Newer
Older
-*- coding: utf-8 -*-
Martin Kraemer
committed
Changes with Apache 2.3.0
[Remove entries to the current 2.0 and 2.2 section below, when backported]
*) mod_speling: Add directive to deal with case corrections only
and ignore other misspellings [Olivier Thereaux <ot w3.org>]
*) mod_disk_cache: If possible, check if the size of an object to cache is
within the configured boundaries before actually saving data.
[Niklas Edmundsson <nikke acc.umu.se>]
*) mod_cache: Convert all values to seconds before comparing them when
checking whether to send a Warning header for a stale response.
PR 39713. [Owen Taylor <otaylor redhat.com>]
Ruediger Pluem
committed
*) mod_authnz_ldap: Fix a problem with invalid auth error detection for
LDAP client SDKs that don't support LDAP_SECURITY_ERROR macro. PR 39529.
[Ray Price <dohrayme yahoo.com>, Josh Fenlason <jfenlason ptc.com>]
*) mod_cache: Do not overwrite the Content-Type in the cache, for
successfully revalidated cached objects. PR 39647. [Ruediger Pluem]
*) mod_disk_cache: Delete temporary files if they cannot be renamed to their
final name. [Davi Arnaut <davi haxent.com.br>]
*) Worker MPM: On graceless shutdown or restart, send signals to
each worker thread to wake them up if they're polling on a
Keep-Alive connection. PR 38737. [Chris Darroch]
*) Worker and event MPMs: Remove improper scoreboard updates which were
performed in the event of a fork() failure. [Chris Darroch]
Ruediger Pluem
committed
*) mod_cache: Make caching of reverse SSL proxies possible again. PR 39593.
[Ruediger Pluem, Joe Orton]
Ruediger Pluem
committed
*) Add support for fcgi:// proxies to mod_rewrite.
[Markus Schiegl <ms schiegl.com>]
*) Remove incorrect comments from scoreboard.h regarding conditional
loading of worker_score structure with mod_status, and remove unused
definitions relating to old life_status field.
[Chris Darroch <chrisd pearsoncmg.com>]
*) Remove allocation of memory for unused array of lb_score pointers
in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>]
*) core, mod_http: add optional 'scheme://' prefix to ServerName directive.
For 'https', mod_http returns "https" for the ap_hook_http_scheme and
DEFAULT_HTTPS_PORT for ap_hook_default_port. This fixes Redirect
responses to requests for directories without a trailing slash when
httpd runs behind a proxy or offload device that processes SSL. It
also enables support for Subversion in that configuration. This change is
completely backwards compatible and passes the perl-framework. Minor
mmn bump because I add a field to server_rec. [Sander Temme]
*) worker and event MPMs: fix excessive forking if fork() or child_init
take a long time. PR 39275.
[Greg Ames, Jeff Trawick, Chris Darroch <chrisd pearsoncmg.com> ]
*) Add mod_proxy_fcgi, a FastCGI back end for mod_proxy.
[Garrett Rooney, Jim Jagielski, Paul Querna]
*) Event MPM: Fill in the scoreboard's tid field. PR 38736.
[Chris Darroch <chrisd pearsoncmg.com>]
*) mod_charset_lite: Remove Content-Length when output filter can
invalidate it. Warn when input filter can invalidate it.
[Jeff Trawick]
*) mod_ssl: Fix spurious hostname mismatch warning for valid
wildcard certificates. PR 37911. [Nick Burch <nick torchbox.com>]
*) Authz: Add the new module mod_authn_core that will provide common
authn directives such as 'AuthType', 'AuthName'. Move the directives
'AuthType' and 'AuthName' out of the core module and merge mod_authz_alias
into mod_authn_core. [Brad Nicholes]
Ruediger Pluem
committed
*) Authz: Mark the directives 'Order', 'Allow', 'Deny' and 'Satisfy' as
deprecated and move them into the new module mod_access_compat which
can be loaded to provide backwards compatibility for these directives.
