Newer
Older
Martin Kraemer
committed
Changes with Apache 2.3.0
[Remove entries to the current 2.0 and 2.2 section below, when backported]
*) SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling. For some RewriteRules this could lead to a pointer being
written out of bounds. Reported by Mark Dowd of McAfee.
[Mark Cox]
*) mod_cache: While serving a cached entity ensure that filters that have
been applied to this cached entity before saving it to the cache are not
applied again. PR 40090. [Ruediger Pluem]
*) mod_proxy_ajp: Added cping/cpong support for the AJP protocol.
A new worker directive ping=timeout will cause CPING packet
to be send expecting CPONG packet within defined timeout.
In case the backend is too busy this will fail instead
sending the full header. [Mladen Turk]
Ruediger Pluem
committed
*) core: Do not allow internal redirects like the DirectoryIndex of mod_dir
Ruediger Pluem
committed
to circumvent the symbolic link checks imposed by FollowSymLinks and
SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem, William Rowe]
*) mod_proxy: Support environment variable interpolation in reverse
proxying directives [Nick Kew]
*) mod_proxy_balancer: Workers can now be defined as "hot standby" which
will only be used if all other workers are unusable (eg: in
error or disabled). Also, the balancer-manager displays the election
count and I/O counts of all workers. [Jim Jagielski]
*) core: Add the filename of the configuration file to the warning message
about the useless use of AllowOverride. PR 39992.
[Darryl Miles <darryl darrylmiles.org>]
*) mod_proxy_balancer: Retry worker chosen by route / redirect worker if
it is in error state before sending "Service Temporarily Unavailable".
PR 38962. [Christian Boitel <cboitel lfdj.com>]
*) mod_proxy_balancer: Add information about the route, the sticky session
and the worker used during a request as environment variables. PR 39806.
[Brian <brectanu gmail.com>]
*) mod_isapi: Avoid double trailing slashes in HSE_REQ_MAP_URL_TO_PATH
support. Also corrects the slashes for Windows. PR 15993 [William Rowe]
*) mod_isapi: Handle "HTTP/1.1 200 OK" style status lines correctly, the
token parser worked while the resulting length was misinterpreted.
PR 29098 [Brock Bland <bbland serena.com>]
*) mod_isapi: Return 0 (failure) for more of the various ap_pass_brigade
attempts to stream the response at the client. PR 30022 [William Rowe]
William A. Rowe Jr
committed
*) mod_isapi: Ensure we walk through all the methods the developer may have
employed to report their HTTP status result code.
PR 16637 30033 28089 [Matt Lewandowsky <matt iamcode.net>, William Rowe]
*) New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ]
configures the I/O Dump of SSL traffic, when LogLevel is set to Debug.
The default is none as this is far greater debugging resolution than
the typical administrator is prepared to untangle. [William Rowe]
*) mod_disk_cache: If possible, check if the size of an object to cache is
within the configured boundaries before actually saving data.
[Niklas Edmundsson <nikke acc.umu.se>]
*) mod_cache: Convert all values to seconds before comparing them when
checking whether to send a Warning header for a stale response.
PR 39713. [Owen Taylor <otaylor redhat.com>]
Ruediger Pluem
committed
*) mod_disk_cache: Delete temporary files if they cannot be renamed to their
final name. [Davi Arnaut <davi haxent.com.br>]
*) Worker and event MPMs: Remove improper scoreboard updates which were
performed in the event of a fork() failure. [Chris Darroch]
*) Add support for fcgi:// proxies to mod_rewrite.
[Markus Schiegl <ms schiegl.com>]
*) Remove incorrect comments from scoreboard.h regarding conditional
loading of worker_score structure with mod_status, and remove unused
definitions relating to old life_status field.
[Chris Darroch <chrisd pearsoncmg.com>]
*) Remove allocation of memory for unused array of lb_score pointers
in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>]
*) Add mod_proxy_fcgi, a FastCGI back end for mod_proxy.
[Garrett Rooney, Jim Jagielski, Paul Querna]
*) Event MPM: Fill in the scoreboard's tid field. PR 38736.
[Chris Darroch <chrisd pearsoncmg.com>]
*) mod_charset_lite: Remove Content-Length when output filter can
invalidate it. Warn when input filter can invalidate it.
