You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2013/02/18 21:31:50 UTC
svn commit: r1431 [3/3] - /dev/httpd/
Added: dev/httpd/CHANGES_2.4.4
==============================================================================
--- dev/httpd/CHANGES_2.4.4 (added)
+++ dev/httpd/CHANGES_2.4.4 Mon Feb 18 20:31:43 2013
@@ -0,0 +1,221 @@
+ -*- coding: utf-8 -*-
+
+Changes with Apache 2.4.4
+
+ *) SECURITY: CVE-2012-3499 (cve.mitre.org)
+ Various XSS flaws due to unescaped hostnames and URIs HTML output in
+ mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
+ [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
+
+ *) SECURITY: CVE-2012-4558 (cve.mitre.org)
+ XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
+ Niels Heinen <heinenn google com>]
+
+ *) mod_dir: Add support for the value 'disabled' in FallbackResource.
+ [Vincent Deffontaines]
+
+ *) mod_proxy_connect: Don't keepalive the connection to the client if the
+ backend closes the connection. PR 54474. [Pavel Mateja <pavel netsafe cz>]
+
+ *) mod_lua: Add bindings for mod_dbd/apr_dbd database access.
+ [Daniel Gruno]
+
+ *) mod_proxy: Allow for persistence of local changes made via the
+ balancer-manager between graceful/normal restarts and power
+ cycles. [Jim Jagielski]
+
+ *) mod_status: Print out list of times since a Vhost was last used.
+ [Jim Jagielski]
+
+ *) mod_proxy: Fix startup crash with mis-defined balancers.
+ PR 52402. [Jim Jagielski]
+
+ *) --with-module: Fix failure to integrate them into some existing
+ module directories. PR 40097. [Jeff Trawick]
+
+ *) htcacheclean: Fix potential segfault if "-p" is omitted. [Joe Orton]
+
+ *) mod_proxy_http: Honour special value 0 (unlimited) of LimitRequestBody
+ PR 54435. [Pavel Mateja <pavel netsafe.cz>]
+
+ *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
+ [Rainer Jung]
+
+ *) htcacheclean: Fix list options "-a" and "-A".
+ [Rainer Jung]
+
+ *) mod_slotmem_shm: Fix mistaken reset of num_free for restored shm.
+ [Jim Jagielski]
+
+ *) mod_proxy: non-existance of byrequests is not an immediate error.
+ [Jim Jagielski]
+
+ *) mod_proxy_balancer: Improve output of balancer-manager (re: Drn,
+ Dis, Ign, Stby). PR 52478 [Danijel <dt-ng rbfh de>]
+
+ *) configure: Fix processing of --disable-FEATURE for various features.
+ [Jeff Trawick]
+
+ *) mod_dialup/mod_http: Prevent a crash in mod_dialup in case of internal
+ redirect. PR 52230.
+
+ *) various modules, rotatelogs: Replace use of apr_file_write() with
+ apr_file_write_full() to prevent incomplete writes. PR 53131.
+ [Nicolas Viennot <apache viennot biz>, Stefan Fritsch]
+
+ *) ab: Support socket timeout (-s timeout).
+ [Guido Serra <zeph fsfe org>]
+
+ *) httxt2dbm: Correct length computation for the 'value' stored in the
+ DBM file. PR 47650 [jon buckybox com]
+
+ *) core: Be more correct about rejecting directives that cannot work in <If>
+ sections. [Stefan Fritsch]
+
+ *) core: Fix directives like LogLevel that need to know if they are invoked
+ at virtual host context or in Directory/Files/Location/If sections to
+ work properly in If sections that are not in a Directory/Files/Location.
+ [Stefan Fritsch]
+
+ *) mod_xml2enc: Fix problems with charset conversion altering the
+ Content-Length. [Micha Lenk <micha lenk info>]
+
+ *) ap_expr: Add req_novary function that allows HTTP header lookups
+ without adding the name to the Vary header. [Stefan Fritsch]
+
+ *) mod_slotmem_*: Add in new fgrab() function which forces a grab and
+ slot allocation on a specified slot. Allow for clearing of inuse
+ array. [Jim Jagielski]
+
+ *) mod_proxy_ftp: Fix segfaults on IPv4 requests to hosts with DNS
+ AAAA records. PR 40841. [Andrew Rucker Jones <arjones simultan
+ dyndns org>, <ast domdv de>, Jim Jagielski]
+
+ *) mod_auth_form: Make sure that get_notes_auth() sets the user as does
+ get_form_auth() and get_session_auth(). Makes sure that REMOTE_USER
+ does not vanish during mod_include driven subrequests. [Graham
+ Leggett]
+
+ *) mod_cache_disk: Resolve errors while revalidating disk-cached files on
+ Windows ("...rename tempfile to datafile failed..."). PR 38827
+ [Eric Covener]
+
+ *) mod_proxy_balancer: Bring XML output up to date. [Jim Jagielski]
+
+ *) htpasswd, htdbm: Optionally read passwords from stdin, as more
+ secure alternative to -b. PR 40243. [Adomas Paltanavicius <adomas
+ paltanavicius gmail com>, Stefan Fritsch]
+
+ *) htpasswd, htdbm: Add support for bcrypt algorithm (requires
+ apr-util 1.5 or higher). PR 49288. [Stefan Fritsch]
+
+ *) htpasswd, htdbm: Put full 48bit of entropy into salt, improve
+ error handling. Add some of htpasswd's improvements to htdbm,
+ e.g. warn if password is truncated by crypt(). [Stefan Fritsch]
+
+ *) mod_auth_form: Support the expr parser in the
+ AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and
+ AuthFormLogoutLocation directives. [Graham Leggett]
+
+ *) mod_ssl: Add support for TLS-SRP (Secure Remote Password key exchange
+ for TLS, RFC 5054). PR 51075. [Quinn Slack <sqs cs stanford edu>,
+ Christophe Renou, Peter Sylvester]
+
+ *) mod_rewrite: Stop mergeing RewriteBase down to subdirectories
+ unless new option 'RewriteOptions MergeBase' is configured.
