You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2007/08/31 14:15:02 UTC
svn commit: r571441 - /httpd/httpd/trunk/CHANGES
Author: jim
Date: Fri Aug 31 05:15:02 2007
New Revision: 571441
URL: http://svn.apache.org/viewvc?rev=571441&view=rev
Log:
Finish cleanup of CHANGES files, to reduce the sync required
when backporting, etc...
Modified:
httpd/httpd/trunk/CHANGES
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=571441&r1=571440&r2=571441&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Aug 31 05:15:02 2007
@@ -1,5 +1,6 @@
-*- coding: utf-8 -*-
Changes with Apache 2.3.0
+[ When backported to 2.2.x, remove entry from this file ]
*) mod_proxy_connect: avoid segfault on DNS lookup failure.
PR 40756 [Trevin Beattie <tbeattie boingo.com>]
@@ -346,468 +347,6 @@
allowing string-valued client certificate attributes to be used for
access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1")
[Martin Kraemer, David Reid]
-
-Changes with Apache 2.2.5
-
- *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]
-
- *) mod_deflate: fix protocol handling in deflate input filter
- PR 23287 [Nick Kew]
-
- *) mod_proxy: fix buffer overflow issue
- PR 41144 [Davi Arnaut]
-
- *) mime.types: add Registered Javascript/ECMAScript MIME types (RFC4329)
- PR 40299 [Dave Hodder <dmh dmh.org.uk>]
-
- *) mod_filter: fix integer comparisons in dispatch rules
- PR 41835 [Nick Kew]
-
- *) mod_filter: fix merging of ! and = in FilterChain
- PR 42186 [Issac Goldstand <margol beamartyr.net>]
-
- *) mod_cache: Let Cache-Control max-age set the expiration of the cached
- representation if Expires is not set. [Justin Erenkrantz]
-
- *) mod_disk_cache: Allow Vary'd responses to be refreshed properly.
- [Justin Erenkrantz]
-
- *) mod_cache: Allow caching of requests with query arguments when
- Cache-Control max-age is explicitly specified. [Justin Erenkrantz]
-
- *) mod_proxy: Print the correct error message for erroneous configured
- ProxyPass directives. PR 40439. [serai lans-tv.com]
-
- *) mod_so: Provide more helpful LoadModule feedback when an error occurs.
- [William Rowe]
-
- *) mod_alias: Accept path components (URL part) in Redirects. PR 35314.
- [Nick Kew]
-
- *) mod_headers: Allow % at the end of a Header value. PR 36609.
- [Nick Kew, Ruediger Pluem]
-
- *) mod_cache: Use the same cache key throughout the whole request processing
- to handle escaped URLs correctly. PR 41475. [Ruediger Pluem]
-
- *) mod_cache: Add CacheIgnoreQueryString directive. PR 41484.
- [Fredrik Widlund <fredrik.widlund qbrick.com>]
-
- *) mod_cache: While serving a cached entity ensure that filters that have
- been applied to this cached entity before saving it to the cache are not
- applied again. PR 40090. [Ruediger Pluem]
-
- *) mod_cache: Correctly cache objects whose URL query string has been
- modified by mod_rewrite. PR 40805. [Ruediger Pluem]
-
- *) mod_proxy_http: Change handling of ProxyErrorOverride such that
- 3xx responses are no longer over-ridden (handling of 4xx and 5xx
- responses is unchanged). PR 39245.
- [Jeff Trawick, Bart van der Schans <schans hippo.nl>]
-
- *) htdbm: Enable crypt support on platforms with crypt() but not
- <crypt.h>, such as z/OS. [David Jones <oscaremma gmail.com>]
-
- *) mod_ssl: initialize thread locks before initializing the hardware
- acceleration library, so the latter can make use of the former.
- PR 20951. [adunn at ncipher.com]
-
- *) ab.c: Correct behavior of HTTP request headers sent by ab
- in presence of -H command-line overrides. PR 31268, 26554.
- [Arvind Srinivasan <arvind.srinivasan sun.com>]
-
- *) ab.c: The apr_port_t type is unsigned, but ab was using a
- signed format code in its reports. PR 42070.
- [Takashi Sato <serai lans-tv.com>]
-
- *) core: Correct a regression since 2.0.x in the handling of AllowOverride
- Options. PR 41829. [Torsten Förtsch <torsten.foertsch gmx.net>]
-
- *) mod_proxy_http: Handle request bodies larger than 2 GB by converting
- the Content-Length header of the request correctly. PR 40883.
