory usage and copying of data. PR 50559.
[Stefan Fritsch]
*) mod_ssl/proxy: enable the SNI extension for backend TLS connections
[Kaspar Brand]
*) Add wrappers for malloc, calloc, realloc that check for out of memory
situations and use them in many places. PR 51568, PR 51569, PR 51571.
[Stefan Fritsch]
*) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is
false but RLIMIT_* are defined. PR51371. [Eric Covener]
*) core: Correctly obey ServerName / ServerAlias if the Host header from the
request matches the VirtualHost address.
PR 51709. [Micha Lenk <micha lenk.info>]
*) mod_unique_id: Use random number generator to initialize counter.
PR 45110. [Stefan Fritsch]
*) core: Add convenience API for apr_random. [Stefan Fritsch]
*) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control
the number of overlapping and reversing ranges (respectively) permitted
before returning the entire resource, with a default limit of 20.
[Jim Jagielski]
*) mod_ldap: Optional function uldap_ssl_supported(r) always returned false
if called from a virtual host with mod_ldap directives in it. Did not
affect mod_authnz_ldap's usage of mod_ldap. [Eric Covener]
*) mod_filter: Instead of dropping the Accept-Ranges header when a filter
registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
set the header value to "none". [Eric Covener, Ruediger Pluem]
*) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
in the case Ranges are being ignored with MaxRanges none.
[Eric Covener]
*) mod_ssl: revamp CRL-based revocation checking when validating
certificates of clients or proxied servers. Completely delegate
CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck
directive for controlling the revocation checking mode. [Kaspar Brand]
*) core: Add MaxRanges directive to control the number of ranges permitted
before returning the entire resource, with a default limit of 200.
[Eric Covener]
*) mod_cache: Ensure that CacheDisable can correctly appear within
a LocationMatch. [Graham Leggett]
*) mod_cache: Fix the moving of the CACHE filter, which erroneously
stood down if the original filter was not added by configuration.
[Graham Leggett]
*) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]
*) mod_authz_groupfile: Increase length limit of lines in the group file to
16MB. PR 43084. [Stefan Fritsch]
*) core: Increase length limit of lines in the configuration file to 16MB.
PR 45888. PR 50824. [Stefan Fritsch]
*) core: Add API for resizable buffers. [Stefan Fritsch]
Eric Covener
committed
*) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have
LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such
as Tivoli Directory Server 6.3 and later. [Eric Covener]
*) mod_ldap: Change default number of retries from 10 to 3, and add
Eric Covener
committed
an LDAPRetries and LDAPRetryDelay directives. [Eric Covener]
*) mod_authnz_ldap: Don't retry during authentication, because this just
multiplies the ample retries already being done by mod_ldap. [Eric Covener]
*) configure: Allow to explicitly disable modules even with module selection
'reallyall'. [Stefan Fritsch]
*) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
RewriteEngine is disabled in server context, avoiding a crash while
referencing the invalid int: map at runtime. PR 50994.
[Ben Noordhuis <info noordhuis nl>]
*) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]
*) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
*) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
[Kaspar Brand]
*) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the
cookie is set when modules such as mod_rewrite trigger a redirect. Also
use r->err_headers_out for the cookie, for the same reason. PR29755.
[Sami J. Mäkinen <sjm almamedia fi>, Eric Covener]
Stefan Fritsch
committed
*) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and
'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch]
Stefan Fritsch
committed
*) configure: Enable ldap modules in 'all' and 'most' selections if ldap
is compiled into apr-util. [Stefan Fritsch]
*) core: Add ap_check_cmd_context()-check if a command is executed in
.htaccess file. [Stefan Fritsch]
*) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.
[Torsten Foertsch <torsten foertsch gmx net>]
*) mod_authn_socache: Fix to work in .htaccess if not configured anywhere
in httpd.conf, and introduce an AuthnCacheEnable directive.
PR 51991 [Nick Kew]
*) mod_proxy_ajp: Improve trace logging. [Rainer Jung]
*) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets.
[Rainer Jung]
*) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse,
e.g. to reverse proxy "Location: https://other-internal-server/login"
[Nick Kew]
*) prefork, worker, event: Make sure crashes are logged to the error log if
httpd has already detached from the console. [Stefan Fritsch]
Stefan Fritsch
committed
*) prefork, worker, event: Reduce period during startup/restart where a
successive signal may be lost. PR 43696. [Arun Bhalla <arun shme net>]
*) mod_allowmethods: Correct Merging of "reset" and do not allow an
empty parameter list for the AllowMethods directive. [Rainer Jung]
*) configure: Update selection of modules for 'all' and 'most'. 'all' will
now enable all modules except for example and test modules. Make the
selection for 'most' more useful (including ssl and proxy). Both 'all'
and 'most' will now disable modules if dependencies are missing instead
of aborting. If a specific module is requested with --enable-XXX=yes,
missing dependencies will still cause configure to exit with an error.
