You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2010/08/19 15:16:56 UTC
svn commit: r156 - /dev/httpd/
Author: jim
Date: Thu Aug 19 13:16:53 2010
New Revision: 156
Log:
Make pre-release tarballs avail...
Added:
dev/httpd/CHANGES_2.3
dev/httpd/CHANGES_2.3.7
dev/httpd/httpd-2.3.7-deps.tar.bz2 (with props)
dev/httpd/httpd-2.3.7-deps.tar.bz2.asc
dev/httpd/httpd-2.3.7-deps.tar.bz2.md5
dev/httpd/httpd-2.3.7-deps.tar.bz2.sha1
dev/httpd/httpd-2.3.7-deps.tar.gz (with props)
dev/httpd/httpd-2.3.7-deps.tar.gz.asc
dev/httpd/httpd-2.3.7-deps.tar.gz.md5
dev/httpd/httpd-2.3.7-deps.tar.gz.sha1
dev/httpd/httpd-2.3.7.tar.bz2 (with props)
dev/httpd/httpd-2.3.7.tar.bz2.asc
dev/httpd/httpd-2.3.7.tar.bz2.md5
dev/httpd/httpd-2.3.7.tar.bz2.sha1
dev/httpd/httpd-2.3.7.tar.gz (with props)
dev/httpd/httpd-2.3.7.tar.gz.asc
dev/httpd/httpd-2.3.7.tar.gz.md5
dev/httpd/httpd-2.3.7.tar.gz.sha1
Added: dev/httpd/CHANGES_2.3
==============================================================================
--- dev/httpd/CHANGES_2.3 (added)
+++ dev/httpd/CHANGES_2.3 Thu Aug 19 13:16:53 2010
@@ -0,0 +1,1282 @@
+ -*- coding: utf-8 -*-
+
+Changes with Apache 2.3.7
+
+ *) SECURITY: CVE-2010-1452 (cve.mitre.org)
+ mod_dav, mod_cache, mod_session: Fix Handling of requests without a path
+ segment. PR: 49246 [Mark Drayton, Jeff Trawick]
+
+ *) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076.
+ [Stefan Fritsch]
+
+ *) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639.
+ [Stefan Fritsch]
+
+ *) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers
+ via leveraging 100-Continue as the initial "request".
+ [Jim Jagielski]
+
+ *) core/mod_authz_core: Introduce new access_checker_ex hook that enables
+ mod_authz_core to bypass authentication if access should be allowed by
+ IP address/env var/... [Stefan Fritsch]
+
+ *) core: Introduce note_auth_failure hook to allow modules to add support
+ for additional auth types. This makes ap_note_auth_failure() work with
+ mod_auth_digest again. PR 48807. [Stefan Fritsch]
+
+ *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]
+
+ *) mod_authn_cache: new module [Nick Kew]
+
+ *) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]
+
+ *) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]
+
+ *) mod_rewrite: Allow to set environment variables without explicitly
+ giving a value. [Rainer Jung]
+
+ *) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung]
+
+ *) mod_include: recognise "text/html; parameters" as text/html
+ PR 49616 [Andrey Chernov <ache nagual.pp.ru>]
+
+ *) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH
+ PR 43906 [Nick Kew]
+
+ *) Core: Extra robustness: don't try authz and segfault if authn
+ fails to set r->user. Log bug and return 500 instead.
+ PR 42995 [Nick Kew]
+
+ *) HTTP protocol filter: fix handling of longer chunk extensions
+ PR 49474 [<tee.bee gmx.de>]
+
+ *) Update SSL cipher suite and add example for SSLHonorCipherOrder.
+ [Lars Eilebrecht, Rainer Jung]
+
+ *) move AddOutputFilterByType from core to mod_filter. This should
+ fix nasty side-effects that happen when content_type is set
+ more than once in processing a request, and make it fully
+ compatible with dynamic and proxied contents. [Nick Kew]
+
+ *) mod_log_config: Implement logging for sub second timestamps and
+ request end time. [Rainer Jung]
+
+Changes with Apache 2.3.6
+
+ *) SECURITY: CVE-2009-3555 (cve.mitre.org)
+ mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
+ attack when compiled against OpenSSL version 0.9.8m or later. Introduces
+ the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
+ and offer unsafe legacy renegotiation with clients which do not yet
+ support the new secure renegotiation protocol, RFC 5746.