+ PR 53963. [Eric Covener]
+
+ *) mod_header: Allow for exposure of loadavg and server load using new
+ format specifiers %l, %i, %b [Jim Jagielski]
+
+ *) core: Make ap_regcomp() return AP_REG_ESPACE if out of memory. Make
+ ap_pregcomp() abort if out of memory. This raises the minimum PCRE
+ requirement to version 6.0. [Stefan Fritsch]
+
+ *) mod_proxy: Add ability to configure the sticky session separator.
+ PR 53893. [<inu inusasha de>, Jim Jagielski]
+
+ *) mod_dumpio: Correctly log large messages
+ PR 54179 [Marek Wianecki <mieszek2 interia pl>]
+
+ *) core: Don't fail at startup with AH00554 when Include points to
+ a directory without any wildcard character. [Eric Covener]
+
+ *) core: Fail startup if the argument to ServerTokens is unrecognized.
+ [Jackie Zhang <jackie.qq.zhang gmail.com>]
+
+ *) mod_log_forensic: Don't log a spurious "-" if a request has been rejected
+ before mod_log_forensic could attach its id to it. [Stefan Fritsch]
+
+ *) rotatelogs: Omit the second argument for the first invocation of
+ a post-rotate program when -p is used, per the documentation.
+ [Joe Orton]
+
+ *) mod_session_dbd: fix a segmentation fault in the function dbd_remove.
+ PR 53452. [<rebanerebane gmail com>, Reimo Rebane]
+
+ *) core: Functions to provide server load values: ap_get_sload() and
+ ap_get_loadavg(). [Jim Jagielski, Jan Kaluza <jkaluza redhat.com>,
+ Jeff Trawick]
+
+ *) mod_ldap: Fix regression in handling "server unavailable" errors on
+ Windows. PR 54140. [Eric Covener]
+
+ *) syslog logging: Remove stray ", referer" at the end of some messages.
+ [Jeff Trawick]
+
+ *) "Iterate" directives: Report an error if no arguments are provided.
+ [Jeff Trawick]
+
+ *) mod_ssl: Change default for SSLCompression to off, as compression
+ causes security issues in most setups. (The so called "CRIME" attack).
+ [Stefan Fritsch]
+
+ *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
+ to more accurately report the negotiated protocol. PR 53916.
+ [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
+
+ *) core: ErrorDocument now works for requests without a Host header.
+ PR 48357. [Jeff Trawick]
+
+ *) prefork: Avoid logging harmless errors during graceful stop.
+ [Joe Orton, Jeff Trawick]
+
+ *) mod_proxy: When concatting for PPR, avoid cases where we
+ concat ".../" and "/..." to create "...//..." [Jim Jagielski]
+
+ *) mod_cache: Wrong content type and character set when
+ mod_cache serves stale content because of a proxy error.
+ PR 53539. [Rainer Jung, Ruediger Pluem]
+
+ *) mod_proxy_ajp: Fix crash in packet dump code when logging
+ with LogLevel trace7 or trace8. PR 53730. [Rainer Jung]
+
+ *) httpd.conf: Removed the configuration directives setting a bad_DNT
+ environment introduced in 2.4.3. The actual directives are commented
+ out in the default conf file.
+
+ *) core: Apply length limit when logging Status header values.
+ [Jeff Trawick, Chris Darroch]
+
+ *) mod_proxy_balancer: The nonce is only derived from the UUID iff
+ not set via the 'nonce' balancer param. [Jim Jagielski]
+
+ *) mod_ssl: Match wildcard SSL certificate names in proxy mode.
+ PR 53006. [Joe Orton]
+
+ *) Windows: Fix output of -M, -L, and similar command-line options
+ which display information about the server configuration.