[Stefan Fritsch]
*) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done
in 2.3.13. [Stefan Fritsch]
*) core: For '*' or '_default_' vhosts, use a wildcard address of any
address family, rather than IPv4 only. [Joe Orton]
*) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable
include [ ] for literal IPv6 addresses, as mandated by RFC 3875.
PR 26005. [Stefan Fritsch]
*) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203.
[Nagae Hidetake <nagae eagan jp>]
*) core: Add more logging to ap_scan_script_header_err* functions. Add
ap_scan_script_header_err*_ex functions that take a module index for
logging.
mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the
new functions in order to make logging configurable per-module.
[Stefan Fritsch]
*) mod_dir: Add DirectoryIndexRedirect to send an external redirect to
the proper index. [Eric Covener]
*) mod_deflate: Don't try to compress requests with a zero sized body.
PR 51350. [Stefan Fritsch]
*) core: Fix startup on IP6-only systems. PR 50592. [Joe Orton,
<root linkage white-void net>]
*) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX,
REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the
whitelist in suexec. PR 51499. [Graham Laverty <graham reg ca>,
Stefan Fritsch]
*) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch]
*) mod_log_debug: New module that allows to log custom messages at various
phases in the request processing. [Stefan Fritsch]
*) mod_ssl: Add some debug logging when loading server certificates.
PR 37912. [Nick Burch <nick burch alfresco com>]
*) configure: Support reallyall option also for --enable-mods-static.
[Rainer Jung]
*) mod_socache_dc: add --with-distcache to configure for choosing
the distcache installation directory. [Rainer Jung]
*) mod_socache_dc: use correct build variable MOD_SOCACHE_DC_LDADD
instead of MOD_SOCACHE_LDADD in build macro. [Rainer Jung]
*) mod_lua, mod_deflate: respect platform specific runpath linker
flag. [Rainer Jung]
*) configure: Only link the httpd binary against PCRE. No other support
binary needs PCRE. [Rainer Jung]
*) configure: tolerate dependency checking failures for modules if
they have been enabled implicitely. [Rainer Jung]
*) configure: Allow to specify module specific custom linker flags via
the MOD_XXX_LDADD variables. [Rainer Jung]
*) ab: Support specifying the local address to use. PR 48930.
[Peter Schuller <scode spotify com>]
*) core: Add support to ErrorLogFormat for logging the system unique
thread id under Linux. [Stefan Fritsch]
*) event: New AsyncRequestWorkerFactor directive to influence how many
connections will be accepted per process. [Stefan Fritsch]
Stefan Fritsch
committed
*) prefork, worker, event: Rename MaxClients to MaxRequestWorkers which
describes more accurately what it does. [Stefan Fritsch]
*) rotatelogs: Add -p argument to specify custom program to invoke
after a log rotation. PR 51285. [Sven Ulland <sveniu ifi.uio.no>,
*) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand]
*) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0.
PR 48215. [Kaspar Brand]
*) mod_status: Display information about asynchronous connections in the
server-status. PR 44377. [Stefan Fritsch]
*) mpm_event: If the number of connections of a process is very high, or if
all workers are busy, don't accept new connections in that process.
[Stefan Fritsch]
*) mpm_event: Process lingering close asynchronously instead of tying up
worker threads. [Jeff Trawick, Stefan Fritsch]
*) mpm_event: If MaxMemFree is set, limit the number of pools that is kept
around. [Stefan Fritsch]
*) mpm_event: Fix graceful restart aborting connections. PR 43359.
[Takashi Sato <takashi lans-tv com>]
*) mod_ssl: Disable AECDH ciphers in example config. PR 51363.
[Rob Stradling <rob comodo com>]
*) core: Introduce new function ap_get_conn_socket() to access the socket of
a connection. [Stefan Fritsch]
*) mod_data: Introduce a filter to support RFC2397 data URLs. [Graham
Leggett]
*) mod_userdir/mod_alias/mod_vhost_alias: Correctly set DOCUMENT_ROOT,
CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX. PR 26052. PR 46198.
[Stefan Fritsch]
*) core: Allow to override document_root on a per-request basis. Introduce
new context_document_root and context_prefix which provide information
about non-global URI-to-directory mappings (from e.g. mod_userdir or
mod_alias) to scripts. PR 49705. [Stefan Fritsch]
Stefan Fritsch
committed
*) core: Add <ElseIf> and <Else> to complement <If> sections.
[Stefan Fritsch]
*) mod_ext_filter: Remove DebugLevel option in favor of per-module loglevel.