+ [Joe Orton, and with thanks to the OpenSSL Team]
+
+ *) SECURITY: CVE-2009-3555 (cve.mitre.org)
+ mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
+ by rejecting any client-initiated renegotiations. Forcibly disable
+ keepalive for the connection if there is any buffered data readable. Any
+ configuration which requires renegotiation for per-directory/location
+ access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
+ [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
+
+ *) SECURITY: CVE-2010-0408 (cve.mitre.org)
+ mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
+ when request headers indicate a request body is incoming; not a case of
+ HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]
+
+ *) SECURITY: CVE-2010-0425 (cve.mitre.org)
+ mod_isapi: Do not unload an isapi .dll module until the request
+ processing is completed, avoiding orphaned callback pointers.
+ [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
+
+ *) core: Filter init functions are now run strictly once per request
+ before handler invocation. The init functions are no longer run
+ for connection filters. PR 49328. [Joe Orton]
+
+ *) core: Adjust the output filter chain correctly in an internal
+ redirect from a subrequest, preserving filters from the main
+ request as necessary. PR 17629. [Joe Orton]
+
+ *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
+ Response if they so choose to do so. Previously an attempt to cache a 206
+ was arbitrarily allowed if the response contained an Expires or
+ Cache-Control header, and arbitrarily denied if both headers were missing.
+ [Graham Leggett]
+
+ *) core: Add microsecond timestamp fractions, process id and thread id
+ to the error log. [Rainer Jung]
+
+ *) configure: The "most" module set gets build by default. [Rainer Jung]
+
+ *) configure: Building dynamic modules (DSO) by default. [Rainer Jung]
+
+ *) configure: Fix broken VPATH build when using included APR.
+ [Rainer Jung]
+
+ *) mod_session_crypto: Fix configure problem when building
+ with APR 2 and for VPATH builds with included APR.
+ [Rainer Jung]
+
+ *) mod_session_crypto: API compatibility with APR 2 crypto and
+ APR Util 1.x crypto. [Rainer Jung]
+
+ *) ab: Fix memory leak with -v2 and SSL. PR 49383.
+ [Pavel Kankovsky <peak argo troja mff cuni cz>]
+
+ *) core: Add per-module and per-directory loglevel configuration.
+ Add some more trace logging.
+ mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels.
+ mod_ssl: Replace LogLevelDebugDump with trace log levels.
+ mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info
+ and debug.
+ mod_dumpio: Replace DumpIOLogLevel with trace log levels.
+ [Stefan Fritsch]
+
+ *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
+ title page only) when any mod_ldap directives were used in VirtualHost
+ context. [Eric Covener]
+
+ *) mod_disk_cache: Decline the opportunity to cache if the response is
+ a 206 Partial Content. This stops a reverse proxied partial response
+ from becoming cached, and then being served in subsequent responses.
+ [Graham Leggett]
+
+ *) mod_deflate: avoid the risk of forwarding data before headers are set.
+ PR 49369 [Matthew Steele <mdsteele google.com>]
+
+ *) mod_authnz_ldap: Ensure nested groups are checked when the
+ top-level group doesn't have any direct non-group members
+ of attributes in AuthLDAPGroupAttribute. [Eric Covener]
+
+ *) mod_authnz_ldap: Search or Comparison during authorization phase
+ can use the credentials from the authentication phase
+ (AuthLDAPSearchAsUSer,AuthLDAPCompareAsUser).
+ PR 48340 [Domenico Rotiroti, Eric Covener]
+
+ *) mod_authnz_ldap: Allow the initial DN search during authentication
+ to use the HTTP username/pass instead of an anonymous or hard-coded
+ LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).
+ [Eric Covener]
+
+ *) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix
+ when this module is used for authorization. See AuthLDAPAuthorizePrefix.
+ PR 45584 [Eric Covener]
+
+ *) apxs -q: Stop filtering out ':' characters from the reported values.
+ PR 45343. [Bill Cole]
+
+ *) prefork MPM: Run cleanups for final request when process exits gracefully.
+ PR 43857. [Tom Donovan]
+
+ *) ab: fix number of requests sent by ab when keepalive is enabled. PR 48497.
+ [Bryn Dole <dole blekko.com>]
+
+ *) Log an error for failures to read a chunk-size, and return 408 instead of
+ 413 when this is due to a read timeout. This change also fixes some cases
+ of two error documents being sent in the response for the same scenario.
+ [Eric Covener] PR49167
+
+ *) mod_proxy_balancer: Add new directive BalancerNonce to allow admin
+ to control/set the nonce used in the balancer-manager application.