- [Ruediger Pluem, toadie <toadie643 gmail.com>]
-
- *) mod_proxy: Fix some proxy setting inheritance problems (eg:
- ProxyTimeout). PR 11540. [Stuart Children <stuart terminus.co.uk>]
-
- *) Unix MPMs: Catch SIGFPE so that exception hooks and CoreDumpDirectory
- can work after that terminating signal.
- [Eric Covener <covener gmail.com>]
-
- *) Win32: Makefile.win will now build with MS VC 8 (Visual Studio 2005)
- including embedding the .manifest information into each binary.
- [William Rowe]
-
-Changes with Apache 2.2.4
-
- *) mod_isapi: Correctly present SERVER_PORT_SECURE.
- PR: 40573. [Matt Eaton <asf divinehawk.com>]
-
- *) Allow htcacheclean, httxt2dbm, and fcgistarter to link apr/apr-util
- statically like the older support programs.
- [Eric Covener <covener gmail.com>]
-
- *) core: Fix NONBLOCK status of listening sockets on restart/graceful
- PR 37680. [Darius Davis <darius-abz free-range.com.au>]
-
- *) mod_deflate: Rework inflate output and deflate output filter to fix several
- issues: Incorrect handling of flush buckets, potential memory leaks,
- excessive memory usage in inflate output filter for large compressed
- content. PR 39854. [Ruediger Pluem, Nick Kew, Justin Erenkrantz]
-
- *) mod_mem_cache: Memory leak fix: Unconditionally free the buffer.
- [Davi Arnaut <davi haxent.com.br>]
-
- *) Allow mod_dumpio to log at other than DEBUG levels via
- the new DumpIOLogLevel directive. [Jim Jagielski]
-
- *) rotatelogs: Improve error message for open failures. PR 39487.
- [Joe Orton]
-
- *) Better detection and clean up of ldap connection that has been
- terminated by the ldap server. PR 40878.
- [Rob Baily <rbaily servicebench com>]
-
- *) mod_mem_cache: Convert mod_mem_cache to use APR memory pool functions
- by creating a root pool for object persistence across requests. This
- also eliminates the need for custom serialization code.
- [Davi Arnaut <davi haxent.com.br>]
-
- *) mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If
- set, REMOTE_USER will be set to this attribute, rather than the
- username supplied by the user. Useful for example when you want users
- to log in using an email address, but need to supply a userid instead
- to the backend. [Graham Leggett]
-
- *) mod_cgi and mod_cgid: Don't use apr_status_t error return
- from input filters as HTTP return value from the handler.
- PR 31579. [Nick Kew]
-
- *) mod_cache: Eliminate a bogus error in the log when a filter returns
- AP_FILTER_ERROR. [Niklas Edmundsson <nikke acc.umu.se>]
-
- *) core: Fix issue which could cause piped loggers to be orphaned and never
- terminate after a graceful restart. PR 40651. [Joe Orton, Ruediger Pluem]
-
- *) core: Fix address-in-use startup failure caused by corruption of the list
- of listen sockets in some configurations with multiple generic Listen
- directives. [Jeff Trawick]
-
- *) mod_headers: Support regexp-based editing of HTTP headers. [Nick Kew]
-
- *) mod_proxy: Add explicit flushing feature. When Servlet container sends AJP
- body message with size 0, this means that Servlet container has asked for
- an explicit flush. Create flush bucket in that case. This feature has been
- added to the recent Tomcat versions without breaking the AJP protocol.
- [Mladen Turk]
-
- *) mod_proxy_balancer: Set the new environment variable BALANCER_ROUTE_CHANGED
- if a worker with a route different from the one supplied by the client
- had been chosen or if the client supplied no routing information for
- a balancer with sticky sessions. [Ruediger Pluem]
-
- *) mod_proxy_balancer: Add information about the route, the sticky session
- and the worker used during a request as environment variables. PR 39806.
- [Brian <brectanu gmail.com>]
-
- *) mod_proxy: Don't try to use dead backend connection. PR 37770.
- [Olivier BOEL <ob dorrboel.com>]
-
- *) mod_proxy_balancer: Extract stickysession routing information contained as
- parameter in the URL correctly. PR 40400.
- [Ruediger Pluem, Tomokazu Harada <harada sysrdc.ns-sol.co.jp>]
-
- *) mod_proxy_ajp: Added cping/cpong support for the AJP protocol.
- A new worker directive ping=timeout will cause CPING packet
- to be send expecting CPONG packet within defined timeout.