[Stefan Fritsch]
*) mod_include: Make the "#if expr" element use the new "ap_expr" expression
parser. The old parser can still be used by setting the new directive
SSILegacyExprParser. [Stefan Fritsch]
*) core: Add some features to ap_expr for use by mod_include: a restricted
mode that does not allow to bypass request access restrictions; new
variables DOCUMENT_URI (alias for REQUEST_URI), LAST_MODIFIED; -A as an
alias for -U; an additional data entry in ap_expr_eval_ctx_t for use by
the consumer; an extensible ap_expr_exec_ctx() API that allows to use that
data entry. [Stefan Fritsch]
*) mod_include: Merge directory configs instead of one SSI* config directive
causing all other per-directory SSI* config directives to be reset.
[Stefan Fritsch]
*) mod_charset_lite: Remove DebugLevel option in favour of per-module
loglevel. [Stefan Fritsch]
*) core: Add ap_regexec_len() function that works with non-null-terminated
strings. PR 51231. [Yehezkel Horowitz <horowity checkpoint com>]
*) mod_authnz_ldap: If the LDAP server returns constraint violation,
don't treat this as an error but as "auth denied". [Stefan Fritsch]
*) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO
for SCGI/FCGI. PR 50880, 50851. [Mark Montague <mark catseye.org>,
Jim Jagielski]
*) mod_cache: When content is served stale, and there is no means to
revalidate the content using ETag or Last-Modified, and we have
mandated no stale-on-error behaviour, stand down and don't cache.
Saves a cache write that will never be read.
[Graham Leggett]
*) mod_reqtimeout: Fix a timed out connection going into the keep-alive
state after a timeout when discarding a request body. PR 51103.
[Stefan Fritsch]
*) core: Add various file existance test operators to ap_expr.
[Stefan Fritsch]
*) mod_proxy_express: New mass reverse-proxy switch extension for
mod_proxy. [Jim Jagielski]
*) configure: Fix script error when configuring module set "reallyall".
[Rainer Jung]
*) configure, core: Provide easier support for APR's hook probe
capability. [Jim Jagielski, Jeff Trawick]
*) Silence autoconf 2.68 warnings. [Rainer Jung]
*) mod_authnz_ldap: Resolve crash when LDAP is used for authorization only
[Scott Hill <shill genscape.com>]
*) support: Make sure check_forensic works with mod_unique_id loaded
[Joe Schaefer]
*) Add child_status hook for tracking creation/termination of MPM child
processes. Add end_generation hook for notification when the last
MPM child of a generation exits. [Jeff Trawick]
*) mod_ldap: Make LDAPSharedCacheSize 0 create a non-shared-memory cache per
process as opposed to disabling caching completely. This allows to use
the non-shared-memory cache as a workaround for the shared memory cache
not being available during graceful restarts. PR 48958. [Stefan Fritsch]
*) Add new ap_reserve_module_slots/ap_reserve_module_slots_directive API,
necessary if a module (like mod_perl) registers additional modules late
in the startup phase. [Stefan Fritsch]
*) core: Prevent segfault if DYNAMIC_MODULE_LIMIT is reached. PR 51072.
[Torsten Förtsch <torsten foertsch gmx net>]
*) WinNT MPM: Improve robustness under heavy load. [Jeff Trawick]
*) MinGW build improvements. PR 49535. [John Vandenberg
*) core: Support module names with colons in loglevel configuration.
[Torsten Förtsch <torsten foertsch gmx net>]
*) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
[Stefan Fritsch]
*) core: Abort if the MPM is changed across restart. [Jeff Trawick]
*) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
[Peter Pramberger <peter pramberger.at>, Jim Jagielski]
*) mod_proxy_fcgi: Add support for 'ProxyErrorOverride on'. PR 50913.
[Mark Montague <mark catseye.org>, Jim Jagielski]
*) core: Change the APIs of ap_cfg_getline() and ap_cfg_getc() to return an
error code. Abort with a nice error message if a config line is too long.
Partial fix for PR 50824. [Stefan Fritsch]
*) mod_info: Dump config to stdout during startup if -DDUMP_CONFIG is
specified. PR 31956. [Stefan Fritsch]
*) Restore visibility of DEFAULT_PIDLOG to core and modules. MPM
helper function ap_remove_pid() added. [Jeff Trawick]
*) Enable DEFAULT_REL_RUNTIMEDIR on Windows and NetWare. [various]
*) Correct C++ incompatibility with http_log.h. [Stefan Fritsch, Jeff
Trawick]
*) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch
<torsten.foertsch gmx.net>]
Daniel Earl Poirier
committed
*) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
in request URL path info but not decode them. Change behavior of option
"On" to decode the encoded slashes as 2.0 and 2.2 do. PR 35256,
PR 46830. [Dan Poirier]
*) mod_ssl: Check SNI hostname against Host header case-insensitively.
PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>]
*) mod_ldap: Add LDAPConnectionPoolTTL to give control over lifetime
of bound backend LDAP connections. PR47634 [Eric Covener]
*) mod_cache: Make CacheEnable and CacheDisable configurable per
directory in addition to per server, making them work from within
a LocationMatch. [Graham Leggett]
*) worker, event, prefork: Correct several issues when built as
DSOs; most notably, the scoreboard was reinitialized during graceful
restart, such that processes of the previous generation were not
observable. [Jeff Trawick]
*) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
Win32's cscript interpreter can only use a single quote as comment char.
[Guenter Knauf]
*) mod_proxy: balancer-manager now uses POST instead of GET.
[Jim Jagielski]
*) core: new util function: ap_parse_form_data(). Previously,
this capability was tucked away in mod_request. [Jim Jagielski]
*) core: new hook: ap_run_pre_read_request. [Jim Jagielski]
*) mod_cache: When a request other than GET or HEAD arrives, we must
invalidate existing cache entities as per RFC2616 13.10. PR 15868.
[Graham Leggett]
Stefan Fritsch
committed
*) modules: Fix many modules that were not correctly initializing if they
were not active during server startup but got enabled later during a
graceful restart. [Stefan Fritsch]
*) core: Create new ap_state_query function that allows modules to determine
if the current configuration run is the initial one at server startup,
and if the server is started for testing/config dumping only.
[Stefan Fritsch]
*) mod_proxy: Runtime configuration of many parameters for existing
balancers via the balancer-manager. [Jim Jagielski]
*) mod_proxy: Runtime addition of new workers (BalancerMember) for existing
balancers via the balancer-manager. [Jim Jagielski]
*) mod_cache: When a bad Expires date is present, we need to behave as if
the Expires is in the past, not as if the Expires is missing. PR 16521.
[Co-Advisor <coad@measurement-factory.com>]
*) mod_cache: We must ignore quoted-string values that appear in a
Cache-Control header. PR 50199. [Graham Leggett]
*) mod_dav: Revert change to send 501 error if unknown Content-* header is
received for a PUT request. PR 42978. [Stefan Fritsch]
*) mod_cache: Respect s-maxage as described by RFC2616 14.9.3, which must
take precedence if present. PR 35247. [Graham Leggett]
*) mod_ssl: Fix a possible startup failure if multiple SSL vhosts
are configured with the same ServerName and private key file.
[Masahiro Matsuya <mmatsuya redhat.com>, Joe Orton]
*) mod_socache_dc: Make module compile by fixing some typos.
PR 50735 [Mark Montague <mark catseye.org>]
*) prefork: Update MPM state in children during a graceful stop or
restart. PR 41743. [Andrew Punch <andrew.punch 247realmedia.com>]
*) mod_mime: Ignore leading dots when looking for mime extensions.
PR 50434 [Stefan Fritsch]
*) core: Add support to set variables with the 'Define' directive. The
variables that can then be used in the config using the ${VAR} syntax
known from envvar interpolation. [Stefan Fritsch]
*) mod_proxy_http: make adding of X-Forwarded-* headers configurable.
ProxyAddHeaders defaults to On. [Vincent Deffontaines]
*) mod_slotmem_shm: Increase memory alignment for slotmem data.
[Rainer Jung]
*) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout,
SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew.
[Kaspar Brand <httpd-dev.2011 velox.ch>]
*) mod_ssl: Revamp output buffering to reduce network overhead for
output fragmented into many buckets, such as chunked HTTP responses.
Stefan Fritsch
committed
*) core: Apply <If> sections to all requests, not only to file base requests.
Allow to use <If> inside <Directory>, <Location>, and <Files> sections.
The merging of <If> sections now happens after the merging of <Location>
sections, even if an <If> section is embedded inside a <Directory> or
<Files> section. [Stefan Fritsch]
*) mod_proxy: Refactor usage of shared data by dropping the scoreboard
and using slotmem. Create foundation for dynamic growth/changes of
members within a balancer. Remove BalancerNonce in favor of a
per-balancer 'nonce' parameter. [Jim Jagielski]
*) mod_status: Don't show slots which are disabled by MaxClients as open.
PR: 47022 [Jordi Prats <jordi prats gmail com>, Stefan Fritsch]
*) mpm_prefork: Fix ap_mpm_query results for AP_MPMQ_MAX_DAEMONS and
AP_MPMQ_MAX_THREADS.
*) mod_authz_core: Fix bug in merging logic if user-based and non-user-based
authorization directives were mixed. [Stefan Fritsch]
*) mod_authn_socache: change directive name from AuthnCacheProvider
to AuthnCacheProvideFor. The term "provider" is overloaded in
this module, and we should avoid confusion between the provider
of a backend (AuthnCacheSOCache) and the authn provider(s) for
which this module provides cacheing (AuthnCacheProvideFor).
