Posted to cvs@httpd.apache.org by ji...@apache.org on 2013/11/22 18:49:19 UTC

svn commit: r3652 - /release/httpd/

Author: jim
Date: Fri Nov 22 17:49:15 2013
New Revision: 3652

Log:
Push 2.4.7 to mirrors

Added:
    release/httpd/CHANGES_2.4.7
    release/httpd/httpd-2.4.7-deps.tar.bz2   (with props)
    release/httpd/httpd-2.4.7-deps.tar.bz2.asc   (with props)
    release/httpd/httpd-2.4.7-deps.tar.bz2.md5
    release/httpd/httpd-2.4.7-deps.tar.bz2.sha1
    release/httpd/httpd-2.4.7-deps.tar.gz   (with props)
    release/httpd/httpd-2.4.7-deps.tar.gz.asc   (with props)
    release/httpd/httpd-2.4.7-deps.tar.gz.md5
    release/httpd/httpd-2.4.7-deps.tar.gz.sha1
    release/httpd/httpd-2.4.7.tar.bz2   (with props)
    release/httpd/httpd-2.4.7.tar.bz2.asc   (with props)
    release/httpd/httpd-2.4.7.tar.bz2.md5
    release/httpd/httpd-2.4.7.tar.bz2.sha1
    release/httpd/httpd-2.4.7.tar.gz   (with props)
    release/httpd/httpd-2.4.7.tar.gz.asc   (with props)
    release/httpd/httpd-2.4.7.tar.gz.md5
    release/httpd/httpd-2.4.7.tar.gz.sha1
Modified:
    release/httpd/Announcement2.4.html
    release/httpd/Announcement2.4.txt

Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Fri Nov 22 17:49:15 2013
@@ -15,53 +15,33 @@
 <img src="../../images/apache_sub.gif" alt="" />
 
 <h1>
-                       Apache HTTP Server 2.4.6 Released
+                       Apache HTTP Server 2.4.7 Released
 </h1>
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
    pleased to <a href="http://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
-   the release of version 2.4.6 of the Apache
+   the release of version 2.4.7 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of
    innovation by the project, and is recommended over all previous releases. This
-   release of Apache is principally a security
-   and bug fix release, including the following security fix:
+   release of Apache is principally a feature
+   and bug fix release.
 </p>
-<ul>
-  <li>SECURITY: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896">CVE-2013-1896</a>  (cve.mitre.org)
-     Sending a MERGE request against a URI handled by mod_dav_svn with
-     the source href (sent as part of the request body as XML) pointing to a
-     URI that is not configured for DAV will trigger a segfault.
-  </li>
-  <li>SECURITY: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249">CVE-2013-2249</a>  (cve.mitre.org)
-     mod_session_dbd: Make sure that dirty flag is respected when saving
-     sessions, and ensure the session ID is changed each time the session
-     changes. This changes the format of the updatesession SQL statement.
-     Existing configurations must be changed.
-  </li>
-</ul>
 <p>
    Also in this release are some exciting new features including:
 </p>
 <ul>
-    <li> Major updates to mod_lua </li>
-    <li> Support for proxying websocket requests </li>
-    <li> Higher performant shm-based cache implementation </li>
-    <li> Addition of mod_macro for easier configuration management </li>
+    <li>Major updates to mod_proxy_fcgi</li>
+    <li>Higher performant event MPM</li>
+    <li>Enhancements to the WinNT MPM</li>
 </ul>
 <p>
-   As well as several exciting fixes, especially those related to RFC edge cases in mod_cache and mod_proxy.
-</p>
-<p>
-   NOTE: Apache httpd 2.4.5 was not released.
-</p>
-<p>
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 </p>
 <p>
-   Apache HTTP Server 2.4.6 is available for download from:
+   Apache HTTP Server 2.4.7 is available for download from:
 </p>
 <dl>
   <dd><a href="http://httpd.apache.org/download.cgi"
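Review bot: Removing the whole SECURITY list also drops the only upgrade warning in this announcement, the CVE-2013-2249 text "This changes the format of the updatesession SQL statement. Existing configurations must be changed." The announcement still encourages "users of all prior versions to upgrade", so anyone moving from a release older than 2.4.6 straight to 2.4.7 gets no hint that a mod_session_dbd configuration needs editing. Suggest keeping one sentence after "feature and bug fix release." that mentions the mod_session_dbd change and points to the security vulnerabilities summary referenced later in the file for fixes shipped in earlier 2.4.x releases.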
@@ -69,7 +49,7 @@
 </dl>
 <p>
    Please see the CHANGES_2.4 file, linked from the download page, for a
-   full list of changes.  A condensed list, CHANGES_2.4.6 includes only
+   full list of changes.  A condensed list, CHANGES_2.4.7 includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:
@@ -80,8 +60,8 @@
   </dd>
 </dl>
 <p>
-   This release requires the Apache Portable Runtime (APR) version 1.4.x
-   and APR-Util version 1.4.x. or higher. The APR libraries must be upgraded for all
+   This release requires the Apache Portable Runtime (APR) version 1.5.x
+   and APR-Util version 1.5.x. The APR libraries must be upgraded for all
    features of httpd to operate correctly.
 </p>
 <p>
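Review bot: The new requirement sentence drops "or higher" and now reads as if exactly APR 1.5.x and APR-Util 1.5.x are needed for the whole release, while CHANGES_2.4.7 in this same commit says only "APR 1.5.0 or later is now required for the event MPM" and does not mention APR-Util. Suggest making the two agree, for example "version 1.5.x or later", and stating whether the requirement applies to every build or only to the event MPM. The same sentence is changed in Announcement2.4.txt and should be kept in step.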

Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Fri Nov 22 17:49:15 2013
@@ -1,42 +1,24 @@
-                Apache HTTP Server 2.4.6 Released
+                Apache HTTP Server 2.4.7 Released
 
    The Apache Software Foundation and the Apache HTTP Server Project
-   are pleased to announce the release of version 2.4.6 of the Apache
+   are pleased to announce the release of version 2.4.7 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   principally a security and bug fix release, including the following
-   2 security fixes:
+   principally a feature and bug fix release.
 
-    *) SECURITY: CVE-2013-1896 (cve.mitre.org)
-       Sending a MERGE request against a URI handled by mod_dav_svn
-       with the source href (sent as part of the request body as XML)
-       pointing to a URI that is not configured for DAV will trigger a
-       segfault.
-
-    *) SECURITY: CVE-2013-2249 (cve.mitre.org)
-       mod_session_dbd: Make sure that dirty flag is respected when saving
-       sessions, and ensure the session ID is changed each time the session
-       changes. This changes the format of the updatesession SQL statement.
-       Existing configurations must be changed.
 
    Also in this release are some exciting new features including:
 
-    *) Major updates to mod_lua
-    *) Support for proxying websocket requests
-    *) Higher performant shm-based cache implementation
-    *) Addition of mod_macro for easier configuration management
-
-   As well as several exciting fixes, especially those related to RFC edge
-   cases in mod_cache and mod_proxy.
-
-   NOTE: Apache httpd 2.4.5 was not released.
+    *) Major updates to mod_proxy_fcgi
+    *) Higher performant event MPM
+    *) Enhancements to the WinNT MPM
 
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 
-   Apache HTTP Server 2.4.6 is available for download from:
+   Apache HTTP Server 2.4.7 is available for download from:
 
      http://httpd.apache.org/download.cgi
 
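Review bot: "principally a feature and bug fix release" together with the three-item highlight list leaves out the mod_ssl behaviour changes recorded in CHANGES_2.4.7 in this commit: aNULL, eNULL and EXP ciphers are disabled unconditionally ("not overridable via SSLCipherSuite"), export-grade ciphers with ephemeral RSA keys are dropped, and OpenSSL 0.9.8a or later is required. These can change what a TLS client negotiates after an upgrade, so they deserve a line in the highlights. Minor: deleting the SECURITY block leaves two consecutive blank lines before "Also in this release".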
@@ -47,16 +29,16 @@
      http://httpd.apache.org/docs/trunk/new_features_2_4.html
 
    Please see the CHANGES_2.4 file, linked from the download page, for a
-   full list of changes. A condensed list, CHANGES_2.4.6 includes only
+   full list of changes. A condensed list, CHANGES_2.4.7 includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:
 
      http://httpd.apache.org/security/vulnerabilities_24.html
 
-   This release requires the Apache Portable Runtime (APR) version 1.4.x
-   and APR-Util version 1.4.x. or higher. The APR libraries must be upgraded for
-   all features of httpd to operate correctly.
+   This release requires the Apache Portable Runtime (APR) version 1.5.x
+   and APR-Util version 1.5.x. The APR libraries must be upgraded for all
+   features of httpd to operate correctly.
 
    This release builds on and extends the Apache 2.2 API.  Modules written
    for Apache 2.2 will need to be recompiled in order to run with Apache

Added: release/httpd/CHANGES_2.4.7
==============================================================================
--- release/httpd/CHANGES_2.4.7 (added)
+++ release/httpd/CHANGES_2.4.7 Fri Nov 22 17:49:15 2013
@@ -0,0 +1,200 @@
+                                                         -*- coding: utf-8 -*-
+
+Changes with Apache 2.4.7
+
+  *) APR 1.5.0 or later is now required for the event MPM.
+  
+  *) slotmem_shm: Error detection. [Jim Jagielski]
+
+  *) event: Use skiplist data structure. [Jim Jagielski]
+
+  *) mpm_unix: Add ap_mpm_podx_* implementation to avoid code duplication
+     and align w/ trunk. [Jim Jagielski]
+
+  *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
+     directives.  [Mike Rumph <mike.rumph oracle.com>]
+
+  *) mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars.
+     An individual envvar with an encoded length of more than 16K will be
+     omitted.  [Jeff Trawick]
+  
+  *) mod_proxy_fcgi: Handle reading protocol data that is split between
+     packets.  [Jeff Trawick]
+
+  *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
+     allowing custom parameters to be configured via SSLCertificateFile,
+     and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
+     Unless custom parameters are configured, the standardized parameters
+     are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
+
+  *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]
+
+  *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
+     keys, and unconditionally disable aNULL, eNULL and EXP ciphers
+     (not overridable via SSLCipherSuite). [Kaspar Brand]
+
+  *) Add experimental cmake-based build system for Windows.  [Jeff Trawick,
+     Tom Donovan]
+
+  *) event MPM: Fix possible crashes (third party modules accessing c->sbh) 
+     or occasional missed mod_status updates for some keepalive requests 
+     under load. [Eric Covener]
+
+  *) mod_authn_socache: Support optional initialization arguments for
+     socache providers.  [Chris Darroch]
+
+  *) mod_session: Reset the max-age on session save. PR 47476. [Alexey
+     Varlamov <alexey.v.varlamov gmail com>]
+
+  *) mod_session: After parsing the value of the header specified by the
+     SessionHeader directive, remove the value from the response. PR 55279.
+     [Graham Leggett]
+
+  *) mod_headers: Allow for format specifiers in the substitution string
+     when using Header edit. [Daniel Ruggeri]
+
+  *) mod_dav: dav_resource->uri is treated as unencoded. This was an
+     unnecessary ABI changed introduced in 2.4.6. PR 55397.
+
+  *) mod_dav: Don't require lock tokens for COPY source. PR 55306.
+
+  *) core: Don't truncate output when sending is interrupted by a signal,
+     such as from an exiting CGI process. PR 55643. [Jeff Trawick]
+
+  *) WinNT MPM: Exit the child if the parent process crashes or is terminated.
+     [Oracle Corporation]
+
+  *) Windows: Correct failure to discard stderr in some error log
+     configurations.  (Error message AH00093)  [Jeff Trawick]
+
+  *) mod_session_crypto: Allow using exec: calls to obtain session
+     encryption key.  [Daniel Ruggeri]
+
+  *) core: Add missing Reason-Phrase in HTTP response headers.
+     PR 54946. [Rainer Jung]
+
+  *) mod_rewrite: Make rewrite websocket-aware to allow proxying.
+     PR 55598. [Chris Harris <chris.harris kitware com>]
+
+  *) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
+     instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]
+
+  *) ab: Add wait time, fix processing time, and output write errors only if
+     they occured. [Christophe Jaillet]
+
+  *) worker MPM: Don't forcibly kill worker threads if the child process is
+     exiting gracefully.  [Oracle Corporation]
+
+  *) core: apachectl -S prints wildcard name-based virtual hosts twice. 
+     PR54948 [Eric Covener]
+
+  *) mod_auth_basic: Add AuthBasicUseDigestAlgorithm directive to
+     allow migration of passwords from digest to basic authentication.
+     [Chris Darroch]
+
+  *) ab: Add a new -l parameter in order not to check the length of the responses.
+     This can be usefull with dynamic pages.
+     PR9945, PR27888, PR42040 [<ccikrs1 cranbrook edu>]
+     
+  *) Suppress formatting of startup messages written to the console when
+     ErrorLogFormat is used.  [Jeff Trawick]
+
+  *) mod_auth_digest: Be more specific when the realm mismatches because the
+     realm has not been specified. [Graham Leggett]
+
+  *) mod_proxy: Add a note in the balancer manager stating whether changes
+     will or will not be persisted and whether settings are inherited.
+     [Daniel Ruggeri, Jim Jagielski]
+
+  *) mod_cache: Avoid a crash with strcmp() when the hostname is not provided.
+     [Graham Leggett]
+
+  *) core: Add util_fcgi.h and associated definitions and support
+     routines for FastCGI, based largely on mod_proxy_fcgi.
+     [Jeff Trawick]
+
+  *) mod_headers: Add 'Header note header-name note-name' for copying a response
+     headers value into a note. [Eric Covener]
+
+  *) mod_headers: Add 'setifempty' command to Header and RequestHeader.
+     [Eric Covener]
+
+  *) mod_logio: new format-specifier %S (sum) which is the sum of received
+     and sent byte counts.
+     PR54015 [Christophe Jaillet]
+
+  *) mod_deflate: Improve error detection when decompressing request bodies
+     with trailing garbage: handle case where trailing bytes are in
+     the same bucket. [Rainer Jung]
+
+  *) mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663
+     from ERROR to DEBUG, since these modules do not know what mod_authz_core
+     is doing with their AUTHZ_DENIED return value. [Eric Covener]
+
+  *) mod_ldap: add TRACE5 for LDAP retries. [Eric Covener]
+
+  *) mod_ldap: retry on an LDAP timeout during authn. [Eric Covener]
+
+  *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP 
+     SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK 
+     default, sans rebind authentication callback.
+     [Jan Kaluza <kaluze AT redhat.com>]
+
+  *) core: Log a message at TRACE1 when the client aborts a connection.
+     [Eric Covener]
+
+  *) WinNT MPM: Don't crash during child process initialization if the
+     Listen protocol is unrecognized.  [Jeff Trawick]
+
+  *) modules: Fix some compiler warnings. [Guenter Knauf]
+
+  *) Sync 2.4 and trunk
+       - Avoid some memory allocation and work when TRACE1 is not activated
+       - fix typo in include guard
+       - indent
+       - No need to lower the string before removing the path, it is just a waste of time...
+       - Save a few cycles
+     [Christophe Jaillet <christophe.jaillet wanadoo.fr>]
+
+  *) mod_filter: Add "change=no" as a proto-flag to FilterProtocol
+     to remove a providers initial flags set at registration time.
+     [Eric Covener]
+
+  *) core, mod_ssl: Enable the ability for a module to reverse the sense of
+     a poll event from a read to a write or vice versa. This is a step on
+     the way to allow mod_ssl taking full advantage of the event MPM.
+     [Graham Leggett]
+
+  *) Makefile.win: Install proper pcre DLL file during debug build install.
+     PR 55235.  [Ben Reser <ben reser org>]
+
+  *) mod_ldap: Fix a potential memory leak or corruption.  PR 54936.
+     [Zhenbo Xu <zhenbo1987 gmail com>]
+
+  *) ab: Fix potential buffer overflows when processing the T and X
+     command-line options.  PR 55360.
+     [Mike Rumph <mike.rumph oracle.com>]
+
+  *) fcgistarter: Specify SO_REUSEADDR to allow starting a server
+     with old connections in TIME_WAIT.  [Jeff Trawick]
+
+  *) core: Add open_htaccess hook which, in conjunction with dirwalk_stat
+     and post_perdir_config (introduced in 2.4.5), allows mpm-itk to be 
+     used without patches to httpd core. [Stefan Fritsch]
+
+  *) support/htdbm: fix processing of -t command line switch. Regression
+     introduced in 2.4.4
+     PR 55264 [Jo Rhett <jrhett netconsonance com>]
+
+
+  [Apache 2.3.0-dev includes those bug fixes and changes with the
+   Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
+
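Review bot: The open_htaccess entry near the end says dirwalk_stat and post_perdir_config were "introduced in 2.4.5", but the announcement text removed in this commit states "Apache httpd 2.4.5 was not released", so readers cannot match that version to a download; naming the first released version that carries those hooks would help. Also, the two mod_dav entries have no attribution, "ABI changed introduced" should read "ABI change introduced", and "occured" and "usefull" are misspelled in the ab entries. None of the entries carries a SECURITY tag, so a word on whether "ab: Fix potential buffer overflows" and "mod_ldap: Fix a potential memory leak or corruption" are considered security-relevant would save readers from guessing.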

Added: release/httpd/httpd-2.4.7-deps.tar.bz2
==============================================================================
Binary file - no diff available.

Propchange: release/httpd/httpd-2.4.7-deps.tar.bz2
------------------------------------------------------------------------------
    svn:mime-type = application/x-bzip2

Added: release/httpd/httpd-2.4.7-deps.tar.bz2.asc
==============================================================================
Binary file - no diff available.

Propchange: release/httpd/httpd-2.4.7-deps.tar.bz2.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: release/httpd/httpd-2.4.7-deps.tar.bz2.md5
==============================================================================
--- release/httpd/httpd-2.4.7-deps.tar.bz2.md5 (added)
+++ release/httpd/httpd-2.4.7-deps.tar.bz2.md5 Fri Nov 22 17:49:15 2013
@@ -0,0 +1 @@
+c528a9ffe7ce8ff87fd005f58320650c *httpd-2.4.7-deps.tar.bz2
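Review bot: The digest files added for each tarball are MD5 and SHA-1 only (.md5 and .sha1), and neither is collision-resistant enough to rely on for the integrity of a download fetched from a mirror. The detached .asc signatures added alongside are what actually authenticate the tarballs. Suggest also publishing a SHA-256 digest per file and making sure the download instructions tell users to verify the .asc signature rather than stop at the checksums. This applies to all four tarballs in this commit.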

Added: release/httpd/httpd-2.4.7-deps.tar.bz2.sha1
==============================================================================
--- release/httpd/httpd-2.4.7-deps.tar.bz2.sha1 (added)
+++ release/httpd/httpd-2.4.7-deps.tar.bz2.sha1 Fri Nov 22 17:49:15 2013
@@ -0,0 +1 @@
+08296290cbf995a608ea8de517fc5e3030e55c83 *httpd-2.4.7-deps.tar.bz2

Added: release/httpd/httpd-2.4.7-deps.tar.gz
==============================================================================
Binary file - no diff available.

Propchange: release/httpd/httpd-2.4.7-deps.tar.gz
------------------------------------------------------------------------------
    svn:mime-type = application/x-gzip

Added: release/httpd/httpd-2.4.7-deps.tar.gz.asc
==============================================================================
Binary file - no diff available.

Propchange: release/httpd/httpd-2.4.7-deps.tar.gz.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: release/httpd/httpd-2.4.7-deps.tar.gz.md5
==============================================================================
--- release/httpd/httpd-2.4.7-deps.tar.gz.md5 (added)
+++ release/httpd/httpd-2.4.7-deps.tar.gz.md5 Fri Nov 22 17:49:15 2013
@@ -0,0 +1 @@
+2f407f7bff6e19485f71e2fb9ca27a50 *httpd-2.4.7-deps.tar.gz

Added: release/httpd/httpd-2.4.7-deps.tar.gz.sha1
==============================================================================
--- release/httpd/httpd-2.4.7-deps.tar.gz.sha1 (added)
+++ release/httpd/httpd-2.4.7-deps.tar.gz.sha1 Fri Nov 22 17:49:15 2013
@@ -0,0 +1 @@
+9b96f23a14bde3aff6a1a3ec3cc3835cc28c529f *httpd-2.4.7-deps.tar.gz

Added: release/httpd/httpd-2.4.7.tar.bz2
==============================================================================
Binary file - no diff available.

Propchange: release/httpd/httpd-2.4.7.tar.bz2
------------------------------------------------------------------------------
    svn:mime-type = application/x-bzip2

Added: release/httpd/httpd-2.4.7.tar.bz2.asc
==============================================================================
Binary file - no diff available.

Propchange: release/httpd/httpd-2.4.7.tar.bz2.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: release/httpd/httpd-2.4.7.tar.bz2.md5
==============================================================================
--- release/httpd/httpd-2.4.7.tar.bz2.md5 (added)
+++ release/httpd/httpd-2.4.7.tar.bz2.md5 Fri Nov 22 17:49:15 2013
@@ -0,0 +1 @@
+170d7fb6fe5f28b87d1878020a9ab94e *httpd-2.4.7.tar.bz2

Added: release/httpd/httpd-2.4.7.tar.bz2.sha1
==============================================================================
--- release/httpd/httpd-2.4.7.tar.bz2.sha1 (added)
+++ release/httpd/httpd-2.4.7.tar.bz2.sha1 Fri Nov 22 17:49:15 2013
@@ -0,0 +1 @@
+19ed9ee56462e44d61a093ea57e964cf0af05c0e *httpd-2.4.7.tar.bz2

Added: release/httpd/httpd-2.4.7.tar.gz
==============================================================================
Binary file - no diff available.

Propchange: release/httpd/httpd-2.4.7.tar.gz
------------------------------------------------------------------------------
    svn:mime-type = application/x-gzip

Added: release/httpd/httpd-2.4.7.tar.gz.asc
==============================================================================
Binary file - no diff available.

Propchange: release/httpd/httpd-2.4.7.tar.gz.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: release/httpd/httpd-2.4.7.tar.gz.md5
==============================================================================
--- release/httpd/httpd-2.4.7.tar.gz.md5 (added)
+++ release/httpd/httpd-2.4.7.tar.gz.md5 Fri Nov 22 17:49:15 2013
@@ -0,0 +1 @@
+9272aadaa2d702f6ae5758641d830d7f *httpd-2.4.7.tar.gz

Added: release/httpd/httpd-2.4.7.tar.gz.sha1
==============================================================================
--- release/httpd/httpd-2.4.7.tar.gz.sha1 (added)
+++ release/httpd/httpd-2.4.7.tar.gz.sha1 Fri Nov 22 17:49:15 2013
@@ -0,0 +1 @@
+9a73783b0f75226fb2afdcadd30ccba77ba05149 *httpd-2.4.7.tar.gz