Posted to cvs@httpd.apache.org by ji...@apache.org on 2013/02/18 21:31:50 UTC

svn commit: r1431 [2/3] - /dev/httpd/

Added: dev/httpd/CHANGES_2.4
==============================================================================
--- dev/httpd/CHANGES_2.4 (added)
+++ dev/httpd/CHANGES_2.4 Mon Feb 18 20:31:43 2013
@@ -0,0 +1,2940 @@
+                                                         -*- coding: utf-8 -*-
+
+Changes with Apache 2.4.4
+
+  *) SECURITY: CVE-2012-3499 (cve.mitre.org)
+     Various XSS flaws due to unescaped hostnames and URIs HTML output in
+     mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
+     [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
+
+  *) SECURITY: CVE-2012-4558 (cve.mitre.org)
+     XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
+     Niels Heinen <heinenn google com>]
+
+  *) mod_dir: Add support for the value 'disabled' in FallbackResource.
+     [Vincent Deffontaines]
+     
+  *) mod_proxy_connect: Don't keepalive the connection to the client if the
+     backend closes the connection. PR 54474. [Pavel Mateja <pavel netsafe cz>]
+
+  *) mod_lua: Add bindings for mod_dbd/apr_dbd database access.
+     [Daniel Gruno]
+     
+  *) mod_proxy: Allow for persistence of local changes made via the
+     balancer-manager between graceful/normal restarts and power
+     cycles. [Jim Jagielski]
+
+  *) mod_status: Print out list of times since a Vhost was last used.
+     [Jim Jagielski]
+
+  *) mod_proxy: Fix startup crash with mis-defined balancers.
+     PR 52402. [Jim Jagielski]
+
+  *) --with-module: Fix failure to integrate them into some existing
+     module directories.  PR 40097.  [Jeff Trawick]
+
+  *) htcacheclean: Fix potential segfault if "-p" is omitted.  [Joe Orton]
+
+  *) mod_proxy_http: Honour special value 0 (unlimited) of LimitRequestBody
+     PR 54435.  [Pavel Mateja <pavel netsafe.cz>]
+
+  *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
+     [Rainer Jung]
+
+  *) htcacheclean: Fix list options "-a" and "-A".
+     [Rainer Jung]
+
+  *) mod_slotmem_shm: Fix mistaken reset of num_free for restored shm.
+     [Jim Jagielski]
+
+  *) mod_proxy: non-existance of byrequests is not an immediate error.
+     [Jim Jagielski]
+
+  *) mod_proxy_balancer: Improve output of balancer-manager (re: Drn,
+     Dis, Ign, Stby). PR 52478 [Danijel <dt-ng rbfh de>]
+  
+  *) configure: Fix processing of --disable-FEATURE for various features.
+     [Jeff Trawick]
+
+  *) mod_dialup/mod_http: Prevent a crash in mod_dialup in case of internal
+     redirect. PR 52230.
+
+  *) various modules, rotatelogs: Replace use of apr_file_write() with
+     apr_file_write_full() to prevent incomplete writes. PR 53131.
+     [Nicolas Viennot <apache viennot biz>, Stefan Fritsch]
+
+  *) ab: Support socket timeout (-s timeout).
+     [Guido Serra <zeph fsfe org>]
+  
+  *) httxt2dbm: Correct length computation for the 'value' stored in the
+     DBM file. PR 47650 [jon buckybox com]
+
+  *) core: Be more correct about rejecting directives that cannot work in <If>
+     sections. [Stefan Fritsch]
+
+  *) core: Fix directives like LogLevel that need to know if they are invoked
+     at virtual host context or in Directory/Files/Location/If sections to
+     work properly in If sections that are not in a Directory/Files/Location.
+     [Stefan Fritsch]
+ 
+  *) mod_xml2enc: Fix problems with charset conversion altering the
+     Content-Length. [Micha Lenk <micha lenk info>]
+
+  *) ap_expr: Add req_novary function that allows HTTP header lookups
+     without adding the name to the Vary header. [Stefan Fritsch]
+
+  *) mod_slotmem_*: Add in new fgrab() function which forces a grab and
+     slot allocation on a specified slot. Allow for clearing of inuse
+     array. [Jim Jagielski]
+
+  *) mod_proxy_ftp: Fix segfaults on IPv4 requests to hosts with DNS
+     AAAA records. PR  40841. [Andrew Rucker Jones <arjones simultan
+     dyndns org>, <ast domdv de>, Jim Jagielski]
+
+  *) mod_auth_form: Make sure that get_notes_auth() sets the user as does
+     get_form_auth() and get_session_auth(). Makes sure that REMOTE_USER
+     does not vanish during mod_include driven subrequests. [Graham
+     Leggett]
+
+  *) mod_cache_disk: Resolve errors while revalidating disk-cached files on
+     Windows ("...rename tempfile to datafile failed..."). PR 38827
+     [Eric Covener]
+
+  *) mod_proxy_balancer: Bring XML output up to date. [Jim Jagielski]
+
+  *) htpasswd, htdbm: Optionally read passwords from stdin, as more
+     secure alternative to -b.  PR 40243. [Adomas Paltanavicius <adomas
+     paltanavicius gmail com>, Stefan Fritsch]
+
+  *) htpasswd, htdbm: Add support for bcrypt algorithm (requires
+     apr-util 1.5 or higher). PR 49288. [Stefan Fritsch]
+
+  *) htpasswd, htdbm: Put full 48bit of entropy into salt, improve
+     error handling. Add some of htpasswd's improvements to htdbm,
+     e.g. warn if password is truncated by crypt(). [Stefan Fritsch]
+
+  *) mod_auth_form: Support the expr parser in the
+     AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and
+     AuthFormLogoutLocation directives. [Graham Leggett]
+
+  *) mod_ssl: Add support for TLS-SRP (Secure Remote Password key exchange
+     for TLS, RFC 5054). PR 51075. [Quinn Slack <sqs cs stanford edu>,
+     Christophe Renou, Peter Sylvester]
+
+  *) mod_rewrite: Stop mergeing RewriteBase down to subdirectories
+     unless new option 'RewriteOptions MergeBase' is configured.
+     PR 53963. [Eric Covener]
+
+  *) mod_header: Allow for exposure of loadavg and server load using new 
+     format specifiers %l, %i, %b [Jim Jagielski]
+  
+  *) core: Make ap_regcomp() return AP_REG_ESPACE if out of memory.  Make
+     ap_pregcomp() abort if out of memory. This raises the minimum PCRE
+     requirement to version 6.0. [Stefan Fritsch]
+
+  *) mod_proxy: Add ability to configure the sticky session separator.
+     PR 53893. [<inu inusasha de>, Jim Jagielski]
+
+  *) mod_dumpio: Correctly log large messages
+     PR 54179 [Marek Wianecki <mieszek2 interia pl>]
+
+  *) core: Don't fail at startup with AH00554 when Include points to 
+     a directory without any wildcard character. [Eric Covener]
+
+  *) core: Fail startup if the argument to ServerTokens is unrecognized.
+     [Jackie Zhang  <jackie.qq.zhang gmail.com>]
+
+  *) mod_log_forensic: Don't log a spurious "-" if a request has been rejected
+     before mod_log_forensic could attach its id to it. [Stefan Fritsch]
+
+  *) rotatelogs: Omit the second argument for the first invocation of
+     a post-rotate program when -p is used, per the documentation.
+     [Joe Orton]
+
+  *) mod_session_dbd: fix a segmentation fault in the function dbd_remove.
+     PR 53452. [<rebanerebane gmail com>, Reimo Rebane]
+
+  *) core: Functions to provide server load values: ap_get_sload() and
+     ap_get_loadavg(). [Jim Jagielski, Jan Kaluza <jkaluza redhat.com>,
+     Jeff Trawick]
+
+  *) mod_ldap: Fix regression in handling "server unavailable" errors on 
+     Windows.  PR 54140.  [Eric Covener]
+ 
+  *) syslog logging: Remove stray ", referer" at the end of some messages.
+     [Jeff Trawick]
+
+  *) "Iterate" directives: Report an error if no arguments are provided.
+     [Jeff Trawick]
+
+  *) mod_ssl: Change default for SSLCompression to off, as compression
+     causes security issues in most setups. (The so called "CRIME" attack).
+     [Stefan Fritsch]
+
+  *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
+     to more accurately report the negotiated protocol. PR 53916.
+     [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
+
+  *) core: ErrorDocument now works for requests without a Host header.
+     PR 48357.  [Jeff Trawick]
+
+  *) prefork: Avoid logging harmless errors during graceful stop.
+     [Joe Orton, Jeff Trawick]
+
+  *) mod_proxy: When concatting for PPR, avoid cases where we
+     concat ".../" and "/..." to create "...//..." [Jim Jagielski]
+
+  *) mod_cache: Wrong content type and character set when
+     mod_cache serves stale content because of a proxy error. 
+     PR 53539.  [Rainer Jung, Ruediger Pluem]
+
+  *) mod_proxy_ajp: Fix crash in packet dump code when logging
+     with LogLevel trace7 or trace8.  PR 53730.  [Rainer Jung]
+
+  *) httpd.conf: Removed the configuration directives setting a bad_DNT
+     environment introduced in 2.4.3. The actual directives are commented
+     out in the default conf file.
+
+  *) core: Apply length limit when logging Status header values.
+     [Jeff Trawick, Chris Darroch]
+
+  *) mod_proxy_balancer: The nonce is only derived from the UUID iff
+     not set via the 'nonce' balancer param. [Jim Jagielski]
+
+  *) mod_ssl: Match wildcard SSL certificate names in proxy mode.  
+     PR 53006.  [Joe Orton]
+
+  *) Windows: Fix output of -M, -L, and similar command-line options
+     which display information about the server configuration.
+     [Jeff Trawick]
+
+Changes with Apache 2.4.3
+
+  *) SECURITY: CVE-2012-3502  (cve.mitre.org)
+     mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
+     connection closing which could lead to privacy issues due
+     to a response mixup. PR 53727. [Rainer Jung]
+
+  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
+     mod_negotiation: Escape filenames in variant list to prevent a
+     possible XSS for a site where untrusted users can upload files to
+     a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
+
+  *) mod_authnz_ldap: Don't try a potentially expensive nested groups
+     search before exhausting all AuthLDAPGroupAttribute checks on the
+     current group. PR 52464 [Eric Covener]
+
+  *) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
+     authorization provider in lua. [Stefan Fritsch]
+
+  *) core: Be less strict when checking whether Content-Type is set to 
+     "application/x-www-form-urlencoded" when parsing POST data, 
+     or we risk losing data with an appended charset. PR 53698
+     [Petter Berntsen <petterb gmail.com>]
+
+  *) httpd.conf: Added configuration directives to set a bad_DNT environment
+     variable based on User-Agent and to remove the DNT header field from
+     incoming requests when a match occurs. This currently has the effect of
+     removing DNT from requests by MSIE 10.0 because it deliberately violates
+     the current specification of DNT semantics for HTTP. [Roy T. Fielding]
+
+  *) mod_socache_shmcb: Fix bus error due to a misalignment
+     in some 32 bit builds, especially on Solaris Sparc.
+     PR 53040.  [Rainer Jung]
+
+  *) mod_cache: Set content type in case we return stale content.
+     [Ruediger Pluem]
+
+  *) Windows: Fix SSL failures on windows with AcceptFilter https none.
+     PR 52476.  [Jeff Trawick]
+
+  *) ab: Fix read failure when targeting SSL server.  [Jeff Trawick]
+
+  *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
+     - mod_auth_digest: shared memory file
+     [Jeff Trawick]
+
+  *) htpasswd: Use correct file mode for checking if file is writable.
+     PR 45923. [Stefan Fritsch]
+
+  *) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T.
+     <mi apache aldan algebra com>]
+
+  *) mod_ssl: Add new directive SSLCompression to disable TLS-level
+     compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
+
+  *) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
+     client_ip to match conn_rec. [Stefan Fritsch]
+
+  *) mod_lua: Change prototype of vm_construct, to work around gcc bug which
+     causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>]
+
+  *) mpm_event: Don't count connections in lingering close state when
+     calculating how many additional connections may be accepted.
+     [Stefan Fritsch]
+
+  *) mod_ssl: If exiting during initialization because of a fatal error,
+     log a message to the main error log pointing to the appropriate
+     virtual host error log. [Stefan Fritsch]
+
+  *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
+     one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]
+
+  *) mod_proxy_balancer: Restore balancing after a failed worker has
+     recovered when using lbmethod_bybusyness.  PR 48735.  [Jeff Trawick]
+
+  *) mod_setenvif: Compile some global regex only once during startup.
+     This should save some memory, especially with .htaccess.
+     [Stefan Fritsch]
+
+  *) core: Add the port number to the vhost's name in the scoreboard.
+     [Stefan Fritsch]
+
+  *) mod_proxy: Fix ProxyPassReverse for balancer configurations.
+     PR 45434.  [Joe Orton]
+
+  *) mod_lua: Add the parsebody function for parsing POST data. PR 53064.
+     [Daniel Gruno]
+
+  *) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS.
+     [Stefan Fritsch]
+
+  *) mod_proxy: Fix memory leak or possible corruption in ProxyBlock
+     implementation.  [Ruediger Pluem, Joe Orton]
+
+  *) mod_proxy: Check hostname from request URI against ProxyBlock list,
+     not forward proxy, if ProxyRemote* is configured.  [Joe Orton]
+
+  *) mod_proxy_connect: Avoid DNS lookup on hostname from request URI 
+     if ProxyRemote* is configured.  PR 43697.  [Joe Orton]
+
+  *) mpm_event, mpm_worker: Remain active amidst prevalent child process
+     resource shortages.  [Jeff Trawick]
+
+  *) Add "strict" and "warnings" pragmas to Perl scripts.  [Rich Bowen]
+
+  *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
+     - core: the scoreboard (ScoreBoardFile), pid file (PidFile), and
+       mutexes (Mutex)
+     [Jim Jagielski]
+
+  *) ab: Fix bind() errors.  [Joe Orton]
+
+  *) mpm_event: Don't do a blocking write when starting a lingering close
+     from the listener thread. PR 52229. [Stefan Fritsch]
+
+  *) mod_so: If a filename without slashes is specified for LoadFile or
+     LoadModule and the file cannot be found in the server root directory,
+     try to use the standard dlopen() search path. [Stefan Fritsch]
+
+  *) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced
+     after child process resource shortages.  [Jeff Trawick]
+
+  *) mpm_prefork: Reduce spawn rate after a child process exits due to
+     unexpected poll or accept failure.  [Jeff Trawick]
+
+  *) core: Log value of Status header line in script responses rather
+     than the fixed header name.  [Chris Darroch]
+
+  *) mpm_ssl: Fix handling of empty response from OCSP server.
+     [Jim Meyering <meyering redhat.com>, Joe Orton]
+
+  *) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch]
+
+  *) mod_authz_core: If an expression in "Require expr" returns denied and
+     references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
+     [Stefan Fritsch]
+
+  *) core: Always log if LimitRequestFieldSize triggers.  [Stefan Fritsch]
+
+  *) mod_deflate: Skip compression if compression is enabled at SSL level.
+     [Stefan Fritsch]
+
+  *) core: Add missing HTTP status codes registered with IANA.
+     [Julian Reschke <julian.reschke gmx.de>, Rainer Jung]
+
+  *) mod_ldap: Treat the "server unavailable" condition as a transient
+     error with all LDAP SDKs.  [Filip Valder <filip.valder vsb.cz>]
+
+  *) core: Fix spurious "not allowed here" error returned when the Options 
+     directive is used in .htaccess and "AllowOverride Options" (with no 
+     specific options restricted) is configured.  PR 53444. [Eric Covener]
+
+  *) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
+     PR 53048. [Stefan Fritsch]
+
+  *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
+     PR 53104. [Greg Ames]
+
+  *) mod_ext_filter: Fix error_log spam when input filters are configured.  
+     [Joe Orton]
+
+  *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
+
+  *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). 
+     [Paul Wouters <pwouters redhat.com>, Joe Orton]
+
+  *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
+     the chosen listener is configured for https. [Joe Orton]
+
+  *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
+     forwarding to SSL backends. PR 53134.
+     [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
+
+  *) mod_info: Display all registered providers. [Stefan Fritsch]
+
+  *) mod_ssl: Send the error message for speaking http to an https port using
+     HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
+     using SNI. PR 50823. [Stefan Fritsch]
+
+  *) core: Fix segfault in logging if r->useragent_addr or c->client_addr is
+     unset. PR 53265. [Stefan Fritsch]
+
+  *) log_server_status: Bring Perl style forward to the present, use
+     standard modules, update for new format of server-status output.
+     PR 45424. [Richard Bowen, Dave Brondsema, and others]
+
+  *) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups. 
+     [Joe Orton, André Malo]
+
+  *) core: Prevent "httpd -k restart" from killing server in presence of
+     config error. [Joe Orton]
+
+  *) mod_proxy_fcgi: If there is an error reading the headers from the
+     backend, send an error to the client. PR 52879. [Stefan Fritsch]
+
+Changes with Apache 2.4.2
+
+  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
+     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
+     current working directory to be searched for DSOs. [Stefan Fritsch]
+
+  *) mod_slotmem_shm: Honor DefaultRuntimeDir [Jim Jagielski]
+
+  *) mod_ssl: Fix crash with threaded MPMs due to race condition when
+     initializing EC temporary keys. [Stefan Fritsch]
+
+  *) mod_rewrite: Fix RewriteCond integer checks to be parsed correctly.
+     PR 53023. [Axel Reinhold <apache freakout.de>, André Malo]
+
+  *) mod_proxy: Add the forcerecovery balancer parameter that determines if
+     recovery for balancer workers is enforced. [Ruediger Pluem]
+
+  *) Fix MPM DSO load failure on AIX.  [Jeff Trawick]
+
+  *) mod_proxy: Correctly set up reverse proxy worker. PR 52935.
+     [Petter Berntsen <petterb gmail.com>]
+
+  *) mod_sed: Don't define PATH_MAX to a potentially undefined value, causing
+     compile problems on GNU hurd. [Stefan Fritsch]
+
+  *) core: Add ap_runtime_dir_relative() and DefaultRuntimeDir.
+     [Jeff Trawick]
+
+  *) core: Fix breakage of Listen directives with MPMs that use a
+     per-directory config. PR 52904. [Stefan Fritsch]
+
+  *) core: Disallow directives in AllowOverrideList which are only allowed
+     in VirtualHost or server context. These are usually not prepared to be
+     called in .htaccess files. [Stefan Fritsch]
+
+  *) core: In AllowOverrideList, do not allow 'None' together with other
+     directives. PR 52823. [Stefan Fritsch]
+
+  *) mod_slotmem_shm: Support DEFAULT_REL_RUNTIMEDIR for file-based shm.
+     [Jim Jagielski]
+
+  *) core: Fix merging of AllowOverrideList and ContentDigest.
+     [Stefan Fritsch]
+
+  *) mod_request: Fix validation of the KeptBodySize argument so it
+     doesn't always throw a configuration error. PR 52981 [Eric Covener]
+
+  *) core: Add filesystem paths to access denied / access failed messages
+     AH00035 and AH00036. [Eric Covener]
+
+  *) mod_dumpio: Properly handle errors from subsequent input filters.
+     PR 52914. [Stefan Fritsch]
+
+  *) Unix MPMs: Fix small memory leak in parent process if connect()
+     failed when waking up children.  [Joe Orton]
+
+  *) "DirectoryIndex disabled" now undoes DirectoryIndex settings in
+     the current configuration section, not just previous config sections.
+     PR 52845. [Eric Covener]
+
+  *) mod_xml2enc: Fix broken handling of EOS buckets which could lead to
+     response headers not being sent. PR 52766. [Stefan Fritsch]
+
+  *) mod_ssl: Properly free the GENERAL_NAMEs. PR 32652. [Kaspar Brand]
+
+  *) core: Check during config test that directories for the access
+     logs actually exist. PR 29941. [Stefan Fritsch]
+
+  *) mod_xml2enc, mod_proxy_html: Enable per-module loglevels.
+     [Stefan Fritsch]
+
+  *) mod_filter: Fix segfault with AddOutputFilterByType. PR 52755.
+     [Stefan Fritsch]
+
+  *) mod_session: Sessions are encoded as application/x-www-form-urlencoded
+     strings, however we do not handle the encoding of spaces properly.
+     Fixed. [Graham Leggett]
+
+  *) Configuration: Example in comment should use a path consistent
+     with the default configuration. PR 52715.
+     [Rich Bowen, Jens Schleusener, Rainer Jung]
+
+  *) Configuration: Switch documentation links from trunk to 2.4.
+     [Rainer Jung]
+
+  *) configure: Fix out of tree build using apr and apr-util in srclib.
+     [Rainer Jung]
+
+Changes with Apache 2.4.1
+
+  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
+     Fix an issue in error responses that could expose "httpOnly" cookies
+     when no custom ErrorDocument is specified for status code 400.  
+     [Eric Covener]
+
+  *) mod_proxy_balancer: Fix crash on Windows. PR 52402 [Mladen Turk]
+
+  *) core: Check during configtest that the directories for error logs exist.
+     PR 29941 [Stefan Fritsch]
+
+  *) Core configuration: add AllowOverride option to treat syntax
+     errors in .htaccess as non-fatal. PR 52439 [Nick Kew, Jim Jagielski]
+
+  *) core: Fix memory consumption in core output filter with streaming
+     bucket types like CGI or PIPE.  [Joe Orton, Stefan Fritsch]
+
+  *) configure: Disable modules at configure time if a prerequisite module
+     is not enabled. PR 52487. [Stefan Fritsch]
+
+  *) Rewrite and proxy now decline what they don't support rather
+     than fail the request. [Joe Orton]
+
+  *) Fix building against external apr plus apr-util if apr is not installed
+     in a system default path. [Rainer Jung]
+
+  *) Doxygen fixes and improvements. [Joe Orton, Igor Galić]
+
+  *) core: Fix building against PCRE 8.30 by switching from the obsolete
+     pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]
+
+Changes with Apache 2.4.0
+
+  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
+     Fix scoreboard issue which could allow an unprivileged child process
+     could cause the parent to crash at shutdown rather than terminate
+     cleanly.  [Joe Orton]
+
+  *) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch]
+
+  *) SECURITY: CVE-2012-0021 (cve.mitre.org)
+     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
+     string is in use and a client sends a nameless, valueless cookie, causing
+     a denial of service. The issue existed since version 2.2.17 and 2.3.3.
+     PR 52256.  [Rainer Canavan <rainer-apache 7val com>]
+
+  *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
+     control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive.
+     [Kaspar Brand]
+
+  *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
+     or later, to improve binary compatibility with future OpenSSL releases.
+     [Kaspar Brand]
+
+  *) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass,
+     but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime
+     behave identically in both cases. PR52342. [Graham Leggett]
+
+  *) Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with
+     corresponding man pages. [Graham Leggett]
+
+  *) Distinguish properly between the bindir and sbindir directories when
+     installing binaries. Previously all binaries were silently installed to
+     sbindir, whether they were system administration commands or not.
+     [Graham Leggett]
+
+Changes with Apache 2.3.16
+
+  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
+     Resolve additional cases of URL rewriting with ProxyPassMatch or
+     RewriteRule, where particular request-URIs could result in undesired
+     backend network exposure in some configurations.
+     [Joe Orton]
+
+  *) core: Limit line length in .htaccess to 8K like in 2.2.x, to avoid
+     additional DoS potential. [Stefan Fritsch]
+
+  *) core, all modules: Add unique tag to most error log messages. [Stefan
+     Fritsch]
+
+  *) mod_socache_memcache: Change provider name from "mc" to "memcache" to
+     match module name. [Stefan Fritsch]
+
+  *) mod_slotmem_shm: Change provider name from "shared" to "shm" to match
+     module name. [Stefan Fritsch]
+
+  *) mod_ldap: Fix segfault with Solaris LDAP when enabling ldaps. This
+     requires an apr-util fix in which is available in apr-util >= 1.4.0.
+     PR 42682. [Stefan Fritsch]
+
+  *) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible
+     for RewriteRules to be placed in .htaccess files that match the directory
+     with no trailing slash. PR 48304.
+     [Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>]
+
+  *) mod_session_crypto: Add a SessionCryptoPassphraseFile directive so that
+     the administrator can hide the keys from the configuration. [Graham
+     Leggett]
+
+  *) Introduce a per request version of the remote IP address, which can be
+     optionally modified by a module when the effective IP of the client
+     is not the same as the real IP of the client (such as a load balancer).
+     Introduce a per connection "peer_ip" and a per request "client_ip" to
+     distinguish between the raw IP address of the connection and the effective
+     IP address of the request. [Graham Leggett]
+
+  *) ap_pass_brigade_fchk() function added. [Jim Jagielski]
+
+  *) core: Pass ap_errorlog_info struct to error log hook. [Stefan Fritsch]
+
+  *) mod_cache_disk: Make sure we check return codes on all writes and
+     attempts to close, and clean up after ourselves in these cases.
+     PR43589. [Graham Leggett]
+
+  *) mod_cache_disk: Remove the unnecessary intermediate brigade while
+     writing to disk. Fixes a problem where mod_disk_cache was leaving
+     buckets in the intermediate brigade and not passing them to out on
+     exit. [Florian S. <f_los_ch yahoo.com>, Graham Leggett]
+
+  *) mod_ssl: use a shorter setting for SSLCipherSuite in the default
+     default configuration file, and add some more information about
+     configuring a speed-optimized alternative.
+     [Kaspar Brand]
+
+  *) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand]
+
+  *) mod_lua: Stop losing track of all but the most specific LuaHook* directives
+     when multiple per-directory config sections are used.  Adds LuaInherit 
+     directive to control how parent sections are merged.  [Eric Covener]
+
+  *) Server directive display (-L): Include directives of DSOs.
+     [Jeff Trawick]
+
+  *) mod_cache: Make sure we merge headers correctly when we handle a
+     non cacheable conditional response. PR52120. [Graham Leggett]
+
+  *) Pre GA removal of components that will not be included:
+     - mod_noloris was superseded by mod_reqtimeout
+     - mod_serf
+     - mpm_simple
+     [Rainer Jung]
+
+  *) core: Set MaxMemFree 2048 by default. [Stefan Fritsch]
+
+  *) mpm_event: Fix assertion failure during very high load. [Stefan Fritsch]
+
+  *) configure: Additional modules loaded by default: mod_headers.
+     Modules moved from module set "few" to "most" and no longer loaded
+     by default: mod_actions, mod_allowmethods, mod_auth_form, mod_buffer,
+     mod_cgi(d), mod_include, mod_negotiation, mod_ratelimit, mod_request,
+     mod_userdir. [Rainer Jung]
+
+  *) mod_lua: Use the right lua scope when used as a hook. [Rainer Jung]
+
+  *) configure: Only load the really imporant modules (i.e. those enabled by
+     the 'few' selection) by default. Don't handle modules enabled with
+     --enable-foo specially. [Stefan Fritsch]
+
+  *) end-generation hook: Fix false notification of end-of-generation for
+     temporary intervals with no active MPM children.  [Jeff Trawick]
+
+  *) mod_ssl: Add support for configuring persistent TLS session ticket
+     encryption/decryption keys (useful for clustered environments).
+     [Paul Querna, Kaspar Brand]
+
+  *) mod_usertrack: Use random value instead of remote IP address.
+     [Stefan Fritsch]
+
+Changes with Apache 2.3.15
+
+  *) SECURITY: CVE-2011-3348 (cve.mitre.org)
+     mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
+     recognized.  [Jean-Frederic Clere]
+
+  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
+     core: Fix handling of byte-range requests to use less memory, to avoid
+     denial of service. If the sum of all ranges in a request is larger than
+     the original file, ignore the ranges and send the complete file.
+     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
+     <lowprio20 gmail.com>]
+
+  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+     core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
+     with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]
+
+  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
+     Reject requests where the request-URI does not match the HTTP
+     specification, preventing unexpected expansion of target URLs in
+     some reverse proxy configurations.  [Joe Orton]
+
+  *) configure: Load all modules in the generated default configuration
+     when using --enable-load-all-modules. [Rainer Jung]
+
+  *) mod_reqtimeout: Change the default to set some reasonable timeout
+     values. [Stefan Fritsch]
+
+  *) core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove
+     the inode. PR 49623. [Stefan Fritsch]
+
+  *) mod_lua: Expose SSL variables via r:ssl_var_lookup().  [Eric Covener]
+
+  *) mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName}
+     can now additionally be run as "early" or "late" relative to other modules.
+     [Eric Covener]
+
+  *) configure: By default, only load those modules that are either required
+     or explicitly selected by a configure --enable-foo argument. The
+     LoadModule statements for modules enabled by --enable-mods-shared=most
+     and friends will be commented out. [Stefan Fritsch]
+
+  *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and 
+     LuaHookQuickHandler) from being configured in <Directory>, <Files>, 
+     and htaccess where the configuration would have been ignored.
+     [Eric Covener]
+
+  *) mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors
+     in LuaMapHandler scripts [Eric Covener]
+
+  *) mod_log_debug: Rename optional argument from if= to expr=, to be more
+     in line with other config directives. [Stefan Fritsch]
+
+  *) mod_headers: Require an expression to be specified with expr=, to be more
+     in line with other config directives. [Stefan Fritsch]
+
+  *) mod_substitute: To prevent overboarding memory usage, limit line length
+     to 1MB. [Stefan Fritsch]
+
+  *) mod_lua: Make the query string (r.args) writable. [Eric Covener]
+
+  *) mod_include: Add support for application/x-www-form-urlencoded encoding
+     and decoding. [Graham Leggett]
+
+  *) rotatelogs: Add -c option to force logfile creation in every rotation 
+     interval, even if empty.  [Jan Kaluža <jkaluza redhat.com>]
+ 
+  *) core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings.
+     [Stefan Fritsch]
+
+  *) mod_session_crypto: Refactor to support the new apr_crypto API.
+     [Graham Leggett]
+
+  *) http: Add missing Location header if local URL-path is used as
+     ErrorDocument for 30x. [Stefan Fritsch]
+
+  *) mod_buffer: Make sure we step down for subrequests, but not for internal
+     redirects triggered by mod_rewrite. [Graham Leggett]
+
+  *) mod_lua: add r:construct_url as a wrapper for ap_construct_url.
+     [Eric Covener]
+ 
+  *) mod_remote_ip: Fix configuration of internal proxies. PR 49272.
+     [Jim Riggs <jim riggs me>]
+
+  *) mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific
+     server IP endpoint and remote client IP upon connection.  [William Rowe]
+
+  *) mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with
+     PeerExtList(). [Stefan Fritsch]
+
+  *) mpm_prefork, mpm_worker, mpm_event: If a child is created just before
+     graceful restart and then exits because of a missing lock file, don't
+     shutdown the whole server. PR 39311. [Shawn Michael
+     <smichael rightnow com>]
+
+  *) mpm_event: Check the return value from ap_run_create_connection.
+     PR: 41194. [Davi Arnaut]
+
+  *) mod_mime_magic: Add signatures for PNG and SWF to the example config.
+     PR: 48352. [Jeremy Wagner-Kaiser <jwagner-kaiser adknowledge com>]
+
+  *) core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items
+     from the parsed (or default) config. This is useful for init scripts that
+     need to setup temporary directories and permissions. [Stefan Fritsch]
+
+  *) core, mod_actions, mod_asis: Downgrade error log messages which accompany
+     a 404 request status from loglevel error to info. PR: 35768. [Stefan
+     Fritsch]
+
+  *) core: Fix hook sorting with Perl modules. PR: 45076. [Torsten Foertsch
+     <torsten foertsch gmx net>]
+
+  *) core: Enforce LimitRequestFieldSize after multiple headers with the same
+     name have been merged. [Stefan Fritsch]
+
+  *) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory
+     usage.  PR 51618. [Cristian Rodríguez <crrodriguez opensuse org>,
+     Stefan Fritsch]
+
+  *) mod_ssl: At startup, when checking a server certificate whether it
+     matches the configured ServerName, also take dNSName entries in the
+     subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand]
+
+  *) mod_substitute: Reduce memory usage and copying of data. PR 50559.
+     [Stefan Fritsch]
+
+  *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
+     [Kaspar Brand]
+
+  *) Add wrappers for malloc, calloc, realloc that check for out of memory
+     situations and use them in many places. PR 51568, PR 51569, PR 51571.
+     [Stefan Fritsch]
+
+  *) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is 
+     false but RLIMIT_* are defined.  PR51371. [Eric Covener]
+
+  *) core: Correctly obey ServerName / ServerAlias if the Host header from the
+     request matches the VirtualHost address.
+     PR 51709. [Micha Lenk <micha lenk.info>]
+
+  *) mod_unique_id: Use random number generator to initialize counter.
+     PR 45110. [Stefan Fritsch]
+
+  *) core: Add convenience API for apr_random. [Stefan Fritsch]
+
+  *) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control
+     the number of overlapping and reversing ranges (respectively) permitted
+     before returning the entire resource, with a default limit of 20.
+     [Jim Jagielski]
+
+  *) mod_ldap: Optional function uldap_ssl_supported(r) always returned false
+     if called from a virtual host with mod_ldap directives in it.  Did not
+     affect mod_authnz_ldap's usage of mod_ldap.  [Eric Covener]
+
+  *) mod_filter: Instead of dropping the Accept-Ranges header when a filter
+     registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
+     set the header value to "none". [Eric Covener, Ruediger Pluem]
+
+  *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
+     in the case Ranges are being ignored with MaxRanges none.
+     [Eric Covener]
+
+  *) mod_ssl: revamp CRL-based revocation checking when validating
+     certificates of clients or proxied servers. Completely delegate
+     CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck
+     directive for controlling the revocation checking mode. [Kaspar Brand]
+
+  *) core: Add MaxRanges directive to control the number of ranges permitted
+     before returning the entire resource, with a default limit of 200.
+     [Eric Covener]
+
+  *) mod_cache: Ensure that CacheDisable can correctly appear within
+     a LocationMatch. [Graham Leggett]
+
+  *) mod_cache: Fix the moving of the CACHE filter, which erroneously
+     stood down if the original filter was not added by configuration.
+     [Graham Leggett]
+
+  *) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]
+
+  *) mod_authz_groupfile: Increase length limit of lines in the group file to
+     16MB. PR 43084. [Stefan Fritsch]
+
+  *) core: Increase length limit of lines in the configuration file to 16MB.
+     PR 45888. PR 50824. [Stefan Fritsch]
+
+  *) core: Add API for resizable buffers. [Stefan Fritsch]
+
+  *) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have
+     LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such
+     as Tivoli Directory Server 6.3 and later. [Eric Covener]
+
+  *) mod_ldap: Change default number of retries from 10 to 3, and add
+     an LDAPRetries and LDAPRetryDelay directives. [Eric Covener]
+
+  *) mod_authnz_ldap: Don't retry during authentication, because this just
+     multiplies the ample retries already being done by mod_ldap. [Eric Covener]
+
+  *) configure: Allow to explicitly disable modules even with module selection
+     'reallyall'. [Stefan Fritsch]
+
+  *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
+     RewriteEngine is disabled in server context, avoiding a crash while
+     referencing the invalid int: map at runtime. PR 50994.
+     [Ben Noordhuis <info noordhuis nl>]
+
+  *) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]
+
+  *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
+
+  *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
+     [Kaspar Brand]
+
+  *) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the
+     cookie is set when modules such as mod_rewrite trigger a redirect. Also
+     use r->err_headers_out for the cookie, for the same reason.  PR29755.
+     [Sami J. Mäkinen <sjm almamedia fi>, Eric Covener]
+
+  *) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and
+     'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch]
+
+  *) configure: Enable ldap modules in 'all' and 'most' selections if ldap
+     is compiled into apr-util. [Stefan Fritsch]
+
+  *) core: Add ap_check_cmd_context()-check if a command is executed in
+     .htaccess file. [Stefan Fritsch]
+
+  *) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.
+     [Torsten Foertsch <torsten foertsch gmx net>]
+
+  *) mod_authn_socache: Fix to work in .htaccess if not configured anywhere
+     in httpd.conf, and introduce an AuthnCacheEnable directive.
+     PR 51991 [Nick Kew]
+
+  *) mod_xml2enc: new (formerly third-party) module supporting
+     internationalisation for filters via smart charset sniffing
+     and conversion. [Nick Kew]
+
+  *) mod_proxy_html: new (formerly third-party) module to fix up
+     HTML links in a reverse proxy situation, where a backend
+     generates URLs that are not resolvable by Clients. [Nick Kew]
+
+Changes with Apache 2.3.14
+
+  *) mod_proxy_ajp: Improve trace logging.  [Rainer Jung]
+
+  *) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets.
+     [Rainer Jung]
+
+  *) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse,
+     e.g. to reverse proxy "Location: https://other-internal-server/login"
+     [Nick Kew]
+
+  *) prefork, worker, event: Make sure crashes are logged to the error log if
+     httpd has already detached from the console. [Stefan Fritsch]
+
+  *) prefork, worker, event: Reduce period during startup/restart where a
+     successive signal may be lost. PR 43696. [Arun Bhalla <arun shme net>]
+
+  *) mod_allowmethods: Correct Merging of "reset" and do not allow an
+     empty parameter list for the AllowMethods directive. [Rainer Jung]
+
+  *) configure: Update selection of modules for 'all' and 'most'. 'all' will
+     now enable all modules except for example and test modules. Make the
+     selection for 'most' more useful (including ssl and proxy). Both 'all'
+     and 'most' will now disable modules if dependencies are missing instead
+     of aborting. If a specific module is requested with --enable-XXX=yes,
+     missing dependencies will still cause configure to exit with an error.
+     [Stefan Fritsch]
+
+  *) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done
+     in 2.3.13. [Stefan Fritsch]
+
+  *) core: For '*' or '_default_' vhosts, use a wildcard address of any
+     address family, rather than IPv4 only.  [Joe Orton]
+
+  *) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable
+     include [ ] for literal IPv6 addresses, as mandated by RFC 3875.
+     PR 26005. [Stefan Fritsch]
+
+  *) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203.
+     [Nagae Hidetake <nagae eagan jp>]
+
+  *) core: Add more logging to ap_scan_script_header_err* functions. Add
+     ap_scan_script_header_err*_ex functions that take a module index for
+     logging.
+     mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the
+     new functions in order to make logging configurable per-module.
+     [Stefan Fritsch]
+
+  *) mod_dir: Add DirectoryIndexRedirect to send an external redirect to
+     the proper index.  [Eric Covener]
+
+  *) mod_deflate: Don't try to compress requests with a zero sized body.
+     PR 51350. [Stefan Fritsch]
+
+  *) core: Fix startup on IPv6-only systems. PR 50592. [Joe Orton,
+     <root linkage white-void net>]
+
+  *) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX,
+     REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the
+     whitelist in suexec. PR 51499. [Graham Laverty <graham reg ca>,
+     Stefan Fritsch]
+
+  *) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch]
+
+  *) mod_log_debug: New module that allows to log custom messages at various
+     phases in the request processing. [Stefan Fritsch]
+
+  *) mod_ssl: Add some debug logging when loading server certificates.
+     PR 37912. [Nick Burch <nick burch alfresco com>]
+
+  *) configure: Support reallyall option also for --enable-mods-static.
+     [Rainer Jung]
+
+  *) mod_socache_dc: add --with-distcache to configure for choosing
+     the distcache installation directory. [Rainer Jung]
+
+  *) mod_socache_dc: use correct build variable MOD_SOCACHE_DC_LDADD
+     instead of MOD_SOCACHE_LDADD in build macro. [Rainer Jung]
+
+  *) mod_lua, mod_deflate: respect platform specific runpath linker
+     flag. [Rainer Jung]
+
+  *) configure: Only link the httpd binary against PCRE. No other support
+     binary needs PCRE. [Rainer Jung]
+
+  *) configure: tolerate dependency checking failures for modules if
+     they have been enabled implicitely. [Rainer Jung]
+
+  *) configure: Allow to specify module specific custom linker flags via
+     the MOD_XXX_LDADD variables. [Rainer Jung]
+
+Changes with Apache 2.3.13
+
+  *) ab: Support specifying the local address to use. PR 48930.
+     [Peter Schuller <scode spotify com>]
+
+  *) core: Add support to ErrorLogFormat for logging the system unique
+     thread id under Linux. [Stefan Fritsch]
+
+  *) event: New AsyncRequestWorkerFactor directive to influence how many
+     connections will be accepted per process. [Stefan Fritsch]
+
+  *) prefork, worker, event: Rename MaxClients to MaxRequestWorkers which
+     describes more accurately what it does. [Stefan Fritsch]
+
+  *) rotatelogs: Add -p argument to specify custom program to invoke
+     after a log rotation.  PR 51285. [Sven Ulland <sveniu ifi.uio.no>,
+     Joe Orton]
+
+  *) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand]
+
+  *) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0.
+     PR 48215. [Kaspar Brand]
+
+  *) mod_status: Display information about asynchronous connections in the
+     server-status. PR 44377. [Stefan Fritsch]
+
+  *) mpm_event: If the number of connections of a process is very high, or if
+     all workers are busy, don't accept new connections in that process.
+     [Stefan Fritsch]
+
+  *) mpm_event: Process lingering close asynchronously instead of tying up
+     worker threads. [Jeff Trawick, Stefan Fritsch]
+
+  *) mpm_event: If MaxMemFree is set, limit the number of pools that is kept
+     around. [Stefan Fritsch]
+
+  *) mpm_event: Fix graceful restart aborting connections. PR 43359.
+     [Takashi Sato <takashi lans-tv com>]
+
+  *) mod_ssl: Disable AECDH ciphers in example config. PR 51363.
+     [Rob Stradling <rob comodo com>]
+
+  *) core: Introduce new function ap_get_conn_socket() to access the socket of
+     a connection. [Stefan Fritsch]
+
+  *) mod_data: Introduce a filter to support RFC2397 data URLs. [Graham
+     Leggett]
+
+  *) mod_userdir/mod_alias/mod_vhost_alias: Correctly set DOCUMENT_ROOT,
+     CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX. PR 26052. PR 46198.
+     [Stefan Fritsch]
+
+  *) core: Allow to override document_root on a per-request basis. Introduce
+     new context_document_root and context_prefix which provide information
+     about non-global URI-to-directory mappings (from e.g. mod_userdir or
+     mod_alias) to scripts. PR 49705. [Stefan Fritsch]
+
+  *) core: Add <ElseIf> and <Else> to complement <If> sections.
+     [Stefan Fritsch]
+
+  *) mod_ext_filter: Remove DebugLevel option in favor of per-module loglevel.
+     [Stefan Fritsch]
+
+  *) mod_include: Make the "#if expr" element use the new "ap_expr" expression
+     parser. The old parser can still be used by setting the new directive
+     SSILegacyExprParser. [Stefan Fritsch]
+
+  *) core: Add some features to ap_expr for use by mod_include: a restricted
+     mode that does not allow to bypass request access restrictions; new
+     variables DOCUMENT_URI (alias for REQUEST_URI), LAST_MODIFIED; -A as an
+     alias for -U; an additional data entry in ap_expr_eval_ctx_t for use by
+     the consumer; an extensible ap_expr_exec_ctx() API that allows to use that
+     data entry. [Stefan Fritsch]
+
+  *) mod_include: Merge directory configs instead of one SSI* config directive
+     causing all other per-directory SSI* config directives to be reset.
+     [Stefan Fritsch]
+
+  *) mod_charset_lite: Remove DebugLevel option in favour of per-module
+     loglevel. [Stefan Fritsch]
+
+  *) core: Add ap_regexec_len() function that works with non-null-terminated
+     strings. PR 51231. [Yehezkel Horowitz <horowity checkpoint com>]
+
+  *) mod_authnz_ldap: If the LDAP server returns constraint violation,
+     don't treat this as an error but as "auth denied". [Stefan Fritsch]
+
+  *) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO
+     for SCGI/FCGI. PR 50880, 50851. [Mark Montague <mark catseye.org>,
+     Jim Jagielski]
+
+  *) mod_cache: When content is served stale, and there is no means to
+     revalidate the content using ETag or Last-Modified, and we have
+     mandated no stale-on-error behaviour, stand down and don't cache.
+     Saves a cache write that will never be read.
+     [Graham Leggett]
+
+  *) mod_reqtimeout: Fix a timed out connection going into the keep-alive
+     state after a timeout when discarding a request body. PR 51103.
+     [Stefan Fritsch]
+
+  *) core: Add various file existance test operators to ap_expr.
+     [Stefan Fritsch]
+
+  *) mod_proxy_express: New mass reverse-proxy switch extension for
+     mod_proxy. [Jim Jagielski]
+
+  *) configure: Fix script error when configuring module set "reallyall".
+     [Rainer Jung]
+
+Changes with Apache 2.3.12
+
+  *) configure, core: Provide easier support for APR's hook probe
+     capability. [Jim Jagielski, Jeff Trawick]
+
+  *) Silence autoconf 2.68 warnings.  [Rainer Jung]
+
+  *) mod_authnz_ldap: Resolve crash when LDAP is used for authorization only
+     [Scott Hill <shill genscape.com>]
+
+  *) support: Make sure check_forensic works with mod_unique_id loaded
+     [Joe Schaefer]
+
+  *) Add child_status hook for tracking creation/termination of MPM child
+     processes.  Add end_generation hook for notification when the last
+     MPM child of a generation exits. [Jeff Trawick]
+
+  *) mod_ldap: Make LDAPSharedCacheSize 0 create a non-shared-memory cache per
+     process as opposed to disabling caching completely. This allows to use
+     the non-shared-memory cache as a workaround for the shared memory cache
+     not being available during graceful restarts. PR 48958. [Stefan Fritsch]
+
+  *) Add new ap_reserve_module_slots/ap_reserve_module_slots_directive API,
+     necessary if a module (like mod_perl) registers additional modules late
+     in the startup phase. [Stefan Fritsch]
+
+  *) core: Prevent segfault if DYNAMIC_MODULE_LIMIT is reached. PR 51072.
+     [Torsten Förtsch <torsten foertsch gmx net>]
+
+  *) WinNT MPM: Improve robustness under heavy load.  [Jeff Trawick]
+
+  *) MinGW build improvements.  PR 49535.  [John Vandenberg
+     <jayvdb gmail.com>, Jeff Trawick]
+
+  *) core: Support module names with colons in loglevel configuration.
+     [Torsten Förtsch <torsten foertsch gmx net>]
+
+  *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
+     [Stefan Fritsch]
+
+  *) core: Abort if the MPM is changed across restart.  [Jeff Trawick]
+
+  *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
+     [Peter Pramberger <peter pramberger.at>, Jim Jagielski]
+
+  *) mod_proxy_fcgi: Add support for 'ProxyErrorOverride on'. PR 50913.
+     [Mark Montague <mark catseye.org>, Jim Jagielski]
+
+  *) core: Change the APIs of ap_cfg_getline() and ap_cfg_getc() to return an
+     error code. Abort with a nice error message if a config line is too long.
+     Partial fix for PR 50824. [Stefan Fritsch]
+
+  *) mod_info: Dump config to stdout during startup if -DDUMP_CONFIG is
+     specified. PR 31956. [Stefan Fritsch]
+
+  *) Restore visibility of DEFAULT_PIDLOG to core and modules.  MPM
+     helper function ap_remove_pid() added.  [Jeff Trawick]
+
+  *) Enable DEFAULT_REL_RUNTIMEDIR on Windows and NetWare.  [various]
+
+  *) Correct C++ incompatibility with http_log.h.  [Stefan Fritsch, Jeff
+     Trawick]
+
+  *) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch
+     <torsten.foertsch gmx.net>]
+
+  *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
+     in request URL path info but not decode them. Change behavior of option
+     "On" to decode the encoded slashes as 2.0 and 2.2 do.  PR 35256,
+     PR 46830.  [Dan Poirier]
+
+  *) mod_ssl: Check SNI hostname against Host header case-insensitively.
+     PR 49491.  [Mayank Agrawal <magrawal.08 gmail.com>]
+
+  *) mod_ldap: Add LDAPConnectionPoolTTL to give control over lifetime
+     of bound backend LDAP connections.  PR47634 [Eric Covener]
+
+  *) mod_cache: Make CacheEnable and CacheDisable configurable per
+     directory in addition to per server, making them work from within
+     a LocationMatch. [Graham Leggett]
+
+  *) worker, event, prefork: Correct several issues when built as
+     DSOs; most notably, the scoreboard was reinitialized during graceful
+     restart, such that processes of the previous generation were not
+     observable.  [Jeff Trawick]
+
+Changes with Apache 2.3.11
+
+  *) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
+     Win32's cscript interpreter can only use a single quote as comment char.
+     [Guenter Knauf]
+
+  *) mod_proxy: balancer-manager now uses POST instead of GET.
+     [Jim Jagielski]
+
+  *) core: new util function: ap_parse_form_data(). Previously,
+     this capability was tucked away in mod_request. [Jim Jagielski]
+
+  *) core: new hook: ap_run_pre_read_request. [Jim Jagielski]
+
+  *) modules: Fix many modules that were not correctly initializing if they
+     were not active during server startup but got enabled later during a
+     graceful restart. [Stefan Fritsch]
+
+  *) core: Create new ap_state_query function that allows modules to determine
+     if the current configuration run is the initial one at server startup,
+     and if the server is started for testing/config dumping only.
+     [Stefan Fritsch]
+
+  *) mod_proxy: Runtime configuration of many parameters for existing
+     balancers via the balancer-manager. [Jim Jagielski]
+
+  *) mod_proxy: Runtime addition of new workers (BalancerMember) for existing
+     balancers via the balancer-manager. [Jim Jagielski]
+
+  *) mod_cache: When a bad Expires date is present, we need to behave as if
+     the Expires is in the past, not as if the Expires is missing. PR 16521.
+     [Co-Advisor <coad measurement-factory.com>]
+
+  *) mod_cache: We must ignore quoted-string values that appear in a
+     Cache-Control header. PR 50199. [Graham Leggett]
+
+  *) mod_dav: Revert change to send 501 error if unknown Content-* header is
+    received for a PUT request. PR 42978. [Stefan Fritsch]
+
+  *) mod_cache: Respect s-maxage as described by RFC2616 14.9.3, which must
+     take precedence if present. PR 35247. [Graham Leggett]
+
+  *) mod_ssl: Fix a possible startup failure if multiple SSL vhosts
+     are configured with the same ServerName and private key file.
+     [Masahiro Matsuya <mmatsuya redhat.com>, Joe Orton]
+
+  *) mod_socache_dc: Make module compile by fixing some typos.
+     PR 50735 [Mark Montague <mark catseye.org>]
+
+  *) prefork: Update MPM state in children during a graceful stop or
+     restart.  PR 41743.  [Andrew Punch <andrew.punch 247realmedia.com>]
+
+  *) mod_mime: Ignore leading dots when looking for mime extensions.
+     PR 50434 [Stefan Fritsch]
+
+  *) core: Add support to set variables with the 'Define' directive. The
+     variables that can then be used in the config using the ${VAR} syntax
+     known from envvar interpolation. [Stefan Fritsch]
+
+  *) mod_proxy_http: make adding of X-Forwarded-* headers configurable.
+     ProxyAddHeaders defaults to On. [Vincent Deffontaines]
+
+  *) mod_slotmem_shm: Increase memory alignment for slotmem data.
+     [Rainer Jung]
+
+  *) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout,
+     SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew.
+     [Kaspar Brand <httpd-dev.2011 velox.ch>]
+
+  *) mod_ssl: Revamp output buffering to reduce network overhead for
+     output fragmented into many buckets, such as chunked HTTP responses.
+     [Joe Orton]
+
+  *) core: Apply <If> sections to all requests, not only to file base requests.
+     Allow to use <If> inside <Directory>, <Location>, and <Files> sections.
+     The merging of <If> sections now happens after the merging of <Location>
+     sections, even if an <If> section is embedded inside a <Directory> or
+     <Files> section.  [Stefan Fritsch]
+
+  *) mod_proxy: Refactor usage of shared data by dropping the scoreboard
+     and using slotmem. Create foundation for dynamic growth/changes of
+     members within a balancer. Remove BalancerNonce in favor of a
+     per-balancer 'nonce' parameter. [Jim Jagielski]
+
+  *) mod_status: Don't show slots which are disabled by MaxClients as open.
+     PR: 47022 [Jordi Prats <jordi prats gmail com>, Stefan Fritsch]
+
+  *) mpm_prefork: Fix ap_mpm_query results for AP_MPMQ_MAX_DAEMONS and
+     AP_MPMQ_MAX_THREADS.
+
+  *) mod_authz_core: Fix bug in merging logic if user-based and non-user-based
+     authorization directives were mixed. [Stefan Fritsch]
+
+  *) mod_authn_socache: change directive name from AuthnCacheProvider
+     to AuthnCacheProvideFor.  The term "provider" is overloaded in
+     this module, and we should avoid confusion between the provider
+     of a backend (AuthnCacheSOCache) and the authn provider(s) for
+     which this module provides cacheing (AuthnCacheProvideFor).
+     [Nick Kew]
+
+  *) mod_proxy_http: Allocate the fake backend request from a child pool
+     of the backend connection, instead of misusing the pool of the frontend
+     request. Fixes a thread safety issue where buckets set aside in the
+     backend connection leak into other threads, and then disappear when
+     the frontend request is cleaned up, in turn causing corrupted buckets
+     to make other threads spin. [Graham Leggett]
+
+  *) mod_ssl: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
+     to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
+     escape other special characters with backslashes. The old format can
+     still be used with the LegacyDNStringFormat argument to SSLOptions.
+
+  *) core, mod_rewrite: Make the REQUEST_SCHEME variable available to
+     scripts and mod_rewrite. [Stefan Fritsch]
+
+  *) mod_rewrite: Allow to use arbitrary boolean expressions (ap_expr) in
+     RewriteCond. [Stefan Fritsch]
+
+  *) mod_rewrite: Allow to unset environment variables using E=!VAR.
+     PR 49512. [Mark Drayton <mark markdrayton info>, Stefan Fritsch]
+
+  *) mod_headers: Restore the 2.3.8 and earlier default for the first
+     argument of the Header directive ("onsuccess").  [Eric Covener]
+
+  *) core: Disallow the mixing of relative and absolute Options PR 33708.
+     [Sönke Tesch <st kino-fahrplan.de>]
+
+  *) core: When exporting request headers to HTTP_* environment variables,
+     drop variables whose names contain invalid characters. Describe in the
+     docs how to restore the old behaviour. [Malte S. Stretz <mss apache org>]
+
+  *) core: When selecting an IP-based virtual host, favor an exact match for
+     the port over a wildcard (or omitted) port instead of favoring the one
+     that came first in the configuration file. [Eric Covener]
+
+  *) core: Overlapping virtual host address/port combinations  now implicitly
+     enable name-based virtual hosting for that address.  The NameVirtualHost
+     directive has no effect, and _default_ is interpreted the same as "*".
+     [Eric Covener]
+
+  *) core: In the absence of any Options directives, the default is now
+     "FollowSymlinks" instead of "All".  [Igor Galić]
+
+  *) rotatelogs: Add -e option to write logs through to stdout for optional
+     further processing. [Graham Leggett]
+
+  *) mod_ssl: Correctly read full lines in input filter when the line is
+     incomplete during first read. PR 50481. [Ruediger Pluem]
+
+  *) mod_authz_core: Add AuthzSendForbiddenOnFailure directive to allow
+     sending '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if authorization
+     fails for an authenticated user. PR 40721. [Stefan Fritsch]
+
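Review bot: Two entries in the 2.3.11 section above end without the bracketed contributor name that every other entry carries: the mpm_prefork entry about ap_mpm_query results for AP_MPMQ_MAX_DAEMONS and AP_MPMQ_MAX_THREADS, and the mod_ssl entry that changes the SSL_{CLIENT,SERVER}_{I,S}_DN variables to the RFC 2253 format. The mod_ssl entry describes a format change to variables that existing configuration and scripts may compare against, so it is worth being able to trace it to a committer; suggest adding the attribution to both before this file is published. Smaller points in the same section: "cacheing" in the mod_authn_socache entry should read "caching", and PR references are written three ways ("PR 50434", "PR: 47022", "PR47634" style), which makes the file harder to search by bug number.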
+Changes with Apache 2.3.10
+
+  *) mod_rewrite: Don't implicitly URL-escape the original query string
+     when no substitution has changed it. PR 50447. [Eric Covener]
+
+  *) core: Honor 'AcceptPathInfo OFF' during internal redirects,
+     such as per-directory mod_rewrite substitutions.  PR 50349.
+     [Eric Covener]
+
+  *) mod_rewrite: Add 'RewriteOptions InheritBefore' to put the base
+     rules/conditions before the overridden rules/conditions.  PR 39313.
+     [Jérôme Grandjanny <jerome.grandjanny cea.fr>]
+
+  *) mod_autoindex: add IndexIgnoreReset to reset the list of IndexIgnored
+     filenames in higher precedence configuration sections.  PR 24243.
+     [Eric Covener]
+
+  *) mod_cgid: RLimit* directive support for mod_cgid.  PR 42135
+     [Eric Covener]
+
+  *) core: Fail startup when the argument to ServerName looks like a glob
+     or a regular expression instead of a hostname (*?[]).  PR 39863
+     [Rahul Nair <rahul.g.nair gmail.com>]
+
+  *) mod_userdir: Add merging of enable, disable, and filename arguments
+     to UserDir directive, leaving enable/disable of userlists unmerged.
+     PR 44076 [Eric Covener]
+
+  *) httpd: When no -k option is provided on the httpd command line, the server
+     was starting without checking for an existing pidfile.  PR 50350
+     [Eric Covener]
+
+  *) mod_proxy: Put the worker in error state if the SSL handshake with the
+     backend fails. PR 50332.
+     [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
+
+  *) mod_cache_disk: Fix Windows build which was broken after renaming
+     the module. [Gregg L. Smith]
+
+Changes with Apache 2.3.9
+
+  *) SECURITY: CVE-2010-1623 (cve.mitre.org)
+     Fix a denial of service attack against mod_reqtimeout.
+     [Stefan Fritsch]
+
+  *) mod_headers: Change default first argument of Header directive
+     from "onsuccess" to "always". [Eric Covener]
+
+  *) mod_include: Add the onerror attribute to the include element,
+     allowing an URL to be specified to include on error. [Graham
+     Leggett]
+
+  *) mod_cache_disk: mod_disk_cache renamed to mod_cache_disk, to be
+     consistent with the naming of other modules. [Graham Leggett]
+
+  *) mod_setenvif: Add SetEnvIfExpr directive to set env var depending on
+     expression. [Stefan Fritsch]
+
+  *) mod_proxy: Fix ProxyPassInterpolateEnv directive. PR 50292.
+     [Stefan Fritsch]
+
+  *) suEXEC: Add Suexec directive to disable suEXEC without renaming the
+     binary (Suexec Off), or force startup failure if suEXEC is required
+     but not supported (Suexec On).  Change SuexecUserGroup to fail
+     startup instead of just printing a warning if suEXEC is disabled.
+     [Jeff Trawick]
+
+  *) core: Add Error directive for aborting startup or htaccess processing
+     with a specified error message.  [Jeff Trawick]
+
+  *) mod_rewrite: Fix the RewriteEngine directive to work within a
+     location. Previously, once RewriteEngine was switched on globally,
+     it was impossible to switch off. [Graham Leggett]
+
+  *) core, mod_include, mod_ssl: Move the expression parser derived from
+     mod_include back into mod_include. Replace ap_expr with a parser
+     derived from mod_ssl's parser. Make mod_ssl use the new parser. Rework
+     ap_expr's public interface and provide hooks for modules to add variables
+     and functions. [Stefan Fritsch]
+
+  *) core: Do the hook sorting earlier so that the hooks are properly sorted
+     for the pre_config hook and during parsing the config. [Stefan Fritsch]
+
+  *) core: In the absence of any AllowOverride directives, the default is now
+     "None" instead of "All".  PR49823 [Eric Covener]
+
+  *) mod_proxy: Don't allow ProxyPass or ProxyPassReverse in
+     <Directory> or <Files>. PR47765 [Eric Covener]
+
+  *) prefork/worker/event MPMS: default value (when no directive is present)
+     of MaxConnectionsPerChild/MaxRequestsPerChild is changed to 0 from 10000
+     to match default configuration and manual. PR47782 [Eric Covener]
+
+  *) proxy_connect: Don't give up in the middle of a CONNECT tunnel
+     when the child process is starting to exit.  PR50220. [Eric Covener]
+
+  *) mod_autoindex: Fix inheritance of mod_autoindex directives into
+     contexts that don't have any mod_autoindex directives. PR47766.
+     [Eric Covener]
+
+  *) mod_rewrite: Add END flag for RewriteRule to prevent further rounds
+     of rewrite processing when a per-directory substitution occurs.
+     [Eric Covener]
+
+  *) mod_ssl: Make sure to always log an error if loading of CA certificates
+     fails. PR 40312. [Paul Tiemann <issues apache org ourdetour com>]
+
+  *) mod_dav: Send 501 error if unknown Content-* header is received for a PUT
+     request (RFC 2616 9.6). PR 42978. [Stefan Fritsch]
+
+  *) mod_dav: Send 400 error if malformed Content-Range header is received for
+     a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]
+
+  *) mod_proxy: Release the backend connection as soon as EOS is detected,
+     so the backend isn't forced to wait for the client to eventually
+     acknowledge the data. [Graham Leggett]
+
+  *) mod_proxy: Optimise ProxyPass within a Location so that it is stored
+     per-directory, and chosen during the location walk. Make ProxyPass
+     work correctly from within a LocationMatch. [Graham Leggett]
+
+  *) core: Fix segfault if per-module LogLevel is on virtual host
+     scope. PR 50117. [Stefan Fritsch]
+
+  *) mod_proxy: Move the ProxyErrorOverride directive to have per
+     directory scope. [Graham Leggett]
+
+  *) mod_allowmethods: New module to deny certain HTTP methods without
+     interfering with authentication/authorization. [Paul Querna,
+     Igor Galić, Stefan Fritsch]
+
+  *) mod_ssl: Log certificate information and improve error message if client
+     cert verification fails. PR 50093, PR 50094. [Lassi Tuura <lat cern ch>,
+     Stefan Fritsch]
+
+  *) htcacheclean: Teach htcacheclean to limit cache size by number of
+     inodes in addition to size of files. Prevents a cache disk from
+     running out of space when many small files are cached.
+     [Graham Leggett]
+
+  *) core: Rename MaxRequestsPerChild to MaxConnectionsPerChild, which
+     describes more accurately what the directive does. The old name
+     still works but logs a warning. [Stefan Fritsch]
+
+  *) mod_cache: Optionally serve stale data when a revalidation returns a
+     5xx response, controlled by the CacheStaleOnError directive.
+     [Graham Leggett]
+
+  *) htcacheclean: Allow the listing of valid URLs within the cache, with
+     the option to list entry metadata such as sizes and times. [Graham
+     Leggett]
+
+  *) mod_cache: correctly parse quoted strings in cache headers.
+     PR 50199 [Nick Kew]
+
+  *) mod_cache: Allow control over the base URL of reverse proxied requests
+     using the CacheKeyBaseURL directive, so that the cache key can be
+     calculated from the endpoint URL instead of the server URL. [Graham
+     Leggett]
+
+  *) mod_cache: CacheLastModifiedFactor, CacheStoreNoStore, CacheStorePrivate,
+     CacheStoreExpired, CacheIgnoreNoLastMod, CacheDefaultExpire,
+     CacheMinExpire and CacheMaxExpire can be set per directory/location.
+     [Graham Leggett]
+
+  *) mod_disk_cache: CacheMaxFileSize, CacheMinFileSize, CacheReadSize and
+     CacheReadTime can be set per directory/location. [Graham Leggett]
+
+  *) core: Speed up config parsing if using a very large number of config
+     files. PR 50002 [andrew cloudaccess net]
+
+  *) mod_cache: Support the caching of HEAD requests. [Graham Leggett]
+
+  *) htcacheclean: Allow the option to round up file sizes to a given
+     block size, improving the accuracy of disk usage. [Graham Leggett]
+
+  *) mod_ssl: Add authz providers for use with mod_authz_core and its
+     RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL),
+     'ssl-verify-client' (for use with 'SSLVerifyClient optional'), and
+     'ssl-require' (expressions with same syntax as SSLRequire).
+     [Stefan Fritsch]
+
+  *) mod_ssl: Make the ssl expression parser thread-safe. It now requires
+     bison instead of yacc. [Stefan Fritsch]
+
+  *) mod_disk_cache: Change on-disk header file format to support the
+     link of the device/inode of the data file to the matching header
+     file, and to support the option of not writing a data file when
+     the data file is empty. [Graham Leggett]
+
+  *) core/mod_unique_id: Add generate_log_id hook to allow to use
+     the ID generated by mod_unique_id as error log ID for requests.
+     [Stefan Fritsch]
+
+  *) mod_cache: Make sure that we never allow a 304 Not Modified response
+     that we asked for to leak to the client should the 304 response be
+     uncacheable. PR45341 [Graham Leggett]
+
+  *) mod_cache: Add the cache_status hook to register the final cache
+     decision hit/miss/revalidate. Add optional support for an X-Cache
+     and/or an X-Cache-Detail header to add the cache status to the
+     response. PR48241 [Graham Leggett]
+
+  *) mod_authz_host: Add 'local' provider that matches connections originating
+     on the local host. PR 19938. [Stefan Fritsch]
+
+  *) Event MPM: Fix crash accessing pollset on worker thread when child
+     process is exiting.  [Jeff Trawick]
+
+  *) core: For process invocation (cgi, fcgid, piped loggers and so forth)
+     pass the system library path (LD_LIBRARY_PATH or platform-specific
+     variables) along with the system PATH, by default.  Both should be
+     overridden together as desired using PassEnv etc; see mod_env.
+     [William Rowe]
+
+  *) mod_cache: Introduce CacheStoreExpired, to allow administrators to
+     capture a stale backend response, perform If-Modified-Since requests
+     against the backend, and serving from the cache all 304 responses.
+     This restores pre-2.2.4 cache behavior.  [William Rowe]
+
+  *) mod_rewrite: Introduce <=, >= string comparison operators, and integer
+     comparators -lt, -le, -eq, -ge, and -gt.  To help bash users and drop
+     the ambiguity of the symlink test "-ltest", introduce -h or -L as
+     symlink test operators.  [William Rowe]
+
+  *) mod_cache: Give the cache provider the opportunity to choose to cache
+     or not cache based on the buckets present in the brigade, such as the
+     presence of a FILE bucket.
+     [Graham Leggett]
+
+  *) mod_authz_core: Allow authz providers to check args while reading the
+     config and allow to cache parsed args. Move 'all' and 'env' authz
+     providers from mod_authz_host to mod_authz_core. Add 'method' authz
+     provider depending on the HTTP method.  [Stefan Fritsch]
+
+  *) mod_include: Move the request_rec within mod_include to be
+     exposed within include_ctx_t. [Graham Leggett]
+
+  *) mod_include: Reinstate support for UTF-8 character sets by allowing a
+     variable being echoed or set to be decoded and then encoded as separate
+     steps. PR47686 [Graham Leggett]
+
+  *) mod_cache: Add a discrete commit_entity() provider function within the
+     mod_cache provider interface which is called to indicate to the
+     provider that caching is complete, giving the provider the opportunity
+     to commit temporary files permanently to the cache in an atomic
+     fashion. Replace the inconsistent use of error cleanups with a formal
+     set of pool cleanups attached to a subpool, which is destroyed on error.
+     [Graham Leggett]
+
+  *) mod_cache: Change the signature of the store_body() provider function
+     within the mod_cache provider interface to support an "in" brigade
+     and an "out" brigade instead of just a single input brigade. This
+     gives a cache provider the option to consume only part of the brigade
+     passed to it, rather than the whole brigade as was required before.
+     This fixes an out of memory and a request timeout condition that would
+     occur when the original document was a large file. Introduce
+     CacheReadSize and CacheReadTime directives to mod_disk_cache to control
+     the amount of data to attempt to cache at a time. [Graham Leggett]
+
+  *) core: Add ErrorLogFormat to allow configuring error log format, including
+     additional information that is logged once per connection or request. Add
+     error log IDs for connections and request to allow correlating error log
+     lines and the corresponding access log entry. [Stefan Fritsch]
+
+  *) core: Disable sendfile by default. [Stefan Fritsch]
+
+  *) mod_cache: Check the request to determine whether we are allowed
+     to return cached content at all, and respect a "Cache-Control:
+     no-cache" header from a client. Previously, "no-cache" would
+     behave like "max-age=0". [Graham Leggett]
+
+  *) mod_cache: Use a proper filter context to hold filter data instead
+     of misusing the per-request configuration. Fixes a segfault on trunk
+     when the normal handler is used. [Graham Leggett]
+
+  *) mod_cgid: Log a warning if the ScriptSock path is truncated because
+     it is too long. PR 49388.  [Stefan Fritsch]
+
+  *) vhosts: Do not allow _default_ in NameVirtualHost, or mixing *
+     and non-* ports on NameVirtualHost, or multiple NameVirtualHost
+     directives for the same address:port, or NameVirtualHost
+     directives with no matching VirtualHosts, or multiple ip-based
+     VirtualHost sections for the same address:port.  These were
+     previously accepted with a warning, but the behavior was
+     undefined.  [Dan Poirier]
+
+  *) mod_remoteip: Fix a segfault when using mod_remoteip in conjunction with
+     Allow/Deny. PR 49838.  [Andrew Skalski <voltara gmail.com>]
+
+  *) core: DirectoryMatch can now match on the end of line character ($),
+     and sub-directories of matched directories are no longer implicitly
+     matched.  PR49809 [Eric Covener]
+
+  *) Regexps: introduce new higher-level regexp utility including parsing
+     and executing perl-style regexp ops (e.g s/foo/bar/i) and regexp memory
+     [Nick Kew]
+
+  *) Proxy: support setting source address.  PR 29404
+     [Multiple contributors iterating through bugzilla,
+      Aron Ujvari <xanco nikhok.hu>, Aleksey Midenkov <asm uezku.kemsu.ru>,
+      <dan listening-station.net; trunk version Nick Kew]
+
+  *) HTTP protocol: return 400 not 503 if we have to abort due to malformed
+     chunked encoding. [Nick Kew]
+
+Changes with Apache 2.3.8
+
+  *) suexec: Support large log files. PR 45856. [Stefan Fritsch]
+
+  *) core: Abort with sensible error message if no or more than one MPM is
+     loaded. [Stefan Fritsch]
+
+  *) mod_proxy: Rename erroronstatus to failonstatus.
+     [Daniel Ruggeri <DRuggeri primary.net>]
+
+  *) mod_dav_fs: Fix broken "creationdate" property.
+     Regression in version 2.3.7. [Rainer Jung]
+
+Changes with Apache 2.3.7
+
+  *) SECURITY: CVE-2010-1452 (cve.mitre.org)
+     mod_dav, mod_cache, mod_session: Fix Handling of requests without a path
+     segment. PR: 49246 [Mark Drayton, Jeff Trawick]
+
+  *) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076.
+     [Stefan Fritsch]
+
+  *) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639.
+     [Stefan Fritsch]
+
+  *) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers
+     via leveraging 100-Continue as the initial "request".
+     [Jim Jagielski]
+
+  *) core/mod_authz_core: Introduce new access_checker_ex hook that enables
+     mod_authz_core to bypass authentication if access should be allowed by
+     IP address/env var/... [Stefan Fritsch]
+
+  *) core: Introduce note_auth_failure hook to allow modules to add support
+     for additional auth types. This makes ap_note_auth_failure() work with
+     mod_auth_digest again. PR 48807. [Stefan Fritsch]
+
+  *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]
+
+  *) mod_authn_socache: new module [Nick Kew]
+
+  *) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]
+
+  *) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]
+
+  *) mod_rewrite: Allow to set environment variables without explicitly
+     giving a value. [Rainer Jung]
+
+  *) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung]
+
+  *) mod_include: recognise "text/html; parameters" as text/html
+     PR 49616 [Andrey Chernov <ache nagual.pp.ru>]
+
+  *) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH
+     PR 43906 [Nick Kew]
+
+  *) Core: Extra robustness: don't try authz and segfault if authn
+     fails to set r->user.  Log bug and return 500 instead.
+     PR 42995 [Nick Kew]
+
+  *) HTTP protocol filter: fix handling of longer chunk extensions
+     PR 49474 [<tee.bee gmx.de>]
+
+  *) Update SSL cipher suite and add example for SSLHonorCipherOrder.
+     [Lars Eilebrecht, Rainer Jung]
+
+  *) move AddOutputFilterByType from core to mod_filter.  This should
+     fix nasty side-effects that happen when content_type is set
+     more than once in processing a request, and make it fully
+     compatible with dynamic and proxied contents. [Nick Kew]
+
+  *) mod_log_config: Implement logging for sub second timestamps and
+     request end time.  [Rainer Jung]
+
+Changes with Apache 2.3.6
+
+  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
+     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
+     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
+     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
+     and offer unsafe legacy renegotiation with clients which do not yet
+     support the new secure renegotiation protocol, RFC 5746.
+     [Joe Orton, and with thanks to the OpenSSL Team]
+
+  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
+     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
+     by rejecting any client-initiated renegotiations. Forcibly disable
+     keepalive for the connection if there is any buffered data readable. Any
+     configuration which requires renegotiation for per-directory/location
+     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
+     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
+
+  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
+     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
+     when request headers indicate a request body is incoming; not a case of
+     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola <niku.toivola sulake.com>]
+
+  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
+     mod_isapi: Do not unload an isapi .dll module until the request
+     processing is completed, avoiding orphaned callback pointers.
+     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
+
+  *) core: Filter init functions are now run strictly once per request
+     before handler invocation.  The init functions are no longer run
+     for connection filters.  PR 49328.  [Joe Orton]
+
+  *) core: Adjust the output filter chain correctly in an internal
+     redirect from a subrequest, preserving filters from the main
+     request as necessary.  PR 17629.  [Joe Orton]
+
+  *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
+     Response if they so choose to do so. Previously an attempt to cache a 206
+     was arbitrarily allowed if the response contained an Expires or
+     Cache-Control header, and arbitrarily denied if both headers were missing.
+     [Graham Leggett]
+
+  *) core: Add microsecond timestamp fractions, process id and thread id
+     to the error log. [Rainer Jung]
+
+  *) configure: The "most" module set gets build by default.  [Rainer Jung]
+
+  *) configure: Building dynamic modules (DSO) by default.  [Rainer Jung]
+
+  *) configure: Fix broken VPATH build when using included APR.
+     [Rainer Jung]
+
+  *) mod_session_crypto: Fix configure problem when building
+     with APR 2 and for VPATH builds with included APR.
+     [Rainer Jung]
+
+  *) mod_session_crypto: API compatibility with APR 2 crypto and
+     APR Util 1.x crypto. [Rainer Jung]
+
+  *) ab: Fix memory leak with -v2 and SSL. PR 49383.
+     [Pavel Kankovsky <peak argo troja mff cuni cz>]
+
+  *) core: Add per-module and per-directory loglevel configuration.
+           Add some more trace logging.
+     mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels.
+     mod_ssl: Replace LogLevelDebugDump with trace log levels.
+     mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info
+           and debug.
+     mod_dumpio:  Replace DumpIOLogLevel with trace log levels.
+     [Stefan Fritsch]
+
+  *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
+     title page only) when any mod_ldap directives were used in VirtualHost
+     context.  [Eric Covener]
+
+  *) mod_disk_cache: Decline the opportunity to cache if the response is
+     a 206 Partial Content. This stops a reverse proxied partial response
+     from becoming cached, and then being served in subsequent responses.
+     [Graham Leggett]
+
+  *) mod_deflate: avoid the risk of forwarding data before headers are set.
+     PR 49369 [Matthew Steele <mdsteele google.com>]
+
+  *) mod_authnz_ldap: Ensure nested groups are checked when the
+     top-level group doesn't have any direct non-group members
+     of attributes in AuthLDAPGroupAttribute. [Eric Covener]
+
+  *) mod_authnz_ldap: Search or Comparison during authorization phase
+     can use the credentials from the authentication phase
+     (AuthLDAPSearchAsUSer,AuthLDAPCompareAsUser).
+     PR 48340 [Domenico Rotiroti, Eric Covener]
+
+  *) mod_authnz_ldap: Allow the initial DN search during authentication
+     to use the HTTP username/pass instead of an anonymous or hard-coded
+     LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).
+     [Eric Covener]
+
+  *) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix
+     when this module is used for authorization. See AuthLDAPAuthorizePrefix.
+     PR 45584 [Eric Covener]
+
+  *) apxs -q: Stop filtering out ':' characters from the reported values.
+     PR 45343.  [Bill Cole]
+
+  *) prefork MPM: Work around possible crashes on child exit in APR reslist
+     cleanup code.  PR 43857.  [Tom Donovan]
+
+  *) ab: fix number of requests sent by ab when keepalive is enabled.  PR 48497.
+     [Bryn Dole <dole blekko.com>]
+
+  *) Log an error for failures to read a chunk-size, and return 408 instead of
+     413 when this is due to a read timeout.  This change also fixes some cases
+     of two error documents being sent in the response for the same scenario.
+     [Eric Covener] PR49167
+
+  *) mod_proxy_balancer: Add new directive BalancerNonce to allow admin
+     to control/set the nonce used in the balancer-manager application.
+     [Jim Jagielski]
+
+  *) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673.
+     [Stefan Fritsch]
+
+  *) Proxy balancer: support setting error status according to HTTP response
+     code from a backend.  PR 48939.  [Daniel Ruggeri <DRuggeri primary.net>]
+
+  *) htcacheclean: Introduce the ability to clean specific URLs from the
+     cache, if provided as an optional parameter on the command line.
+     [Graham Leggett]
+
+  *) core: Introduce the IncludeStrict directive, which explicitly fails
+     server startup if no files or directories match a wildcard path.
+     [Graham Leggett]
+
+  *) htcacheclean: Report additional statistics about entries deleted.
+     PR 48944. [Mark Drayton mark markdrayton.info]
+
+  *) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
+     builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
+     build of openssl is required for 'SSLFIPS on'.  PR 46270.
+     [Dr Stephen Henson <steve openssl.org>, William Rowe]
+
+  *) mod_proxy_http: Log the port of the remote server in various messages.
+     PR 48812. [Igor Galić <i galic brainsware org>]
+
+  *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
+     connections and other protocol handlers (like mod_ftp). [Stefan Fritsch]
+
+  *) mod_proxy_ajp: Really regard the operation a success, when the client
+     aborted the connection. In addition adjust the log message if the client
+     aborted the connection. [Ruediger Pluem]
+
+  *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
+     allows insecure renegotiation with clients which do not yet
+     support the secure renegotiation protocol.  [Joe Orton]
+
+  *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
+     is configured for client cert auth. PR 46952.  [Joe Orton]
+
+  *) core: Only log a 408 if it is no keepalive timeout. PR 39785
+     [Ruediger Pluem,  Mark Montague <markmont umich.edu>]
+
+  *) support/rotatelogs: Add -L option to create a link to the current
+     log file.  PR 48761 [<lyndon orthanc.ca>, Dan Poirier]
+
+  *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
+     setting only, matching most of the documentation and examples.
+     PR 46541 [Paul Reder, Eric Covener]
+
+  *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument
+     types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener]
+
+  *) mod_negotiation: Preserve query string over multiviews negotiation.
+     This buglet was fixed for type maps in 2.2.6, but the same issue
+     affected multiviews and was overlooked.
+     PR 33112 [Joergen Thomsen <apache jth.net>]
+
+  *) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert
+     when some are not password-protected. [Eric Covener]
+
+  *) Fix startup segfault when the Mutex directive is used but no loaded
+     modules use httpd mutexes.  PR 48787.  [Jeff Trawick]
+
+  *) Proxy: get the headers right in a HEAD request with
+     ProxyErrorOverride, by checking for an overridden error
+     before not after going into a catch-all code path.
+     PR 41646.  [Nick Kew, Stuart Children]
+
+  *) support/rotatelogs: Support the simplest log rotation case, log
+     truncation. Useful when the log is being processed in real time
+     using a command like tail. [Graham Leggett]
+
+  *) support/htcacheclean: Teach it how to write a pid file (modelled on
+     httpd's writing of a pid file) so that it becomes possible to run
+     more than one instance of htcacheclean on the same machine.
+     [Graham Leggett]
+
+  *) Log command line on startup, so there's a record of command line
+     arguments like -f.  PR 48752.  [Dan Poirier]
+
+  *) Introduce mod_reflector, a handler capable of reflecting POSTed
+     request bodies back within the response through the output filter
+     stack. Can be used to turn an output filter into a web service.
+     [Graham Leggett]
+
+  *) mod_proxy_http: Make sure that when an ErrorDocument is served
+     from a reverse proxied URL, that the subrequest respects the status
+     of the original request. This brings the behaviour of proxy_handler
+     in line with default_handler. PR 47106. [Graham Leggett]
+
+  *) Support wildcards in both the directory and file components of
+     the path specified by the Include directive. [Graham Leggett]
+
+  *) mod_proxy, mod_proxy_http: Support remote https proxies
+     by using HTTP CONNECT.  PR 19188.
+     [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
+
+  *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
+     [Philip M. Gollucci]
+
+  *) worker: Don't report server has reached MaxClients until it has.
+     Add message when server gets within MinSpareThreads of MaxClients.
+     PR 46996.  [Dan Poirier]
+
+  *) mod_session: Session expiry was being initialised, but not updated
+     on each session save, resulting in timed out sessions when there
+     should not have been. Fixed. [Graham Leggett]
+
+  *) mod_log_config: Add the R option to log the handler used within the
+     request. [Christian Folini <christian.folini netnea com>]
+
+  *) mod_include: Allow fine control over the removal of Last-Modified and
+     ETag headers within the INCLUDES filter, making it possible to cache
+     responses if desired. Fix the default value of the SSIAccessEnable
+     directive.  [Graham Leggett]
+
+  *) Add new UnDefine directive to undefine a variable. PR 35350.
+     [Stefan Fritsch]
+
+  *) Make ap_pregsub(), used by AliasMatch and friends, use the same syntax
+     for regex backreferences as mod_rewrite and mod_include: Remove the use
+     of '&' as an alias for '$0' and allow to escape any character with a
+     backslash. PR 48351. [Stefan Fritsch]
+
+  *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
+     password to UTF-8. PR 45318.
+     [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
+
+  *) ab: Fix calculation of requests per second in HTML output. PR 48594.
+     [Stefan Fritsch]
+
+  *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
+     password now result in an informational level log entry instead of
+     warning level.  [Eric Covener]
+
+Changes with Apache 2.3.5
+
+  *) SECURITY: CVE-2010-0434 (cve.mitre.org)
+     Ensure each subrequest has a shallow copy of headers_in so that the
+     parent request headers are not corrupted.  Eliminates a problematic
+     optimization in the case of no request body.  PR 48359
+     [Jake Scott, William Rowe, Ruediger Pluem]
+
+  *) Turn static function get_server_name_for_url() into public
+     ap_get_server_name_for_url() and use it where appropriate. This
+     fixes mod_rewrite generating invalid URLs for redirects to IPv6
+     literal addresses. [Stefan Fritsch]
+
+  *) mod_ldap: Introduce new config option LDAPTimeout to set the timeout
+     for LDAP operations like bind and search. [Stefan Fritsch]
+
+  *) mod_proxy, mod_proxy_ftp: Move ProxyFtpDirCharset from mod_proxy to
+     mod_proxy_ftp. [Takashi Sato]
+
+  *) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to
+     mod_proxy_connect. [Takashi Sato]
+
+  *) mod_cache: Do an exact match of the keys defined by
+     CacheIgnoreURLSessionIdentifiers against the querystring instead of
+     a partial match.  PR 48401.
+     [Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem]
+
+  *) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung]
+
+  *) Core HTTP: disable keepalive when the Client has sent
+     Expect: 100-continue
+     but we respond directly with a non-100 response.
+     Keepalive here led to data from clients continuing being treated as
+     a new request.
+     PR 47087 [Nick Kew]
+
+  *) Core: reject NULLs in request line or request headers.
+     PR 43039 [Nick Kew]
+
+  *) Core: (re)-introduce -T commandline option to suppress documentroot
+     check at startup.
+     PR 41887 [Jan van den Berg <janvdberg gmail.com>]
+
+  *) mod_autoindex: support XHTML as equivalent to HTML in IndexOptions,
+                    ScanHTMLTitles, ReadmeName, HeaderName
+     PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew]
+
+  *) Proxy: Fix ProxyPassReverse with relative URL
+     Derived (slightly erroneously) from PR 38864 [Nick Kew]
+
+  *) mod_headers: align Header Edit with Header Set when used on Content-Type
+     PR 48422 [Cyril Bonté <cyril.bonte free.fr>, Nick Kew>]
+
+  *) mod_headers: Enable multi-match-and-replace edit option
+     PR 46594 [Nick Kew]
+
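Review bot: In the 2.3.6 section, SSLInsecureRenegotiation is announced twice, and only one of the two entries ties it to the vulnerability. The first SECURITY: CVE-2009-3555 entry says the directive exists "to reopen this vulnerability"; the standalone "mod_ssl: Add the 'SSLInsecureRenegotiation' directive" entry further down carries no CVE reference. A reader searching the changelog for the directive name can land on the second entry and miss that context, so either fold the standalone entry into the SECURITY one or add "(see CVE-2009-3555)" to it. Smaller points in the same region: the attribution "<dan listening-station.net; trunk version Nick Kew]" is missing its closing ">", "Nick Kew>]" in the 2.3.5 mod_headers entry has a stray ">", and "AuthLDAPSearchAsUSer" is capitalised differently from "AuthLDAPCompareAsUser" beside it, which will defeat a case-sensitive search for the directive.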

[... 906 lines stripped ...]