[Nick Kew]
*) mod_proxy_http: Allocate the fake backend request from a child pool
of the backend connection, instead of misusing the pool of the frontend
request. Fixes a thread safety issue where buckets set aside in the
backend connection leak into other threads, and then disappear when
the frontend request is cleaned up, in turn causing corrupted buckets
to make other threads spin. [Graham Leggett]
*) mod_ssl: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
escape other special characters with backslashes. The old format can
still be used with the LegacyDNStringFormat argument to SSLOptions.
*) core, mod_rewrite: Make the REQUEST_SCHEME variable available to
scripts and mod_rewrite. [Stefan Fritsch]
*) mod_rewrite: Allow to use arbitrary boolean expressions (ap_expr) in
RewriteCond. [Stefan Fritsch]
*) mod_rewrite: Allow to unset environment variables using E=!VAR.
PR 49512. [Mark Drayton <mark markdrayton info>, Stefan Fritsch]
*) mod_headers: Restore the 2.3.8 and earlier default for the first
argument of the Header directive ("onsuccess"). [Eric Covener]
*) core: Disallow the mixing of relative and absolute Options PR 33708.
[Sönke Tesch <st kino-fahrplan.de>]
Stefan Fritsch
committed
*) core: When exporting request headers to HTTP_* environment variables,
drop variables whose names contain invalid characters. Describe in the
docs how to restore the old behaviour. [Malte S. Stretz <mss apache org>]
*) core: When selecting an IP-based virtual host, favor an exact match for
the port over a wildcard (or omitted) port instead of favoring the one
that came first in the configuration file. [Eric Covener]
*) core: Overlapping virtual host address/port combinations now implicitly
Eric Covener
committed
enable name-based virtual hosting for that address. The NameVirtualHost
directive has no effect, and _default_ is interpreted the same as "*".
Eric Covener
committed
[Eric Covener]
*) core: In the absence of any Options directives, the default is now
"FollowSymlinks" instead of "All". [Igor GaliÄ]
*) rotatelogs: Add -e option to write logs through to stdout for optional
further processing. [Graham Leggett]
*) mod_ssl: Correctly read full lines in input filter when the line is
incomplete during first read. PR 50481. [Ruediger Pluem]
Stefan Fritsch
committed
*) mod_authz_core: Add AuthzSendForbiddenOnFailure directive to allow
sending '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if authorization
fails for an authenticated user. PR 40721. [Stefan Fritsch]
*) mod_rewrite: Don't implicitly URL-escape the original query string
when no substitution has changed it. PR 50447. [Eric Covener]
*) core: Honor 'AcceptPathInfo OFF' during internal redirects,
such as per-directory mod_rewrite substitutions. PR 50349.
[Eric Covener]
*) mod_rewrite: Add 'RewriteOptions InheritBefore' to put the base
Eric Covener
committed
rules/conditions before the overridden rules/conditions. PR 39313.
[Jérôme Grandjanny <jerome.grandjanny cea.fr>]
*) mod_autoindex: add IndexIgnoreReset to reset the list of IndexIgnored
filenames in higher precedence configuration sections. PR 24243.
[Eric Covener]
*) mod_cgid: RLimit* directive support for mod_cgid. PR 42135
[Eric Covener]
*) core: Fail startup when the argument to ServerName looks like a glob
or a regular expression instead of a hostname (*?[]). PR 39863
[Rahul Nair <rahul.g.nair gmail.com>]
*) mod_userdir: Add merging of enable, disable, and filename arguments
to UserDir directive, leaving enable/disable of userlists unmerged.
Eric Covener
committed
*) httpd: When no -k option is provided on the httpd command line, the server
was starting without checking for an existing pidfile. PR 50350
[Eric Covener]
*) mod_proxy: Put the worker in error state if the SSL handshake with the
backend fails. PR 50332.
[Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
*) mod_cache_disk: Fix Windows build which was broken after renaming
the module. [Gregg L. Smith]
Stefan Fritsch
committed
*) SECURITY: CVE-2010-1623 (cve.mitre.org)
Fix a denial of service attack against mod_reqtimeout.
[Stefan Fritsch]
*) mod_headers: Change default first argument of Header directive
from "onsuccess" to "always". [Eric Covener]
*) mod_include: Add the onerror attribute to the include element,
allowing an URL to be specified to include on error. [Graham
Leggett]
*) mod_cache_disk: mod_disk_cache renamed to mod_cache_disk, to be
consistent with the naming of other modules. [Graham Leggett]
*) mod_setenvif: Add SetEnvIfExpr directive to set env var depending on
expression. [Stefan Fritsch]
*) mod_proxy: Fix ProxyPassInterpolateEnv directive. PR 50292.
