You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2011/08/30 02:16:15 UTC
svn commit: r385 [2/3] - /dev/httpd/
Added: dev/httpd/CHANGES_2.2
==============================================================================
--- dev/httpd/CHANGES_2.2 (added)
+++ dev/httpd/CHANGES_2.2 Tue Aug 30 00:16:12 2011
@@ -0,0 +1,2765 @@
+ -*- coding: utf-8 -*-
+Changes with Apache 2.2.20
+
+ *) SECURITY: CVE-2011-3192 (cve.mitre.org)
+ core: Fix handling of byte-range requests to use less memory, to avoid
+ denial of service. If the sum of all ranges in a request is larger than
+ the original file, ignore the ranges and send the complete file.
+ PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
+
+ *) mod_authnz_ldap: If the LDAP server returns constraint violation,
+ don't treat this as an error but as "auth denied". [Stefan Fritsch]
+
+ *) mod_filter: Fix FilterProvider conditions of type "resp=" (response
+ headers) for CGI. [Joe Orton, Rainer Jung]
+
+ *) mod_reqtimeout: Fix a timed out connection going into the keep-alive
+ state after a timeout when discarding a request body. PR 51103.
+ [Stefan Fritsch]
+
+ *) core: Do the hook sorting earlier so that the hooks are properly sorted
+ for the pre_config hook and during parsing the config. [Stefan Fritsch]
+
+Changes with Apache 2.2.19
+
+ *) Revert ABI breakage in 2.2.18 caused by the function signature change
+ of ap_unescape_url_keep2f(). This release restores the signature from
+ 2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
+ [Eric Covener]
+
+Changes with Apache 2.2.18
+
+ *) Log an error for failures to read a chunk-size, and return 408 instead
+ 413 when this is due to a read timeout. This change also fixes some cases
+ of two error documents being sent in the response for the same scenario.
+ [Eric Covener] PR49167
+
+ *) core: Only log a 408 if it is no keepalive timeout. PR 39785
+ [Ruediger Pluem, Mark Montague <markmont umich.edu>]
+
+ *) core: Treat timeout reading request as 408 error, not 400.
+ Log 408 errors in access log as was done in Apache 1.3.x.
+ PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, Stefan Fritsch,
+ Dan Poirier]
+
+ *) Core HTTP: disable keepalive when the Client has sent
+ Expect: 100-continue
+ but we respond directly with a non-100 response. Keepalive here led
+ to data from clients continuing being treated as a new request.
+ PR 47087. [Nick Kew]
+
+ *) htpasswd: Change the default algorithm for htpasswd to MD5 on all
+ platforms. Crypt with its 8 character limit is not useful anymore;
+ improve out of disk space handling (PR 30877); print a warning if
+ a password is truncated by crypt. [Stefan Fritsch]
+
+ *) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
+ Win32's cscript interpreter can only use a single quote as comment char.
+ [Guenter Knauf]
+
+ *) configure: Fix htpasswd/htdbm libcrypt link errors with some newer
+ linkers. [Stefan Fritsch]
+
+ *) MinGW build improvements. PR 49535. [John Vandenberg
+ <jayvdb gmail.com>, Jeff Trawick]
+
+ *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
+ [Stefan Fritsch]
+
+ *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
+ in request URL path info but not decode them. PR 35256,
+ PR 46830. [Dan Poirier]
+
+ *) mod_rewrite: Allow to unset environment variables. PR 50746.
+ [Rainer Jung]
+
+ *) suEXEC: Add Suexec directive to disable suEXEC without renaming the
+ binary (Suexec Off), or force startup failure if suEXEC is required
+ but not supported (Suexec On). [Jeff Trawick]
+
+ *) mod_proxy: Put the worker in error state if the SSL handshake with the
+ backend fails. PR 50332.
+ [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
+
+ *) prefork: Update MPM state in children during a graceful restart.
+ Allow the HTTP connection handling loop to terminate early
+ during a graceful restart. PR 41743.
+ [Andrew Punch <andrew.punch 247realmedia.com>]
+
+ *) mod_ssl: Correctly read full lines in input filter when the line is
+ incomplete during first read. PR 50481. [Ruediger Pluem]
+
+ *) mod_autoindex: Merge IndexOptions from server to directory context when
+ the directory has no mod_autoindex directives. PR 47766. [Eric Covener]
+
+ *) mod_cache: Make sure that we never allow a 304 Not Modified response
+ that we asked for to leak to the client should the 304 response be
+ uncacheable. PR45341 [Graham Leggett]
+
+ *) mod_dav: Send 400 error if malformed Content-Range header is received for
+ a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]
+
+ *) mod_userdir: Add merging of enable, disable, and filename arguments
+ to UserDir directive, leaving enable/disable of userlists unmerged.
+ PR 44076 [Eric Covener]
+
+ *) core: Honor 'AcceptPathInfo OFF' during internal redirects,
+ such as per-directory mod_rewrite substitutions. PR 50349.
+ [Eric Covener]
+
+ *) mod_cache: Check the request to determine whether we are allowed
+ to return cached content at all, and respect a "Cache-Control:
+ no-cache" header from a client. Previously, "no-cache" would
+ behave like "max-age=0". [Graham Leggett]
+
+ *) mod_mem_cache: Add a debug msg when a streaming response exceeds
+ MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary
+ 'memory allocation failed' debug message. PR 49604. [Eric Covener]
+
+ *) proxy_connect: Don't give up in the middle of a CONNECT tunnel
+ when the child process is starting to exit. PR50220. [Eric Covener]
+
+Changes with Apache 2.2.17
+
+ *) prefork MPM: Run cleanups for final request when process exits gracefully
+ to work around a flaw in apr-util. PR 43857. [Tom Donovan]
+
+ *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
+ connections and other protocol handlers (like mod_ftp). Enforce the
+ timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
+ close time from 30 to 2 seconds. [Stefan Fritsch]
+
+ *) Proxy balancer: support setting error status according to HTTP response
+ code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]
+
+ *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
+ password to UTF-8. PR 45318.
+ [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
+
+ *) core: check symlink ownership if both FollowSymlinks and
+ SymlinksIfOwnerMatch are set [Nick Kew]
+
+ *) core: fix origin checking in SymlinksIfOwnerMatch
+ PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>]
+
+ *) mod_headers: Enable multi-match-and-replace edit option
+ PR 46594 [Nick Kew]
+
+ *) mod_log_config: Make ${cookie}C correctly match whole cookie names
+ instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
+ Stefan Fritsch]
+
+ *) mod_dir, mod_negotiation: Pass the output filter information
+ to newly created sub requests; as these are later on used
+ as true requests with an internal redirect. This allows for
+ mod_cache et.al. to trap the results of the redirect.
+ PR 17629, 43939
+ [Dirk-Willem van Gulik, Jim Jagielski, Joe Orton, Ruediger Pluem]
+
+ *) rotatelogs: Fix possible buffer overflow if admin configures a
+ mongo log file path. [Jeff Trawick]
+
+ *) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]
+
+ *) vhost: A purely-numeric Host: header should not be treated as a port.
+ PR 44979 [Nick Kew]
+
+ *) core: (re)-introduce -T commandline option to suppress documentroot
+ check at startup.
+ PR 41887 [Jan van den Berg <janvdberg gmail.com>]
+
+Changes with Apache 2.2.16
+
+ *) SECURITY: CVE-2010-1452 (cve.mitre.org)
+ mod_dav, mod_cache: Fix Handling of requests without a path segment.
+ PR: 49246 [Mark Drayton, Jeff Trawick]
+
+ *) SECURITY: CVE-2010-2068 (cve.mitre.org)
+ mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
+ for platforms Windows, Netware and OS2. PR: 49417. [Rainer Jung]
+
+ *) core: Filter init functions are now run strictly once per request
+ before handler invocation. The init functions are no longer run
+ for connection filters. PR 49328. [Joe Orton]
+
+ *) mod_filter: enable it to act on non-200 responses.
+ PR 48377 [Nick Kew]
+
+ *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
+ title page only) when any mod_ldap directives were used in VirtualHost
+ context. [Eric Covener]
+
+ *) mod_ssl: Fix segfault at startup if proxy client certs are shared
+ across multiple vhosts. PR 39915. [Joe Orton]
+
+ *) mod_proxy_http: Log the port of the remote server in various messages.
+ PR 48812. [Igor GaliÄ <i galic brainsware org>]
+
+ *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
+ [Philip M. Gollucci]
+
+ *) mod_dir: add FallbackResource directive, to enable admin to specify
+ an action to happen when a URL maps to no file, without resorting
+ to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew]
+
+ *) mod_rewrite: Allow to set environment variables without explicitly
+ giving a value. [Rainer Jung]
+
+
+Changes with Apache 2.2.15
+
+ *) SECURITY: CVE-2009-3555 (cve.mitre.org)
+ mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
+ attack when compiled against OpenSSL version 0.9.8m or later. Introduces
+ the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
+ and offer unsafe legacy renegotiation with clients which do not yet
+ support the new secure renegotiation protocol, RFC 5746.
+ [Joe Orton, and with thanks to the OpenSSL Team]
+
+ *) SECURITY: CVE-2009-3555 (cve.mitre.org)
+ mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
+ for OpenSSL versions prior to 0.9.8l; reject any client-initiated
+ renegotiations. Forcibly disable keepalive for the connection if there
+ is any buffered data readable. Any configuration which requires
+ renegotiation for per-directory/location access control is still
+ vulnerable, unless using openssl 0.9.8l or later.
+ [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
+
+ *) SECURITY: CVE-2010-0408 (cve.mitre.org)
+ mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
+ when request headers indicate a request body is incoming; not a case of
+ HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]
+
+ *) SECURITY: CVE-2010-0425 (cve.mitre.org)
+ mod_isapi: Do not unload an isapi .dll module until the request
+ processing is completed, avoiding orphaned callback pointers.
+ [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
+
+ *) SECURITY: CVE-2010-0434 (cve.mitre.org)
+ Ensure each subrequest has a shallow copy of headers_in so that the
+ parent request headers are not corrupted. Eliminates a problematic
+ optimization in the case of no request body. PR 48359.
+ [Jake Scott, William Rowe, Ruediger Pluem]
+
+ *) mod_reqtimeout: New module to set timeouts and minimum data rates for
+ receiving requests from the client. [Stefan Fritsch]
+
+ *) mod_proxy_ajp: Really regard the operation a success, when the client
+ aborted the connection. In addition adjust the log message if the client
+ aborted the connection. [Ruediger Pluem]
+
+ *) mod_negotiation: Preserve query string over multiviews negotiation.
+ This buglet was fixed for type maps in 2.2.6, but the same issue
+ affected multiviews and was overlooked.
+ PR 33112. [Joergen Thomsen <apache jth.net>]
+
+ *) mod_cache: Introduce the thundering herd lock, a mechanism to keep
+ the flood of requests at bay that strike a backend webserver as
+ a cached entity goes stale. [Graham Leggett]
+
+ *) mod_proxy_http: Make sure that when an ErrorDocument is served
+ from a reverse proxied URL, that the subrequest respects the status
+ of the original request. This brings the behaviour of proxy_handler
+ in line with default_handler. PR 47106. [Graham Leggett]
+
+ *) mod_log_config: Add the R option to log the handler used within the
+ request. [Christian Folini <christian.folini netnea com>]
+
+ *) mod_include: Allow fine control over the removal of Last-Modified and
+ ETag headers within the INCLUDES filter, making it possible to cache
+ responses if desired. Fix the default value of the SSIAccessEnable
+ directive. [Graham Leggett]
+
+ *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
+ is configured for client cert auth. PR 46952. [Joe Orton]
+
+ *) core: Fix potential memory leaks by making sure to not destroy
+ bucket brigades that have been created by earlier filters.