- In case the backend is too busy this will fail instead
- sending the full header. [Mladen Turk]
-
- *) mod_cache: From RFC3986 (section 6.2.3.) if a URI contains an
- authority component and an empty path, the empty path is to be equivalent
- to "/". It explicitly cites the following four URIs as equivalents:
- http://example.com
- http://example.com/
- http://example.com:/
- http://example.com:80/
- [Davi Arnaut <davi haxent.com.br>]
-
- *) mod_cache: Don't cache requests with a expires date in the past;
- otherwise mod_cache will always try to cache the URL. This bug
- might lead to numerous rename() errors on win32 if the URL was
- previously cached. [Davi Arnaut <davi haxent.com.br>]
-
- *) mod_disk_cache: Make sure that only positive integers are accepted
- for the CacheMaxFileSize and CacheMinFileSize parameters in the
- config file. PR39380. [Niklas Edmundsson <nikke acc.umu.se>]
-
- *) core: Deal with the widespread use of apr_status_t return values
- as HTTP status codes, as documented in PR#31759 (a bug shared by
- the default handler, mod_cgi, mod_cgid, mod_proxy, and probably
- others). PR31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]
-
- *) mod_ext_filter: Handle filter names which include capital letters.
- PR 40323. [Jeff Trawick]
-
- *) mod_isapi: Avoid double trailing slashes in HSE_REQ_MAP_URL_TO_PATH
- support. Also corrects the slashes for Windows.
- PR 15993. [William Rowe]
-
- *) mod_isapi: Handle "HTTP/1.1 200 OK" style status lines correctly, the
- token parser worked while the resulting length was misinterpreted.
- PR 29098. [Brock Bland <bbland serena.com>]
-
- *) mod_isapi: Return 0 (failure) for more of the various ap_pass_brigade
- attempts to stream the response at the client. Log these as well.
- PR 30022, 40470. [William Rowe, Matt Eaton <asf divinehawk.com>]
-
- *) mod_isapi: Ensure we walk through all the methods the developer may have
- employed to report their HTTP status result code.
- PR 16637 30033 28089. [Matt Lewandowsky <matt iamcode.net>, William Rowe]
-
- *) mod_echo: Fix precedence problem in if statement. PR 40658.
- [Larry Cipriani <lvc lucent.com>]
-
- *) mod_mime_magic: Fix precedence problem in if statement. PR 40656.
- [Larry Cipriani <lvc lucent.com>]
-
- *) The full server version information is now included in the error log at
- startup as well as server status reports, irrespective of the setting
- of the ServerTokens directive. ap_get_server_version() is now
- deprecated, and is replaced by ap_get_server_banner() and
- ap_get_server_description(). [Jeff Trawick]
-
- *) mod_proxy_balancer: Workers can now be defined as part of
- a balancer cluster "set" in which members of a lower-numbered set
- are preferred over higher numbered ones. [Jim Jagielski]
-
- *) mod_proxy_balancer: Workers can now be defined as "hot standby" which
- will only be used if all other workers are unusable (eg: in
- error or disabled). Also, the balancer-manager displays the election
- count and I/O counts of all workers. [Jim Jagielski]
-
- *) mod_proxy_ajp: Close connection to backend if reading of request body
- fails. PR 40310. [Ian Abel <ianabel mxtelecom.com>]
-
- *) mod_proxy_balancer: Retry worker chosen by route / redirect worker if
- it is in error state before sending "Service Temporarily Unavailable".
- PR 38962. [Christian Boitel <cboitel lfdj.com>]
-
-Changes with Apache 2.2.3
-
- *) SECURITY: CVE-2006-3747 (cve.mitre.org)
- mod_rewrite: Fix an off-by-one security problem in the ldap scheme
- handling. For some RewriteRules this could lead to a pointer being
- written out of bounds. Reported by Mark Dowd of McAfee.
- [Mark Cox]
-
- *) mod_authn_alias: Add a check to make sure that the base provider and the
- alias names are different and also that the alias has not been registered
- before. PR 40051. [Brad Nicholes]
-
- *) mod_authnz_ldap: Fix a problem with invalid auth error detection for LDAP
- client SDKs that don't support the LDAP_SECURITY_ERROR macro. PR 39529.
