Skip to content
CHANGES 121 KiB
Newer Older
                                                         -*- coding: utf-8 -*-
Jim Jagielski's avatar
Jim Jagielski committed

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.4
Joe Orton's avatar
Joe Orton committed

  *) mod_cache_disk: Resolve errors while revalidating disk-cached files on
     Windows ("...rename tempfile to datafile failed..."). PR 38827
     [Eric Covener]

  *) mod_proxy_balancer: Bring XML output up to date. [Jim Jagielski]

  *) htpasswd, htdbm: Optionally read passwords from stdin, as more
     secure alternative to -b.  PR 40243. [Adomas Paltanavicius <adomas
     paltanavicius gmail com>, Stefan Fritsch]

  *) htpasswd, htdbm: Add support for bcrypt algorithm (requires
     apr-util 1.5 or higher). PR 49288. [Stefan Fritsch]

  *) htpasswd, htdbm: Put full 48bit of entropy into salt, improve
     error handling. Add some of htpasswd's improvements to htdbm,
     e.g. warn if password is truncated by crypt(). [Stefan Fritsch]

  *) mod_auth_form: Support the expr parser in the
     AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and
     AuthFormLogoutLocation directives. [Graham Leggett]

  *) mod_ssl: Add support for TLS-SRP (Secure Remote Password key exchange
     for TLS, RFC 5054). PR 51075. [Quinn Slack <sqs cs stanford edu>,
     Christophe Renou, Peter Sylvester]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) mod_rewrite: Stop mergeing RewriteBase down to subdirectories
     unless new option 'RewriteOptions MergeBase' is configured.
     PR 53963. [Eric Covener]

  *) mod_status, mod_info, mod_proxy_ftp, mod_proxy_balancer, mod_imagemap,
     mod_ldap: Improve escaping of hostname and URIs HTML output.
     [Jim Jagielski, Stefan Fritsch]

  *) mod_header: Allow for exposure of loadavg and server load using new 
     format specifiers %l, %i, %b [Jim Jagielski]
  
Stefan Fritsch's avatar
Stefan Fritsch committed
  *) core: Make ap_regcomp() return AP_REG_ESPACE if out of memory.  Make
     ap_pregcomp() abort if out of memory. This raises the minimum PCRE
     requirement to version 6.0. [Stefan Fritsch]

  *) mod_proxy: Add ability to configure the sticky session separator.
     PR 53893. [<inu inusasha de>, Jim Jagielski]

  *) mod_dumpio: Correctly log large messages
     PR 54179 [Marek Wianecki <mieszek2 interia pl>]

  *) core: Don't fail at startup with AH00554 when Include points to 
     a directory without any wildcard character. [Eric Covener]

  *) core: Fail startup if the argument to ServerTokens is unrecognized.
     [Jackie Zhang  <jackie.qq.zhang gmail.com>]

  *) mod_log_forensic: Don't log a spurious "-" if a request has been rejected
     before mod_log_forensic could attach its id to it. [Stefan Fritsch]

Joe Orton's avatar
Joe Orton committed
  *) rotatelogs: Omit the second argument for the first invocation of
     a post-rotate program when -p is used, per the documentation.
     [Joe Orton]

  *) mod_session_dbd: fix a segmentation fault in the function dbd_remove.
Stefan Fritsch's avatar
Stefan Fritsch committed
     PR 53452. [<rebanerebane gmail com>, Reimo Rebane]
  *) core: Functions to provide server load values: ap_get_sload() and
     ap_get_loadavg(). [Jim Jagielski, Jan Kaluza <jkaluza redhat.com>,
     Jeff Trawick]

Joe Orton's avatar
Joe Orton committed
  *) mod_ldap: Fix regression in handling "server unavailable" errors on 
     Windows.  PR 54140.  [Eric Covener]
  *) syslog logging: Remove stray ", referer" at the end of some messages.
     [Jeff Trawick]

  *) "Iterate" directives: Report an error if no arguments are provided.
     [Jeff Trawick]

  *) mod_ssl: Change default for SSLCompression to off, as compression
     causes security issues in most setups. (The so called "CRIME" attack).
     [Stefan Fritsch]

  *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
     to more accurately report the negotiated protocol. PR 53916.
     [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]

  *) core: ErrorDocument now works for requests without a Host header.
     PR 48357.  [Jeff Trawick]

  *) prefork: Avoid logging harmless errors during graceful stop.
     [Joe Orton, Jeff Trawick]
  *) mod_proxy: When concatting for PPR, avoid cases where we
     concat ".../" and "/..." to create "...//..." [Jim Jagielski]

  *) mod_cache: Wrong content type and character set when
     mod_cache serves stale content because of a proxy error. 
     PR 53539.  [Rainer Jung, Ruediger Pluem]

  *) mod_proxy_ajp: Fix crash in packet dump code when logging
     with LogLevel trace7 or trace8.  PR 53730.  [Rainer Jung]

  *) httpd.conf: Removed the configuration directives setting a bad_DNT
     environment introduced in 2.4.3. The actual directives are commented
     out in the default conf file.