+ [Jim Jagielski]
+
+ *) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673.
+ [Stefan Fritsch]
+
+ *) Proxy balancer: support setting error status according to HTTP response
+ code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]
+
+ *) htcacheclean: Introduce the ability to clean specific URLs from the
+ cache, if provided as an optional parameter on the command line.
+ [Graham Leggett]
+
+ *) core: Introduce the IncludeStrict directive, which explicitly fails
+ server startup if no files or directories match a wildcard path.
+ [Graham Leggett]
+
+ *) htcacheclean: Report additional statistics about entries deleted.
+ PR 48944. [Mark Drayton mark markdrayton.info]
+
+ *) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
+ builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
+ build of openssl is required for 'SSLFIPS on'. PR 46270.
+ [Dr Stephen Henson <steve openssl.org>, William Rowe]
+
+ *) mod_proxy_http: Log the port of the remote server in various messages.
+ PR 48812. [Igor GaliÄ <i galic brainsware org>]
+
+ *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
+ connections and other protocol handlers (like mod_ftp). [Stefan Fritsch]
+
+ *) mod_proxy_ajp: Really regard the operation a success, when the client
+ aborted the connection. In addition adjust the log message if the client
+ aborted the connection. [Ruediger Pluem]
+
+ *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
+ allows insecure renegotiation with clients which do not yet
+ support the secure renegotiation protocol. [Joe Orton]
+
+ *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
+ is configured for client cert auth. PR 46952. [Joe Orton]
+
+ *) core: Only log a 408 if it is no keepalive timeout. PR 39785
+ [Ruediger Pluem, Mark Montague <markmont umich.edu>]
+
+ *) support/rotatelogs: Add -L option to create a link to the current
+ log file. PR 48761 [<lyndon orthanc.ca>, Dan Poirier]
+
+ *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
+ setting only, matching most of the documentation and examples.
+ PR 46541 [Paul Reder, Eric Covener]
+
+ *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument
+ types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener]
+
+ *) mod_negotiation: Preserve query string over multiviews negotiation.
+ This buglet was fixed for type maps in 2.2.6, but the same issue
+ affected multiviews and was overlooked.
+ PR 33112 [Joergen Thomsen <apache jth.net>]
+
+ *) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert
+ when some are not password-protected. [Eric Covener]
+
+ *) Fix startup segfault when the Mutex directive is used but no loaded
+ modules use httpd mutexes. PR 48787. [Jeff Trawick]
+
+ *) Proxy: get the headers right in a HEAD request with
+ ProxyErrorOverride, by checking for an overridden error
+ before not after going into a catch-all code path.
+ PR 41646. [Nick Kew, Stuart Children]
+
+ *) support/rotatelogs: Support the simplest log rotation case, log
+ truncation. Useful when the log is being processed in real time
+ using a command like tail. [Graham Leggett]
+
+ *) support/htcacheclean: Teach it how to write a pid file (modelled on
+ httpd's writing of a pid file) so that it becomes possible to run
+ more than one instance of htcacheclean on the same machine.
+ [Graham Leggett]
+
+ *) Log command line on startup, so there's a record of command line
+ arguments like -f. PR 48752. [Dan Poirier]
+
+ *) Introduce mod_reflector, a handler capable of reflecting POSTed
+ request bodies back within the response through the output filter
+ stack. Can be used to turn an output filter into a web service.
+ [Graham Leggett]
+
+ *) mod_proxy_http: Make sure that when an ErrorDocument is served
+ from a reverse proxied URL, that the subrequest respects the status
+ of the original request. This brings the behaviour of proxy_handler
+ in line with default_handler. PR 47106. [Graham Leggett]
+
+ *) Support wildcards in both the directory and file components of
+ the path specified by the Include directive. [Graham Leggett]
+
+ *) mod_proxy, mod_proxy_http: Support remote https proxies
+ by using HTTP CONNECT. PR 19188.
+ [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
+
+ *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
+ [Philip M. Gollucci]
+
+ *) worker: Don't report server has reached MaxClients until it has.
+ Add message when server gets within MinSpareThreads of MaxClients.