+ [Jeff Trawick]
+
+ [Apache 2.3.0-dev includes those bug fixes and changes with the
+ Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
+
Added: dev/httpd/httpd-2.4.4-deps.tar.bz2
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.4-deps.tar.bz2
------------------------------------------------------------------------------
svn:mime-type = application/x-bzip2
Added: dev/httpd/httpd-2.4.4-deps.tar.bz2.asc
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.4-deps.tar.bz2.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp-signature
Added: dev/httpd/httpd-2.4.4-deps.tar.bz2.md5
==============================================================================
--- dev/httpd/httpd-2.4.4-deps.tar.bz2.md5 (added)
+++ dev/httpd/httpd-2.4.4-deps.tar.bz2.md5 Mon Feb 18 20:31:43 2013
@@ -0,0 +1 @@
+625b1574b5a7e772b1394e0419c353f6 *httpd-2.4.4-deps.tar.bz2
Added: dev/httpd/httpd-2.4.4-deps.tar.bz2.sha1
==============================================================================
--- dev/httpd/httpd-2.4.4-deps.tar.bz2.sha1 (added)
+++ dev/httpd/httpd-2.4.4-deps.tar.bz2.sha1 Mon Feb 18 20:31:43 2013
@@ -0,0 +1 @@
+70afac8334e8649a66ed014d4ea7b13ec6ce6638 *httpd-2.4.4-deps.tar.bz2
Added: dev/httpd/httpd-2.4.4-deps.tar.gz
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.4-deps.tar.gz
------------------------------------------------------------------------------
svn:mime-type = application/x-gzip
Added: dev/httpd/httpd-2.4.4-deps.tar.gz.asc
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.4-deps.tar.gz.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp-signature
Added: dev/httpd/httpd-2.4.4-deps.tar.gz.md5
==============================================================================
--- dev/httpd/httpd-2.4.4-deps.tar.gz.md5 (added)
+++ dev/httpd/httpd-2.4.4-deps.tar.gz.md5 Mon Feb 18 20:31:43 2013
@@ -0,0 +1 @@
+fb02c785af2387d93b87734d305e0374 *httpd-2.4.4-deps.tar.gz
Added: dev/httpd/httpd-2.4.4-deps.tar.gz.sha1
==============================================================================
--- dev/httpd/httpd-2.4.4-deps.tar.gz.sha1 (added)
+++ dev/httpd/httpd-2.4.4-deps.tar.gz.sha1 Mon Feb 18 20:31:43 2013
@@ -0,0 +1 @@
+379638df2ffeee14f186f072f16c5f2c9a44cc07 *httpd-2.4.4-deps.tar.gz
Added: dev/httpd/httpd-2.4.4.tar.bz2
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.4.tar.bz2
------------------------------------------------------------------------------
svn:mime-type = application/x-bzip2
Added: dev/httpd/httpd-2.4.4.tar.bz2.asc
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.4.tar.bz2.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp-signature
Added: dev/httpd/httpd-2.4.4.tar.bz2.md5
==============================================================================
--- dev/httpd/httpd-2.4.4.tar.bz2.md5 (added)
+++ dev/httpd/httpd-2.4.4.tar.bz2.md5 Mon Feb 18 20:31:43 2013
@@ -0,0 +1 @@
+0e712ee2119cd798c8ae39d5f11a9206 *httpd-2.4.4.tar.bz2
Added: dev/httpd/httpd-2.4.4.tar.bz2.sha1
==============================================================================
--- dev/httpd/httpd-2.4.4.tar.bz2.sha1 (added)
+++ dev/httpd/httpd-2.4.4.tar.bz2.sha1 Mon Feb 18 20:31:43 2013
@@ -0,0 +1 @@
+0c5ab7f876aa10fbe8bfab2c34f8dd3dc76db16c *httpd-2.4.4.tar.bz2
Added: dev/httpd/httpd-2.4.4.tar.gz
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.4.tar.gz
------------------------------------------------------------------------------
svn:mime-type = application/x-gzip
Added: dev/httpd/httpd-2.4.4.tar.gz.asc
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.4.4.tar.gz.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp-signature
Added: dev/httpd/httpd-2.4.4.tar.gz.md5
==============================================================================
--- dev/httpd/httpd-2.4.4.tar.gz.md5 (added)
+++ dev/httpd/httpd-2.4.4.tar.gz.md5 Mon Feb 18 20:31:43 2013
@@ -0,0 +1 @@
+a2fed766e67c9681e0d9b86768f08286 *httpd-2.4.4.tar.gz
Added: dev/httpd/httpd-2.4.4.tar.gz.sha1
==============================================================================
--- dev/httpd/httpd-2.4.4.tar.gz.sha1 (added)
+++ dev/httpd/httpd-2.4.4.tar.gz.sha1 Mon Feb 18 20:31:43 2013
@@ -0,0 +1 @@
+2834fa7c0a510890a0a2f946359c6f64d73abf13 *httpd-2.4.4.tar.gz