Skip to content
CHANGES 97.1 KiB
Newer Older
                                                         -*- coding: utf-8 -*-
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.3.15

  *) SECURITY: CVE-2011-3348 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
     recognized.  [Jean-Frederic Clere]

  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
     core: Fix handling of byte-range requests to use less memory, to avoid
     denial of service. If the sum of all ranges in a request is larger than
     the original file, ignore the ranges and send the complete file.
     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
     <lowprio20 gmail.com>]
  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
     with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]

  *) configure: By default, only load those modules that are either required
     or explicitly selected by a configure --enable-foo argument. The
     LoadModule statements for modules enabled by --enable-mods-shared=most
     and friends will be commented out. [Stefan Fritsch]

  *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and 
     LuaHookQuickHandler) from being configured in <Directory>, <Files>, 
     and htaccess where the configuration would have been ignored.
     [Eric Covener]

  *) mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors
     in LuaMapHandler scripts [Eric Covener]

  *) mod_log_debug: Rename optional argument from if= to expr=, to be more
     in line with other config directives. [Stefan Fritsch]

  *) mod_headers: Require an expression to be specified with expr=, to be more
     in line with other config directives. [Stefan Fritsch]

  *) mod_substitute: To prevent overboarding memory usage, limit line length
     to 1MB. [Stefan Fritsch]

  *) mod_lua: Make the query string (r.args) writable. [Eric Covener]

  *) mod_include: Add support for application/x-www-form-urlencoded encoding
     and decoding. [Graham Leggett]

  *) rotatelogs: Add -c option to force logfile creation in every rotation 
     interval, even if empty.  [Jan Kaluža <jkaluza redhat.com>]
 
  *) core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings.
     [Stefan Fritsch]

  *) mod_session_crypto: Refactor to support the new apr_crypto API.
     [Graham Leggett]

  *) http: Add missing Location header if local URL-path is used as
     ErrorDocument for 30x. [Stefan Fritsch]

  *) mod_buffer: Make sure we step down for subrequests, but not for internal
     redirects triggered by mod_rewrite. [Graham Leggett]

  *) mod_lua: add r:construct_url as a wrapper for ap_construct_url.
     [Eric Covener]
 
  *) mod_remote_ip: Fix configuration of internal proxies. PR 49272.
     [Jim Riggs <jim riggs me>]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific
     server IP endpoint and remote client IP upon connection.  [William Rowe]

  *) mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with
     PeerExtList(). [Stefan Fritsch]

  *) mpm_prefork, mpm_worker, mpm_event: If a child is created just before
     graceful restart and then exits because of a missing lock file, don't
     shutdown the whole server. PR 39311. [Shawn Michael
     <smichael rightnow com>]

  *) mpm_event: Check the return value from ap_run_create_connection.
     PR: 41194. [Davi Arnaut]

  *) mod_mime_magic: Add signatures for PNG and SWF to the example config.
     PR: 48352. [Jeremy Wagner-Kaiser <jwagner-kaiser adknowledge com>]

  *) core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items
     from the parsed (or default) config. This is useful for init scripts that
     need to setup temporary directories and permissions. [Stefan Fritsch]

  *) core, mod_actions, mod_asis: Downgrade error log messages which accompany
     a 404 request status from loglevel error to info. PR: 35768. [Stefan
     Fritsch]

Jeff Trawick's avatar
Jeff Trawick committed
  *) core: Fix hook sorting with Perl modules. PR: 45076. [Torsten Foertsch
  *) core: Enforce LimitRequestFieldSize after multiple headers with the same
     name have been merged. [Stefan Fritsch]

  *) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory
     usage.  PR 51618. [Cristian Rodríguez <crrodriguez opensuse org>,
  *) mod_ssl: At startup, when checking a server certificate whether it
     matches the configured ServerName, also take dNSName entries in the
     subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand]

  *) mod_substitute: Reduce memory usage and copying of data. PR 50559.
     [Stefan Fritsch]

  *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
     [Kaspar Brand]

  *) Add wrappers for malloc, calloc, realloc that check for out of memory
     situations and use them in many places. PR 51568, PR 51569, PR 51571.
     [Stefan Fritsch]

  *) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is 
     false but RLIMIT_* are defined.  PR51371. [Eric Covener]

  *) core: Correctly obey ServerName / ServerAlias if the Host header from the
     request matches the VirtualHost address.
     PR 51709. [Micha Lenk <micha lenk.info>]

  *) mod_unique_id: Use random number generator to initialize counter.
     PR 45110. [Stefan Fritsch]

  *) core: Add convenience API for apr_random. [Stefan Fritsch]

  *) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control
     the number of overlapping and reversing ranges (respectively) permitted
     before returning the entire resource, with a default limit of 20.
     [Jim Jagielski]

  *) mod_ldap: Optional function uldap_ssl_supported(r) always returned false
     if called from a virtual host with mod_ldap directives in it.  Did not
     affect mod_authnz_ldap's usage of mod_ldap.  [Eric Covener]

  *) mod_filter: Instead of dropping the Accept-Ranges header when a filter
     registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
     set the header value to "none". [Eric Covener, Ruediger Pluem]

  *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
     in the case Ranges are being ignored with MaxRanges none.
     [Eric Covener]

  *) mod_ssl: revamp CRL-based revocation checking when validating
     certificates of clients or proxied servers. Completely delegate
     CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck
     directive for controlling the revocation checking mode. [Kaspar Brand]

  *) core: Add MaxRanges directive to control the number of ranges permitted
     before returning the entire resource, with a default limit of 200.
  *) mod_cache: Ensure that CacheDisable can correctly appear within
     a LocationMatch. [Graham Leggett]

  *) mod_cache: Fix the moving of the CACHE filter, which erroneously
     stood down if the original filter was not added by configuration.
     [Graham Leggett]

Kaspar Brand's avatar
Kaspar Brand committed
  *) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]

  *) mod_authz_groupfile: Increase length limit of lines in the group file to
     16MB. PR 43084. [Stefan Fritsch]

  *) core: Increase length limit of lines in the configuration file to 16MB.
     PR 45888. PR 50824. [Stefan Fritsch]

  *) core: Add API for resizable buffers. [Stefan Fritsch]

  *) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have
     LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such
     as Tivoli Directory Server 6.3 and later. [Eric Covener]

  *) mod_ldap: Change default number of retries from 10 to 3, and add
     an LDAPRetries and LDAPRetryDelay directives. [Eric Covener]

  *) mod_authnz_ldap: Don't retry during authentication, because this just
     multiplies the ample retries already being done by mod_ldap. [Eric Covener]

  *) configure: Allow to explicitly disable modules even with module selection
     'reallyall'. [Stefan Fritsch]

  *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
     RewriteEngine is disabled in server context, avoiding a crash while
     referencing the invalid int: map at runtime. PR 50994.
     [Ben Noordhuis <info noordhuis nl>]
  *) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]

  *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]

  *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
     [Kaspar Brand]

  *) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the
     cookie is set when modules such as mod_rewrite trigger a redirect. Also
     use r->err_headers_out for the cookie, for the same reason.  PR29755.
     [Sami J. Mäkinen <sjm almamedia fi>, Eric Covener]

Loading full blame...