+ PR 46996. [Dan Poirier]
+
+ *) mod_session: Session expiry was being initialised, but not updated
+ on each session save, resulting in timed out sessions when there
+ should not have been. Fixed. [Graham Leggett]
+
+ *) mod_log_config: Add the R option to log the handler used within the
+ request. [Christian Folini <christian.folini netnea com>]
+
+ *) mod_include: Allow fine control over the removal of Last-Modified and
+ ETag headers within the INCLUDES filter, making it possible to cache
+ responses if desired. Fix the default value of the SSIAccessEnable
+ directive. [Graham Leggett]
+
+ *) Add new UnDefine directive to undefine a variable. PR 35350.
+ [Stefan Fritsch]
+
+ *) Make ap_pregsub(), used by AliasMatch and friends, use the same syntax
+ for regex backreferences as mod_rewrite and mod_include: Remove the use
+ of '&' as an alias for '$0' and allow to escape any character with a
+ backslash. PR 48351. [Stefan Fritsch]
+
+ *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
+ password to UTF-8. PR 45318.
+ [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
+
+ *) ab: Fix calculation of requests per second in HTML output. PR 48594.
+ [Stefan Fritsch]
+
+ *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
+ password now result in an informational level log entry instead of
+ warning level. [Eric Covener]
+
+Changes with Apache 2.3.5
+
+ *) SECURITY: CVE-2010-0434 (cve.mitre.org)
+ Ensure each subrequest has a shallow copy of headers_in so that the
+ parent request headers are not corrupted. Eliminates a problematic
+ optimization in the case of no request body. PR 48359
+ [Jake Scott, William Rowe, Ruediger Pluem]
+
+ *) Turn static function get_server_name_for_url() into public
+ ap_get_server_name_for_url() and use it where appropriate. This
+ fixes mod_rewrite generating invalid URLs for redirects to IPv6
+ literal addresses. [Stefan Fritsch]
+
+ *) mod_ldap: Introduce new config option LDAPTimeout to set the timeout
+ for LDAP operations like bind and search. [Stefan Fritsch]
+
+ *) mod_proxy, mod_proxy_ftp: Move ProxyFtpDirCharset from mod_proxy to
+ mod_proxy_ftp. [Takashi Sato]
+
+ *) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to
+ mod_proxy_connect. [Takashi Sato]
+
+ *) mod_cache: Do an exact match of the keys defined by
+ CacheIgnoreURLSessionIdentifiers against the querystring instead of
+ a partial match. PR 48401.
+ [Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem]
+
+ *) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung]
+
+ *) Core HTTP: disable keepalive when the Client has sent
+ Expect: 100-continue
+ but we respond directly with a non-100 response.
+ Keepalive here led to data from clients continuing being treated as
+ a new request.
+ PR 47087 [Nick Kew]
+
+ *) Core: reject NULLs in request line or request headers.
+ PR 43039 [Nick Kew]
+
+ *) Core: (re)-introduce -T commandline option to suppress documentroot
+ check at startup.
+ PR 41887 [Jan van den Berg <janvdberg gmail.com>]
+
+ *) mod_autoindex: support XHTML as equivalent to HTML in IndexOptions,
+ ScanHTMLTitles, ReadmeName, HeaderName
+ PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew]
+
+ *) Proxy: Fix ProxyPassReverse with relative URL
+ Derived (slightly erroneously) from PR 38864 [Nick Kew]
+
+ *) mod_headers: align Header Edit with Header Set when used on Content-Type
+ PR 48422 [Cyril Bonté <cyril.bonte free.fr>, Nick Kew>]
+
+ *) mod_headers: Enable multi-match-and-replace edit option
+ PR 47066 [Nick Kew]
+
+ *) mod_filter: enable it to act on non-200 responses.
+ PR 48377 [Nick Kew]
+
+Changes with Apache 2.3.4
+
+ *) Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex,
+ and WatchdogMutexPath with a single Mutex directive. Add APIs to
+ simplify setup and user customization of APR proc and global mutexes.
+ (See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
+ respected; set DEFAULT_REL_RUNTIMEDIR instead. [Jeff Trawick]
+
+ *) http_core: KeepAlive no longer accepts other than On|Off.
+ [Takashi Sato]
+
+ *) mod_dav: Remove errno from dav_error interface. Calls to dav_new_error()
+ and dav_new_error_tag() must be adjusted to add an apr_status_t parameter.
+ [Jeff Trawick]
+
+ *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
+ try other providers in the case of an LDAP bind failure.
+ PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]
+
+ *) Build: fix --with-module to work as documented
+ PR 43881 [Gez Saunders <gez.saunders virgin.net>]
+
+Changes with Apache 2.3.3
+
+ *) SECURITY: CVE-2009-3095 (cve.mitre.org)
+ mod_proxy_ftp: sanity check authn credentials.