[Stefan Fritsch]
*) suEXEC: Add Suexec directive to disable suEXEC without renaming the
binary (Suexec Off), or force startup failure if suEXEC is required
but not supported (Suexec On). Change SuexecUserGroup to fail
startup instead of just printing a warning if suEXEC is disabled.
[Jeff Trawick]
*) core: Add Error directive for aborting startup or htaccess processing
with a specified error message. [Jeff Trawick]
*) mod_rewrite: Fix the RewriteEngine directive to work within a
location. Previously, once RewriteEngine was switched on globally,
it was impossible to switch off. [Graham Leggett]
Stefan Fritsch
committed
*) core, mod_include, mod_ssl: Move the expression parser derived from
mod_include back into mod_include. Replace ap_expr with a parser
derived from mod_ssl's parser. Make mod_ssl use the new parser. Rework
ap_expr's public interface and provide hooks for modules to add variables
and functions. [Stefan Fritsch]
*) core: Do the hook sorting earlier so that the hooks are properly sorted
for the pre_config hook and during parsing the config. [Stefan Fritsch]
Eric Covener
committed
*) core: In the absence of any AllowOverride directives, the default is now
"None" instead of "All". PR49823 [Eric Covener]
*) mod_proxy: Don't allow ProxyPass or ProxyPassReverse in
<Directory> or <Files>. PR47765 [Eric Covener]
*) prefork/worker/event MPMS: default value (when no directive is present)
of MaxConnectionsPerChild/MaxRequestsPerChild is changed to 0 from 10000
to match default configuration and manual. PR47782 [Eric Covener]
*) proxy_connect: Don't give up in the middle of a CONNECT tunnel
when the child process is starting to exit. PR50220. [Eric Covener]
*) mod_autoindex: Fix inheritance of mod_autoindex directives into
Eric Covener
committed
contexts that don't have any mod_autoindex directives. PR47766.
[Eric Covener]
*) mod_rewrite: Add END flag for RewriteRule to prevent further rounds
of rewrite processing when a per-directory substitution occurs.
[Eric Covener]
*) mod_ssl: Make sure to always log an error if loading of CA certificates
fails. PR 40312. [Paul Tiemann <issues apache org ourdetour com>]
*) mod_dav: Send 501 error if unknown Content-* header is received for a PUT
request (RFC 2616 9.6). PR 42978. [Stefan Fritsch]
*) mod_dav: Send 400 error if malformed Content-Range header is received for
a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]
*) mod_proxy: Release the backend connection as soon as EOS is detected,
so the backend isn't forced to wait for the client to eventually
acknowledge the data. [Graham Leggett]
*) mod_proxy: Optimise ProxyPass within a Location so that it is stored
per-directory, and chosen during the location walk. Make ProxyPass
work correctly from within a LocationMatch. [Graham Leggett]
*) core: Fix segfault if per-module LogLevel is on virtual host
scope. PR 50117. [Stefan Fritsch]
Graham Leggett
committed
*) mod_proxy: Move the ProxyErrorOverride directive to have per
directory scope. [Graham Leggett]
*) mod_allowmethods: New module to deny certain HTTP methods without
interfering with authentication/authorization. [Paul Querna,
Igor GaliÄ, Stefan Fritsch]
*) mod_ssl: Log certificate information and improve error message if client
cert verification fails. PR 50093, PR 50094. [Lassi Tuura <lat cern ch>,
Stefan Fritsch]
*) htcacheclean: Teach htcacheclean to limit cache size by number of
inodes in addition to size of files. Prevents a cache disk from
running out of space when many small files are cached.
[Graham Leggett]
*) core: Rename MaxRequestsPerChild to MaxConnectionsPerChild, which
describes more accurately what the directive does. The old name
still works but logs a warning. [Stefan Fritsch]
*) mod_cache: Optionally serve stale data when a revalidation returns a
5xx response, controlled by the CacheStaleOnError directive.
[Graham Leggett]
*) htcacheclean: Allow the listing of valid URLs within the cache, with
the option to list entry metadata such as sizes and times. [Graham
Leggett]
*) mod_cache: correctly parse quoted strings in cache headers.
PR 50199 [Nick Kew]
*) mod_cache: Allow control over the base URL of reverse proxied requests
using the CacheKeyBaseURL directive, so that the cache key can be
calculated from the endpoint URL instead of the server URL. [Graham
Leggett]
*) mod_cache: CacheLastModifiedFactor, CacheStoreNoStore, CacheStorePrivate,
CacheStoreExpired, CacheIgnoreNoLastMod, CacheDefaultExpire,
CacheMinExpire and CacheMaxExpire can be set per directory/location.