+ [Stefan Fritsch]
+
+ *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
+ try other providers in the case of an LDAP bind failure.
+ PR 46608. [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]
+
+ *) mod_proxy, mod_proxy_http: Support remote https proxies
+ by using HTTP CONNECT.
+ PR 19188. [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
+
+ *) worker: Don't report server has reached MaxClients until it has.
+ Add message when server gets within MinSpareThreads of MaxClients.
+ PR 46996. [Dan Poirier]
+
+ *) mod_ssl: When extracting certificate subject/issuer names to the
+ SSL_*_DN_* variables, handle RDNs with duplicate tags by
+ exporting multiple varialables with an "_n" integer suffix.
+ PR 45875. [Joe Orton, Peter Sylvester <peter.sylvester edelweb.fr>]
+
+ *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
+ password now result in an informational level log entry instead of
+ warning level. [Eric Covener]
+
+ *) core: Preserve Port information over internal redirects
+ PR 35999. [Jonas Ringh <jonas.ringh cixit.se>]
+
+ *) mod_filter: fix FilterProvider matching where "dispatch" string
+ doesn't exist.
+ PR 48054. [<tietew gmail.com>]
+
+ *) Build: fix --with-module to work as documented
+ PR 43881. [Gez Saunders <gez.saunders virgin.net>]
+
+ *) mod_mime: Make RemoveType override the info from TypesConfig.
+ PR 38330. [Stefan Fritsch]
+
+ *) mod_proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
+ rather than BAD_GATEWAY or (especially) NOT_FOUND.
+ PR 46971. [Evan Champion <evanc nortel.com>]
+
+ *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
+ [Eric Covener]
+
+ *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
+ some cache entries and log a warning. Also increase the default
+ LDAPSharedCacheSize to 500000. This is a more realistic size suitable
+ for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
+ PR 46749. [Stefan Fritsch]
+
+ *) mod_disk_cache, mod_mem_cache: don't cache incomplete responses,
+ per RFC 2616, 13.8. PR15866. [Dan Poirier]
+
+ *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
+ the request is a CONNECT request. PR 47928.
+ [Bill Zajac <billz consultla.com>]
+
+ *) mod_cache: correctly consider s-maxage in cacheability
+ decisions. [Dan Poirier]
+
+ *) core: Return APR_EOF if request body is shorter than the length announced
+ by the client. PR 33098. [Stefan Fritsch]
+
+ *) mod_rewrite: Add scgi scheme detection. [André Malo]
+
+ *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
+ LocationMatch sections. PR 47754. [Dan Poirier]
+
+ *) ab, mod_ssl: Restore compatibility with OpenSSL < 0.9.7g.
+ [Guenter Knauf]
+
+Changes with Apache 2.2.14
+
+ *) SECURITY: CVE-2009-2699 (cve.mitre.org)
+ Fixed in APR 1.3.9. Faulty error handling in the Solaris pollset support
+ (Event Port backend) which could trigger hangs in the prefork and event
+ MPMs on that platform. PR 47645. [Jeff Trawick]
+
+ *) SECURITY: CVE-2009-3095 (cve.mitre.org)
+ mod_proxy_ftp: sanity check authn credentials.
+ [Stefan Fritsch <sf fritsch.de>, Joe Orton]
+
+ *) SECURITY: CVE-2009-3094 (cve.mitre.org)
+ mod_proxy_ftp: NULL pointer dereference on error paths.
+ [Stefan Fritsch <sf fritsch.de>, Joe Orton]
+
+ *) mod_proxy_scgi: Backport from trunk. [André Malo]
+
+ *) mod_ldap: Don't try to resolve file-based user ids to a DN when AuthLDAPURL
+ has been defined at a very high level. PR 45946. [Eric Covener]
+
+ *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]
+
+ *) mod_ldap: Bring the LDAPCacheEntries and LDAPOpCacheEntries
+ usage() in synch with the manual and the implementation (0 and -1
+ both disable the cache). [Eric Covener]
+
+ *) mod_ssl: The error message when SSLCertificateFile is missing should
+ at least give the name or position of the problematic virtual host
+ definition. [Stefan Fritsch sf sfritsch.de]
+
+ *) htdbm: Fix possible buffer overflow if dbm database has very
+ long values. PR 30586 [Dan Poirier]
+
+ *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
+
+ *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
+ type. PR 45107. [Michael Ströder <michael stroeder.com>,
+ Peter Sylvester <peter.sylvester edelweb.fr>]
+
+ *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
+ defined session identifiers encoded in the URL when caching.
+ [Ruediger Pluem]
+
+ *) mod_mem_cache: fix seg fault under load due to pool concurrency problem
+ PR: 47672 [Dan Poirier <poirier pobox.com>]
+
+ *) mod_autoindex: Correctly create an empty cell if the description
+ for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]
+
+Changes with Apache 2.2.13
+
+ *) SECURITY: CVE-2009-2412 (cve.mitre.org)
+ Distributed with APR 1.3.8 and APR-util 1.3.9 to fix potential overflow
+ in pools and rmm, where size alignment was taking place.
+ [Matt Lewis <ma...@google.com>, Sander Striker]
+
+ *) mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas. Report
+ warnings compiling mod_ssl against OpenSSL to the httpd developers.
+ [Guenter Knauf]
+
+ *) mod_cgid: Do not add an empty argument when calling the CGI script.
+ PR 46380 [Ruediger Pluem]
+
+ *) Fix potential segfaults with use of the legacy ap_rputs() etc
+ interfaces, in cases where an output filter fails. PR 36780.
+ [Joe Orton]
+
+Changes with Apache 2.2.12
+
+ *) SECURITY: CVE-2009-1891 (cve.mitre.org)
+ Fix a potential Denial-of-Service attack against mod_deflate or other
+ modules, by forcing the server to consume CPU time in compressing a
+ large file after a client disconnects. PR 39605.
+ [Joe Orton, Ruediger Pluem]
+
+ *) SECURITY: CVE-2009-1195 (cve.mitre.org)
+ Prevent the "Includes" Option from being enabled in an .htaccess
+ file if the AllowOverride restrictions do not permit it.
+ [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
+ Ruediger Pluem, Jeff Trawick]
+
+ *) SECURITY: CVE-2009-1890 (cve.mitre.org)
+ Fix a potential Denial-of-Service attack against mod_proxy in a
+ reverse proxy configuration, where a remote attacker can force a
+ proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
+
+ *) SECURITY: CVE-2009-1191 (cve.mitre.org)
+ mod_proxy_ajp: Avoid delivering content from a previous request which
+ failed to send a request body. PR 46949 [Ruediger Pluem]
+
+ *) SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
+ The bundled copy of the APR-util library has been updated, fixing three
+ different security issues which may affect particular configurations
+ and third-party modules.
+
+ *) mod_include: fix potential segfault when handling back references
+ on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
+
+ *) mod_alias: check sanity in Redirect arguments.
+ PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
+
+ *) mod_proxy_http: fix Host: header for literal IPv6 addresses.
+ PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
+
+ *) mod_rewrite: Remove locking for writing to the rewritelog.
+ PR 46942
+
+ *) mod_alias: Ensure Redirect emits HTTP-compliant URLs.
+ PR 44020
+
+ *) mod_proxy_http: fix case sensitivity checking transfer encoding
+ PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
+
+ *) mod_rewrite: Fix the error string returned by RewriteRule.
+ RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
+ argument of RewriteRule was not started with "[" or not ended with "]".
+ PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
+
+ *) mod_proxy: Complete ProxyPassReverse to handle balancer URL's. Given;
+ BalancerMember balancer://alias http://example.com/foo
+ ProxyPassReverse /bash balancer://alias/bar
+ backend url http://example.com/foo/bar/that is now translated /bash/that
+ [William Rowe]
+
+ *) New piped log syntax: Use "||process args" to launch the given process
+ without invoking the shell/command interpreter. Use "|$command line"
+ (the default behavior of "|command line" in 2.2) to invoke using shell,
+ consuming an additional shell process for the lifetime of the logging
+ pipe program but granting additional process invocation flexibility.
+ [William Rowe]
+
+ *) mod_ssl: Add server name indication support (RFC 4366) and better
+ support for name based virtual hosts with SSL. PR 34607
+ [Peter Sylvester <peter.sylvester edelweb.fr>,
+ Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
+ Ruediger Pluem]
+
+ *) mod_negotiation: Escape pathes of filenames in 406 responses to avoid
+ HTML injections and HTTP response splitting. PR 46837.
+ [Geoff Keating <geoffk apple.com>]
+
+ *) mod_include: Prevent a case of SSI timefmt-smashing with filter chains
+ including multiple INCLUDES filters. PR 39369 [Joe Orton]
+
+ *) mod_rewrite: When evaluating a proxy rule in directory context, do
+ escape the filename by default. PR 46428 [Joe Orton]
+
+ *) mod_proxy_ajp: Check more strictly that the backend follows the AJP
+ protocol. [Mladen Turk]
+
+ *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
+ to enable stricter checking of remote server certificates.
+ [Ruediger Pluem]
+
+ *) mod_substitute: Fix a memory leak. PR 44948
+ [Dan Poirier <poirier pobox.com>]
+
+ *) mod_proxy_ajp: Forward remote port information by default.
+ [Rainer Jung]
+
+ *) mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
+ directive to correctly remove headers before storing them.
+ [Lars Eilebrecht]
+
+ *) mod_deflate: revert changes in 2.2.8 that caused an invalid
+ etag to be emitted for on-the-fly gzip content-encoding.
+ PR 39727 will require larger fixes and this fix was far more
+ harmful than the original code. PR 45023. [Roy T. Fielding]
+
+ *) mod_disk_cache: The module now turns off sendfile support if
+ 'EnableSendfile off' is defined globally. PR 41218.
+ [Lars Eilebrecht, Issac Goldstand]
+
+ *) prefork: Fix child process hang during graceful restart/stop in
+ configurations with multiple listening sockets. PR 42829. [Joe Orton,
+ Jeff Trawick]
+
+ *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the
+ size of the buffer used for the request-body where necessary
+ during a per-dir renegotiation. PR 39243. [Joe Orton]
+
+ *) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
+ way that per-directory rewrites append the previous notion of PATH_INFO
+ to each substitution before evaluating subsequent rules.
+ PR38642 [Eric Covener]
+
+ *) mod_authnz_ldap: Reduce number of initialization debug messages and make
+ information more clear. PR 46342 [Dan Poirier]
+
+ *) mod_cache: Introduce 'no-cache' per-request environment variable
+ to prevent the saving of an otherwise cacheable response.
+ [Eric Covener]
+
+ *) core: Translate the status line to ASCII on EBCDIC platforms in
+ ap_send_interim_response() and for locally generated "100 Continue"
+ responses. [Eric Covener]
+
+ *) CGI: return 504 (Gateway timeout) rather than 500 when a script
+ times out before returning status line/headers.
+ PR 42190 [Nick Kew]
+
+ *) prefork: Log an error instead of segfaulting when child startup fails
+ due to pollset creation failures. PR 46467. [Jeff Trawick]
+
+ *) mod_ext_filter: fix error handling when the filter prog fails to start,
+ and introduce an onfail configuration option to abort the request
+ or to remove the broken filter and continue.
