Posted to cvs@httpd.apache.org by ji...@apache.org on 2015/07/10 22:32:52 UTC
svn commit: r9743 - /dev/httpd/
Author: jim
Date: Fri Jul 10 20:32:51 2015
New Revision: 9743
Log:
pretest tarballs
Added:
dev/httpd/CHANGES_2.4.16
dev/httpd/httpd-2.4.16-deps.tar.bz2 (with props)
dev/httpd/httpd-2.4.16-deps.tar.bz2.asc (with props)
dev/httpd/httpd-2.4.16-deps.tar.bz2.md5
dev/httpd/httpd-2.4.16-deps.tar.bz2.sha1
dev/httpd/httpd-2.4.16-deps.tar.gz (with props)
dev/httpd/httpd-2.4.16-deps.tar.gz.asc (with props)
dev/httpd/httpd-2.4.16-deps.tar.gz.md5
dev/httpd/httpd-2.4.16-deps.tar.gz.sha1
dev/httpd/httpd-2.4.16.tar.bz2 (with props)
dev/httpd/httpd-2.4.16.tar.bz2.asc (with props)
dev/httpd/httpd-2.4.16.tar.bz2.md5
dev/httpd/httpd-2.4.16.tar.bz2.sha1
dev/httpd/httpd-2.4.16.tar.gz (with props)
dev/httpd/httpd-2.4.16.tar.gz.asc (with props)
dev/httpd/httpd-2.4.16.tar.gz.md5
dev/httpd/httpd-2.4.16.tar.gz.sha1
Modified:
dev/httpd/CHANGES_2.4
Modified: dev/httpd/CHANGES_2.4
==============================================================================
--- dev/httpd/CHANGES_2.4 (original)
+++ dev/httpd/CHANGES_2.4 Fri Jul 10 20:32:51 2015
@@ -1,5 +1,23 @@
-*- coding: utf-8 -*-
+Changes with Apache 2.4.16
+
+ *) http: Fix LimitRequestBody checks when there is no more bytes to read.
+ [Michael Kaufmann <mail michael-kaufmann.ch>]
+
+ *) mod_alias: Revert expression parser support for Alias, ScriptAlias
+ and Redirect due to a regression (introduced in 2.4.13, not released).
+
+ *) mod_reqtimeout: Don't let pipelining checks and keep-alive times interfere
+ with the timeouts computed for subsequent requests. PR 56729.
+ [Eric Covener, Yann Ylavic]
+
+ *) core: Avoid a possible truncation of the faulty header included in the
+ HTML response when LimitRequestFieldSize is reached. [Yann Ylavic]
+
+ *) mod_ldap: In some case, LDAP_NO_SUCH_ATTRIBUTE could be returned instead
+ of an error during a compare operation. [Eric Covener]
+
Changes with Apache 2.4.15
*) mod_ext_filter, mod_charset_lite: Avoid inadvertent filtering of protocol
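Review bot: The mod_alias revert entry in the new 2.4.16 block carries no bracketed attribution, while every other entry added in this hunk ends with one; add the committer's name so the revert can be traced to a person. The LimitRequestBody entry also does not say how the check failed (whether the limit was enforced too early or not at all), which administrators need in order to judge whether they were affected. Wording: "when there is no more bytes to read" should read "when there are no more bytes to read", and "In some case" should be "In some cases".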
Added: dev/httpd/CHANGES_2.4.16
==============================================================================
--- dev/httpd/CHANGES_2.4.16 (added)
+++ dev/httpd/CHANGES_2.4.16 Fri Jul 10 20:32:51 2015
@@ -0,0 +1,292 @@
+ -*- coding: utf-8 -*-
+
+Changes with Apache 2.4.16
+
+ *) http: Fix LimitRequestBody checks when there is no more bytes to read.
+ [Michael Kaufmann <mail michael-kaufmann.ch>]
+
+ *) mod_alias: Revert expression parser support for Alias, ScriptAlias
+ and Redirect due to a regression (introduced in 2.4.13, not released).
+
+ *) mod_reqtimeout: Don't let pipelining checks and keep-alive times interfere
+ with the timeouts computed for subsequent requests. PR 56729.
+ [Eric Covener, Yann Ylavic]
+
+ *) core: Avoid a possible truncation of the faulty header included in the
+ HTML response when LimitRequestFieldSize is reached. [Yann Ylavic]
+
+ *) mod_ldap: In some case, LDAP_NO_SUCH_ATTRIBUTE could be returned instead
+ of an error during a compare operation. [Eric Covener]
+
+Changes with Apache 2.4.15
+
+ *) mod_ext_filter, mod_charset_lite: Avoid inadvertent filtering of protocol
+ data during read of chunked request bodies. PR 58049.
+ [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_ldap: Stop leaking LDAP connections when 'LDAPConnectionPoolTTL 0'
+ is configured. PR 58037. [Ted Phelps <phelps gnusto.com>]
+
+ *) core: Allow spaces after chunk-size for compatibility with implementations
+ using a pre-filled buffer. [Yann Ylavic, Jeff Trawick]
+
+ *) mod_ssl: Remove deprecated SSLCertificateChainFile warning.
+ [Yann Ylavic]
+
+Changes with Apache 2.4.14
+
+ *) SECURITY: CVE-2015-3183 (cve.mitre.org)
+ core: Fix chunk header parsing defect.
+ Remove apr_brigade_flatten(), buffering and duplicated code from
+ the HTTP_IN filter, parse chunks in a single pass with zero copy.
+ Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
+ authorized characters. [Graham Leggett, Yann Ylavic]
+
+ *) SECURITY: CVE-2015-3185 (cve.mitre.org)
+ Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
+ with new ap_some_authn_required and ap_force_authn hook. [Ben Reser]
+
+Changes with Apache 2.4.13
+
+ *) SECURITY: CVE-2015-0253 (cve.mitre.org)
+ core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
+ with the INCLUDES filter active, introduced in 2.4.11. PR 57531.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2015-0228 (cve.mitre.org)
+ mod_lua: A maliciously crafted websockets PING after a script
+ calls r:wsupgrade() can cause a child process crash.
+ [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_proxy: Don't put the worker in error state for 500 or 503 errors
+ returned by the backend unless failonstatus is configured to. PR 56925.
+ [Yann Ylavic]
+
+ *) core: Don't lowercase the argument to SetHandler if it begins with
+ "proxy:unix". PR 57968. [Eric Covener]
+
+ *) mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
+ the OCSP response for a different certificate. mod_ssl has an additional
+ global mutex, "ssl-stapling-refresh". PR 57131 (partial fix).
+ [Jeff Trawick]
+
+ *) mod_authz_dbm: Fix crashes when "dbm-file-group" is used and
+ authz modules were loaded in the "wrong" order. [Joe Orton]
+
+ *) mod_authn_dbd, mod_authz_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
+ of DB lookup entries independently of the selected DB engine. PR 46421.
+ [Steven whitson <steven.whitson gmail com>, Jan Kaluza, Yann Ylavic].
+
+ *) In alignment with RFC 7525, the default recommended SSLCipherSuite
+ and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
+ default recommended SSLProtocol and SSLProxyProtocol directives now
+ exclude SSLv3. Existing configurations must be adjusted by the
+ administrator. [William Rowe]
+
+ *) mod_ssl: Add support for extracting subjectAltName entries of type
+ rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
+ environment variables. Also addresses PR 57207. [Kaspar Brand]
+
+ *) dav_validate_request: avoid validating locks and ETags when there are
+ no If headers providing them on a resource we aren't modifying.
+ [Ben Reser]
+
+ *) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
+ response header to be used by the application, for when the application
+ or framework is unable to return Location in the internal-redirect
+ form. [Jeff Trawick]
+
+ *) core: Cleanup the request soon/even if some output filter fails to
+ handle the EOR bucket. [Yann Ylavic]
+
+ *) mpm_event: Allow for timer events duplicates. [Jim Jagielski, Yann Ylavic]
+
+ *) mod_proxy, mod_ssl, mod_cache_socache, mod_socache_*: Support machine
+ readable server-status produced when using the "?auto" query string.
+ [Rainer Jung]
+
+ *) mod_status: Add more data to machine readable server-status produced
+ when using the "?auto" query string. [Rainer Jung]
+
+ *) mod_ssl: Check for the Entropy Gathering Daemon (EGD) availability at
+ configure time (RAND_egd), and complain if SSLRandomSeed requires using
+ it otherwise. [Bernard Spil <pil.oss gmail com>, Stefan Sperling,
+ Kaspar Brand]
+
+ *) mod_ssl: make sure to consistently output SSLCertificateChainFile
+ deprecation warnings, when encountered in a VirtualHost block.
+ [Falco Schwarz <hiding falco.me>]
+
+ *) mod_log_config: Add "%{UNIT}T" format to output request duration in
+ seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
+ [Ben Reser, Rainer Jung]
+
+ *) Allow FallbackResource to work when a directory is requested and
+ there is no autoindex nor DirectoryIndex.
+ [Jack <tjerk.meesters gmail.com>, Eric Covener]
+
+ *) mod_proxy_wstunnel: Bypass the handler while the connection is not
+ upgraded to WebSocket, so that other modules can possibly take over
+ the leading HTTP requests. [Yann Ylavic]
+
+ *) mod_http: Fix incorrect If-Match handling. PR 57358
+ [Kunihiko Sakamoto <ksakamoto google.com>]
+
+ *) mod_ssl: Add a warning if protocol given in SSLProtocol or SSLProxyProtocol
+ will override other parameters given in the same directive. This could be
+ a missing + or - prefix. PR 52820 [Christophe Jaillet]
+
+ *) core, modules: Avoid error response/document handling by the core if some
+ handler or input filter already did it while reading the request (causing
+ a double response body). [Yann Ylavic]
+
+ *) mod_proxy_ajp: Fix client connection errors handling and logged status
+ when it occurs. PR 56823. [Yann Ylavic]
+
+ *) mod_proxy: Use the correct server name for SNI in case the backend
+ SSL connection itself is established via a proxy server.
+ PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
+
+ *) mod_ssl: Fix possible crash when loading server certificate constraints.
+ PR 57694. [Paul Spangler <paul.spangler ni com>, Yann Ylavic]
+
+ *) build: Don't load both mod_cgi and mod_cgid in the default configuration
+ if they're both built. [olli hauer <ohauer gmx.de>]
+
+ *) mod_logio: Add LogIOTrackTTFB and %^FB logformat to log the time
+ taken to start writing response headers. [Eric Covener]
+
+ *) mod_ssl: Avoid compilation errors with LibreSSL related to
+ the use of ENGINE_CTRL_CHIL_SET_FORKCHECK.
+ [Stuart Henderson <sthen openbsd.org>]
+
+ *) mod_proxy_http: Use the "Connection: close" header for requests to
+ backends not recycling connections (disablereuse), including the default
+ reverse and forward proxies. [Yann Ylavic]
+
+ *) mod_proxy: Add ap_connection_reusable() for checking if a connection
+ is reusable as of this point in processing. [Jeff Trawick]
+
+ *) mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad
+ Gateway) when no response is ever received from the backend.
+ [Jan Kaluza]
+
+ *) core_filters: Restore/disable TCP_NOPUSH option after non-blocking
+ sendfile. [Yann Ylavic]
+
+ *) mod_buffer: Forward flushed input data immediately and avoid (unlikely)
+ access to freed memory. [Yann Ylavic, Christophe Jaillet]
+
+ *) core: Add CGIPassAuth directive to control whether HTTP authorization
+ headers are passed to scripts as CGI variables. PR 56855. [Jeff
+ Trawick]
+
+ *) core: Initialize scoreboard's used optional functions on graceful restarts
+ to avoid a crash when relocation occurs. PR 57177. [Yann Ylavic]
+
+ *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
+ back to a client. The answer to a LOCK request could be an extremly large
+ integer if the time needed to lock the resource was longer that the
+ requested timeout given in the LOCK request. In such a case, we now answer
+ "Second-0". PR55420
+ [Christophe Jaillet]
+
+ *) mod_cgid: Within the first minute of a server start or restart,
+ allow mod_cgid to retry connecting to its daemon process. Previously,
+ 'No such file or directory: unable to connect to cgi daemon...' could
+ be logged without an actual retry. PR57685.
+ [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_proxy: Use the original (non absolute) form of the request-line's URI
+ for requests embedded in CONNECT payloads used to connect SSL backends via
+ a ProxyRemote forward-proxy. PR 55892. [Hendrik Harms <hendrik.harms
+ gmail com>, William Rowe, Yann Ylavic]
+
+ *) http: Make ap_die() robust against any HTTP error code and not modify
+ response status (finally logged) when nothing is to be done. PR 56035.
+ [Yann Ylavic]
+
+ *) mod_proxy_connect/wstunnel: If both client and backend sides get readable
+ at the same time, don't lose errors occuring while forwarding on the first
+ side when none occurs next on the other side, and abort. [Yann Ylavic]
+
+ *) mod_rewrite: Improve relative substitutions in per-directory/htaccess
+ context for directories found by mod_userdir and mod_alias. These no
+ longer require RewriteBase to be specified. [Eric Covener]
+
+ *) mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
+ finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
+ or force-proxy-request-1.0. [Yann Ylavic]
+
+ *) core: If explicitly configured, use the KeepaliveTimeout value of the
+ virtual host which handled the latest request on the connection, or by
+ default the one of the first virtual host bound to the same IP:port.
+ PR56226. [Yann Ylavic]
+
+ *) mod_lua: After a r:wsupgrade(), mod_lua was not properly
+ responding to a websockets PING but instead invoking the specified
+ script. PR57524. [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
+ a combination of certificate serialNumber and issuer as defined by
+ CertificateExactMatch in RFC4523. [Graham Leggett]
+
+ *) core: Add expression support to ErrorDocument. Switch from a fixed
+ sized 664 byte array per merge to a hash table. [Graham Leggett]
+
+ *) ab: Add missing longest request (100%) to CSV export.
+ [Marcin Fabrykowski <bugzilla fabrykowski.pl>]
+
+ *) mod_macro: Clear macros before initialization to avoid use-after-free
+ on startup or restart when the module is linked statically. PR 57525
+ [apache.org tech.futurequest.net, Yann Ylavic]
+
+ *) mod_alias: Introduce expression parser support for Alias, ScriptAlias
+ and Redirect. [Graham Leggett]
+
+ *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
+ PR 57100. [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
+ Yann Ylavic]
+
+ *) mpm_event: Avoid access to the scoreboard from the connection while
+ it is suspended (waiting for events). [Eric Covener, Jeff Trawick]
+
+ *) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
+ PR 57334. [Yann Ylavic].
+
+ *) mod_deflate: A misplaced check prevents limiting small bodies with the
+ new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]
+
+ *) mod_proxy_ajp: Forward SSL protocol name (SSLv3, TLSv1.1 etc.) as a
+ request attribute to the backend. Recent Tomcat versions will extract
+ it and provide it as a servlet request attribute named
+ "org.apache.tomcat.util.net.secure_protocol_version". [Rainer Jung]
+
+ *) core: Optimize string concatenation in expression parser when evaluating
+ a string expression. [Rainer Jung]
+
+ *) acinclude.m4: Generate #LoadModule directive in default httpd.conf for
+ every --enable-mpms-shared. PR 53882. [olli hauer <ohauer gmx.de>,
+ Yann Ylavic]
+
+ *) mod_authn_dbd: Fix the error message logged in case of error while querying
+ the database. This is associated to AH01656 and AH01661. [Christophe Jaillet]
+
+ *) mod_authz_groupfile: Reduce the severity of AH01667 from ERROR to DEBUG,
+ because it may be evaluated inside <RequireAny>. PR55523. [Eric Covener]
+
+ *) mod_ssl: Fix small memory leak during initialization when ECDH is used.
+ [Jan Kaluza]
+
+
+ [Apache 2.3.0-dev includes those bug fixes and changes with the
+ Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
+
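Review bot: The 2.4.13 section still lists "mod_alias: Introduce expression parser support for Alias, ScriptAlias and Redirect" with no pointer to the 2.4.16 entry at the top of this file that reverts it, so a reader scanning by version will assume the feature is present; mark the older entry as reverted in 2.4.16 or cross-reference the two. The 2.4.16 block is a verbatim copy of the text added to CHANGES_2.4 in this same commit, so any wording fix has to be made in both files. Smaller points: "extremly", "longer that the requested timeout" and "occuring" are misspelled; PR references are written inconsistently ("PR55420", "PR57685", "PR56226" against "PR 57358"); and two attributions end with a stray period after the closing bracket ("Yann Ylavic].").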
Added: dev/httpd/httpd-2.4.16-deps.tar.bz2
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.16-deps.tar.bz2
------------------------------------------------------------------------------
svn:mime-type = application/x-bzip2
Added: dev/httpd/httpd-2.4.16-deps.tar.bz2.asc
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.16-deps.tar.bz2.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp
Added: dev/httpd/httpd-2.4.16-deps.tar.bz2.md5
==============================================================================
--- dev/httpd/httpd-2.4.16-deps.tar.bz2.md5 (added)
+++ dev/httpd/httpd-2.4.16-deps.tar.bz2.md5 Fri Jul 10 20:32:51 2015
@@ -0,0 +1 @@
+c60b5504f7215abb585cd6b796f3b65c *httpd-2.4.16-deps.tar.bz2
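Review bot: The only digests published for this tarball are MD5 (this file) and SHA-1 (the sibling .sha1 file added in the same commit), and both algorithms have known collision weaknesses; consider adding a SHA-256 or SHA-512 digest file alongside them. As committed, the detached .asc signature is the only artifact that provides authenticity rather than just transfer integrity, so testers of these pretest tarballs should verify it and not rely on the checksum alone. The same applies to the other .md5 and .sha1 files added below.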
Added: dev/httpd/httpd-2.4.16-deps.tar.bz2.sha1
==============================================================================
--- dev/httpd/httpd-2.4.16-deps.tar.bz2.sha1 (added)
+++ dev/httpd/httpd-2.4.16-deps.tar.bz2.sha1 Fri Jul 10 20:32:51 2015
@@ -0,0 +1 @@
+7bee08ad6cb5c2628a271e559cc3af368691c4a8 *httpd-2.4.16-deps.tar.bz2
Added: dev/httpd/httpd-2.4.16-deps.tar.gz
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.16-deps.tar.gz
------------------------------------------------------------------------------
svn:mime-type = application/x-gzip
Added: dev/httpd/httpd-2.4.16-deps.tar.gz.asc
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.16-deps.tar.gz.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp
Added: dev/httpd/httpd-2.4.16-deps.tar.gz.md5
==============================================================================
--- dev/httpd/httpd-2.4.16-deps.tar.gz.md5 (added)
+++ dev/httpd/httpd-2.4.16-deps.tar.gz.md5 Fri Jul 10 20:32:51 2015
@@ -0,0 +1 @@
+a23c7ed37524bc8b4480e75397f5da3d *httpd-2.4.16-deps.tar.gz
Added: dev/httpd/httpd-2.4.16-deps.tar.gz.sha1
==============================================================================
--- dev/httpd/httpd-2.4.16-deps.tar.gz.sha1 (added)
+++ dev/httpd/httpd-2.4.16-deps.tar.gz.sha1 Fri Jul 10 20:32:51 2015
@@ -0,0 +1 @@
+68a1025e245133a06052ff1a0d385bea11c68ba4 *httpd-2.4.16-deps.tar.gz
Added: dev/httpd/httpd-2.4.16.tar.bz2
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.16.tar.bz2
------------------------------------------------------------------------------
svn:mime-type = application/x-bzip2
Added: dev/httpd/httpd-2.4.16.tar.bz2.asc
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.16.tar.bz2.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp
Added: dev/httpd/httpd-2.4.16.tar.bz2.md5
==============================================================================
--- dev/httpd/httpd-2.4.16.tar.bz2.md5 (added)
+++ dev/httpd/httpd-2.4.16.tar.bz2.md5 Fri Jul 10 20:32:51 2015
@@ -0,0 +1 @@
+2b19cd338fd526dd5a63c57b1e9bfee2 *httpd-2.4.16.tar.bz2
Added: dev/httpd/httpd-2.4.16.tar.bz2.sha1
==============================================================================
--- dev/httpd/httpd-2.4.16.tar.bz2.sha1 (added)
+++ dev/httpd/httpd-2.4.16.tar.bz2.sha1 Fri Jul 10 20:32:51 2015
@@ -0,0 +1 @@
+9963e7482700dd50c53e47abfe2d1c5068875a9c *httpd-2.4.16.tar.bz2
Added: dev/httpd/httpd-2.4.16.tar.gz
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.16.tar.gz
------------------------------------------------------------------------------
svn:mime-type = application/x-gzip
Added: dev/httpd/httpd-2.4.16.tar.gz.asc
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.16.tar.gz.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp
Added: dev/httpd/httpd-2.4.16.tar.gz.md5
==============================================================================
--- dev/httpd/httpd-2.4.16.tar.gz.md5 (added)
+++ dev/httpd/httpd-2.4.16.tar.gz.md5 Fri Jul 10 20:32:51 2015
@@ -0,0 +1 @@
+e7b1d7761fcb5cafe9f95a955373dd7b *httpd-2.4.16.tar.gz
Added: dev/httpd/httpd-2.4.16.tar.gz.sha1
==============================================================================
--- dev/httpd/httpd-2.4.16.tar.gz.sha1 (added)
+++ dev/httpd/httpd-2.4.16.tar.gz.sha1 Fri Jul 10 20:32:51 2015
@@ -0,0 +1 @@
+a7c6859293f59b5066b09275c69ded42bbbaf100 *httpd-2.4.16.tar.gz