[Graham Leggett]
*) mod_disk_cache: CacheMaxFileSize, CacheMinFileSize, CacheReadSize and
CacheReadTime can be set per directory/location. [Graham Leggett]
*) core: Speed up config parsing if using a very large number of config
files. PR 50002 [andrew cloudaccess net]
*) mod_cache: Support the caching of HEAD requests. [Graham Leggett]
*) htcacheclean: Allow the option to round up file sizes to a given
block size, improving the accuracy of disk usage. [Graham Leggett]
Stefan Fritsch
committed
*) mod_ssl: Add authz providers for use with mod_authz_core and its
RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL),
'ssl-verify-client' (for use with 'SSLVerifyClient optional'), and
'ssl-require' (expressions with same syntax as SSLRequire).
[Stefan Fritsch]
Stefan Fritsch
committed
*) mod_ssl: Make the ssl expression parser thread-safe. It now requires
bison instead of yacc. [Stefan Fritsch]
*) mod_disk_cache: Change on-disk header file format to support the
link of the device/inode of the data file to the matching header
file, and to support the option of not writing a data file when
the data file is empty. [Graham Leggett]
Stefan Fritsch
committed
*) core/mod_unique_id: Add generate_log_id hook to allow to use
the ID generated by mod_unique_id as error log ID for requests.
[Stefan Fritsch]
Stefan Fritsch
committed
*) mod_cache: Make sure that we never allow a 304 Not Modified response
that we asked for to leak to the client should the 304 response be
uncacheable. PR45341 [Graham Leggett]
*) mod_cache: Add the cache_status hook to register the final cache
decision hit/miss/revalidate. Add optional support for an X-Cache
and/or an X-Cache-Detail header to add the cache status to the
response. PR48241 [Graham Leggett]
*) mod_authz_host: Add 'local' provider that matches connections originating
on the local host. PR 19938. [Stefan Fritsch]
*) Event MPM: Fix crash accessing pollset on worker thread when child
process is exiting. [Jeff Trawick]
William A. Rowe Jr
committed
*) core: For process invocation (cgi, fcgid, piped loggers and so forth)
pass the system library path (LD_LIBRARY_PATH or platform-specific
variables) along with the system PATH, by default. Both should be
William A. Rowe Jr
committed
overridden together as desired using PassEnv etc; see mod_env.
[William Rowe]
*) mod_cache: Introduce CacheStoreExpired, to allow administrators to
capture a stale backend response, perform If-Modified-Since requests
against the backend, and serving from the cache all 304 responses.
This restores pre-2.2.4 cache behavior. [William Rowe]
*) mod_rewrite: Introduce <=, >= string comparison operators, and integer
comparators -lt, -le, -eq, -ge, and -gt. To help bash users and drop
the ambiguity of the symlink test "-ltest", introduce -h or -L as
symlink test operators. [William Rowe]
*) mod_cache: Give the cache provider the opportunity to choose to cache
or not cache based on the buckets present in the brigade, such as the
presence of a FILE bucket.
[Graham Leggett]
*) mod_authz_core: Allow authz providers to check args while reading the
config and allow to cache parsed args. Move 'all' and 'env' authz
providers from mod_authz_host to mod_authz_core. Add 'method' authz
provider depending on the HTTP method. [Stefan Fritsch]
*) mod_include: Move the request_rec within mod_include to be
exposed within include_ctx_t. [Graham Leggett]
*) mod_include: Reinstate support for UTF-8 character sets by allowing a
variable being echoed or set to be decoded and then encoded as separate
steps. PR47686 [Graham Leggett]
*) mod_cache: Add a discrete commit_entity() provider function within the
mod_cache provider interface which is called to indicate to the
provider that caching is complete, giving the provider the opportunity
to commit temporary files permanently to the cache in an atomic
fashion. Replace the inconsistent use of error cleanups with a formal
set of pool cleanups attached to a subpool, which is destroyed on error.
[Graham Leggett]
*) mod_cache: Change the signature of the store_body() provider function
within the mod_cache provider interface to support an "in" brigade
and an "out" brigade instead of just a single input brigade. This
gives a cache provider the option to consume only part of the brigade
passed to it, rather than the whole brigade as was required before.
