Skip to content
CHANGES 165 KiB
Newer Older
Jeff Trawick's avatar
Jeff Trawick committed
                                                         -*- coding: utf-8 -*-
Ruediger Pluem's avatar
Ruediger Pluem committed

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.11

Eric Covener's avatar
 
Eric Covener committed
  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
     mod_cache: Avoid a crash when Content-Type has an empty value.
     PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]

  *) SECURITY: CVE-2013-5704 (cve.mitre.org)
     core: HTTP trailers could be used to replace HTTP headers
     late during request processing, potentially undoing or
     otherwise confusing modules that examined or modified
     request headers earlier.  Adds "MergeTrailers" directive to restore
     legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]

Eric Covener's avatar
Eric Covener committed
  *) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC 
     systems. PR 57092 [Edward Lu <Chaosed0 gmail.com>]

Eric Covener's avatar
Eric Covener committed
  *) mod_cache: Avoid a 304 response to an unconditional requst when an AH00752
     CacheLock error occurs during cache revalidation. [Eric Covener]
 
  *) mod_ssl: Move OCSP stapling information from a per-certificate store to
     a per-server hash. PR 54357, PR 56919. [Alex Bligh <alex alex.org.uk>,
     Yann Ylavic, Kaspar Brand]

  *) mod_cache_socache: Change average object size hint from 32 bytes to
     2048 bytes.  [Rainer Jung]

  *) mod_cache_socache: Add cache status to server-status.  [Rainer Jung]

  *) event: Fix worker-listener deadlock in graceful restart.
     PR 56960.

  *) Concat strings at compile time when possible. PR 53741.

  *) mod_substitute: Restrict configuration in .htaccess to
     FileInfo as documented.  [Rainer Jung]

  *) mod_substitute: Make maximum line length configurable.  [Rainer Jung]

  *) mod_substitute: Fix line length limitation in case of regexp plus flatten.
     [Rainer Jung]
  
  *) mod_proxy: Truncated character worker names are no longer fatal
     errors. PR53218. [Jim Jagielski]

  *) mod_dav: Set r->status_line in dav_error_response. PR 55426.

  *) mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory.
     [Yann Ylavic, Christophe Jaillet]
  *) http_protocol: fix logic in ap_method_list_(add|remove) in order:
       - to correctly reset bits
       - not to modify the 'method_mask' bitfield unnecessarily
     [Christophe Jaillet]

  *) mod_slotmem_shm: Increase log level for some originally debug messages.
     [Jim Jagielski]

Eric Covener's avatar
Eric Covener committed
  *) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with
     the wrong credentials when a backend connection is reused.
     [Eric Covener]

  *) mod_macro: Add missing APLOGNO for some Warning log messages.
     [Christophe Jaillet]

  *) mod_cache: Avoid sending 304 responses during failed revalidations
     PR56881. [Eric Covener]

  *) mod_status: Honor client IP address using mod_remoteip. PR 55886.
     [Jim Jagielski]

Jeff Trawick's avatar
Jeff Trawick committed
  *) cmake-based build for Windows: Fix incompatibility with cmake 2.8.12
     and later.  PR 56615.  [Chuck Liu <cliu81 gmail.com>, Jeff Trawick]

  *) mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade
     failed) messages from ERROR to TRACE1.  Other filters do not bother 
     re-reporting failures from lower level filters.  PR56832.  [Eric Covener]

  *) core: Avoid useless warning message when parsing a section guarded by
     <IfDefine foo> if $(foo) is used within the section.
Stefan Fritsch's avatar
Stefan Fritsch committed
     PR 56503 [Christophe Jaillet]
  *) mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the
     application.  PR 56858.  [Manuel Mausz <manuel-asf mausz.at>]

  *) mod_proxy_http: Proxy responses with error status and
     "ProxyErrorOverride On" hang until proxy timeout.
     PR53420 [Rainer Jung]

  *) mod_log_config: Allow three character log formats to be registered. For
     backwards compatibility, the first character of a three-character format
     must be the '^' (caret) character.  [Eric Covener]

  *) mod_lua: Don't quote Expires and Path values. PR 56734.
     [Keith Mashinter, <kmashint yahoo com>]
  *) mod_authz_core: Allow <AuthzProviderAlias>'es to be seen from auth
     stanzas under virtual hosts. PR 56870. [Eric Covener]