  *) core: Apply length limit when logging Status header values.
     [Jeff Trawick, Chris Darroch]

  *) mod_proxy_balancer: The nonce is only derived from the UUID iff
     not set via the 'nonce' balancer param. [Jim Jagielski]

  *) mod_ssl: Match wildcard SSL certificate names in proxy mode.  
     PR 53006.  [Joe Orton]

  *) Windows: Fix output of -M, -L, and similar command-line options
     which display information about the server configuration.
     [Jeff Trawick]

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.3

Jim Jagielski's avatar
Jim Jagielski committed
  *) SECURITY: CVE-2012-3502  (cve.mitre.org)
     mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
     connection closing which could lead to privacy issues due
     to a response mixup. PR 53727. [Rainer Jung]

Stefan Fritsch's avatar
Stefan Fritsch committed
  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
Jeff Trawick's avatar
Jeff Trawick committed
     mod_negotiation: Escape filenames in variant list to prevent a
Stefan Fritsch's avatar
Stefan Fritsch committed
     possible XSS for a site where untrusted users can upload files to
     a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]

  *) mod_authnz_ldap: Don't try a potentially expensive nested groups
     search before exhausting all AuthLDAPGroupAttribute checks on the
Jim Jagielski's avatar
Jim Jagielski committed
     current group. PR 52464 [Eric Covener]
  *) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
     authorization provider in lua. [Stefan Fritsch]

  *) core: Be less strict when checking whether Content-Type is set to 
     "application/x-www-form-urlencoded" when parsing POST data, 
     or we risk losing data with an appended charset. PR 53698
     [Petter Berntsen <petterb gmail.com>]

  *) httpd.conf: Added configuration directives to set a bad_DNT environment
     variable based on User-Agent and to remove the DNT header field from
     incoming requests when a match occurs. This currently has the effect of
     removing DNT from requests by MSIE 10.0 because it deliberately violates
     the current specification of DNT semantics for HTTP. [Roy T. Fielding]

  *) mod_socache_shmcb: Fix bus error due to a misalignment
     in some 32 bit builds, especially on Solaris Sparc.
     PR 53040.  [Rainer Jung]

Jim Jagielski's avatar
Jim Jagielski committed
  *) mod_cache: Set content type in case we return stale content.
     [Ruediger Pluem]

  *) Windows: Fix SSL failures on windows with AcceptFilter https none.
  *) ab: Fix read failure when targeting SSL server.  [Jeff Trawick]

  *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
     - mod_auth_digest: shared memory file
  *) htpasswd: Use correct file mode for checking if file is writable.
     PR 45923. [Stefan Fritsch]

  *) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T.
     <mi apache aldan algebra com>]

  *) mod_ssl: Add new directive SSLCompression to disable TLS-level
     compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]

Rainer Jung's avatar
Rainer Jung committed
  *) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
     client_ip to match conn_rec. [Stefan Fritsch]

  *) mod_lua: Change prototype of vm_construct, to work around gcc bug which
     causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>]

Rainer Jung's avatar
Rainer Jung committed
  *) mpm_event: Don't count connections in lingering close state when
     calculating how many additional connections may be accepted.
     [Stefan Fritsch]

  *) mod_ssl: If exiting during initialization because of a fatal error,
     log a message to the main error log pointing to the appropriate
     virtual host error log. [Stefan Fritsch]

  *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
     one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]

  *) mod_proxy_balancer: Restore balancing after a failed worker has
     recovered when using lbmethod_bybusyness.  PR 48735.  [Jeff Trawick]

  *) mod_setenvif: Compile some global regex only once during startup.
     This should save some memory, especially with .htaccess.
     [Stefan Fritsch]

Rainer Jung's avatar
 
Rainer Jung committed
  *) core: Add the port number to the vhost's name in the scoreboard.
Loading full blame...