- [Ray Price <dohrayme yahoo.com>, Josh Fenlason <jfenlason ptc.com>]
-
- *) mod_cache: Do not overwrite the Content-Type in the cache, for
- successfully revalidated cached objects. PR 39647. [Ruediger Pluem]
-
- *) mod_speling: Add directive to deal with case corrections only
- and ignore other misspellings [Olivier Thereaux <ot w3.org>]
-
- *) mod_dbd: Fix dependence on virtualhost configuration in
- defining prepared statements (possible segfault at startup
- in user modules such as mod_authn_dbd). [Nick Kew]
-
- *) Add optional 'scheme://' prefix to ServerName directive,
- allowing correct determination of the canonical server URL
- for use behind a proxy or offload device handling SSL; fixing
- redirect generation in those cases. PR 33398. [Sander Temme]
-
- *) Added server_scheme field to server_rec for above. Minor MMN bump.
- [Sander Temme]
-
- *) mod_cache: Make caching of reverse SSL proxies possible again. PR 39593.
- [Ruediger Pluem, Joe Orton]
-
- *) Worker MPM: On graceless shutdown or restart, send signals to
- each worker thread to wake them up if they're polling on a
- Keep-Alive connection. PR 38737. [Chris Darroch]
-
- *) worker and event MPMs: fix excessive forking if fork() or child_init
- take a long time. PR 39275.
- [Greg Ames, Jeff Trawick, Chris Darroch <chrisd pearsoncmg.com> ]
-
- *) configure: Add "--with-included-apr" flag to force use of the
- bundled version of APR at build time. [Joe Orton]
-
- *) Respect GracefulShutdownTimeout in the worker and event MPMs.
- [Chris Darroch, Garrett Rooney]
-
- *) mod_mem_cache: Set content type correctly when delivering data from
- cache. PR 39266. [Ruediger Pluem]
-
- *) mod_autoindex: Fix filename escaping with FancyIndexing disabled.
- PR 38910. [Robby Griffin <rmg terc.edu>]
-
- *) mod_charset_lite: Bypass translation when the source and dest charsets
- are the same. [Jeff Trawick]
-
-Changes with Apache 2.2.2
-
- *) mod_deflate: Allow mod_deflate to handle internal redirects.
- [Brian J. France <list firehawksystems.com>]
-
- *) mod_proxy_balancer: Initialize members of a balancer correctly.
- PR 38227. [James A. Robinson <jim.robinson stanford.edu>]
-
- *) mod_proxy: Do not release connections from connection pool twice.
- PR 38793. [Ruediger Pluem, matthias <mk-asf gigacodes.de>]
-
- *) core: Prevent reading uninitialized memory while reading a line of
- protocol input. PR 39282. [Davi Arnaut <davi haxent.com.br>]
-
- *) mod_dbd: Update defaults, improve error reporting.
- [Chris Darroch <chrisd pearsoncmg com>, Nick Kew]
-
- *) mod_dbd: Create own pool and mutex to avoid problem use of
- process pool in request processing.
- [Chris Darroch <chrisd pearsoncmg com>]
-
- *) HTML-escape the Expect error message. Not classed as security as
- an attacker has no way to influence the Expect header a victim will
- send to a target site. Reported by Thiago Zaninotti
- <thiango nstalker.com>. [Mark Cox]
-
- *) htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
- [Jeff Trawick]
-
- *) htdbm: Warn the user when adding a plaintext password on a platform
- where it wouldn't work with the server (i.e., anywhere that has
- crypt()). [Jeff Trawick]
-
- *) mod_proxy: don't reuse a connection that may be to the wrong backend
- PR 39253 [Ruediger Pluem]
-
- *) Default handler: Don't return output filter apr_status_t values.
- PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]
-
-Changes with Apache 2.2.1
-
- *) SECURITY: CVE-2005-3357 (cve.mitre.org)
- mod_ssl: Fix a possible crash during access control checks if a
- non-SSL request is processed for an SSL vhost (such as the
- "HTTP request received on SSL port" error message when an 400
- ErrorDocument is configured, or if using "SSLEngine optional").
- PR 37791. [Rüdiger Plüm, Joe Orton]
-
- *) SECURITY: CVE-2005-3352 (cve.mitre.org)
- mod_imagemap: Escape untrusted referer header before outputting
- in HTML to avoid potential cross-site scripting. Change also
- made to ap_escape_html so we escape quotes. Reported by JPCERT.
- [Mark Cox]
-
- *) mod_proxy_ajp: Flushing of the output after each AJP chunk is now
- configurable at runtime via the 'flushpackets' and 'flushwait' worker
- params. Minor MMN bump. [Jim Jagielski]
-
- *) mod_proxy: Fix incorrect usage of local and shared worker init.