+ PR 41120 [Nick Kew]
+
+ *) mod_include: support generating non-ASCII characters as entities in SSI
+ PR 25202 [Nick Kew]
+
+ *) core/utils: Enhance ap_escape_html API to support escaping non-ASCII
+ chars [Nick Kew]
+
+ *) mod_rewrite: fix "B" flag breakage by reverting r589343
+ PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]
+
+ *) mod_cgid: fix segfault problem on solaris.
+ PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>, Jeff Trawick]
+
+ *) mod_ldap: Avoid a segfault when result->rc is checked in
+ uldap_connection_init when result is NULL. This could happen if LDAP
+ initialization failed. PR 45994. [Dan Poirier <poirier pobox.com>]
+
+ *) Set Listen protocol to "https" if port is set to 443 and no proto is
+ specified (as documented but not implemented). PR 46066
+ [Dan Poirier <poirier pobox.com>]
+
+ *) mod_cache: Correctly save Content-Encoding of cachable entity. PR 46401
+ [Dan Poirier <poirier pobox.com>]
+
+ *) Output -M and -S dumps (modules and vhosts) to stdout instead of stderr.
+ PR 42571 and PR 44266 (dup). [Dan Poirier <poirier pobox.com>]
+
+ *) mod_cache: When an explicit Expires or Cache-Control header is set, cache
+ normally non-cacheable response statuses. PR 46346.
+ [Alex Polvi <alex polvi.net>]
+
+Changes with Apache 2.2.11
+
+ *) core: When the ap_http_header_filter processes an error bucket, cleanup
+ the passed brigade before returning AP_FILTER_ERROR down the filter
+ chain. This unambiguously ensures the same error bucket isn't revisited
+ [Ruediger Pluem]
+
+ *) core: Error responses set by filters were being coerced into 500 errors,
+ sometimes appended to the original error response. Log entry of:
+ 'Handler for (null) returned invalid result code -3'
+ [Eric Covener]
+
+ *) configure: Don't reject libtool 2.x
+ PR 44817 [Arfrever Frehtes Taifersar Arahesis <Arfrever.FTA gmail.com>]
+
+ *) mod_autoindex: add configuration option to insert string
+ in HTML HEAD (IndexHeadInsert). [Nick Kew]
+
+ *) Add new LogFormat parameter, %k, which logs the number of
+ keepalive requests on this connection for this request.
+ PR 45762 [Dan Poirier <poirier pobox.com>, Jim Jagielski]
+
+ *) Export and install the mod_rewrite.h header to ensure the optional
+ rewrite_mapfunc_t and ap_register_rewrite_mapfunc functions are
+ available to third party modules. [Graham Leggett]
+
+ *) mod_cache: Convert age of cached object to seconds before comparing it to
+ age supplied by the request when checking whether to send a Warning
+ header for a stale response. PR 39713. [Owen Taylor <otaylor redhat.com>]
+
+ *) Build: Correctly set SSL_LIBS during openssl detection if pkgconfig is
+ not available. PR 46018 [Ruediger Pluem]
+
+ *) mod_proxy_ajp: Do not fail if response data is sent before all request
+ data is read. PR 45911 [Ruediger Pluem]
+
+ *) mod_proxy_balancer: Add in forced recovery for balancer members if
+ all are in error state. [Mladen Turk]
+
+ *) mod_proxy: Prevent segmentation faults by correctly adjusting the
+ lifetime of the buckets read from the proxy backend. PR 45792
+ [Ruediger Pluem]
+
+ *) mod_expires: Do not sets negative max-age / Expires header in the past.
+ PR 39774 [Jim Jagielski]
+
+ *) mod_info: Was displaying the wrong value for the KeepAliveTimeout
+ value. [Jim Jagielski]
+
+ *) mod_proxy_ajp: Fix wrongly formatted requests where client
+ sets Content-Length header, but doesn't provide a body.
+ Servlet container always expects that next packet is
+ body whenever C-L is present in the headers. This can lead
+ to wrong interpretation of the packets. In this case
+ send the empty body packet, so container can deal with
+ that. [Mladen Turk]
+
+ *) core: Add ap_timeout_parameter_parse to public API. [Ruediger Pluem]
+
+ *) mod_proxy: Add the possibility to set the worker parameters
+ connectiontimeout and ping in milliseconds. [Ruediger Pluem]
+
+ *) Worker MPM: Crosscheck that idle workers are still available before using
+ them and thus preventing an overflow of the worker queue which causes
+ a SegFault. PR 45605 [Denis Ustimenko <denusk gmail.com>]
+
+ *) Windows: Always build the odbc dbd driver on windows, to be consistent
+ with the apr-util default. [Tom Donovan]
+
+Changes with Apache 2.2.10
+
+ *) SECURITY: CVE-2008-2939 (cve.mitre.org)
+ mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
+ the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
+
+ *) Allow for smax to be 0 for balancer members so that all idle
+ connections are able to be dropped should they exceed ttl.
+ PR 43371 [Phil Endecott <spam_from_apache_bugzilla chezphil.org>,
+ Jim Jagielski]
+
+ *) mod_proxy_http: Don't trigger a retry by the client if a failure to
+ read the response line was the result of a timeout.
+ [Adam Woodworth <mirkperl gmail.com>]
+
+ *) Support chroot on Unix-family platforms
+ PR 43596 [Dimitar Pashev <mitko banksoft-bg.com>]
+
+ *) mod_ssl: implement dynamic mutex callbacks for the benefit of
+ OpenSSL. [Sander Temme]
+
+ *) mod_proxy_balancer: Add 'bybusyness' load balance method.
+ [Joel Gluth <joelgluth yahoo.com.au>, Jim Jagielski]
+
+ *) mod_authn_alias: Detect during startup when AuthDigestProvider
+ is configured to use an incompatible provider via AuthnProviderAlias.
+ PR 45196 [Eric Covener]
+
+ *) mod_proxy: Add 'scolonpathdelim' parameter to allow for ';' to also be
+ used as a session path separator/delim PR 45158. [Jim Jagielski]
+
+ *) mod_charset_lite: Avoid dropping error responses by handling meta buckets
+ correctly. PR 45687 [Dan Poirier <poirier pobox.com>]
+
+ *) mod_proxy_http: Introduce environment variable proxy-initial-not-pooled
+ to avoid reusing pooled connections if the client connection is an
+ initial connection. PR 37770. [Ruediger Pluem]
+
+ *) mod_rewrite: Allow Cookie option to set secure and HttpOnly flags.
+ PR 44799 [Christian Wenz <christian wenz.org>]
+
+ *) mod_ssl: Rewrite shmcb to avoid memory alignment issues. PR 42101.
+ [Geoff Thorpe]
+
+ *) mod_proxy: Add connectiontimeout parameter for proxy workers in order to
+ be able to set the timeout for connecting to the backend separately.
+ PR 45445. [Ruediger Pluem, rahul <rahul sun.com>]
+
+ *) mod_dav_fs: Retrieve minimal system information about directory
+ entries when walking a DAV fs, resolving a performance degradation on
+ Windows. PR 45464. [Joe Orton, Jeff Trawick]
+
+ *) mod_cgid: Pass along empty command line arguments from an ISINDEX
+ query that has consecutive '+' characters in the QUERY_STRING,
+ matching the behavior of mod_cgi.
+ [Eric Covener]
+
+ *) mod_headers: Prevent Header edit from processing only the first header
+ of possibly multiple headers with the same name and deleting the
+ remaining ones. PR 45333. [Ruediger Pluem]
+
+ *) mod_proxy_balancer: Move nonce field in the balancer manager page inside
+ the html form where it belongs. PR 45578. [Ruediger Pluem]
+
+ *) mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to
+ known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
+ [Ruediger Pluem]
+
+ *) mod_rewrite: Preserve the query string when [proxy,noescape]. PR 45247.
+ [Tom Donovan]
+
+Changes with Apache 2.2.9
+
+ *) SECURITY: CVE-2008-2364 (cve.mitre.org)
+ mod_proxy_http: Better handling of excessive interim responses
+ from origin server to prevent potential denial of service and high
+ memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
+ Joe Orton, Jim Jagielski]
+
+ *) SECURITY: CVE-2007-6420 (cve.mitre.org)
+ mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager
+ interface. [Joe Orton]
+
+ *) core: Fix address-in-use startup failure on some platforms caused
+ by creating an IPv4 listener which overlaps with an existing IPv6
+ listener. [Jeff Trawick]
+
+ *) mod_proxy: Make all proxy modules nocanon aware and do not add the
+ query string again in this case. PR 44803.
+ [Jim Jagielski, Ruediger Pluem]
+
+ *) mod_unique_id: Fix timestamp value in UNIQUE_ID.
+ PR 37064 [Kobayashi <kobayashi firstserver.co.jp>]
+
+ *) htpasswd: Fix salt generation weakness. PR 31440
+ [Andreas Krennmair <ak synflood.at>, Peter Watkins <peterw tux.org>,
+ Paul Querna]
+
+ *) core: Add the filename of the configuration file to the warning message
+ about the useless use of AllowOverride. PR 39992.
+ [Darryl Miles <darryl darrylmiles.org>]
+
+ *) scoreboard: Remove unused proxy load balancer elements from scoreboard
+ image (not scoreboard memory itself). [Chris Darroch]
+
+ *) mod_proxy: Support environment variable interpolation in reverse
+ proxying directives. [Nick Kew]
+
+ *) suexec: When group is given as a numeric gid, validate it by looking up
+ the actual group name such that the name can be used in log entries.
+ PR 7862 [<y-koga apache.or.jp>, Leif W <warp-9.9 usa.net>]
+
+ *) Fix garbled TRACE response on EBCDIC platforms.
+ [David Jones <oscaremma gmail.com>]
+
+ *) ab: Include <limits.h> earlier if available since we may need
+ INT_MAX (defined there on Windows) for the definition of MAX_REQUESTS.
+ PR 45024 [Ruediger Pluem]
+
+ *) ab: Improve client performance by clearing connection pool instead
+ of destroying it. PR 40054 [Brad Roberts <braddr puremagic.com>]
+
+ *) ab: Don't stop sending a request if EAGAIN is returned, which
+ will only happen if both the write and subsequent wait are
+ returning EAGAIN, and count posted bytes correctly when the initial
+ write of a request is not complete. PR 10038, 38861, 39679
+ [Patrick McManus <mcmanus datapower.com>,
+ Stefan Fleiter <stefan.fleiter web.de>,
+ Davanum Srinivas, Roy T. Fielding]
+
+ *) ab: Overhaul stats collection and reporting to avoid integer
+ truncation and time divisions within the test loop, retain
+ native time resolution until output, remove unused data,
+ consistently round milliseconds, and generally avoid losing
+ accuracy of calculation due to type casts. PR 44878, 44931.
+ [Roy T. Fielding]
+
+ *) ab: Add -r option to continue after socket receive errors.
+ [Filip Hanik <devlist hanik.com>]
+
+ *) core: Do not allow Options ALL if not all options are allowed to be
+ overwritten. PR 44262 [MichaÅ GrzÄdzicki <lazy iq.pl>]
+
+ *) mod_cache: Handle If-Range correctly if the cached resource was stale.
+ PR 44579 [Ruediger Pluem]
+
+ *) mod_proxy: Do not try a direct connection if the connection via a
+ remote proxy failed before and the request has a request body.
+ [Ruediger Pluem]
+
+ *) mod_proxy_ajp: Do not retry request in the case that we either failed to
+ sent a part of the request body or if the request is not idempotent.