+ [Stefan Fritsch <sf fritsch.de>, Joe Orton]
+
+ *) SECURITY: CVE-2009-3094 (cve.mitre.org)
+ mod_proxy_ftp: NULL pointer dereference on error paths.
+ [Stefan Fritsch <sf fritsch.de>, Joe Orton]
+ *) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
+ OpenSSL 1.0.0b3. [Vipul Gupta <vipul.gupta sun.com>, Sander Temme]
+
+ *) mod_dav: Include uri when logging a PUT error due to connection abort.
+ PR 38149. [Stefan Fritsch]
+
+ *) mod_dav: Return 409 instead of 500 for a LOCK request if the parent
+ resource does not exist or is not a collection. PR 43465. [Stefan Fritsch]
+
+ *) mod_dav_fs: Return 409 instead of 500 for Litmus test case copy_nodestcoll
+ (a COPY request where the parent of the destination resource does not
+ exist). PR 39299. [Stefan Fritsch]
+
+ *) mod_dav_fs: Don't delete the whole file if a PUT with content-range failed.
+ PR 42896. [Stefan Fritsch]
+
+ *) mod_dav_fs: Make PUT create files atomically and no longer destroy the
+ old file if the transfer aborted. PR 39815. [Paul Querna, Stefan Fritsch]
+
+ *) mod_dav_fs: Remove inode keyed locking as this conflicts with atomically
+ creating files. On systems with inode numbers, this is a format change of
+ the DavLockDB. The old DavLockDB must be deleted on upgrade.
+ [Stefan Fritsch]
+
+ *) mod_log_config: Make ${cookie}C correctly match whole cookie names
+ instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
+ Stefan Fritsch]
+
+ *) vhost: A purely-numeric Host: header should not be treated as a port.
+ PR 44979 [Nick Kew]
+
+ *) mod_ldap: Avoid 500 errors with "Unable to set LDAP_OPT_REFHOPLIMIT option to 5"
+ when built against openldap by using SDK LDAP_OPT_REFHOPLIMIT defaults unless
+ LDAPReferralHopLimit is explicitly configured.
+ [Eric Covener]
+
+ *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
+ [Eric Covener]
+
+ *) mod_ssl: Add support for OCSP Stapling. PR 43822.
+ [Dr Stephen Henson <shenson oss-institute.org>]
+
+ *) mod_socache_shmcb: Allow parens in file name if cache size is given.
+ Fixes SSLSessionCache directive mis-parsing parens in pathname.
+ PR 47945. [Stefan Fritsch]
+
+ *) htpasswd: Improve out of disk space handling. PR 30877. [Stefan Fritsch]
+
+ *) htpasswd: Use MD5 hash by default on all platforms. [Stefan Fritsch]
+
+ *) mod_sed: Reduce memory consumption when processing very long lines.
+ PR 48024 [Basant Kumar Kukreja <basant.kukreja sun.com>]
+
+ *) ab: Fix segfault in case the argument for -n is a very large number.
+ PR 47178. [Philipp Hagemeister <oss phihag.de>]
+
+ *) Allow ProxyPreserveHost to work in <Proxy> sections. PR 34901.
+ [Stefan Fritsch]
+
+ *) configure: Fix THREADED_MPMS so that mod_cgid is enabled again
+ for worker MPM. [Takashi Sato]
+
+ *) mod_dav: Provide a mechanism to obtain the request_rec and pathname
+ from the dav_resource. [Jari Urpalainen <jari.urpalainen nokia.com>,
+ Brian France <brian brianfrance.com>]
+
+ *) Build: Use install instead of cp if available on installing
+ modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com]
+
+ *) mod_cache: correctly consider s-maxage in cacheability
+ decisions. [Dan Poirier]
+
+ *) mod_logio/core: Report more accurate byte counts in mod_status if
+ mod_logio is loaded. PR 25656. [Stefan Fritsch]
+
+ *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
+ some cache entries and log a warning. Also increase the default
+ LDAPSharedCacheSize to 500000. This is a more realistic size suitable
+ for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
+ PR 46749. [Stefan Fritsch]
+
+ *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
+ the request is a CONNECT request. [Bill Zajac <billz consultla.com>]
+
+ *) mod_cache: Teach CacheEnable and CacheDisable to work from within a
+ Location section, in line with how ProxyPass works. [Graham Leggett]
+
+ *) mod_reqtimeout: New module to set timeouts and minimum data rates for
+ receiving requests from the client. [Stefan Fritsch]
+
+ *) core: Fix potential memory leaks by making sure to not destroy
+ bucket brigades that have been created by earlier filters.
