git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610749 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610748 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610745 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610741 13f79535-47bb-0310-9956-ffa450edef68

one-liner down first ;)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610738 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610737 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610736 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610733 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610704 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610701 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610691 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610670 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610661 13f79535-47bb-0310-9956-ffa450edef68

SECURITY (CVE-2014-3523): Fix a memory consumption denial of
service in the WinNT MPM used in all Windows installations.
Workaround: AcceptFilter <protocol> {none|connect}

Submitted by: trawick
Reviewed by: jorton, covener, jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610653 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610641 13f79535-47bb-0310-9956-ffa450edef68

r1610518 in trunk

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610522 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610517 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610516 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610514 13f79535-47bb-0310-9956-ffa450edef68

    *) SECURITY: CVE-2014-0231 (cve.mitre.org)
       mod_cgid: Fix a denial of service against CGI scripts that do
       not consume stdin that could lead to lingering HTTPD child processes
       filling up the scoreboard and eventually hanging the server.
       [Rainer Jung, Eric Covener, Yann Ylavic]

Submitted By: rjung, covener, ylavic
Reviewed By: trawick, jorton, covener, jim




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610512 13f79535-47bb-0310-9956-ffa450edef68

      *) SECURITY: CVE-2014-0118 (cve.mitre.org)
         mod_deflate: The DEFLATE input filter (inflates request bodies) now
         limits the length and compression ratio of inflated request bodies to avoid
         denial of sevice via highly compressed bodies.  See directives
         DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
         and DeflateInflateRatioBurst.

    Thanks to Giancarlo Pellegrino and Davide Balzarotti for reporting the issue.

Submitted By: ylavic, covener
Reviewed By: jorton, covener, jim 



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610503 13f79535-47bb-0310-9956-ffa450edef68

SECURITY (CVE-2014-0226): Fix a race condition in scoreboard handling,
which could lead to a heap buffer overflow.  Thanks to Marek Kroemeke
working with HP's Zero Day Initiative for reporting this.

* include/scoreboard.h: Add ap_copy_scoreboard_worker.

* server/scoreboard.c (ap_copy_scoreboard_worker): New function.

* modules/generators/mod_status.c (status_handler): Use it.

* modules/lua/lua_request.c (lua_ap_scoreboard_worker): Likewise.

Reviewed by: trawick, jorton, covener, jim
Submitted by: jorton, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610499 13f79535-47bb-0310-9956-ffa450edef68

This issue affected httpd versions 2.4.5 and 2.4.6 only.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610495 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610400 13f79535-47bb-0310-9956-ffa450edef68

Extend the scope of SSLSessionCacheTimeout to sessions
resumed by TLS session resumption (RFC 5077).

Submitted by: rjung
Reviewed by: rjung, ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610399 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610398 13f79535-47bb-0310-9956-ffa450edef68

mod_deflate:
Don't fail when asked to flush inflated data to the user-agent and that
coincides with the end of stream ("Zlib error flushing inflate buffer").
PR 56196.

Submitted By: [Christoph Fausak <christoph.fausak glueckkanja com>]
Committed By: ylavic


mod_deflate: follows up r1572896.
Be safe from successive or post end-of-stream flush buckets.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610397 13f79535-47bb-0310-9956-ffa450edef68

PR54587: LDAP connections used for authn were not respecting 
LDAPConnectionPoolTimeout due to confusion over what "bound" means.

Added some LDAP trace at TRACE5 to track how LDAP connections are
reused and rebound.



make LDAPConnectionPoolTTL more conservative, use r->request_time rather than
end-of-request time, and only update it after a round-trip with the LDAP
server rather than every time we check back into the pool.


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610396 13f79535-47bb-0310-9956-ffa450edef68

Forward local IP address as a custom request attribute
like we already do for the remote port.

Both were forgotten in the original AJP 13 spec
but are needed by the Servlet spec. Until now,
Tomcat simply returns for getLocalAddr() the same as
for getLocalName().

The next round of Tomcat releases will look for the
optional new request attribute.

See also Tomcat BZ 56661.

Submitted by: rjung
Reviewed by: trawick, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610340 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610331 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610330 13f79535-47bb-0310-9956-ffa450edef68

core: Include any error notes set by modules in the canned error
response for 403 errors.

Submitted by: trawick
Reviewed by: minfrin, rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610328 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Set an error note for requests rejected due to
SSLStrictSNIVHostCheck

Submitted by: trawick
Reviewed by: minfrin, rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610327 13f79535-47bb-0310-9956-ffa450edef68

SNI errors.

Submitted by: trawick
Reviewed by: minfrin, rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610326 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610321 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610319 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610312 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610263 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610221 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610179 13f79535-47bb-0310-9956-ffa450edef68