+ PR 44334 [Ruediger Pluem]
+
+ *) mod_rewrite: Initialize hash needed by ap_register_rewrite_mapfunc early
+ enough. PR 44641 [Daniel Lescohier <daniel.lescohier cnet.com>]
+
+ *) mod_dav: Return "method not allowed" if the destination URI of a WebDAV
+ copy / move operation is no DAV resource. PR 44734 [Ruediger Pluem]
+
+ *) http_filters: Don't return 100-continue on redirects. PR 43711
+ [Ruediger Pluem]
+
+ *) mod_ssl: Fix a memory leak with connections that have zlib compression
+ turned on. PR 44975 [Joe Orton, Amund Elstad <Amund.Elstad ist.com>,
+ Dr Stephen Henson <steve openssl.org>]
+
+ *) mod_proxy: Trigger a retry by the client in the case we fail to read the
+ response line from the backend by closing the connection to the client.
+ PR 37770 [Ruediger Pluem]
+
+ *) gen_test_char: add double-quote to the list of T_HTTP_TOKEN_STOP.
+ PR 9727 [Ville Skytt <ville.skytta iki.fi>]
+
+ *) core: reinstate location walk to fix config for subrequests
+ PR 41960 [Jose Kahan <jose w3.org>]
+
+ *) rotatelogs: Log the current file size and error code/description
+ when failing to write to the log file. [Jeff Trawick]
+
+ *) rotatelogs: Added '-f' option to force rotatelogs to create the
+ logfile as soon as started, and not wait until it reads the
+ first entry. [Jim Jagielski]
+
+ *) rotatelogs: Don't leak memory when reopening the logfile.
+ PR 40183 [Ruediger Pluem, Takashi Sato <serai lans-tv.com>]
+
+ *) rotatelogs: Improve atomicity when using -l and cleaup code.
+ PR 44004 [Rainer Jung]
+
+ *) mod_authn_dbd: Disambiguate and tidy database authentication
+ error messages. PR 43210. [Chris Darroch, Phil Endecott
+ <spam_from_apache_bugzilla chezphil.org>]
+
+ *) mod_headers: Add 'merge' option to avoid duplicate values within
+ the same header. [Chris Darroch]
+
+ *) mod_cgid: Explicitly set permissions of the socket (ScriptSock) shared by
+ mod_cgid and request processing threads, for OS'es such as HPUX and AIX
+ that do not use umask for AF_UNIX socket permissions.
+ [Eric Covener, Jeff Trawick]
+
+ *) mod_cgid: Don't try to restart the daemon if it fails to initialize
+ the socket. [Jeff Trawick]
+
+ *) mod_log_config: Add format options for %p so that the actual local
+ or remote port can be logged. PR 43415. [Adam Hasselbalch Hansen
+ <ah...@one.com>, Ruediger Pluem, Jeff Trawick]
+
+ *) Added 'disablereuse' option for ProxyPass which, essentially,
+ disables connection pooling for the backend servers.
+ [Jim Jagielski]
+
+ *) mod_speling: remove regression from 1.3/2.0 behavior and
+ drop dependency between mod_speling and AcceptPathInfo.
+ PR 43562 [Jose Kahan <jose w3.org>]
+
+ *) mod_substitute: The default is now flattening the buckets after
+ each substitution. The newly added 'q' flag allows for the
+ quicker, more efficient bucket-splitting if the user so
+ desires. [Jim Jagielski]
+
+ *) http_filters: Don't spin if get an error when reading the
+ next chunk. PR 44381 [Ruediger Pluem]
+
+ *) ab: Do not try to read non existing response bodies of HEAD requests.
+ PR 34275 [Takashi Sato <serai lans-tv.com>]
+
+ *) ab: Use a 64 bit unsigned int instead of a signed long to count the
+ bytes transferred to avoid integer overflows. PR 44346 [Ruediger Pluem]
+
+ *) ProxyPassReverse is now balancer aware. [Jim Jagielski]
+
+ *) mod_include: Correctly handle SSI directives split over multiple filter
+ passes. PR 44447 [Harald Niesche <harald brokenerror.de>]
+
+ *) mod_cache: Revalidate cache entities which have Cache-Control: no-cache
+ set in their response headers. PR 44511 [Ruediger Pluem]
+
+ *) mod_rewrite: Check all files used by DBM maps for freshness, mod_rewrite
+ didn't pick up on updated sdbm maps due to this.
+ PR41190 [Niklas Edmundsson]
+
+ *) mod_proxy: Lower memory consumption for short lived connections.
+ PR 44026. [Ruediger Pluem]
+
+ *) mod_proxy: Keep connections to the backend persistent in the HTTPS case.
+ [Ruediger Pluem]
+
+ *) Don't add bogus duplicate Content-Language entries
+ PR 11035 [Davi Arnaut]
+
+ *) Worker / Event MPM: Fix race condition in pool recycling that leads to
+ segmentation faults under load. PR 44402
+ [Basant Kumar Kukreja <basant.kukreja sun.com>]
+
+ *) mod_proxy_ftp: Fix base for directory listings.
+ PR 27834 [Nick Kew]
+
+ *) mod_logio: Provide optional function to allow modules to adjust the
+ bytes_in count [Eric Covener]
+
+ *) http_filters: Don't return 100-continue on client error
+ PR 43711 [Chetan Reddy <chetanreddy gmail.com>]
+
+ *) mod_charset_lite: Add TranslateAllMimeTypes sub-option to
+ CharsetOptions, allowing the administrator to skip the
+ mimetype checking that precedes translation.
+ PR 44458 [Eric Covener]
+
+ *) mod_proxy_http: Fix processing of chunked responses if
+ Connection: Transfer-Encoding is set in the response of the proxied
+ system. PR 44311 [Ruediger Pluem]
+
+ *) mod_proxy_http: Return HTTP status codes instead of apr_status_t
+ values for errors encountered while forwarding the request body
+ PR 44165 [Eric Covener]
+
+ *) mod_rewrite: Don't canonicalise URLs with [P,NE]
+ PR 43319 [<rahul sun.com>]
+
+Changes with Apache 2.2.8
+
+ *) core: Fix regression in 2.2.7 in chunk filtering with massively
+ chunked requests. [Ruediger Pluem, Nick Kew]
+
+ *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
+ to /Device/Nul as the server is starting up, mirroring unix MPM's.
+ PR: 43534 [Tom Donovan <Tom.Donovan acm.org>, William Rowe]
+
+ *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
+ by recreating the bucket allocator each time the trans pool is cleared.
+ PR: 11427 #16 (follow-on) [Tom Donovan <Tom.Donovan acm.org>]
+
+ *) mod_dav: Fix evaluation of If-Match * and If-None-Match * conditionals.
+ PR 38034 [Paritosh Shah <shah.paritosh gmail.com>]
+
+Changes with Apache 2.2.7 (not released)
+
+ *) SECURITY: CVE-2007-6421 (cve.mitre.org)
+ mod_proxy_balancer: Correctly escape the worker route and the worker
+ redirect string in the HTML output of the balancer manager.
+ Reported by SecurityReason. [Ruediger Pluem]
+
+ *) SECURITY: CVE-2007-6422 (cve.mitre.org)
+ Prevent crash in balancer manager if invalid balancer name is passed
+ as parameter. Reported by SecurityReason. [Ruediger Pluem]
+
+ *) SECURITY: CVE-2007-6388 (cve.mitre.org)
+ mod_status: Ensure refresh parameter is numeric to prevent
+ a possible XSS attack caused by redirecting to other URLs.
+ Reported by SecurityReason. [Mark Cox, Joe Orton]
+
+ *) SECURITY: CVE-2007-5000 (cve.mitre.org)
+ mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
+ [Joe Orton]
+
+ *) SECURITY: CVE-2008-0005 (cve.mitre.org)
+ Introduce the ProxyFtpDirCharset directive, allowing the administrator
+ to identify a default, or specific servers or paths which list their
+ contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]
+
+ *) mod_dav: Adjust etag generation to produce identical results on 32-bit
+ and 64-bit platforms and avoid a regression with conditional PUT's on
+ lock and etag. PR 44152.
+ [Michael Clark <michael metaparadigm.com>, Ruediger Pluem]
+
+ *) mod_ssl: Fix handling of the buffered request body during a per-location
+ renegotiation, when an internal redirect occurs. PR 43738.
+ [Joe Orton]
+
+ *) mod_ldap: Try to establish a new backend LDAP connection when the
+ Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the
+ LDAP server has closed the connection due to a timeout.
+ PR 39095 [Eric Covener]
+
+ *) log.c: Ensure Win32 resurrects its lost robust logger processes.
+ [William Rowe]
+
+ *) mod_disk_cache: Delete temporary files if they cannot be renamed to their
+ final name. [Davi Arnaut <davi haxent.com.br>]
+
+ *) Add explicit charset to the output of various modules to work around
+ possible cross-site scripting flaws affecting web browsers that do not
+ derive the response character set as required by RFC2616. One of these
+ reported by SecurityReason [Joe Orton]
+
+ *) http_protocol: Escape request method in 405 error reporting.
+ This has no security impact since the browser cannot be tricked
+ into sending arbitrary method strings. [Jeff Trawick]
+
+ *) mod_ssl: Fix SSL client certificate extensions parsing bug. PR 44073.
+ [yl <yl bee-ware.net>]
+
+ *) mod_proxy_ajp: Use 64K as maximum AJP packet size. This is the maximum
+ length we can squeeze inside the AJP message packet.
+ [Mladen Turk]
+
+ *) core: Lower memory consumption of ap_r* functions by reusing the brigade
+ instead of recreating it during each filter pass.
+ [Stefan Fritsch <sf sfritsch.de>]
+
+ *) core: Lower memory consumption in case that flush buckets are passed thru
+ the chunk filter as last bucket of a brigade. PR 23567.
+ [Stefan Fritsch <sf sfritsch.de>]
+
+ *) core: Fix broken chunk filtering that causes all non blocking reads to be
+ converted into blocking reads. PR 19954, 41056.
+ [Jean-Frederic Clere, Jim Jagielski]
+
+ *) mod_rewrite: Add the novary flag to RewriteCond.
+ [Ruediger Pluem]
+
+ *) core: Change etag generation to produce identical results on
+ 32-bit and 64-bit platforms. PR 40064. [Joe Orton]
+
+ *) http_protocol: Escape request method in 413 error reporting.
+ Determined to be not generally exploitable, but a flaw in any case.
+ PR 44014 [Victor Stinner <victor.stinner inl.fr>]
+
+ *) mod_filter: Don't segfault on (unsupported) chained FilterProvider usage.
+ PR 43956 [Nick Kew, Ruediger Pluem]
+
+ *) core: Handle unrecognised transfer-encodings.
+ PR 43882 [Nick Kew, Jeff Trawick]
+
+ *) mod_include: Add an "if" directive syntax to test whether an URL
+ is accessible, and if so, conditionally display content. This
+ allows a webmaster to hide a link to a private page when the user
+ has no access to that page. [Graham Leggett]
+
+ *) Various code cleanups. PR 38699, 39518, 42005, 42006, 42007, 42008, 42009
+ [Christophe Jaillet <christophe.jaillet wanadoo.fr>]
+
+ *) mod_proxy_http: Correctly forward unexpected interim (HTTP 1xx)
+ responses from the backend according to RFC2616. But make it
+ configurable in case something breaks on it.