This fixes an out of memory and a request timeout condition that would
occur when the original document was a large file. Introduce
CacheReadSize and CacheReadTime directives to mod_disk_cache to control
the amount of data to attempt to cache at a time. [Graham Leggett]
Stefan Fritsch
committed
*) core: Add ErrorLogFormat to allow configuring error log format, including
additional information that is logged once per connection or request. Add
error log IDs for connections and request to allow correlating error log
lines and the corresponding access log entry. [Stefan Fritsch]
Stefan Fritsch
committed
*) core: Disable sendfile by default. [Stefan Fritsch]
*) mod_cache: Check the request to determine whether we are allowed
to return cached content at all, and respect a "Cache-Control:
no-cache" header from a client. Previously, "no-cache" would
behave like "max-age=0". [Graham Leggett]
*) mod_cache: Use a proper filter context to hold filter data instead
of misusing the per-request configuration. Fixes a segfault on trunk
when the normal handler is used. [Graham Leggett]
*) mod_cgid: Log a warning if the ScriptSock path is truncated because
it is too long. PR 49388. [Stefan Fritsch]
*) vhosts: Do not allow _default_ in NameVirtualHost, or mixing *
and non-* ports on NameVirtualHost, or multiple NameVirtualHost
directives for the same address:port, or NameVirtualHost
directives with no matching VirtualHosts, or multiple ip-based
VirtualHost sections for the same address:port. These were
previously accepted with a warning, but the behavior was
undefined. [Dan Poirier]
*) mod_remoteip: Fix a segfault when using mod_remoteip in conjunction with
Allow/Deny. PR 49838. [Andrew Skalski <voltara gmail.com>]
*) core: DirectoryMatch can now match on the end of line character ($),
and sub-directories of matched directories are no longer implicitly
matched. PR49809 [Eric Covener]
*) Regexps: introduce new higher-level regexp utility including parsing
and executing perl-style regexp ops (e.g s/foo/bar/i) and regexp memory
[Nick Kew]
*) Proxy: support setting source address. PR 29404
[Multiple contributors iterating through bugzilla,
Aron Ujvari <xanco nikhok.hu>, Aleksey Midenkov <asm uezku.kemsu.ru>,
<dan listening-station.net; trunk version Nick Kew]
*) HTTP protocol: return 400 not 503 if we have to abort due to malformed
chunked encoding. [Nick Kew]
*) suexec: Support large log files. PR 45856. [Stefan Fritsch]
*) core: Abort with sensible error message if no or more than one MPM is
loaded. [Stefan Fritsch]
*) mod_proxy: Rename erroronstatus to failonstatus.
[Daniel Ruggeri <DRuggeri primary.net>]
*) mod_dav_fs: Fix broken "creationdate" property.
Regression in version 2.3.7. [Rainer Jung]
Paul Querna
committed
*) SECURITY: CVE-2010-1452 (cve.mitre.org)
mod_dav, mod_cache, mod_session: Fix Handling of requests without a path
Paul Querna
committed
segment. PR: 49246 [Mark Drayton, Jeff Trawick]
Stefan Fritsch
committed
*) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076.
[Stefan Fritsch]
*) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639.
[Stefan Fritsch]
*) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers
via leveraging 100-Continue as the initial "request".
[Jim Jagielski]
*) core/mod_authz_core: Introduce new access_checker_ex hook that enables
mod_authz_core to bypass authentication if access should be allowed by
IP address/env var/... [Stefan Fritsch]
*) core: Introduce note_auth_failure hook to allow modules to add support
for additional auth types. This makes ap_note_auth_failure() work with
mod_auth_digest again. PR 48807. [Stefan Fritsch]
*) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]
*) mod_authn_socache: new module [Nick Kew]
*) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]
*) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]
*) mod_rewrite: Allow to set environment variables without explicitly
giving a value. [Rainer Jung]
*) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung]
*) mod_include: recognise "text/html; parameters" as text/html
PR 49616 [Andrey Chernov <ache nagual.pp.ru>]
*) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH
PR 43906 [Nick Kew]
*) Core: Extra robustness: don't try authz and segfault if authn
fails to set r->user. Log bug and return 500 instead.
PR 42995 [Nick Kew]
*) HTTP protocol filter: fix handling of longer chunk extensions
PR 49474 [<tee.bee gmx.de>]
*) Update SSL cipher suite and add example for SSLHonorCipherOrder.
[Lars Eilebrecht, Rainer Jung]
*) move AddOutputFilterByType from core to mod_filter. This should
fix nasty side-effects that happen when content_type is set
more than once in processing a request, and make it fully
compatible with dynamic and proxied contents. [Nick Kew]
*) mod_log_config: Implement logging for sub second timestamps and
request end time. [Rainer Jung]
Changes with Apache 2.3.6
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
attack when compiled against OpenSSL version 0.9.8m or later. Introduces
the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
and offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol, RFC 5746.
[Joe Orton, and with thanks to the OpenSSL Team]
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
by rejecting any client-initiated renegotiations. Forcibly disable
keepalive for the connection if there is any buffered data readable. Any
configuration which requires renegotiation for per-directory/location
access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
[Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
*) SECURITY: CVE-2010-0408 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
when request headers indicate a request body is incoming; not a case of
HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]
*) SECURITY: CVE-2010-0425 (cve.mitre.org)
mod_isapi: Do not unload an isapi .dll module until the request
processing is completed, avoiding orphaned callback pointers.
[Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
*) core: Filter init functions are now run strictly once per request
before handler invocation. The init functions are no longer run
for connection filters. PR 49328. [Joe Orton]
*) core: Adjust the output filter chain correctly in an internal