Posted to cvs@httpd.apache.org by ji...@apache.org on 2017/07/06 17:42:48 UTC

svn commit: r20343 [1/3] - /dev/httpd/

Author: jim
Date: Thu Jul  6 17:42:48 2017
New Revision: 20343

Log:
Make test tarballs available

Added:
    dev/httpd/CHANGES_2.4.27
    dev/httpd/httpd-2.4.27-deps.tar.bz2   (with props)
    dev/httpd/httpd-2.4.27-deps.tar.bz2.asc   (with props)
    dev/httpd/httpd-2.4.27-deps.tar.bz2.md5
    dev/httpd/httpd-2.4.27-deps.tar.bz2.sha1
    dev/httpd/httpd-2.4.27-deps.tar.bz2.sha256
    dev/httpd/httpd-2.4.27-deps.tar.gz   (with props)
    dev/httpd/httpd-2.4.27-deps.tar.gz.asc   (with props)
    dev/httpd/httpd-2.4.27-deps.tar.gz.md5
    dev/httpd/httpd-2.4.27-deps.tar.gz.sha1
    dev/httpd/httpd-2.4.27-deps.tar.gz.sha256
    dev/httpd/httpd-2.4.27.tar.bz2   (with props)
    dev/httpd/httpd-2.4.27.tar.bz2.asc   (with props)
    dev/httpd/httpd-2.4.27.tar.bz2.md5
    dev/httpd/httpd-2.4.27.tar.bz2.sha1
    dev/httpd/httpd-2.4.27.tar.bz2.sha256
    dev/httpd/httpd-2.4.27.tar.gz   (with props)
    dev/httpd/httpd-2.4.27.tar.gz.asc   (with props)
    dev/httpd/httpd-2.4.27.tar.gz.md5
    dev/httpd/httpd-2.4.27.tar.gz.sha1
    dev/httpd/httpd-2.4.27.tar.gz.sha256
Removed:
    dev/httpd/CHANGES_2.4.26
    dev/httpd/httpd-2.4.26-deps.tar.bz2
    dev/httpd/httpd-2.4.26-deps.tar.bz2.asc
    dev/httpd/httpd-2.4.26-deps.tar.bz2.md5
    dev/httpd/httpd-2.4.26-deps.tar.bz2.sha1
    dev/httpd/httpd-2.4.26-deps.tar.bz2.sha256
    dev/httpd/httpd-2.4.26-deps.tar.gz
    dev/httpd/httpd-2.4.26-deps.tar.gz.asc
    dev/httpd/httpd-2.4.26-deps.tar.gz.md5
    dev/httpd/httpd-2.4.26-deps.tar.gz.sha1
    dev/httpd/httpd-2.4.26-deps.tar.gz.sha256
    dev/httpd/httpd-2.4.26.tar.bz2
    dev/httpd/httpd-2.4.26.tar.bz2.asc
    dev/httpd/httpd-2.4.26.tar.bz2.md5
    dev/httpd/httpd-2.4.26.tar.bz2.sha1
    dev/httpd/httpd-2.4.26.tar.bz2.sha256
    dev/httpd/httpd-2.4.26.tar.gz
    dev/httpd/httpd-2.4.26.tar.gz.asc
    dev/httpd/httpd-2.4.26.tar.gz.md5
    dev/httpd/httpd-2.4.26.tar.gz.sha1
    dev/httpd/httpd-2.4.26.tar.gz.sha256
Modified:
    dev/httpd/CHANGES_2.4

Modified: dev/httpd/CHANGES_2.4
==============================================================================
--- dev/httpd/CHANGES_2.4 (original)
+++ dev/httpd/CHANGES_2.4 Thu Jul  6 17:42:48 2017
@@ -1,7 +1,66 @@
                                                          -*- coding: utf-8 -*-
 
+Changes with Apache 2.4.27
+
+  *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
+     global variable when using Lua 5.2 or later. This was exported as a
+     side effect from luaL_register, which is no longer supported as of
+     Lua 5.2 which deprecates pollution of the global namespace.
+     [Rainer Jung]
+
+  *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
+     The server will continue to run, but HTTP/2 will no longer be negotiated.
+     [Stefan Eissing]
+
+  *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
+     default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
+     [Jacob Champion, Jim Jagielski]
+
+  *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
+     PR58188, PR60831, PR61245. [Rainer Jung]
+  
+  *) mod_http2: Simplify ready queue, less memory and better performance. Update
+     mod_http2 version to 1.10.7. [Stefan Eissing]
+  
+  *) Allow single-char field names inadvertantly disallowed in 2.4.25.
+     PR 61220. [Yann Ylavic]
+
+  *) htpasswd / htdigest: Do not apply the strict permissions of the temporary
+     passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]
+
+  *) core: Avoid duplicate HEAD in Allow header.
+     This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
+     PR 61207. [Christophe Jaillet]
+
 Changes with Apache 2.4.26
 
+  *) SECURITY: CVE-2017-7679 (cve.mitre.org)
+     mod_mime can read one byte past the end of a buffer when sending a
+     malicious Content-Type response header.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+     bug in token list parsing, which allows ap_find_token() to search past
+     the end of its input string. By maliciously crafting a sequence of
+     request headers, an attacker may be able to cause a segmentation fault,
+     or to force ap_find_token() to return an incorrect value.
+     [Jacob Champion]
+
+  *) SECURITY: CVE-2017-7659 (cve.mitre.org)
+     A maliciously constructed HTTP/2 request could cause mod_http2 to
+     dereference a NULL pointer and crash the server process.
+
+  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+     mod_ssl may dereference a NULL pointer when third-party modules call
+     ap_hook_process_connection() during an HTTP request to an HTTPS port.
+     [Yann Ylavic]
+
+  *) SECURITY: CVE-2017-3167 (cve.mitre.org)
+     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+     authentication phase may lead to authentication requirements being
+     bypassed.
+     [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+
   *) HTTP/2 support no longer tagged as "experimental" but is instead considered
      fully production ready.
 
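Review bot: The CVE-2017-7659 entry in the 2.4.26 block is the only one of the five new SECURITY items without a bracketed credit; add the name, or note that it is omitted on purpose, so it matches the other four. In the 2.4.27 block, "inadvertantly" should be "inadvertently", and "PR58188, PR60831, PR61245" should use the spaced form ("PR 61220") that the neighbouring entries use. The two "+  " separator lines after the mod_lua and mod_http2 entries carry trailing whitespace.
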
@@ -9,8 +68,6 @@ Changes with Apache 2.4.26
      the session in continuous check for state changes that never happen. 
      [Stefan Eissing]
 
-  *) mod_mime: Fix error checking for quoted pairs.  [Yann Ylavic]
-
   *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
      protocols.  [Jean-Frederic Clere]
 
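Review bot: The log message "Make test tarballs available" does not mention that entries are being deleted from the 2.4.26 section, and this removal of the mod_mime line "Fix error checking for quoted pairs" is one of them. If it is dropped because the new CVE-2017-7679 entry (same module, same credit) replaces it, say so in the log message so the changelog history explains the edit.
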
@@ -18,10 +75,6 @@ Changes with Apache 2.4.26
      a possible crash if a signal is caught during (graceful) restart.
      PR 60487.  [Yann Ylavic]
 
-  *) core: Deprecate ap_get_basic_auth_pw() and add
-     ap_get_basic_auth_components().
-     [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
-
   *) mod_rewrite: When a substitution is a fully qualified URL, and the 
      scheme/host/port matches the current virtual host, stop interpreting the 
      path component as a local path just because the first component of the 
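Review bot: Removing this core entry drops the only mention of ap_get_basic_auth_components() in the lines shown; the new CVE-2017-3167 text names ap_get_basic_auth_pw() as the problem but not its replacement. Carry the deprecation and the new function name into the SECURITY entry so third-party module authors can see what to move to.
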
@@ -38,9 +91,6 @@ Changes with Apache 2.4.26
   *) core: EBCDIC fixes for interim responses with additional headers.
      [Eric Covener]
 
-  *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
-     to ssl_io_filter_error(). [Yann Ylavic]
-
   *) mod_env: when processing a 'SetEnv' directive, warn if the environment
      variable name includes a '='. It is likely a configuration error.
      PR 60249 [Christophe Jaillet]
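Review bot: With this mod_ssl line gone, nothing in the lines shown names ssl_io_filter_error() or bio_filter_in_ctx_t; the CVE-2017-3169 entry added in the first hunk describes the trigger (ap_hook_process_connection() during an HTTP request to an HTTPS port) but not what was changed. If the two describe the same fix, keep a short pointer to the affected function in the SECURITY entry so the CVE can be matched to the code.
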
@@ -122,11 +172,6 @@ Changes with Apache 2.4.26
      variables just before invoking the FastCGI. [Eric Covener,
      Jacob Champion]
 
-  *) mod_proxy: Allow the per-request environment variable "no-proxy" to
-     be used as an alternative to ProxyPass /path !. This is primarily
-     to set exceptions for ProxyPass specified in <Location> context.
-    Use SetEnvIf, not SetEnv. [Eric Covener]
-
   *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
      a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
      default.  Add ProxyFCGIBackendType to allow the type of backend to be
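
Review bot: Unlike the three removals before it, the deleted mod_proxy "no-proxy" entry has no counterpart added anywhere in the diff shown, so the 2.4.26 section loses both the description of the variable and the "Use SetEnvIf, not SetEnv" guidance. Confirm that it duplicates an entry elsewhere in the file or was not part of 2.4.26; otherwise keep it.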