+ PR 16518 [Nick Kew]
+
+ *) mod_substitute: Added a new output filter, which performs
+ inline response content pattern matching (including regex)
+ and substitution. [Jim Jagielski, Ruediger Pluem]
+
+ *) rotatelogs: Change command-line parsing to report more types
+ of errors. Allow local timestamps to be used when rotating based
+ on file size. [Jeff Trawick]
+
+ *) mod_proxy: Canonicalisation improvements. Add "nocanon" keyword to
+ ProxyPass, to suppress URI-canonicalisation in a reverse proxy. Also,
+ don't escape/unescape forward-proxied URLs.
+ PR 41798, 42592 [Nick Kew, Ruediger Pluem, Roy Fielding, Jim Jagielski]
+
+ *) mod_status: Add SeeRequestTail directive, which determines if
+ ExtendedStatus displays the 1st 63 characters of the request
+ or the last 63. Useful for those requests with large string
+ lengths and which only vary with the last several characters.
+ [Jim Jagielski]
+
+ *) mod_ssl: Prevent memory corruption of version string.
+ PR 43865, 43334 [William Rowe, Joe Orton]
+
+ *) core: Avoid some unexpected connection closes by telling the client
+ that the connection is not persistent if the MPM process handling
+ the request is already exiting when the response header is built.
+ [Jeff Trawick]
+
+ *) mod_autoindex: Generate valid XHTML output by adding the xhtml
+ namespace. PR 43649 [Jose Kahan <jose w3.org>]
+
+ *) mod_ldap: Give callers a reference to data copied into the request
+ pool instead of references directly into the cache
+ PR 43786 [Eric Covener]
+
+ *) mod_ldap: Stop passing a reference to pconf around for
+ (limited) use during request processing, avoiding possible
+ memory corruption and crashes. [Eric Covener]
+
+ *) Event MPM: Add support for running under mod_ssl, by reverting to the
+ Worker MPM behaviors, when run under an input filter that buffers
+ its own data. [Paul Querna]
+
+ *) mod_charset_lite: Don't crash when the request has no associated
+ filename. [Jeff Trawick]
+
+ *) Core: fix possible crash at startup in case of nonexistent DocumentRoot.
+ PR 39722 [Adrian Buckley <adrian.buckley ntlworld.com>]
+
+ *) HTTP protocol: Add "DefaultType none" option.
+ PR 13986 and PR 16139 [Nick Kew]
+
+ *) mod_rewrite: Add option to suppress URL unescaping
+ PR 34602 [Guenther Gsenger <guenther.gsenger gmail.com>]
+
+ *) mpm_winnt: Eliminate wait_for_many_objects. Allows the clean
+ shutdown of the server when the MaxClients is higher then 257,
+ in a more responsive manner [Mladen Turk, William Rowe]
+
+ *) mod_proxy_http: Remove Warning headers with wrong date
+ PR 16138 [Nick Kew]
+
+ *) mod_proxy_http: Correctly parse all Connection headers in proxy.
+ PR 43509 [Nick Kew]
+
+ *) mod_proxy_http: add Via header correctly (if enabled) to
+ response, even where other Via headers exist.
+ PR 19439 [Nick Kew]
+
+ *) http_core: OPTIONS * no longer maps to local storage or URI
+ space. Note that unlike previous versions, OPTIONS * no
+ longer returns an Allow: header. PR 43519 [Jim Jagielski]
+
+ *) mod_proxy_http: strip hop-by-hop response headers
+ PR 43455 [Nick Kew]
+
+ *) mod_proxy: Don't by default violate RFC2616 by setting
+ Max-Forwards when the client didn't send it to us.
+ Leave that as a configuration option.
+ PR 16137 [Nick Kew]
+
+ *) scoreboard: improve error message on apr_shm_create failure
+ PR 40037 [Nick Kew]
+
+ *) proxy: Fix persistent backend connections.
+ PR 43472 [Ruediger Pluem]
+
+ *) mod_deflate: initialise inflate-out filter correctly when the
+ first brigade contains no data buckets.
+ PR 43512 [Nick Kew]
+
+ *) mod_proxy_ajp: Ignore any ajp13 flush packets received before
+ we send the response headers. See Tomcat PR 43478.
+ [Jim Jagielski]
+
+ *) mod_proxy_balancer: Do not reset lbstatus, lbfactor and lbset when
+ starting a new child.
+ PR 39907 [Vinicius Petrucci <vpetrucci gmail.com>, Ruediger Pluem]
+
+ *) mod_proxy_http: Propagate Proxy-Authorization header correctly.
+ PR 25947 [Nick Kew]
+
+ *) mod_proxy_ajp: Differentiate within AJP between GET and HEAD
+ requests. PR 43060 [Jim Jagielski]
+
+ *) Don't send spurious "100 Continue" response lines.
+ PR 38014 [Basant Kumar Kukreja <basant.kukreja sun.com>]
+
+ *) mod_proxy_ftp: Don't segfault on bad line in FTP listing
+ PR 40733 [Ulf Harnhammar <metaur telia.com>]
+
+ *) mod_proxy: escape error-notes correctly
+ PR 40952 [Thijs Kinkhorst <thijs debian.org>]
+
+ *) mod_proxy: check ProxyBlock for all blocked addresses
+ PR 36987 [Timo Viipuri <timo.viipuri f-secure.com>]
+
+ *) mod_proxy: Don't lose bytes when a response line arrives in small chunks.
+ PR 40894 [Andrew Rucker Jones <arjones simultan.dyndns.org>]
+
+Changes with Apache 2.2.6
+
+ *) SECURITY: CVE-2007-3847 (cve.mitre.org)
+ mod_proxy: Prevent reading past the end of a buffer when parsing
+ date-related headers. PR 41144.
+ [Davi Arnaut, Nick Kew]
+
+ *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+ mod_cache: Prevent a segmentation fault if attributes are listed in a
+ Cache-Control header without any value.
+ [Niklas Edmundsson <nikke acc.umu.se>]
+
+ *) SECURITY: CVE-2007-3304 (cve.mitre.org)
+ prefork, worker, event MPMs: Ensure that the parent process cannot
+ be forced to kill processes outside its process group.
+ [Joe Orton, Jim Jagielski]
+
+ *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+ mod_status: Fix a possible XSS attack against a site with a public
+ server-status page and ExtendedStatus enabled, for browsers which
+ perform charset "detection". Reported by Stefan Esser. [Joe Orton]
+
+ *) SECURITY: CVE-2007-1862 (cve.mitre.org)
+ mod_mem_cache: Copy headers into longer lived storage; header names and
+ values could previously point to cleaned up storage. PR 41551.
+ [Davi Arnaut <davi haxent.com.br>]
+
+ *) mod_info: mod_info outputs invalid XHTML 1.0 transitional.
+ PR 42847 [Rici Lake <rici ricilake.net>]
+
+ *) mod_ssl: Fix spurious hostname mismatch warning for valid
+ wildcard certificates. PR 37911. [Nick Burch <nick torchbox.com>]
+
+ *) mod_mem_cache: Increase the minimum and default value for
+ MCacheMinObjectSize from 0 to 1, as a MCacheMinObjectSize of 0 does not
+ make sense and leads to a division by zero. PR 40576.
+ [Xuekun Hu <xuekun.hu gmail.com>]
+
+ *) mod_cache: Remove expired content from cache that cannot be revalidated.
+ PR 30370. [Ruediger Pluem]
+
+ *) mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as synonymous.
+ PR 43183 [Brian Rectanus <Brian.Rectanus breach.com>, Vincent Bray]
+
+ *) mod_proxy: Ensure that at least scheme://hostname[:port] matches between
+ worker and URL when searching for the best fitting worker for a given
+ URL. PR 40910 [Ruediger Pluem]
+
+ *) mod_proxy: Improve network performance by setting APR_TCP_NODELAY
+ (disable Nagle algorithm) on sockets if implemented.
+ PR 42871 [Christian BOITEL <christian_boitel yahoo.fr>, Jim Jagielski]
+
+ *) core: Do not replace a Date header set by a proxied backend server.
+ PR 40232 [Ruediger Pluem]
+
+ *) mod_proxy: Add a missing assignment in an error checking code path.
+ PR 40865 [Andrew Rucker Jones <arjones simultan.dyndns.org>]
+
+ *) mod_proxy_connect: avoid segfault on DNS lookup failure.
+ PR 40756 [Trevin Beattie <tbeattie boingo.com>]
+
+ *) mod_proxy: enable Ignore Errors option on ProxyPass Status.
+ PR 43167 [Francisco Gimeno <kikov kikov.org>
+
+ *) mod_proxy_http: Don't try to read body of a HEAD request before
+ responding. PR 41644 [Stuart Children <stuart terminus.co.uk>]
+
+ *) mod_authnz_ldap: Don't return HTTP_UNAUTHORIZED during authorization when
+ LDAP authentication is configured but we haven't seen any
+ 'Require ldap-*' directives, allowing authorization to be passed to lower
+ level modules (e.g. Require valid-user)
+ PR 43281 [Eric Covener]
+
+ *) mod_proxy: don't URLencode tilde in path component
+ PR 38448 [Stijn Hoop <stijn sandcat.nl>]
+
+ *) proxy/ajp_header.c: Fixed header token string comparisons
+ Matching of header tokens failed to include the trailing NIL byte
+ and could misinterpret a longer header token for a shorter.
+ Additionally, a "Content-Type" comparison was made case insensitive.
+ [Martin Kraemer]
+
+ *) proxy/ajp_header.c: Backport of an AJP protocol fix for EBCDIC
+ On EBCDIC machines, the status_line string was incorrectly converted
+ twice. [Jean-Frederic Clere, Martin Kraemer]
+
+ *) mod_dumpio: Fix for correct dumping of traffic on EBCDIC hosts
+ Data had been incorrectly converted twice, resulting in
+ garbled log output. [Martin Kraemer]
+
+ *) mod_autoindex: Add in Type and Charset options to IndexOptions
+ directive. This allows the admin to explicitly set the
+ content-type and charset of the generated page and is therefore
+ a viable workaround for buggy browsers affected by CVE-2007-4465
+ (cve.mitre.org). [Jim Jagielski]
+
+ *) log core: ensure we use a special pool for stderr logging, so that
+ the stderr channel remains valid from the time plog is destroyed,
+ until the time the open_logs hook is called again. [William Rowe]
+
+ *) mod_negotiation: preserve Query String in resolving a type map
+ PR 33112 [Jørgen Thomsen <apache jth.net>, Nick Kew]
+
+ *) mod_ssl: Version reporting update; displays 'compiled against'
+ Apache and build-time SSL Library versions at loglevel [info],
+ while reporting the run-time SSL Library version in the server
+ info tags. Helps to identify a mod_ssl built against one flavor
+ of OpenSSL but running against another (also adds SSL-C version
+ number reporting.) [William Rowe]
+
+ *) mime.types: Many updates to sync with IANA registry and common
+ unregistered types that the owners refuse to register. Admins
+ are encouraged to update their installed mime.types file.
+ PR: 35550, 37798, 39317, 31483 [Roy T. Fielding]
+
+ *) mod_expires: don't crash on bad configuration data
+ PR 43213 [Julien Perez <julien.perez epsylonia.net>]
+
+ *) mod_dbd: Introduce configuration groups to allow inheritance by virtual
+ hosts of database configurations from the main server. Determine the
+ minimal set of distinct configurations and share connection pools
+ whenever possible. Allow virtual hosts to override inherited SQL
+ statements. PR 41302. [Chris Darroch]
+
+ *) mod_dbd: Create memory sub-pools for each DB connection and close
+ DB connections in a pool cleanup function. Ensure prepared statements
+ are destroyed before DB connection is closed. When using reslists,
+ prevent segfaults when child processes exit, and stop memory leakage
+ of ap_dbd_t structures. Avoid use of global s->process->pool, which
+ isn't destroyed by exiting child processes in most multi-process MPMs.
