Skip to content
CHANGES 663 KiB
Newer Older
  [Remove entries to the current 2.0 and 2.2 section below, when backported]
  *) HTML-escape the Expect error message.  Not classed as security as
     an attacker has no way to influence the Expect header a victim will
     send to a target site.  Reported by Thiago Zaninotti
     <thiango nstalker.com>. [Mark Cox]

  *) mod_proxy_balancer: Initialize members of a balancer correctly.
     PR 38227. [James A. Robinson <jim.robinson stanford.edu>]

  *) mod_proxy: Do not release connections from connection pool twice.
     PR 38793. [Ruediger Pluem, matthias <mk-asf gigacodes.de>]

  *) core: Prevent reading uninitialized memory while reading a line of
     protocol input.  PR 39282. [Davi Arnaut <davi haxent.com.br>]

  *) htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
     [Jeff Trawick]

  *) Event MPM: Fill in the scoreboard's tid field. PR 38736.
     [Chris Darroch <chrisd pearsoncmg.com>]

  *) mod_charset_lite: Remove Content-Length when output filter can 
     invalidate it.  Warn when input filter can invalidate it.
     [Jeff Trawick]

  *) mod_ssl: Fix spurious hostname mismatch warning for valid
     wildcard certificates.  PR 37911.  [Nick Burch <nick torchbox.com>]

  *) Respect GracefulShutdownTimeout in the worker and event MPMs.
     [Chris Darroch <chrisd pearsoncmg.com>, Garrett Rooney]

  *) Authz: Add the new module mod_authn_core that will provide common
     authn directives such as 'AuthType', 'AuthName'.  Move the directives
     'AuthType' and 'AuthName' out of the core module and merge mod_authz_alias 
     into mod_authn_core. [Brad Nicholes]
  *) Authz: Mark the directives 'Order', 'Allow', 'Deny' and 'Satisfy' as 
     deprecated and move them into the new module mod_access_compat which
     can be loaded to provide backwards compatibility for these directives.
     [Brad Nicholes]
  *) Authz: Move the 'Require' directive from the core module as well as 
     add the directives '<SatisfyAll>', '<SatisfyOne>', '<RequireAlias>' 
     and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR' 
     logic into the authorization processing. [Brad Nicholes]
  *) Authz: Add the new module mod_authz_core which acts as the 
     authorization provider vector and contains common authz 
     directives. [Brad Nicholes]

  *) Authz: Renamed mod_authz_dbm authz providers from 'group' and 
     'file-group' to 'dbm-group' and 'dbm-file-group'. [Brad Nicholes]

  *) Authz: Added the new authz providers 'env', 'ip', 'host', 'all' to handle
     host-based access control provided by mod_authz_host and invoked 
     through the 'Require' directive. [Brad Nicholes]

  *) Authz: Convert all of the authz modules from hook based to 
     provider based. [Brad Nicholes]
  *) mod_cache: Add CacheMinExpire directive to set the minimum time in
     seconds to cache a document.
     [Brian Akins <brian.akins turner.com>, Ruediger Pluem]

Nick Kew's avatar
Nick Kew committed
  *) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]

  *) Fix typo in ProxyStatus syntax error message.
     [Christophe Jaillet <christophe.jaillet wanadoo.fr>]

  *) Asynchronous write completion for the Event MPM.  [Brian Pane]

  *) Added an End-Of-Request bucket type.  The logging of a request and
     the freeing of its pool are now done when the EOR bucket is destroyed.
     This has the effect of delaying the logging until right after the last
     of the response is sent; ap_core_output_filter() calls the access logger
     indirectly when it destroys the EOR bucket.  [Brian Pane]

  *) Rewrite of logresolve support utility: IPv6 addresses are now supported
     and the format of statistical output has changed. [Colm MacCarthaigh]

  *) Rewrite of ap_coreoutput_filter to do nonblocking writes  [Brian Pane]

  *) Added new connection states for handler and write completion
     [Brian Pane]

Nick Kew's avatar
Nick Kew committed
  *) New module: mod_authn_dbd [Nick Kew]

  *) mod_cgid: Refuse to work on Solaris 10 due to OS bugs.  PR 34264.
     [Justin Erenkrantz]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive,
     allowing string-valued client certificate attributes to be used for
     access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1")
     [Martin Kraemer, David Reid]

Changes with Apache 2.2.2

  *) htdbm: Warn the user when adding a plaintext password on a platform
     where it wouldn't work with the server (i.e., anywhere that has
     crypt()).  [Jeff Trawick]