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.10
  *) SECURITY: CVE-2014-0117 (cve.mitre.org)
     mod_proxy: Fix crash in Connection header handling which allowed a denial
     of service attack against a reverse proxy with a threaded MPM.
     [Ben Reser]

  *) SECURITY: CVE-2014-3523 (cve.mitre.org)
     Fix a memory consumption denial of service in the WinNT MPM, used in all
     Windows installations. Workaround: AcceptFilter <protocol> {none|connect}
Jeff Trawick's avatar
Jeff Trawick committed
     [Jeff Trawick]

Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CVE-2014-0226 (cve.mitre.org)
     Fix a race condition in scoreboard handling, which could lead to
Joe Orton's avatar
Joe Orton committed
     a heap buffer overflow.  [Joe Orton, Eric Covener]
  *) SECURITY: CVE-2014-0118 (cve.mitre.org)
     mod_deflate: The DEFLATE input filter (inflates request bodies) now
     limits the length and compression ratio of inflated request bodies to
Rainer Jung's avatar
Rainer Jung committed
     avoid denial of service via highly compressed bodies.  See directives
     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
     and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]

  *) SECURITY: CVE-2014-0231 (cve.mitre.org)
     mod_cgid: Fix a denial of service against CGI scripts that do
     not consume stdin that could lead to lingering HTTPD child processes
     filling up the scoreboard and eventually hanging the server.  By
     default, the client I/O timeout (Timeout directive) now applies to
     communication with scripts.  The CGIDScriptTimeout directive can be
     used to set a different timeout for communication with scripts.
     [Rainer Jung, Eric Covener, Yann Ylavic]

Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
     resumed by TLS session resumption (RFC 5077). [Rainer Jung]

  *) mod_deflate: Don't fail when flushing inflated data to the user-agent
     and that coincides with the end of stream ("Zlib error flushing inflate
     buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]

Rainer Jung's avatar
Rainer Jung committed
  *) mod_proxy_ajp: Forward local IP address as a custom request attribute
     like we already do for the remote port. [Rainer Jung]

Jeff Trawick's avatar
Jeff Trawick committed
  *) core: Include any error notes set by modules in the canned error
     response for 403 errors.  [Jeff Trawick]

Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_ssl: Set an error note for requests rejected due to
     SSLStrictSNIVHostCheck.  [Jeff Trawick]

  *) mod_ssl: Fix issue with redirects to error documents when handling
     SNI errors.  [Jeff Trawick]

  *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
     larger keys and support up to 8192-bit keys.  [Ruediger Pluem,
     Joe Orton]

Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_dav: Fix improper encoding in PROPFIND responses.  PR 56480.
     [Ben Reser]

  *) WinNT MPM: Improve error handling for termination events in child.
     [Jeff Trawick]

  *) mod_proxy: When ping/pong is configured for a worker, don't send or
     forward "100 Continue" (interim) response to the client if it does
     not expect one. [Yann Ylavic]

  *) mod_ldap: Be more conservative with the last-used time for
     LDAPConnectionPoolTTL. PR54587 [Eric Covener]

  *) mod_ldap: LDAP connections used for authn were not respecting
     LDAPConnectionPoolTTL. PR54587 [Eric Covener]

Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.
     [Jeff Trawick]

  *) event MPM: Fix possible crashes (third-party modules accessing c->sbh) 
     or occasional missed mod_status updates under load. PR 56639.
     [Edward Lu <Chaosed0 gmail com>]

Eric Covener's avatar
Eric Covener committed
  *) mod_authnz_ldap: Support primitive LDAP servers do not accept
     filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
     filter "none" to be specified in AuthLDAPURL. [Eric Covener]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
     [Lukas Bezdicka <social v3.sk>]

  *) mod_deflate: Handle Zlib header and validation bytes received in multiple
     chunks. PR 46146. [Yann Ylavic]

Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_proxy: Allow reverse-proxy to be set via explicit handler.
     [ryo takatsuki <ryotakatsuki gmail com>]

Jeff Trawick's avatar
Jeff Trawick committed
  *) ab: support custom HTTP method with -m argument. PR 56604.
     [Roman Jurkov <winfinit gmail.com>]

  *) mod_proxy_balancer: Correctly encode user provided data in management
     interface. PR 56532 [Maksymilian, <max cert.cx>]
Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_proxy_fcgi: Support iobuffersize parameter.  [Jeff Trawick]

  *) mod_auth_form: Add a debug message when the fields on a form are not
Loading full blame...