Skip to content
CHANGES 60 KiB
Newer Older
Paul Querna's avatar
Paul Querna committed

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.3.9

  *) mod_authz_host: Add 'local' provider that matches connections originating
     on the local host. PR 19938. [Stefan Fritsch]

  *) Event MPM: Fix crash accessing pollset on worker thread when child
     process is exiting.  [Jeff Trawick]

  *) core: For process invocation (cgi, fcgid, piped loggers and so forth)
     pass the system library path (LD_LIBRARY_PATH or platform-specific
     variables) along with the system PATH, by default.  Both should be 
     overridden together as desired using PassEnv etc; see mod_env.
     [William Rowe]

  *) mod_cache: Introduce CacheStoreExpired, to allow administrators to
     capture a stale backend response, perform If-Modified-Since requests
     against the backend, and serving from the cache all 304 responses.
     This restores pre-2.2.4 cache behavior.  [William Rowe]

  *) mod_rewrite: Introduce <=, >= string comparison operators, and integer
     comparators -lt, -le, -eq, -ge, and -gt.  To help bash users and drop
     the ambiguity of the symlink test "-ltest", introduce -h or -L as
     symlink test operators.  [William Rowe]

  *) mod_cache: Give the cache provider the opportunity to choose to cache
     or not cache based on the buckets present in the brigade, such as the
     presence of a FILE bucket.
     [Graham Leggett]

  *) mod_authz_core: Allow authz providers to check args while reading the
     config and allow to cache parsed args. Move 'all' and 'env' authz
     providers from mod_authz_host to mod_authz_core. Add 'method' authz
     provider depending on the HTTP method.  [Stefan Fritsch]
  *) mod_include: Move the request_rec within mod_include to be
     exposed within include_ctx_t. [Graham Leggett]

  *) mod_include: Reinstate support for UTF-8 character sets by allowing a
     variable being echoed or set to be decoded and then encoded as separate
     steps. PR47686 [Graham Leggett]

  *) mod_cache: Add a discrete commit_entity() provider function within the
     mod_cache provider interface which is called to indicate to the
     provider that caching is complete, giving the provider the opportunity
     to commit temporary files permanently to the cache in an atomic
     fashion. Replace the inconsistent use of error cleanups with a formal
     set of pool cleanups attached to a subpool, which is destroyed on error.
     [Graham Leggett]
  *) mod_cache: Change the signature of the store_body() provider function
     within the mod_cache provider interface to support an "in" brigade
     and an "out" brigade instead of just a single input brigade. This
     gives a cache provider the option to consume only part of the brigade
     passed to it, rather than the whole brigade as was required before.
     This fixes an out of memory and a request timeout condition that would
     occur when the original document was a large file. Introduce
     CacheReadSize and CacheReadTime directives to mod_disk_cache to control
     the amount of data to attempt to cache at a time. [Graham Leggett]
  *) core: Add ErrorLogFormat to allow configuring error log format, including
     additional information that is logged once per connection or request. Add
     error log IDs for connections and request to allow correlating error log
     lines and the corresponding access log entry. [Stefan Fritsch]
  *) core: Disable sendfile by default. [Stefan Fritsch]

  *) mod_cache: Check the request to determine whether we are allowed
     to return cached content at all, and respect a "Cache-Control:
     no-cache" header from a client. Previously, "no-cache" would
     behave like "max-age=0". [Graham Leggett]

  *) mod_cache: Use a proper filter context to hold filter data instead
     of misusing the per-request configuration. Fixes a segfault on trunk
     when the normal handler is used. [Graham Leggett]

  *) mod_cgid: Log a warning if the ScriptSock path is truncated because
     it is too long. PR 49388.  [Stefan Fritsch]

  *) vhosts: Do not allow _default_ in NameVirtualHost, or mixing *
     and non-* ports on NameVirtualHost, or multiple NameVirtualHost
     directives for the same address:port, or NameVirtualHost
     directives with no matching VirtualHosts, or multiple ip-based
     VirtualHost sections for the same address:port.  These were
     previously accepted with a warning, but the behavior was
     undefined.  [Dan Poirier]

Graham Leggett's avatar
Graham Leggett committed
  *) mod_remoteip: Fix a segfault when using mod_remoteip in conjunction with
     Allow/Deny. PR 49838.  [Andrew Skalski <voltara gmail.com>]

  *) core: DirectoryMatch can now match on the end of line character ($),
     and sub-directories of matched directories are no longer implicitly
     matched.  PR49809 [Eric Covener]
  *) Regexps: introduce new higher-level regexp utility including parsing
     and executing perl-style regexp ops (e.g s/foo/bar/i) and regexp memory
     [Nick Kew]

Changes with Apache 2.3.8

  *) suexec: Support large log files. PR 45856. [Stefan Fritsch]

  *) core: Abort with sensible error message if no or more than one MPM is
     loaded. [Stefan Fritsch]

  *) mod_proxy: Rename erroronstatus to failonstatus.
     [Daniel Ruggeri <DRuggeri primary.net>]
  *) mod_dav_fs: Fix broken "creationdate" property.
     Regression in version 2.3.7. [Rainer Jung]

Changes with Apache 2.3.7

  *) SECURITY: CVE-2010-1452 (cve.mitre.org)
     mod_dav, mod_cache, mod_session: Fix Handling of requests without a path 
     segment. PR: 49246 [Mark Drayton, Jeff Trawick]

  *) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076.
     [Stefan Fritsch]

  *) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639.
     [Stefan Fritsch]

  *) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers
     via leveraging 100-Continue as the initial "request".
     [Jim Jagielski]

  *) core/mod_authz_core: Introduce new access_checker_ex hook that enables
     mod_authz_core to bypass authentication if access should be allowed by
     IP address/env var/... [Stefan Fritsch]
 
  *) core: Introduce note_auth_failure hook to allow modules to add support
     for additional auth types. This makes ap_note_auth_failure() work with
     mod_auth_digest again. PR 48807. [Stefan Fritsch]

  *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]

Nick Kew's avatar
Nick Kew committed
  *) mod_authn_cache: new module [Nick Kew]

  *) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]

  *) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]
Rainer Jung's avatar
Rainer Jung committed
  *) mod_rewrite: Allow to set environment variables without explicitly
  *) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung]

  *) mod_include: recognise "text/html; parameters" as text/html
     PR 49616 [Andrey Chernov <ache nagual.pp.ru>]

Nick Kew's avatar
Nick Kew committed
  *) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH
     PR 43906 [Nick Kew]

  *) Core: Extra robustness: don't try authz and segfault if authn
     fails to set r->user.  Log bug and return 500 instead.
     PR 42995 [Nick Kew]

  *) HTTP protocol filter: fix handling of longer chunk extensions
     PR 49474 [<tee.bee gmx.de>]

  *) Update SSL cipher suite and add example for SSLHonorCipherOrder.
     [Lars Eilebrecht, Rainer Jung]

  *) move AddOutputFilterByType from core to mod_filter.  This should
     fix nasty side-effects that happen when content_type is set
     more than once in processing a request, and make it fully
     compatible with dynamic and proxied contents. [Nick Kew]

Rainer Jung's avatar
Rainer Jung committed
  *) mod_log_config: Implement logging for sub second timestamps and
     request end time.  [Rainer Jung]

William A. Rowe Jr's avatar
William A. Rowe Jr committed
  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola <niku.toivola sulake.com>]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
Loading full blame...