  *) mod_proxy: don't reuse a connection that may be to the wrong backend
     PR 39253 [Ruediger Pluem]

  *) Default handler: Don't return output filter apr_status_t values.
     PR 31759.  [Jeff Trawick, Ruediger Pluem, Joe Orton]

Changes with Apache 2.2.1

  *) SECURITY: CVE-2005-3357 (cve.mitre.org)
     mod_ssl: Fix a possible crash during access control checks if a
     non-SSL request is processed for an SSL vhost (such as the
     "HTTP request received on SSL port" error message when an 400 
     ErrorDocument is configured, or if using "SSLEngine optional").
     PR 37791.  [Rüdiger Plüm, Joe Orton]

  *) SECURITY: CVE-2005-3352 (cve.mitre.org)
     mod_imagemap: Escape untrusted referer header before outputting
     in HTML to avoid potential cross-site scripting.  Change also
     made to ap_escape_html so we escape quotes.  Reported by JPCERT.
     [Mark Cox]

  *) mod_proxy_ajp: Flushing of the output after each AJP chunk is now
     configurable at runtime via the 'flushpackets' and 'flushwait' worker
     params. Minor MMN bump. [Jim Jagielski]

  *) mod_proxy: Fix incorrect usage of local and shared worker init.
     PR 38403. [Jim Jagielski]

  *) mod_isapi: Fix compiler errors on Unix platforms.
     [William Rowe]

  *) mod_proxy_http: Send HTTP Keep-Alive Headers. PR 38524.
     [Rüdiger Plüm, Joe Orton]

  *) mod_disk_cache: Return the correct error codes from bucket read
     failures, instead of APR_EGENERAL.
     [Brian Akins <brian.akins turner.com>]

  *) Add APR/APR-Util Compiled and Runtime Version numbers to the
     output of 'httpd -V'. [William Rowe]

  *) http: If a connection is aborted while waiting for a chunked line,
     flag the connection as errored out.  [Justin Erenkrantz]

  *) core: Reject invalid Expect header immediately. PR 38123.
     [Ruediger Pluem]

  *) mod_proxy: Fix KeepAlives not being allowed and set to
     backend servers. PR 38602. [Ruediger Pluem, Jim Jagielski]

Jim Jagielski's avatar
Jim Jagielski committed
  *) mod_proxy: If we get an error reading the upstream response,
     close the connection.  [Justin Erenkrantz, Roy T. Fielding,
     Jim Jagielski, Ruediger Pluem]
Jim Jagielski's avatar
Jim Jagielski committed
  *) mod_proxy_ajp: Support common headers of the AJP protocol in responses.
     PR 38340. [Aleksey Pesternikov <apesternikov yahoo.com>]

  *) mod_proxy_balancer: Do not overwrite the status of initialized workers and
     respect the configured status of uninitilized workers when creating a new
     child process. [Ruediger Pluem]

  *) mod_proxy_ajp: Crosscheck the length of the body chunk with the length of
     the ajp message to prevent mod_proxy_ajp from reading beyond the buffer
     boundaries and thus revealing possibly sensitive memory contents to the
     client. [Ruediger Pluem]

  *) Ensure that the proper status line is written to the client, fixing
     incorrect status lines caused by filters which modify r->status without 
     resetting r->status_line, such as the built-in byterange filter.
     [Jeff Trawick]

  *) mod_speling: Stop crashing with certain non-file requests.  [Jeff Trawick]

  *) mod_cache: Make caching of reverse proxies possible again. PR 38017.
     [Ruediger Pluem]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Modify apr[util] .h detection to avoid breakage on VPATH builds
     using Solaris make (amoung others) and avoid breakage in ./buildconf
     when srclib/apr[-util] are symlinks rather than directories proper.
     [William Rowe]

  *) Chunk filter: Fix chunk filter to create correct chunks in the case that
     a flush bucket is surrounded by data buckets. [Ruediger Pluem]

  *) Fix syntax error in httpd.h with strict compilers.  PR 38740.
     [Per Olausson <pao darkheim.freeserve.co.uk>]

  *) Preserve the Content-Length header for a proxied HEAD response.
     PR 18757.  [Greg Ames]

  *) Fix recursive ErrorDocument handling.  PR 36090.
     [Chris Darroch <chrisd pearsoncmg.com>]

  *) Don't hang on error return from post_read_request.  PR37790 [Nick Kew]

  *) Fix off-by-one error in proxy_balancer.  PR37753
Loading full blame...