- PR 38403. [Jim Jagielski]
-
- *) mod_isapi: Fix compiler errors on Unix platforms.
- [William Rowe]
-
- *) mod_proxy_http: Send HTTP Keep-Alive Headers. PR 38524.
- [Rüdiger Plüm, Joe Orton]
-
- *) mod_disk_cache: Return the correct error codes from bucket read
- failures, instead of APR_EGENERAL.
- [Brian Akins <brian.akins turner.com>]
-
- *) Add APR/APR-Util Compiled and Runtime Version numbers to the
- output of 'httpd -V'. [William Rowe]
-
- *) http: If a connection is aborted while waiting for a chunked line,
- flag the connection as errored out. [Justin Erenkrantz]
-
- *) core: Reject invalid Expect header immediately. PR 38123.
- [Ruediger Pluem]
-
- *) mod_proxy: Fix KeepAlives not being allowed and set to
- backend servers. PR 38602. [Ruediger Pluem, Jim Jagielski]
-
- *) mod_proxy: If we get an error reading the upstream response,
- close the connection. [Justin Erenkrantz, Roy T. Fielding,
- Jim Jagielski, Ruediger Pluem]
-
- *) mod_proxy_ajp: Support common headers of the AJP protocol in responses.
- PR 38340. [Aleksey Pesternikov <apesternikov yahoo.com>]
-
- *) mod_proxy_balancer: Do not overwrite the status of initialized workers and
- respect the configured status of uninitilized workers when creating a new
- child process. [Ruediger Pluem]
-
- *) mod_proxy_ajp: Crosscheck the length of the body chunk with the length of
- the ajp message to prevent mod_proxy_ajp from reading beyond the buffer
- boundaries and thus revealing possibly sensitive memory contents to the
- client. [Ruediger Pluem]
-
- *) Ensure that the proper status line is written to the client, fixing
- incorrect status lines caused by filters which modify r->status without
- resetting r->status_line, such as the built-in byterange filter.
- [Jeff Trawick]
-
- *) mod_speling: Stop crashing with certain non-file requests. [Jeff Trawick]
-
- *) mod_cache: Make caching of reverse proxies possible again. PR 38017.
- [Ruediger Pluem]
-
- *) Modify apr[util] .h detection to avoid breakage on VPATH builds
- using Solaris make (amoung others) and avoid breakage in ./buildconf
- when srclib/apr[-util] are symlinks rather than directories proper.
- [William Rowe]
-
- *) Chunk filter: Fix chunk filter to create correct chunks in the case that
- a flush bucket is surrounded by data buckets. [Ruediger Pluem]
-
- *) Fix syntax error in httpd.h with strict compilers. PR 38740.
- [Per Olausson <pao darkheim.freeserve.co.uk>]
-
- *) Preserve the Content-Length header for a proxied HEAD response.
- PR 18757. [Greg Ames]
-
- *) Fix recursive ErrorDocument handling. PR 36090.
- [Chris Darroch <chrisd pearsoncmg.com>]
-
- *) Don't hang on error return from post_read_request. PR37790 [Nick Kew]
-
- *) Fix off-by-one error in proxy_balancer. PR37753
- [Kazuhiro Osawa <ko yappo ne jp>]
-
-Changes with Apache 2.2.0
-
- *) mod_negotiation: Minor performance tweak by reusing already calculated
- strlen.
- [Ruediger Pluem, Christophe Jaillet <christophe.jaillet wanadoo.fr>]
-
- *) Remove support for 'On' and 'Off' for AuthBasicProvider and
- AuthDigestProvider. [Joshua Slive, Justin Erenkrantz]
-
- *) Add in new UseCanonicalPhysicalPort directive, which controls
- whether or not Apache will ever use the actual physical port
- when constructing the canonical port number. [Jim Jagielski]
-
- *) mod_dav: Fix a null pointer dereference in an error code path during the
- handling of MKCOL.
- [Ruediger Pluem, Ghassan Misherghi <ghassanm ucdavis.edu>]
-
- *) Fix DESTDIR=... installation when using bundled copy of APR.
- [Torsten Foertsch <torsten.foertsch gmx.net>]
-
- *) mod_proxy_balancer: When finding best worker, use case insensitive
- match for scheme and host, but case sensitive for the rest of
- the path. [Jim Jagielski, Ruediger Pluem]
-
[Apache 2.1.0-dev includes those bug fixes and changes with the
Apache 2.2.xx tree as documented, and except as noted, below.]