+ PR 39985. [Chris Darroch, Nick Kew]
+
+ *) mod_dbd: Handle error conditions in dbd_construct() properly.
+ Simplify ap_dbd_open() and use correct arguments to apr_dbd_error()
+ when non-threaded. Register correct cleanup data in non-threaded
+ ap_dbd_acquire() and ap_dbd_cacquire(). Clean up configuration data
+ and merge function. Use ap_log_error() wherever possible.
+ [Chris Darroch, Nick Kew]
+
+ *) mod_dbd: Stash DBD connections in request_config of initial request
+ only, or else sub-requests and internal redirections may cause
+ entire DBD pool to be stashed in a single HTTP request. [Chris Darroch]
+
+ *) main core: Emit errors during the initial apr_app_initialize()
+ or apr_pool_create() (when apr-based error reporting is not ready).
+ [William Rowe, Jeff Trawick]
+
+ *) log core: fix the new piped logger case where we couldn't connect
+ the replacement stderr logger's stderr to the NULL stdout stream.
+ Continue in this case, since the previous alternative of no error
+ logging at all (/dev/null) is far worse. [William Rowe]
+
+ *) mpm_winnt: Prevent the parent-child pipe from leaking into other
+ spawned processes, and ensure we have a /Device/null handle for
+ stdout when running as-a-service. [William Rowe]
+
+ *) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
+ improper merging of the cache lock in vhost config
+ PR 43164 [Eric Covener]
+
+ *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]
+
+ *) mod_deflate: fix protocol handling in deflate input filter
+ PR 23287 [Nick Kew]
+
+ *) mime.types: add Registered Javascript/ECMAScript MIME types (RFC4329)
+ PR 40299 [Dave Hodder <dmh dmh.org.uk>]
+
+ *) mod_filter: fix integer comparisons in dispatch rules
+ PR 41835 [Nick Kew]
+
+ *) mod_filter: fix merging of ! and = in FilterChain
+ PR 42186 [Issac Goldstand <margol beamartyr.net>]
+
+ *) mod_deflate: don't try to process metadata buckets as data. what should
+ have been a 413 error was logged as a 500 and a blank screen appeared
+ at the browser.
+ [Greg Ames, Ruediger Pluem]
+
+ *) mod_cgi, mod_cgid: Fix use of CGI scripts as ErrorDocuments.
+ PR 39710. [Paul Querna, Ruediger Pluem]
+
+ *) mod_proxy: Allow to use different values for sessionid
+ in url encoded id and cookies. PR 41897. [Jean-Frederic Clere]
+
+ *) mod_proxy: Fix the 503 returned when session route does
+ not match any of the balancer members. [Mladen Turk]
+
+ *) mod_proxy: Added ProxyPassMatch directive, which is similar
+ to ProxyPass but takes a regex local path prefix. [Jim Jagielski]
+
+ *) mod_cache: Do not set Date or Expires when they are missing from
+ the original response or are invalid. [Justin Erenkrantz]
+
+ *) mod_cache: Correctly handle HEAD requests on expired cache content.
+ PR 41230. [Niklas Edmundsson <nikke acc.umu.se>]
+
+ *) mod_cache: Let Cache-Control max-age set the expiration of the cached
+ representation if Expires is not set. [Justin Erenkrantz]
+
+ *) mod_cache: Allow caching of requests with query arguments when
+ Cache-Control max-age is explicitly specified. [Justin Erenkrantz]
+
+ *) mod_disk_cache: Allow Vary'd responses to be refreshed properly.
+ [Justin Erenkrantz]
+
+ *) mod_proxy: Print the correct error message for erroneous configured
+ ProxyPass directives. PR 40439. [Takashi Sato <serai lans-tv.com>]
+
+ *) mod_so: Provide more helpful LoadModule feedback when an error occurs.
+ [William Rowe]
+
+ *) mod_alias: Accept path components (URL part) in Redirects. PR 35314.
+ [Nick Kew]
+
+ *) mod_headers: Allow % at the end of a Header value. PR 36609.
+ [Nick Kew, Ruediger Pluem]
+
+ *) mod_cache: Use the same cache key throughout the whole request processing
+ to handle escaped URLs correctly. PR 41475. [Ruediger Pluem]
+
+ *) mod_cache: Add CacheIgnoreQueryString directive. PR 41484.
+ [Fredrik Widlund <fredrik.widlund qbrick.com>]
+
+ *) mod_cache: While serving a cached entity ensure that filters that have
+ been applied to this cached entity before saving it to the cache are not
+ applied again. PR 40090. [Ruediger Pluem]
+
+ *) mod_cache: Correctly cache objects whose URL query string has been
+ modified by mod_rewrite. PR 40805. [Ruediger Pluem]
+
+ *) HTTP proxy ProxyErrorOverride: Leave 1xx and 3xx responses alone. Only
+ processing of error responses (4xx, 5xx) will be altered. PR 39245.
+ [Jeff Trawick, Bart van der Schans <schans hippo.nl>]
+
+ *) htdbm: Enable crypt support on platforms with crypt() but not
+ <crypt.h>, such as z/OS. [David Jones <oscaremma gmail.com>]
+
+ *) mod_ssl: initialize thread locks before initializing the hardware
+ acceleration library, so the latter can make use of the former.
+ PR 20951. [<adunn at ncipher.com>]
+
+ *) ab.c: Correct behavior of HTTP request headers sent by ab
+ in presence of -H command-line overrides. PR 31268, 26554.
+ [Arvind Srinivasan <arvind.srinivasan sun.com>]
+
+ *) ab.c: The apr_port_t type is unsigned, but ab was using a
+ signed format code in its reports. PR 42070.
+ [Takashi Sato <serai lans-tv.com>]
+
+ *) mod_ldap: Remove the hardcoded size limit parameter for
+ ldap_search_ext_s and replace it with an APR_ defined value that
+ is set according to the LDAP SDK being used, resolving a problem
+ with SDKs that define LDAP_NO_LIMIT to something other than -1.
+ [David Jones <oscaremma gmail com>]
+
+ *) core: Correct a regression since 2.0.x in the handling of AllowOverride
+ Options. PR 41829. [Torsten Förtsch <torsten.foertsch gmx.net>]
+
+ *) mod_proxy_http: Handle request bodies larger than 2 GB by converting
+ the Content-Length header of the request correctly. PR 40883.
+ [Ruediger Pluem, toadie <toadie643 gmail.com>]
+
+ *) mod_proxy: Fix some proxy setting inheritance problems (eg:
+ ProxyTimeout). PR 11540. [Stuart Children <stuart terminus.co.uk>]
+
+ *) Unix MPMs: Catch SIGFPE so that exception hooks and CoreDumpDirectory
+ can work after that terminating signal.
+ [Eric Covener]
+
+ *) Win32: Makefile.win will now build with MS VC 8 (Visual Studio 2005)
+ including embedding the .manifest information into each binary.
+ [William Rowe]
+
+There was no Apache 2.2.5
+
+Changes with Apache 2.2.4
+
+ *) mod_isapi: Correctly present SERVER_PORT_SECURE.
+ PR: 40573. [Matt Eaton <asf divinehawk.com>]
+
+ *) Allow htcacheclean, httxt2dbm, and fcgistarter to link apr/apr-util
+ statically like the older support programs.
+ [Eric Covener <covener gmail.com>]
+
+ *) core: Fix NONBLOCK status of listening sockets on restart/graceful
+ PR 37680. [Darius Davis <darius-abz free-range.com.au>]
+
+ *) mod_deflate: Rework inflate output and deflate output filter to fix
+ several issues: Incorrect handling of flush buckets, potential memory
+ leaks, excessive memory usage in inflate output filter for large
+ compressed content. PR 39854.
+ [Ruediger Pluem, Nick Kew, Justin Erenkrantz]
+
+ *) mod_mem_cache: Memory leak fix: Unconditionally free the buffer.
+ [Davi Arnaut <davi haxent.com.br>]
+
+ *) Allow mod_dumpio to log at other than DEBUG levels via
+ the new DumpIOLogLevel directive. [Jim Jagielski]
+
+ *) rotatelogs: Improve error message for open failures. PR 39487.
+ [Joe Orton]
+
+ *) mod_dbd: share per-request database handles across subrequests
+ and internal redirects [Chris Darroch]
+
+ *) mod_dbd: key connection pools to virtual hosts correctly even when
+ ServerName is unset/unavailable [Graham Leggett]
+
+ *) Better detection and clean up of ldap connection that has been
+ terminated by the ldap server. PR 40878.
+ [Rob Baily <rbaily servicebench com>]
+
+ *) mod_mem_cache: Convert mod_mem_cache to use APR memory pool functions
+ by creating a root pool for object persistence across requests. This
+ also eliminates the need for custom serialization code.
+ [Davi Arnaut <davi haxent.com.br>]
+
+ *) mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If
+ set, REMOTE_USER will be set to this attribute, rather than the
+ username supplied by the user. Useful for example when you want users
+ to log in using an email address, but need to supply a userid instead
+ to the backend. [Graham Leggett]
+
+ *) mod_cgi and mod_cgid: Don't use apr_status_t error return
+ from input filters as HTTP return value from the handler.
+ PR 31759. [Nick Kew]
+
+ *) mod_cache: Eliminate a bogus error in the log when a filter returns
+ AP_FILTER_ERROR. [Niklas Edmundsson <nikke acc.umu.se>]
+
+ *) core: Fix issue which could cause piped loggers to be orphaned and never
+ terminate after a graceful restart. PR 40651.
+ [Joe Orton, Ruediger Pluem]
+
+ *) core: Fix address-in-use startup failure caused by corruption of the list
+ of listen sockets in some configurations with multiple generic Listen
+ directives. [Jeff Trawick]
+
+ *) mod_headers: Support regexp-based editing of HTTP headers. [Nick Kew]
+
+ *) mod_proxy: Add explicit flushing feature. When Servlet container sends
+ AJP body message with size 0, this means that Servlet container has asked
+ for an explicit flush. Create flush bucket in that case. This feature has
+ been added to the recent Tomcat versions without breaking the AJP
+ protocol. [Mladen Turk]
+
+ *) mod_proxy_balancer: Set the new environment variable
+ BALANCER_ROUTE_CHANGED if a worker with a route different from the one
+ supplied by the client had been chosen or if the client supplied no
+ routing information for a balancer with sticky sessions.
+ [Ruediger Pluem]
+
+ *) mod_proxy_balancer: Add information about the route, the sticky session
+ and the worker used during a request as environment variables. PR 39806.
+ [Brian <brectanu gmail.com>]
+
+ *) mod_proxy: Don't try to use dead backend connection. PR 37770.
+ [Olivier BOEL <ob dorrboel.com>]
+
+ *) mod_proxy_balancer: Extract stickysession routing information contained
+ as parameter in the URL correctly. PR 40400.
+ [Ruediger Pluem, Tomokazu Harada <harada sysrdc.ns-sol.co.jp>]
+
+ *) mod_proxy_ajp: Added cping/cpong support for the AJP protocol.
+ A new worker directive ping=timeout will cause CPING packet
+ to be send expecting CPONG packet within defined timeout.