[Brad Nicholes]
Ruediger Pluem
committed
*) Authz: Move the 'Require' directive from the core module as well as
add the directives '<SatisfyAll>', '<SatisfyOne>', '<RequireAlias>'
and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
logic into the authorization processing. [Brad Nicholes]
Ruediger Pluem
committed
*) Authz: Add the new module mod_authz_core which acts as the
authorization provider vector and contains common authz
directives. [Brad Nicholes]
*) Authz: Renamed mod_authz_dbm authz providers from 'group' and
'file-group' to 'dbm-group' and 'dbm-file-group'. [Brad Nicholes]
*) Authz: Added the new authz providers 'env', 'ip', 'host', 'all' to handle
host-based access control provided by mod_authz_host and invoked
through the 'Require' directive. [Brad Nicholes]
*) Authz: Convert all of the authz modules from hook based to
provider based. [Brad Nicholes]
Ruediger Pluem
committed
Ruediger Pluem
committed
*) mod_cache: Add CacheMinExpire directive to set the minimum time in
seconds to cache a document.
[Brian Akins <brian.akins turner.com>, Ruediger Pluem]
*) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]
*) Fix typo in ProxyStatus syntax error message.
[Christophe Jaillet <christophe.jaillet wanadoo.fr>]
*) Asynchronous write completion for the Event MPM. [Brian Pane]
*) Added an End-Of-Request bucket type. The logging of a request and
the freeing of its pool are now done when the EOR bucket is destroyed.
This has the effect of delaying the logging until right after the last
of the response is sent; ap_core_output_filter() calls the access logger
indirectly when it destroys the EOR bucket. [Brian Pane]
*) Rewrite of logresolve support utility: IPv6 addresses are now supported
and the format of statistical output has changed. [Colm MacCarthaigh]
*) Rewrite of ap_coreoutput_filter to do nonblocking writes [Brian Pane]
*) Added new connection states for handler and write completion
[Brian Pane]
*) mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264.
[Justin Erenkrantz]
*) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive,
allowing string-valued client certificate attributes to be used for
access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1")
[Martin Kraemer, David Reid]
*) Respect GracefulShutdownTimeout in the worker and event MPMs.
[Chris Darroch, Garrett Rooney]
*) mod_mem_cache: Set content type correctly when delivering data from
cache. PR 39266. [Ruediger Pluem]
*) mod_autoindex: Fix filename escaping with FancyIndexing disabled.
PR 38910. [Robby Griffin <rmg terc.edu>]
*) mod_charset_lite: Bypass translation when the source and dest charsets
are the same. [Jeff Trawick]
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
*) mod_deflate: Allow mod_deflate to handle internal redirects.
[Brian J. France <list firehawksystems.com>]
*) mod_proxy_balancer: Initialize members of a balancer correctly.
PR 38227. [James A. Robinson <jim.robinson stanford.edu>]
*) mod_proxy: Do not release connections from connection pool twice.
PR 38793. [Ruediger Pluem, matthias <mk-asf gigacodes.de>]
*) core: Prevent reading uninitialized memory while reading a line of
protocol input. PR 39282. [Davi Arnaut <davi haxent.com.br>]
*) mod_dbd: Update defaults, improve error reporting.
[Chris Darroch <chrisd pearsoncmg com>, Nick Kew]
*) mod_dbd: Create own pool and mutex to avoid problem use of
process pool in request processing.
[Chris Darroch <chrisd pearsoncmg com>]
*) HTML-escape the Expect error message. Not classed as security as
an attacker has no way to influence the Expect header a victim will
send to a target site. Reported by Thiago Zaninotti
<thiango nstalker.com>. [Mark Cox]
*) htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
[Jeff Trawick]
*) htdbm: Warn the user when adding a plaintext password on a platform
where it wouldn't work with the server (i.e., anywhere that has
crypt()). [Jeff Trawick]
*) mod_proxy: don't reuse a connection that may be to the wrong backend
PR 39253 [Ruediger Pluem]
*) Default handler: Don't return output filter apr_status_t values.
PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]
Changes with Apache 2.2.1
*) SECURITY: CVE-2005-3357 (cve.mitre.org)
mod_ssl: Fix a possible crash during access control checks if a
non-SSL request is processed for an SSL vhost (such as the
"HTTP request received on SSL port" error message when an 400
ErrorDocument is configured, or if using "SSLEngine optional").
PR 37791. [Rüdiger Plüm, Joe Orton]
*) SECURITY: CVE-2005-3352 (cve.mitre.org)
mod_imagemap: Escape untrusted referer header before outputting
in HTML to avoid potential cross-site scripting. Change also
made to ap_escape_html so we escape quotes. Reported by JPCERT.
Loading full blame...