Skip to content
CHANGES 98.7 KiB
Newer Older
                                                         -*- coding: utf-8 -*-
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.3.16

  *) core: Set MaxMemFree 2048 by default. [Stefan Fritsch]

  *) mpm_event: Fix assertion failure during very high load. [Stefan Fritsch]

  *) configure: Additional modules loaded by default: mod_headers.
     Modules moved from module set "few" to "most" and no longer loaded
     by default: mod_actions, mod_allowmethods, mod_auth_form, mod_buffer,
     mod_cgi(d), mod_include, mod_negotiation, mod_ratelimit, mod_request,
     mod_userdir. [Rainer Jung]

  *) mod_lua: Use the right lua scope when used as a hook. [Rainer Jung]

  *) configure: Only load the really imporant modules (i.e. those enabled by
     the 'few' selection) by default. Don't handle modules enabled with
     --enable-foo specially. [Stefan Fritsch]

  *) end-generation hook: Fix false notification of end-of-generation for
     temporary intervals with no active MPM children.  [Jeff Trawick]

  *) mod_ssl: Add support for RFC 5077 TLS Session tickets.
     [Paul Querna]

  *) mod_usertrack: Use random value instead of remote IP address.
     [Stefan Fritsch]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.3.15

  *) SECURITY: CVE-2011-3348 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
     recognized.  [Jean-Frederic Clere]

  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
     core: Fix handling of byte-range requests to use less memory, to avoid
     denial of service. If the sum of all ranges in a request is larger than
     the original file, ignore the ranges and send the complete file.
     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
     <lowprio20 gmail.com>]
  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
     with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]

  *) configure: Load all modules in the generated default configuration
     when using --enable-load-all-modules. [Rainer Jung]

  *) mod_reqtimeout: Change the default to set some reasonable timeout
     values. [Stefan Fritsch]

  *) core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove
     the inode. PR 49623. [Stefan Fritsch]

  *) mod_lua: Expose SSL variables via r:ssl_var_lookup().  [Eric Covener]

  *) mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName}
     can now additionally be run as "early" or "late" relative to other modules.
     [Eric Covener]

  *) configure: By default, only load those modules that are either required
     or explicitly selected by a configure --enable-foo argument. The
     LoadModule statements for modules enabled by --enable-mods-shared=most
     and friends will be commented out. [Stefan Fritsch]

  *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and 
     LuaHookQuickHandler) from being configured in <Directory>, <Files>, 
     and htaccess where the configuration would have been ignored.
     [Eric Covener]

  *) mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors
     in LuaMapHandler scripts [Eric Covener]

  *) mod_log_debug: Rename optional argument from if= to expr=, to be more
     in line with other config directives. [Stefan Fritsch]

  *) mod_headers: Require an expression to be specified with expr=, to be more
     in line with other config directives. [Stefan Fritsch]

  *) mod_substitute: To prevent overboarding memory usage, limit line length
     to 1MB. [Stefan Fritsch]

  *) mod_lua: Make the query string (r.args) writable. [Eric Covener]

  *) mod_include: Add support for application/x-www-form-urlencoded encoding
     and decoding. [Graham Leggett]

  *) rotatelogs: Add -c option to force logfile creation in every rotation 
     interval, even if empty.  [Jan Kaluža <jkaluza redhat.com>]
 
  *) core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings.
     [Stefan Fritsch]

  *) mod_session_crypto: Refactor to support the new apr_crypto API.
     [Graham Leggett]

  *) http: Add missing Location header if local URL-path is used as
     ErrorDocument for 30x. [Stefan Fritsch]

  *) mod_buffer: Make sure we step down for subrequests, but not for internal
     redirects triggered by mod_rewrite. [Graham Leggett]

  *) mod_lua: add r:construct_url as a wrapper for ap_construct_url.
     [Eric Covener]
 
  *) mod_remote_ip: Fix configuration of internal proxies. PR 49272.
     [Jim Riggs <jim riggs me>]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific
     server IP endpoint and remote client IP upon connection.  [William Rowe]

  *) mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with
     PeerExtList(). [Stefan Fritsch]

  *) mpm_prefork, mpm_worker, mpm_event: If a child is created just before
     graceful restart and then exits because of a missing lock file, don't
     shutdown the whole server. PR 39311. [Shawn Michael
     <smichael rightnow com>]

  *) mpm_event: Check the return value from ap_run_create_connection.
     PR: 41194. [Davi Arnaut]

  *) mod_mime_magic: Add signatures for PNG and SWF to the example config.
     PR: 48352. [Jeremy Wagner-Kaiser <jwagner-kaiser adknowledge com>]

  *) core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items
     from the parsed (or default) config. This is useful for init scripts that
     need to setup temporary directories and permissions. [Stefan Fritsch]

  *) core, mod_actions, mod_asis: Downgrade error log messages which accompany
     a 404 request status from loglevel error to info. PR: 35768. [Stefan
     Fritsch]

Jeff Trawick's avatar
Jeff Trawick committed
  *) core: Fix hook sorting with Perl modules. PR: 45076. [Torsten Foertsch
  *) core: Enforce LimitRequestFieldSize after multiple headers with the same
     name have been merged. [Stefan Fritsch]

  *) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory
     usage.  PR 51618. [Cristian Rodríguez <crrodriguez opensuse org>,
  *) mod_ssl: At startup, when checking a server certificate whether it
     matches the configured ServerName, also take dNSName entries in the
     subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand]

  *) mod_substitute: Reduce memory usage and copying of data. PR 50559.
     [Stefan Fritsch]

  *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
     [Kaspar Brand]

  *) Add wrappers for malloc, calloc, realloc that check for out of memory
     situations and use them in many places. PR 51568, PR 51569, PR 51571.
     [Stefan Fritsch]

  *) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is 
     false but RLIMIT_* are defined.  PR51371. [Eric Covener]

  *) core: Correctly obey ServerName / ServerAlias if the Host header from the
     request matches the VirtualHost address.
     PR 51709. [Micha Lenk <micha lenk.info>]

  *) mod_unique_id: Use random number generator to initialize counter.
     PR 45110. [Stefan Fritsch]

  *) core: Add convenience API for apr_random. [Stefan Fritsch]

  *) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control
     the number of overlapping and reversing ranges (respectively) permitted
     before returning the entire resource, with a default limit of 20.
     [Jim Jagielski]

  *) mod_ldap: Optional function uldap_ssl_supported(r) always returned false
     if called from a virtual host with mod_ldap directives in it.  Did not
     affect mod_authnz_ldap's usage of mod_ldap.  [Eric Covener]

  *) mod_filter: Instead of dropping the Accept-Ranges header when a filter
     registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
     set the header value to "none". [Eric Covener, Ruediger Pluem]

  *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
     in the case Ranges are being ignored with MaxRanges none.
     [Eric Covener]

  *) mod_ssl: revamp CRL-based revocation checking when validating
     certificates of clients or proxied servers. Completely delegate
     CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck
     directive for controlling the revocation checking mode. [Kaspar Brand]

  *) core: Add MaxRanges directive to control the number of ranges permitted
     before returning the entire resource, with a default limit of 200.
  *) mod_cache: Ensure that CacheDisable can correctly appear within
     a LocationMatch. [Graham Leggett]

  *) mod_cache: Fix the moving of the CACHE filter, which erroneously
     stood down if the original filter was not added by configuration.
Loading full blame...