+ In case the backend is too busy this will fail instead
+ sending the full header. [Mladen Turk]
+
+ *) mod_disk_cache: Make sure that only positive integers are accepted
+ for the CacheMaxFileSize and CacheMinFileSize parameters in the
+ config file. PR39380. [Niklas Edmundsson <nikke acc.umu.se>]
+
+ *) mod_cache: From RFC3986 (section 6.2.3.) if a URI contains an
+ authority component and an empty path, the empty path is to be equivalent
+ to "/". It explicitly cites the following four URIs as equivalents:
+ http://example.com
+ http://example.com/
+ http://example.com:/
+ http://example.com:80/
+ [Davi Arnaut <davi haxent.com.br>]
+
+ *) mod_cache: Don't cache requests with a expires date in the past;
+ otherwise mod_cache will always try to cache the URL. This bug
+ might lead to numerous rename() errors on win32 if the URL was
+ previously cached. [Davi Arnaut <davi haxent.com.br>]
+
+ *) core: Deal with the widespread use of apr_status_t return values
+ as HTTP status codes, as documented in PR#31759 (a bug shared by
+ the default handler, mod_cgi, mod_cgid, mod_proxy, and probably
+ others). PR31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]
+
+ *) mod_ext_filter: Handle filter names which include capital letters.
+ PR 40323. [Jeff Trawick]
+
+ *) mod_isapi: Avoid double trailing slashes in HSE_REQ_MAP_URL_TO_PATH
+ support. Also corrects the slashes for Windows.
+ PR 15993. [William Rowe]
+
+ *) mod_isapi: Handle "HTTP/1.1 200 OK" style status lines correctly, the
+ token parser worked while the resulting length was misinterpreted.
+ PR 29098. [Brock Bland <bbland serena.com>]
+
+ *) mod_isapi: Return 0 (failure) for more of the various ap_pass_brigade
+ attempts to stream the response at the client. Log these as well.
+ PR 30022, 40470. [William Rowe, Matt Eaton <asf divinehawk.com>]
+
+ *) mod_isapi: Ensure we walk through all the methods the developer may have
+ employed to report their HTTP status result code. PR 16637 30033 28089
+ [Matt Lewandowsky <matt iamcode.net>, William Rowe]
+
+ *) mod_echo: Fix precedence problem in if statement. PR 40658.
+ [Larry Cipriani <lvc lucent.com>]
+
+ *) mod_mime_magic: Fix precedence problem in if statement. PR 40656.
+ [Larry Cipriani <lvc lucent.com>]
+
+ *) The full server version information is now included in the error log at
+ startup as well as server status reports, irrespective of the setting
+ of the ServerTokens directive. ap_get_server_version() is now
+ deprecated, and is replaced by ap_get_server_banner() and
+ ap_get_server_description(). [Jeff Trawick]
+
+ *) mod_proxy_balancer: Workers can now be defined as part of
+ a balancer cluster "set" in which members of a lower-numbered set
+ are preferred over higher numbered ones. [Jim Jagielski]
+
+ *) mod_proxy_balancer: Workers can now be defined as "hot standby" which
+ will only be used if all other workers are unusable (eg: in
+ error or disabled). Also, the balancer-manager displays the election
+ count and I/O counts of all workers. [Jim Jagielski]
+
+ *) mod_proxy_ajp: Close connection to backend if reading of request body
+ fails. PR 40310. [Ian Abel <ianabel mxtelecom.com>]
+
+ *) mod_proxy_balancer: Retry worker chosen by route / redirect worker if
+ it is in error state before sending "Service Temporarily Unavailable".
+ PR 38962. [Christian Boitel <cboitel lfdj.com>]
+
+Changes with Apache 2.2.3
+
+ *) SECURITY: CVE-2006-3747 (cve.mitre.org)
+ mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+ handling. For some RewriteRules this could lead to a pointer being
+ written out of bounds. Reported by Mark Dowd of McAfee.
+ [Mark Cox]
+
+ *) Win32: Minor fixes to build more cleanly under Visual Studio 2005
+ with command line builds. [William Rowe]
+
+ *) mod_authn_alias: Add a check to make sure that the base provider and the
+ alias names are different and also that the alias has not been registered
+ before. PR 40051. [Brad Nicholes]
+
+ *) mod_authnz_ldap: Fix a problem with invalid auth error detection for LDAP
+ client SDKs that don't support the LDAP_SECURITY_ERROR macro. PR 39529.
+ [Ray Price <dohrayme yahoo.com>, Josh Fenlason <jfenlason ptc.com>]
+
+ *) mod_cache: Do not overwrite the Content-Type in the cache, for
+ successfully revalidated cached objects. PR 39647. [Ruediger Pluem]
+
+ *) mod_speling: Add directive to deal with case corrections only
+ and ignore other misspellings [Olivier Thereaux <ot w3.org>]
+
+ *) mod_dbd: Fix dependence on virtualhost configuration in
+ defining prepared statements (possible segfault at startup
+ in user modules such as mod_authn_dbd). [Nick Kew]
+
+ *) Add optional 'scheme://' prefix to ServerName directive,
+ allowing correct determination of the canonical server URL
+ for use behind a proxy or offload device handling SSL; fixing
+ redirect generation in those cases. PR 33398. [Sander Temme]
+
+ *) Added server_scheme field to server_rec for above. Minor MMN bump.
+ [Sander Temme]
+
+ *) mod_cache: Make caching of reverse SSL proxies possible again. PR 39593.
+ [Ruediger Pluem, Joe Orton]
+
+ *) Worker MPM: On graceless shutdown or restart, send signals to
+ each worker thread to wake them up if they're polling on a
+ Keep-Alive connection. PR 38737. [Chris Darroch]
+
+ *) worker and event MPMs: fix excessive forking if fork() or child_init
+ take a long time. PR 39275.
+ [Greg Ames, Jeff Trawick, Chris Darroch <chrisd pearsoncmg.com> ]
+
+ *) configure: Add "--with-included-apr" flag to force use of the
+ bundled version of APR at build time. [Joe Orton]
+
+ *) Respect GracefulShutdownTimeout in the worker and event MPMs.
+ [Chris Darroch, Garrett Rooney]
+
+ *) mod_mem_cache: Set content type correctly when delivering data from
+ cache. PR 39266. [Ruediger Pluem]
+
+ *) mod_autoindex: Fix filename escaping with FancyIndexing disabled.
+ PR 38910. [Robby Griffin <rmg terc.edu>]
+
+ *) mod_charset_lite: Bypass translation when the source and dest charsets
+ are the same. [Jeff Trawick]
+
+Changes with Apache 2.2.2
+
+ *) mod_deflate: work correctly in an internal redirect
+ [Brian J. France <list firehawksystems com>]
+
+ *) mod_proxy_balancer: Initialize members of a balancer correctly.
+ PR 38227. [James A. Robinson <jim.robinson stanford.edu>]
+
+ *) mod_proxy: Do not release connections from connection pool twice.
+ PR 38793. [Ruediger Pluem, matthias <mk-asf gigacodes.de>]
+
+ *) core: Prevent reading uninitialized memory while reading a line of
+ protocol input. PR 39282. [Davi Arnaut <davi haxent com br>]
+
+ *) mod_dbd: Update defaults, improve error reporting.
+ [Chris Darroch <chrisd pearsoncmg com>, Nick Kew]
+
+ *) mod_dbd: Create own pool and mutex to avoid problem use of
+ process pool in request processing.
+ [Chris Darroch <chrisd pearsoncmg com>]
+
+ *) HTML-escape the Expect error message. Not classed as security as
+ an attacker has no way to influence the Expect header a victim will
+ send to a target site. Reported by Thiago Zaninotti
+ <thiango nstalker.com>. [Mark Cox]
+
+ *) htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
+ [Jeff Trawick]
+
+ *) htdbm: Warn the user when adding a plaintext password on a platform
+ where it wouldn't work with the server (i.e., anywhere that has
+ crypt()). [Jeff Trawick]
+
+ *) mod_proxy: don't reuse a connection that may be to the wrong backend
+ PR 39253 [Ruediger Pluem]
+
+ *) Default handler: Don't return output filter apr_status_t values.
+ PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]
+
+Changes with Apache 2.2.1
+
+ *) SECURITY: CVE-2005-3357 (cve.mitre.org)
+ mod_ssl: Fix a possible crash during access control checks if a
+ non-SSL request is processed for an SSL vhost (such as the
+ "HTTP request received on SSL port" error message when an 400
+ ErrorDocument is configured, or if using "SSLEngine optional").
+ PR 37791. [Rüdiger Plüm, Joe Orton]
+
+ *) SECURITY: CVE-2005-3352 (cve.mitre.org)
+ mod_imagemap: Escape untrusted referer header before outputting
+ in HTML to avoid potential cross-site scripting. Change also
+ made to ap_escape_html so we escape quotes. Reported by JPCERT.
+ [Mark Cox]
+
+ *) mod_proxy_ajp: Flushing of the output after each AJP chunk is now
+ configurable at runtime via the 'flushpackets' and 'flushwait' worker
+ params. Minor MMN bump. [Jim Jagielski]
+
+ *) mod_proxy: Fix incorrect usage of local and shared worker init.
+ PR 38403. [Jim Jagielski]
+
+ *) mod_isapi: Fix compiler errors on Unix platforms.
+ [William Rowe]
+
+ *) mod_proxy_http: Do send keep-alive header if the client sent
+ connection: keep-alive and do not close backend connection if the client
+ sent connection: close. PR 38524. [Ruediger Pluem, Joe Orton]
+
+ *) mod_disk_cache: Return the correct error codes from bucket read
+ failures, instead of APR_EGENERAL.
+ [Brian Akins <brian.akins turner.com>]
+
+ *) Add APR/APR-Util Compiled and Runtime Version numbers to the
+ output of 'httpd -V'. [William Rowe]
+
+ *) http: If a connection is aborted while waiting for a chunked line,
+ flag the connection as errored out. [Justin Erenkrantz]
+
+ *) core: Reject invalid Expect header immediately. PR 38123.
+ [Ruediger Pluem]
+
+ *) Fix mis-shifted 32 bit scope, masked to 64 bits as a method.
+ [Will Rowe, Joe Orton]
+
+ *) mod_proxy: Fix KeepAlives not being allowed and set to
+ backend servers. PR 38602. [Ruediger Pluem, Jim Jagielski]
+
+ *) Fix instdso.sh "sed syntax error" installation issue on some
+ platforms. PR 38108. [Masaoki Kobayashi <masaoki techfirm.co.jp>]
+
+ *) mod_ssl: Fix possible crashes in shmcb with gcc 4 on platforms
+ requiring word-aligned pointers. PR 38838. [Joe Orton]
+
+ *) mod_proxy: If we get an error reading the upstream response,
+ close the connection. [Justin Erenkrantz, Roy T. Fielding,
+ Jim Jagielski, Ruediger Pluem]
+
+ *) mod_proxy_ajp: Support common headers of the AJP protocol in responses.
+ PR 38340. [Aleksey Pesternikov <apesternikov yahoo.com>]
+
+ *) mod_proxy_balancer: Do not overwrite the status of initialized workers
+ and respect the configured status of uninitilized workers when creating
+ a new child process. [Ruediger Pluem]
+
+ *) mod_proxy_ajp: Crosscheck the length of the body chunk with the length of
+ the ajp message to prevent mod_proxy_ajp from reading beyond the buffer
+ boundaries and thus revealing possibly sensitive memory contents to the
+ client. [Ruediger Pluem]
+
+ *) Ensure that the proper status line is written to the client, fixing
+ incorrect status lines caused by filters which modify r->status without
+ resetting r->status_line, such as the built-in byterange filter.
+ [Jeff Trawick]
+
+ *) mod_speling: Stop crashing with certain non-file requests.