[Jeff Trawick]
*) mod_ssl: Fix spurious hostname mismatch warning for valid
wildcard certificates. PR 37911. [Nick Burch <nick torchbox.com>]
*) Authz: Add the new module mod_authn_core that will provide common
authn directives such as 'AuthType', 'AuthName'. Move the directives
'AuthType' and 'AuthName' out of the core module and merge mod_authz_alias
into mod_authn_core. [Brad Nicholes]
Ruediger Pluem
committed
*) Authz: Mark the directives 'Order', 'Allow', 'Deny' and 'Satisfy' as
deprecated and move them into the new module mod_access_compat which
can be loaded to provide backwards compatibility for these directives.
[Brad Nicholes]
Ruediger Pluem
committed
*) Authz: Move the 'Require' directive from the core module as well as
add the directives '<SatisfyAll>', '<SatisfyOne>', '<RequireAlias>'
and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
logic into the authorization processing. [Brad Nicholes]
Ruediger Pluem
committed
*) Authz: Add the new module mod_authz_core which acts as the
authorization provider vector and contains common authz
directives. [Brad Nicholes]
*) Authz: Renamed mod_authz_dbm authz providers from 'group' and
'file-group' to 'dbm-group' and 'dbm-file-group'. [Brad Nicholes]
*) Authz: Added the new authz providers 'env', 'ip', 'host', 'all' to handle
host-based access control provided by mod_authz_host and invoked
through the 'Require' directive. [Brad Nicholes]
*) Authz: Convert all of the authz modules from hook based to
provider based. [Brad Nicholes]
Ruediger Pluem
committed
Ruediger Pluem
committed
*) mod_cache: Add CacheMinExpire directive to set the minimum time in
seconds to cache a document.
[Brian Akins <brian.akins turner.com>, Ruediger Pluem]
*) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]
*) Fix typo in ProxyStatus syntax error message.
[Christophe Jaillet <christophe.jaillet wanadoo.fr>]
*) Asynchronous write completion for the Event MPM. [Brian Pane]
*) Added an End-Of-Request bucket type. The logging of a request and
the freeing of its pool are now done when the EOR bucket is destroyed.
This has the effect of delaying the logging until right after the last
of the response is sent; ap_core_output_filter() calls the access logger
indirectly when it destroys the EOR bucket. [Brian Pane]
*) Rewrite of logresolve support utility: IPv6 addresses are now supported
and the format of statistical output has changed. [Colm MacCarthaigh]
*) Rewrite of ap_coreoutput_filter to do nonblocking writes [Brian Pane]
*) Added new connection states for handler and write completion
[Brian Pane]
*) mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264.
[Justin Erenkrantz]
*) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive,
allowing string-valued client certificate attributes to be used for
access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1")
[Martin Kraemer, David Reid]
*) mod_authn_alias: Add a check to make sure that the base provider and the
alias names are different and also that the alias has not been registered
before. PR 40051. [Brad Nicholes]
*) mod_authnz_ldap: Fix a problem with invalid auth error detection for LDAP
client SDKs that don't support the LDAP_SECURITY_ERROR macro. PR 39529.
[Ray Price <dohrayme yahoo.com>, Josh Fenlason <jfenlason ptc.com>]
*) mod_cache: Do not overwrite the Content-Type in the cache, for
successfully revalidated cached objects. PR 39647. [Ruediger Pluem]
*) mod_speling: Add directive to deal with case corrections only
and ignore other misspellings [Olivier Thereaux <ot w3.org>]
*) mod_dbd: Fix dependence on virtualhost configuration in
defining prepared statements (possible segfault at startup
in user modules such as mod_authn_dbd). [Nick Kew]
*) Add optional 'scheme://' prefix to ServerName directive,
allowing correct determination of the canonical server URL
for use behind a proxy or offload device handling SSL; fixing
redirect generation in those cases. PR 33398. [Sander Temme]
*) Added server_scheme field to server_rec for above. Minor MMN bump.
[Sander Temme]
*) mod_cache: Make caching of reverse SSL proxies possible again. PR 39593.
[Ruediger Pluem, Joe Orton]
*) Worker MPM: On graceless shutdown or restart, send signals to
each worker thread to wake them up if they're polling on a
Keep-Alive connection. PR 38737. [Chris Darroch]
*) worker and event MPMs: fix excessive forking if fork() or child_init
Loading full blame...