Posted to cvs@httpd.apache.org by wr...@apache.org on 2015/07/11 16:19:05 UTC
svn commit: r9761 - in /dev/httpd: CHANGES_2.2 CHANGES_2.2.30
httpd-2.2.30.tar.bz2 httpd-2.2.30.tar.bz2.asc httpd-2.2.30.tar.bz2.md5
httpd-2.2.30.tar.bz2.sha1 httpd-2.2.30.tar.gz httpd-2.2.30.tar.gz.asc
httpd-2.2.30.tar.gz.md5 httpd-2.2.30.tar.gz.sha1
Author: wrowe
Date: Sat Jul 11 14:19:05 2015
New Revision: 9761
Log:
Add 2.2.30 tarballs
Added:
dev/httpd/CHANGES_2.2.30
dev/httpd/httpd-2.2.30.tar.bz2 (with props)
dev/httpd/httpd-2.2.30.tar.bz2.asc (with props)
dev/httpd/httpd-2.2.30.tar.bz2.md5
dev/httpd/httpd-2.2.30.tar.bz2.sha1
dev/httpd/httpd-2.2.30.tar.gz (with props)
dev/httpd/httpd-2.2.30.tar.gz.asc (with props)
dev/httpd/httpd-2.2.30.tar.gz.md5
dev/httpd/httpd-2.2.30.tar.gz.sha1
Modified:
dev/httpd/CHANGES_2.2
Modified: dev/httpd/CHANGES_2.2
==============================================================================
--- dev/httpd/CHANGES_2.2 (original)
+++ dev/httpd/CHANGES_2.2 Sat Jul 11 14:19:05 2015
@@ -1,4 +1,123 @@
-*- coding: utf-8 -*-
+Changes with Apache 2.2.30
+
+ *) SECURITY: CVE-2015-3183 (cve.mitre.org)
+ core: Fix chunk header parsing defect.
+ Remove apr_brigade_flatten(), buffering and duplicated code from
+ the HTTP_IN filter, parse chunks in a single pass with zero copy.
+ Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
+ authorized characters. [Graham Leggett, Yann Ylavic]
+
+ *) http: Fix LimitRequestBody checks when there is no more bytes to read.
+ [Michael Kaufmann <mail michael-kaufmann.ch>]
+
+ *) core: Allow spaces after chunk-size for compatibility with implementations
+ using a pre-filled buffer. [Yann Ylavic, Jeff Trawick]
+
+ *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
+ no longer send warning-level unrecognized_name(112) alerts. PR 56241.
+ [Kaspar Brand]
+
+ *) http: Make ap_die() robust against any HTTP error code and not modify
+ response status (finally logged) when nothing is to be done. PR 56035.
+ [Yann Ylavic]
+
+ *) core, modules: Avoid error response/document handling by the core if some
+ handler or input filter already did it while reading the request (causing
+ a double response body). [Yann Ylavic]
+
+ *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
+ 5+ instead of just for FreeBSD 5. PR 53824. [Jeff Trawick,
+ Olli Hauer <ohauer gmx de>]
+
+ *) mod_proxy: use the original (non absolute) form of the request-line's URI
+ for requests embedded in CONNECT payloads used to connect SSL backends via
+ a ProxyRemote forward-proxy. PR 55892. [Hendrik Harms <hendrik.harms
+ gmail com>, William Rowe, Yann Ylavic]
+
+ *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
+ internationalization. [William Rowe]
+
+ *) mod_log_config: Implement logging for sub second timestamps and
+ request end time. [Rainer Jung]
+
+ *) mod_log_config: Ensure that time data is consistent if multiple
+ duration patterns are used in combination, e.g. %D and %{ms}T.
+ [Rainer Jung]
+
+ *) mod_log_config: Add "%{UNIT}T" format to output request duration in
+ seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
+ [Ben Reser, Rainer Jung]
+
+ *) In alignment with RFC 7525, the default recommended SSLCipherSuite
+ and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
+ default recommended SSLProtocol and SSLProxyProtocol directives now
+ exclude SSLv3. Existing configurations must be adjusted by the
+ administrator. [William Rowe]
+
+ *) core: Avoid potential use of uninitialized (NULL) request data in
+ request line error path. [Yann Ylavic]
+
+ *) mod_proxy_http: Use the "Connection: close" header for requests to
+ backends not recycling connections (disablereuse), including the default
+ reverse and forward proxies. [Yann Ylavic]
+
+ *) mod_proxy: Add ap_connection_reusable() for checking if a connection
+ is reusable as of this point in processing. [Jeff Trawick]
+
+ *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across
+ graceful restarts, even if new workers are added, old ones removed, or
+ the order changes. [Jan Kaluza, Yann Ylavic]
+
+ *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
+ PR 57100. [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
+ Yann Ylavic]
+
+ *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
+ allowing custom parameters to be configured via SSLCertificateFile,
+ and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
+ Unless custom parameters are configured, the standardized parameters
+ are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
+
+ *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
+ keys, and unconditionally disable aNULL, eNULL and EXP ciphers
+ (not overridable via SSLCipherSuite). [Kaspar Brand]
+
+ *) mod_ssl: Add support for configuring persistent TLS session ticket
+ encryption/decryption keys (useful for clustered environments).
+ [Paul Querna, Kaspar Brand]
+
+ *) SSLProtocol and SSLCipherSuite recommendations in the example/default
+ conf/extra/httpd-ssl.conf file are now global in scope, affecting all
+ VirtualHosts (matching 2.4 default configuration). [William Rowe]
+
+ *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
+ selected DB engine. PR 46421. [Jan Kaluza].
+
+ *) Turn static function get_server_name_for_url() into public
+ ap_get_server_name_for_url() and use it where appropriate. This
+ fixes mod_rewrite generating invalid URLs for redirects to IPv6
+ literal addresses. PR 52831 [Stefan Fritsch]
+
+ *) dav_validate_request: avoid validating locks and ETags when there are
+ no If headers providing them on a resource we aren't modifying.
+ [Ben Reser]
+
+ *) mod_ssl: New directive SSLSessionTickets (On|Off).
+ The directive controls the use of TLS session tickets (RFC 5077),
+ default value is "On" (unchanged behavior).
+ Session ticket creation uses a random key created during web
+ server startup and recreated during restarts. No other key
+ recreation mechanism is available currently. Therefore using session
+ tickets without restarting the web server with an appropriate frequency
+ (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
+
+ *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
+ compile against APR-1.2.x (minimum required version). [Yann Ylavic]
+
+ *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts
+ computed for subsequent requests. PR 56729. [Eric Covener]
+
Changes with Apache 2.2.29
*) Corrected docs/manual pages for new MergeTrailers directive and other
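Review bot: the two mod_ssl session-ticket entries in this hunk contradict each other as written. The entry "Add support for configuring persistent TLS session ticket encryption/decryption keys (useful for clustered environments)" says an operator-managed ticket key now exists, while the later SSLSessionTickets entry states "Session ticket creation uses a random key created during web server startup and recreated during restarts. No other key recreation mechanism is available currently." A reader deciding whether a periodic restart is still needed to preserve forward secrecy cannot tell which statement holds; suggest rewording the SSLSessionTickets entry to say that the startup-generated key is used only when no persistent key is configured, and to point at the directive that configures the persistent key. Separately, the CVE-2015-3183 entry describes the code change (single-pass chunk parsing, chunk-size limited to 2^63-1, strict chunk-ext characters) but not the impact class an administrator would use to prioritise the upgrade; a one-line impact statement or a reference to the project's security page would help.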
Added: dev/httpd/CHANGES_2.2.30
==============================================================================
--- dev/httpd/CHANGES_2.2.30 (added)
+++ dev/httpd/CHANGES_2.2.30 Sat Jul 11 14:19:05 2015
@@ -0,0 +1,120 @@
+ -*- coding: utf-8 -*-
+Changes with Apache 2.2.30
+
+ *) SECURITY: CVE-2015-3183 (cve.mitre.org)
+ core: Fix chunk header parsing defect.
+ Remove apr_brigade_flatten(), buffering and duplicated code from
+ the HTTP_IN filter, parse chunks in a single pass with zero copy.
+ Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
+ authorized characters. [Graham Leggett, Yann Ylavic]
+
+ *) http: Fix LimitRequestBody checks when there is no more bytes to read.
+ [Michael Kaufmann <mail michael-kaufmann.ch>]
+
+ *) core: Allow spaces after chunk-size for compatibility with implementations
+ using a pre-filled buffer. [Yann Ylavic, Jeff Trawick]
+
+ *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
+ no longer send warning-level unrecognized_name(112) alerts. PR 56241.
+ [Kaspar Brand]
+
+ *) http: Make ap_die() robust against any HTTP error code and not modify
+ response status (finally logged) when nothing is to be done. PR 56035.
+ [Yann Ylavic]
+
+ *) core, modules: Avoid error response/document handling by the core if some
+ handler or input filter already did it while reading the request (causing
+ a double response body). [Yann Ylavic]
+
+ *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
+ 5+ instead of just for FreeBSD 5. PR 53824. [Jeff Trawick,
+ Olli Hauer <ohauer gmx de>]
+
+ *) mod_proxy: use the original (non absolute) form of the request-line's URI
+ for requests embedded in CONNECT payloads used to connect SSL backends via
+ a ProxyRemote forward-proxy. PR 55892. [Hendrik Harms <hendrik.harms
+ gmail com>, William Rowe, Yann Ylavic]
+
+ *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
+ internationalization. [William Rowe]
+
+ *) mod_log_config: Implement logging for sub second timestamps and
+ request end time. [Rainer Jung]
+
+ *) mod_log_config: Ensure that time data is consistent if multiple
+ duration patterns are used in combination, e.g. %D and %{ms}T.
+ [Rainer Jung]
+
+ *) mod_log_config: Add "%{UNIT}T" format to output request duration in
+ seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
+ [Ben Reser, Rainer Jung]
+
+ *) In alignment with RFC 7525, the default recommended SSLCipherSuite
+ and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
+ default recommended SSLProtocol and SSLProxyProtocol directives now
+ exclude SSLv3. Existing configurations must be adjusted by the
+ administrator. [William Rowe]
+
+ *) core: Avoid potential use of uninitialized (NULL) request data in
+ request line error path. [Yann Ylavic]
+
+ *) mod_proxy_http: Use the "Connection: close" header for requests to
+ backends not recycling connections (disablereuse), including the default
+ reverse and forward proxies. [Yann Ylavic]
+
+ *) mod_proxy: Add ap_connection_reusable() for checking if a connection
+ is reusable as of this point in processing. [Jeff Trawick]
+
+ *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across
+ graceful restarts, even if new workers are added, old ones removed, or
+ the order changes. [Jan Kaluza, Yann Ylavic]
+
+ *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
+ PR 57100. [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
+ Yann Ylavic]
+
+ *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
+ allowing custom parameters to be configured via SSLCertificateFile,
+ and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
+ Unless custom parameters are configured, the standardized parameters
+ are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
+
+ *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
+ keys, and unconditionally disable aNULL, eNULL and EXP ciphers
+ (not overridable via SSLCipherSuite). [Kaspar Brand]
+
+ *) mod_ssl: Add support for configuring persistent TLS session ticket
+ encryption/decryption keys (useful for clustered environments).
+ [Paul Querna, Kaspar Brand]
+
+ *) SSLProtocol and SSLCipherSuite recommendations in the example/default
+ conf/extra/httpd-ssl.conf file are now global in scope, affecting all
+ VirtualHosts (matching 2.4 default configuration). [William Rowe]
+
+ *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
+ selected DB engine. PR 46421. [Jan Kaluza].
+
+ *) Turn static function get_server_name_for_url() into public
+ ap_get_server_name_for_url() and use it where appropriate. This
+ fixes mod_rewrite generating invalid URLs for redirects to IPv6
+ literal addresses. PR 52831 [Stefan Fritsch]
+
+ *) dav_validate_request: avoid validating locks and ETags when there are
+ no If headers providing them on a resource we aren't modifying.
+ [Ben Reser]
+
+ *) mod_ssl: New directive SSLSessionTickets (On|Off).
+ The directive controls the use of TLS session tickets (RFC 5077),
+ default value is "On" (unchanged behavior).
+ Session ticket creation uses a random key created during web
+ server startup and recreated during restarts. No other key
+ recreation mechanism is available currently. Therefore using session
+ tickets without restarting the web server with an appropriate frequency
+ (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
+
+ *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
+ compile against APR-1.2.x (minimum required version). [Yann Ylavic]
+
+ *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts
+ computed for subsequent requests. PR 56729. [Eric Covener]
+
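Review bot: this file is a verbatim copy of the 2.2.30 section added to CHANGES_2.2 in the previous hunk, so both copies need the same fixes or they will drift. Two small wording and punctuation points apply to both: "Fix LimitRequestBody checks when there is no more bytes to read" should read "there are no more bytes", and the attribution lines are inconsistently punctuated ("PR 46421. [Jan Kaluza]." carries a trailing period after the bracket, while "PR 52831 [Stefan Fritsch]" has no period before it). The SSLSessionTickets entry's "No other key recreation mechanism is available currently" should also be reconciled with the persistent ticket key entry above it, as in the CHANGES_2.2 hunk.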
Added: dev/httpd/httpd-2.2.30.tar.bz2
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.2.30.tar.bz2
------------------------------------------------------------------------------
svn:mime-type = application/x-bzip2
Added: dev/httpd/httpd-2.2.30.tar.bz2.asc
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.2.30.tar.bz2.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp-signature
Added: dev/httpd/httpd-2.2.30.tar.bz2.md5
==============================================================================
--- dev/httpd/httpd-2.2.30.tar.bz2.md5 (added)
+++ dev/httpd/httpd-2.2.30.tar.bz2.md5 Sat Jul 11 14:19:05 2015
@@ -0,0 +1 @@
+3a3dfb31b84542b49c49d62cb671fa7b *httpd-2.2.30.tar.bz2
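Review bot: publishing an MD5 digest for the tarball gives only an accidental-corruption check. MD5 collisions are practical, so an attacker who can substitute the archive on a mirror can also supply a matching .md5, and a downloader who verifies only this file learns nothing about authenticity. The detached PGP signature added alongside (httpd-2.2.30.tar.bz2.asc) is the check that actually binds the archive to a release key, so the download instructions should direct users to verify the signature first and treat the digest files as a secondary integrity check; if a digest is kept for convenience, SHA-256 or SHA-512 would be a better choice than MD5.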
Added: dev/httpd/httpd-2.2.30.tar.bz2.sha1
==============================================================================
--- dev/httpd/httpd-2.2.30.tar.bz2.sha1 (added)
+++ dev/httpd/httpd-2.2.30.tar.bz2.sha1 Sat Jul 11 14:19:05 2015
@@ -0,0 +1 @@
+b8da32bde5d776957527dceec3ff2d020020fcd4 *httpd-2.2.30.tar.bz2
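Review bot: same point as for the .md5 file. SHA-1 is stronger than MD5 but its collision resistance was already considered weakened at the time of this release, and a bare digest file served from the same location as the archive is not an authenticity check in any case. Verification guidance should rely on the .asc signature, with a SHA-256 or SHA-512 digest published alongside if a digest file is wanted for quick integrity checks.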
Added: dev/httpd/httpd-2.2.30.tar.gz
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.2.30.tar.gz
------------------------------------------------------------------------------
svn:mime-type = application/x-gzip
Added: dev/httpd/httpd-2.2.30.tar.gz.asc
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.2.30.tar.gz.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp-signature
Added: dev/httpd/httpd-2.2.30.tar.gz.md5
==============================================================================
--- dev/httpd/httpd-2.2.30.tar.gz.md5 (added)
+++ dev/httpd/httpd-2.2.30.tar.gz.md5 Sat Jul 11 14:19:05 2015
@@ -0,0 +1 @@
+a464c2a4cbc5365415cd5ba08728ddcd *httpd-2.2.30.tar.gz
Added: dev/httpd/httpd-2.2.30.tar.gz.sha1
==============================================================================
--- dev/httpd/httpd-2.2.30.tar.gz.sha1 (added)
+++ dev/httpd/httpd-2.2.30.tar.gz.sha1 Sat Jul 11 14:19:05 2015
@@ -0,0 +1 @@
+8c12e98e5b1c9c1e9133343dabc91c976702929c *httpd-2.2.30.tar.gz