+ [Jeff Trawick]
+
+ *) mod_cache: Make caching of reverse proxies possible again. PR 38017.
+ [Ruediger Pluem]
+
+ *) Modify apr[util] .h detection to avoid breakage on VPATH builds
+ using Solaris make (amoung others) and avoid breakage in ./buildconf
+ when srclib/apr[-util] are symlinks rather than directories proper.
+ [William Rowe]
+
+ *) Avoid Server-driven negotiation when a script has emitted an
+ explicit Status: header. PR 38070. [Nick Kew]
+
+ *) Fix to avoid feeding C99 to C++ compilers. [Joe Orton]
+
+ *) Chunk filter: Fix chunk filter to create correct chunks in the case that
+ a flush bucket is surrounded by data buckets. [Ruediger Pluem]
+
+ *) Fix syntax error in httpd.h with strict compilers. PR 37840.
+ [Per Olausson <pao darkheim.freeserve.co.uk>]
+
+ *) Fix recursive ErrorDocument handling. PR 36090.
+ [Chris Darroch <chrisd pearsoncmg.com>]
+
+ *) Don't hang on error return from post_read_request. PR 37790.
+ [Nick Kew]
+
+ *) Fix off-by-one error in proxy_balancer. PR 37753.
+ [Kazuhiro Osawa <ko yappo ne jp>]
+
+Changes with Apache 2.2.0
+
+ *) mod_negotiation: Minor performance tweak by reusing already calculated
+ strlen.
+ [Ruediger Pluem, Christophe Jaillet <christophe.jaillet wanadoo.fr>]
+
+ *) Remove support for 'On' and 'Off' for AuthBasicProvider and
+ AuthDigestProvider. [Joshua Slive, Justin Erenkrantz]
+
+ *) Add in new UseCanonicalPhysicalPort directive, which controls
+ whether or not Apache will ever use the actual physical port
+ when constructing the canonical port number. [Jim Jagielski]
+
+ *) mod_dav: Fix a null pointer dereference in an error code path during the
+ handling of MKCOL.
+ [Ruediger Pluem, Ghassan Misherghi <ghassanm ucdavis.edu>]
+
+ *) mod_proxy_balancer: When finding best worker, use case insensitive
+ match for scheme and host, but case sensitive for the rest of
+ the path. [Jim Jagielski, Ruediger Pluem]
+
+ *) Require use of APR >= 1.2.0 and APR-util >= 1.2.0 when configured
+ to use external copies of the libraries. [Joe Orton]
+
+ *) Fix DESTDIR=... installation when using bundled copy of APR.
+ [Torsten Foertsch <torsten.foertsch gmx.net>]
+
+ *) mod_dav: Fix handling of unknown state tokens in If: headers.
+ PR: 37288. [Joe Orton]
+
+ *) Strip out Experimental MPMs that have gone nowhere since 2.0
+ (perchild, threadpool, leader). [Nick Kew]
+
+Changes with Apache 2.1.9
+
+ *) Add mod_authn_dbd (SQL-based authentication) [Nick Kew]
+
+ *) mod_proxy_ajp: Do not spool the entire response from AJP backend before
+ sending it up the filter chain. PR 37100. [Ruediger Pluem]
+
+ *) mod_cache: Create new filters CACHE_OUT_SUBREQ / CACHE_SAVE_SUBREQ which
+ only differ by the type from CACHE_OUT / CACHE_SAVE to ensure that
+ subrequests to non-local resources work again. [Ruediger Pluem]
+
+ *) mod_proxy: Do not lowercase the entire worker name of a BalancerMember
+ since this breaks case sensitive URI's. PR 36906. [Ruediger Pluem]
+
+ *) core: AddOutputFilterByType is ignored for proxied requests. PR 31226.
+ [Joe Orton, Ruediger Pluem]
+
+ *) mod_proxy_http: Prevent data corruption of POST request bodies when
+ client accesses proxied resources with SSL. PR 37145.
+ [Ruediger Pluem, William Rowe]
+
+ *) mod_ssl: Fix issue which could cause spurious warnings about use
+ of name-based vhosts. PR 37051. [Joe Orton]
+
+ *) ab: Fix to ensure that only the expected number of requests are run.
+ PR 36966. [Joe Orton]
+
+ *) mod_proxy_balancer: BalancerManager and proxies correctly handle
+ member workers with paths. PR 36816. [Ruediger Pluem, Jim Jagielski]
+
+ *) mod_log_config: %{hextid}P will log the thread id in hex with APR
+ versions 1.2.0 or higher. [Jeff Trawick]
+
+ *) httpd.exe/apachectl -V: display the DYNAMIC_MODULE_LIMIT setting, as
+ in 1.3. [Jeff Trawick]
+
+ *) Support dbd connection tied to conn_rec in mod_dbd. [Nick Kew]
+
+ *) Fix use of pools in mod_dbd. [Brian J France, Nick Kew]
+
+ *) Promote modules from "experimental": mod_dbd, mod_filter,
+ mod_charset_lite. [Nick Kew]
+
+ *) mod_proxy_ajp: mod_proxy_ajp sends empty SSL attributes for non SSL
+ connections. PR 36883.
+ [William Barker <william.barker wilshire.com>, Ruediger Pluem]
+
+ *) Eliminated the NET_TIME filter, restructuring the timeout logic.
+ This provides a working mod_echo on all platforms, and ensures any
+ custom protocol module is at least given an initial timeout value
+ based on the <VirtualHost > context's Timeout directive.
+ [William Rowe]
+
+ *) mod_proxy: Run the request_status hook also if there are no free workers
+ or all workers are in error state.
+ [Ruediger Pluem, Brian Akins <brian.akins turner.com>]
+
+ *) mod_proxy_connect: Fix high CPU loop on systems like UnixWare which
+ trigger POLL_ERR or POLL_HUP on a terminated connection. PR 36951.
+ [Jeff Trawick, Ruediger Pluem]
+
+ *) mod_proxy_balancer: Fix handling of sticky sessions with Tomcat.
+ PR 36507. [Ruediger Pluem]
+
+ *) SECURITY: CVE-2005-2970 (cve.mitre.org)
+ worker MPM: Fix a memory leak which can occur after an aborted
+ connection in some limited circumstances. [Greg Ames]
+
+ *) Doxygen fixups. [Neale Ranns <neale ranns.org>, Ian Holsman]
+
+ *) mod_cache/mod_dir: Correct a subrequest lookup bug which was preventing
+ mod_dir from serving indexes correctly with mod_cache enabled.
+ [Colm MacCarthaigh]
+
+Changes with Apache 2.1.8
+
+ *) Fix lingering close implementation to match 1.3.x behaviour.
+ PR 35292. [Joe Orton]
+
+ *) mod_ssl: Support limited buffering of request bodies to allow
+ per-location renegotiation to proceed. PR 12355. [Joe Orton]
+
+ *) Fix regression since 2.0.x in AllowOverride Options handling.
+ PR 35330. [kabe <kabe sra-tohoku.co.jp>]
+
+ *) mod_ssl: Fix memory leak in ssl_util_algotypeof().
+ PR 25659. [David Blake <dblake hp com>, Martin Kraemer]
+
+ *) prefork, worker and event MPMs: Support a graceful-stop procedure:
+ Server will wait until existing requests are finished or until
+ "GracefulShutdownTimeout" number of seconds before exiting.
+ [Colm MacCarthaigh, Ken Coar, Bill Stoddard]
+
+ *) prefork, worker and event MPMs: Prevent children from holding open
+ listening ports upon graceful restart or stop. PR 28167.
+ [Colm MacCarthaigh, Brian Pinkerton <bp thinkpink.com>]
+
+ *) SECURITY: CVE-2005-2700 (cve.mitre.org)
+ mod_ssl: Fix a security issue where "SSLVerifyClient" was not
+ enforced in per-location context if "SSLVerifyClient optional"
+ was configured in the vhost configuration. [Joe Orton]
+
+ *) mod_ssl: Catch parse errors from misconfigured or malformed
+ CRLs. PR 36438. [Joe Orton]
+
+ *) mod_proxy/mod_proxy_balancer: lbmethods now implemented as
+ providers. Prevent problems when no Vhost containers were
+ configured with proxy balancers. [Jim Jagielski]
+
+ *) New provider function to list all available provider names in a
+ specific group and version (ap_list_provider_names). [Jim Jagielski]
+
+ *) mod_cache: Enhance CacheEnable/CacheDisable to control caching on a
+ per-protocol, per-host and per-path basis. Intended for proxy
+ configurations. [Colm MacCarthaigh]
+
+ *) mod_disk_cache: Canonicalise the storage key, for improved hit/miss
+ ratio. [Colm MacCarthaigh]
+
+ *) mod_cgid: Append .PID to the script socket filename and remove the
+ script socket on exit. [Colm MacCarthaigh, Jim Jagielski]
+
+ *) mod_cgid: run the get_suexec_identity hook within the request-handler
+ instead of within cgid. PR 36410. [Colm MacCarthaigh]
+
+ *) Linux 2.0: remove support for threaded MPM's due to linuxthreads use
+ of SIGUSR1 clashing with graceful restart signal. [Colm MacCarthaigh]
+
+Changes with Apache 2.1.7
+
+ *) SECURITY: CVE-2005-2491 (cve.mitre.org):
+ Fix integer overflows in PCRE in quantifier parsing which could
+ be triggered by a local user through use of a carefully-crafted
+ regex in an .htaccess file. [Philip Hazel]
+
+ *) mod_proxy/mod_proxy_balancer: Provide a simple, functional
+ interface to add additional balancer lb selection methods
+ without requiring code changes to mod_proxy/mod_proxy_balancer;
+ these can be implemented via sub-modules now. [Jim Jagielski]
+
+ *) mod_cache: Fix incorrectly served 304 responses when expired cache
+ entity is valid, but cache is unwritable and headers cannot be
+ updated. [Colm MacCarthaigh <colm stdlib.net>]
+
+ *) mod_cache: Remove entities from the cache when re-validation
+ receives a 404 or other content-no-longer-present error.
+ [Rüdiger Plüm ruediger.pluem vodafone.com]
+
+ *) mod_disk_cache: Properly remove files from cache when needed.
+ [Rüdiger Plüm ruediger.pluem vodafone.com]
+
+ *) mod_disk_cache: Support htcacheclean removing directories.
+ [Andreas Steinmetz]
+
+ *) htcacheclean: Add -t option to remove empty directories.
+ [Colm MacCarthaigh <colm stdlib.net>]
+
+ *) Remove the base href tag from mod_proxy_ftp, as it breaks relative
+ links for clients not using an Authorization header. [Graham Leggett,
+ Jon Snow <jsnow27 gatesec.net>]
+
+ *) mod_cache: Restore the HTTP status of cached responses.
+ [Hansjoerg Pehofer <hansjoerg.pehofer uibk.ac.at>]
+
+ *) mod_cache: Store varied contents all in the same prefix for a varied URI.
+ [Paul Querna]
+
+ *) mod_cache: Run the CACHE_SAVE and CACHE_OUT Filters after other content
+ filters. [Paul Querna]
+
+ *) mod_negotiation: Correctly report 404 instead of 403 for missing files.
+ [Paul Querna]
+
+ *) new hook (request_status) that gets ran in proxy_handler just before
+ the final return. This gives modules an opportunity to do something
+ based on the proxy status. (minor MMN bump)
+ [Brian Akins <bakins turner.com>, Ian Holsman]
+
+ *) Add additional SSLSessionCache option, 'nonenotnull', which is
[... 733 lines stripped ...]