Newer
Older
-*- coding: utf-8 -*-
*) SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Fix handling of byte-range requests to use less memory, to avoid
denial of service. If the sum of all ranges in a request is larger than
the original file, ignore the ranges and send the complete file.
PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
*) mod_ldap: Optional function uldap_ssl_supported(r) always returned false
if called from a virtual host with mod_ldap directives in it. Did not
affect mod_authnz_ldap's usage of mod_ldap. [Eric Covener]
*) mod_filter: Instead of dropping the Accept-Ranges header when a filter
registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
set the header value to "none". [Eric Covener, Ruediger Pluem]
*) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
in the case Ranges are being ignored with MaxRanges none.
[Eric Covener]
*) mod_ssl: revamp CRL-based revocation checking when validating
certificates of clients or proxied servers. Completely delegate
CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck
directive for controlling the revocation checking mode. [Kaspar Brand]
*) Fix a regression in the CVE-2011-3192 byterange fix.
PR 51748. [low_priority <lowprio20 gmail.com>]
*) core: Add MaxRanges directive to control the number of ranges permitted
before returning the entire resource, with a default limit of 200.
[Eric Covener]
*) mod_cache: Ensure that CacheDisable can correctly appear within
a LocationMatch. [Graham Leggett]
*) mod_cache: Fix the moving of the CACHE filter, which erroneously
stood down if the original filter was not added by configuration.
[Graham Leggett]
*) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]
*) mod_authz_groupfile: Increase length limit of lines in the group file to
16MB. PR 43084. [Stefan Fritsch]
*) core: Increase length limit of lines in the configuration file to 16MB.
PR 45888. PR 50824. [Stefan Fritsch]
*) core: Add API for resizable buffers. [Stefan Fritsch]
Eric Covener
committed
*) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have
LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such
as Tivoli Directory Server 6.3 and later. [Eric Covener]
Eric Covener
committed
*) mod_ldap: Change default number of retries from 10 to 3, and add
an LDAPRetries and LDAPRetryDelay directives. [Eric Covener]
*) mod_authnz_ldap: Don't retry during authentication, because this just
multiplies the ample retries already being done by mod_ldap. [Eric Covener]
*) configure: Allow to explicitly disable modules even with module selection
'reallyall'. [Stefan Fritsch]
*) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
RewriteEngine is disabled in server context, avoiding a crash while
referencing the invalid int: map at runtime. PR 50994.
[Ben Noordhuis <info noordhuis nl>]
*) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]
*) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
*) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
[Kaspar Brand]
*) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the
cookie is set when modules such as mod_rewrite trigger a redirect. Also
use r->err_headers_out for the cookie, for the same reason. PR29755.
[Sami J. Mäkinen <sjm almamedia fi>, Eric Covener]
Stefan Fritsch
committed
*) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and
'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch]
Stefan Fritsch
committed
*) configure: Enable ldap modules in 'all' and 'most' selections if ldap
is compiled into apr-util. [Stefan Fritsch]
*) core: Add ap_check_cmd_context()-check if a command is executed in
.htaccess file. [Stefan Fritsch]
*) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.
[Torsten Foertsch <torsten foertsch gmx net>]
*) mod_proxy_ajp: Improve trace logging. [Rainer Jung]
*) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets.
[Rainer Jung]
*) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse,
e.g. to reverse proxy "Location: https://other-internal-server/login"
[Nick Kew]
*) prefork, worker, event: Make sure crashes are logged to the error log if
httpd has already detached from the console. [Stefan Fritsch]
Stefan Fritsch
committed
*) prefork, worker, event: Reduce period during startup/restart where a
successive signal may be lost. PR 43696. [Arun Bhalla <arun shme net>]
*) mod_allowmethods: Correct Merging of "reset" and do not allow an
empty parameter list for the AllowMethods directive. [Rainer Jung]
*) configure: Update selection of modules for 'all' and 'most'. 'all' will
now enable all modules except for example and test modules. Make the
selection for 'most' more useful (including ssl and proxy). Both 'all'
and 'most' will now disable modules if dependencies are missing instead
of aborting. If a specific module is requested with --enable-XXX=yes,
missing dependencies will still cause configure to exit with an error.
[Stefan Fritsch]
*) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done
in 2.3.13. [Stefan Fritsch]
*) core: For '*' or '_default_' vhosts, use a wildcard address of any
address family, rather than IPv4 only. [Joe Orton]
*) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable
include [ ] for literal IPv6 addresses, as mandated by RFC 3875.
PR 26005. [Stefan Fritsch]
*) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203.
[Nagae Hidetake <nagae eagan jp>]
*) core: Add more logging to ap_scan_script_header_err* functions. Add
ap_scan_script_header_err*_ex functions that take a module index for
logging.
mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the
new functions in order to make logging configurable per-module.
[Stefan Fritsch]
*) mod_dir: Add DirectoryIndexRedirect to send an external redirect to
the proper index. [Eric Covener]
*) mod_deflate: Don't try to compress requests with a zero sized body.
PR 51350. [Stefan Fritsch]
*) core: Fix startup on IP6-only systems. PR 50592. [Joe Orton,
<root linkage white-void net>]
*) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX,
REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the
whitelist in suexec. PR 51499. [Graham Laverty <graham reg ca>,
Stefan Fritsch]
*) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch]
*) mod_log_debug: New module that allows to log custom messages at various
phases in the request processing. [Stefan Fritsch]
*) mod_ssl: Add some debug logging when loading server certificates.
PR 37912. [Nick Burch <nick burch alfresco com>]
*) configure: Support reallyall option also for --enable-mods-static.
[Rainer Jung]
*) mod_socache_dc: add --with-distcache to configure for choosing
the distcache installation directory. [Rainer Jung]
*) mod_socache_dc: use correct build variable MOD_SOCACHE_DC_LDADD
instead of MOD_SOCACHE_LDADD in build macro. [Rainer Jung]
*) mod_lua, mod_deflate: respect platform specific runpath linker
flag. [Rainer Jung]
*) configure: Only link the httpd binary against PCRE. No other support
binary needs PCRE. [Rainer Jung]
*) configure: tolerate dependency checking failures for modules if
they have been enabled implicitely. [Rainer Jung]
*) configure: Allow to specify module specific custom linker flags via
the MOD_XXX_LDADD variables. [Rainer Jung]
*) ab: Support specifying the local address to use. PR 48930.
[Peter Schuller <scode spotify com>]
*) core: Add support to ErrorLogFormat for logging the system unique
thread id under Linux. [Stefan Fritsch]
*) event: New AsyncRequestWorkerFactor directive to influence how many
connections will be accepted per process. [Stefan Fritsch]
Stefan Fritsch
committed
*) prefork, worker, event: Rename MaxClients to MaxRequestWorkers which
describes more accurately what it does. [Stefan Fritsch]
*) rotatelogs: Add -p argument to specify custom program to invoke
after a log rotation. PR 51285. [Sven Ulland <sveniu ifi.uio.no>,
Joe Orton]
Loading full blame...