+ [Stefan Fritsch]
+
+ *) core, mod_deflate, mod_sed: Reduce memory usage by reusing bucket
+ brigades in several places. [Stefan Fritsch]
+
+ *) mod_cache: Fix uri_meets_conditions() so that CacheEnable will
+ match by scheme, or by a wildcarded hostname. PR 40169
+ [Peter Grandi <pg_asf asf.for.sabi.co.uk>, Graham Leggett]
+
+ *) suxec: Allow to log an error if exec fails by setting FD_CLOEXEC
+ on the log file instead of closing it. PR 10744. [Nicolas Rachinsky]
+
+ *) mod_mime: Make RemoveType override the info from TypesConfig.
+ PR 38330. [Stefan Fritsch]
+
+ *) mod_cache: Introduce the option to run the cache from within the
+ normal request handler, and to allow fine grained control over
+ where in the filter chain content is cached. [Graham Leggett]
+
+ *) core: Treat timeout reading request as 408 error, not 400.
+ Log 408 errors in access log as was done in Apache 1.3.x.
+ PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>,
+ Stefan Fritsch <sf fritsch.de>, Dan Poirier]
+
+ *) mod_ssl: Reintroduce SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_SERVER_S_DN,
+ SSL_SERVER_I_DN back to the environment variables to be set by mod_ssl.
+ [Peter Sylvester <peter.sylvester edelweb.fr>]
+
+ *) mod_disk_cache: don't cache incomplete responses, per RFC 2616, 13.8.
+ PR15866. [Dan Poirier]
+
+ *) ab: ab segfaults in verbose mode on https sites
+ PR46393. [Ryan Niebur]
+
+ *) mod_dav: Allow other modules to become providers and add resource types
+ to the DAV response. [Jari Urpalainen <jari.urpalainen nokia.com>,
+ Brian France <brian brianfrance.com>]
+
+ *) mod_dav: Allow other modules to add things to the DAV or Allow headers
+ of an OPTIONS request. [Jari Urpalainen <jari.urpalainen nokia.com>,
+ Brian France <brian brianfrance.com>]
+
+ *) core: Lower memory usage of core output filter.
+ [Stefan Fritsch <sf sfritsch.de>]
+
+ *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
+ LocationMatch sections. PR47754. [Dan Poirier]
+
+ *) mod_request: Make sure the KeptBodySize directive rejects values
+ that aren't valid numbers. [Graham Leggett]
+
+ *) mod_session_crypto: Sanity check should the potentially encrypted
+ session cookie be too short. [Graham Leggett]
+
+ *) mod_session.c: Prevent a segfault when session is added but not
+ configured. [Graham Leggett]
+
+ *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]
+
+ *) mod_auth_digest: Fail server start when nonce count checking
+ is configured without shared memory, or md5-sess algorithm is
+ configured. [Dan Poirier]
+
+ *) mod_proxy_connect: The connect method doesn't work if the client is
+ connecting to the apache proxy through an ssl socket. Fixed.
+ PR29744. [Brad Boyer, Mark Cave-Ayland, Julian Gilbey, Fabrice Durand,
+ David Gence, Tim Dodge, Per Gunnar Hans, Emmanuel Elango,
+ Kevin Croft, Rudolf Cardinal]
+
+ *) mod_ssl: The error message when SSLCertificateFile is missing should
+ at least give the name or position of the problematic virtual host
+ definition. [Stefan Fritsch sf sfritsch.de]
+
+ *) mod_auth_digest: Fix null pointer when qop=none. [Dan Poirier]
+
+ *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
+
+ *) mod_headers: generalise the envclause to support expression
+ evaluation with ap_expr parser [Nick Kew]
+
+ *) mod_cache: Introduce the thundering herd lock, a mechanism to keep
+ the flood of requests at bay that strike a backend webserver as
+ a cached entity goes stale. [Graham Leggett]
+
+ *) mod_auth_digest: Fix usage of shared memory and re-enable it.
+ PR 16057 [Dan Poirier]
+
+ *) Preserve Port information over internal redirects
+ PR 35999 [Jonas Ringh <jonas.ringh cixit.se>]
+
+ *) Proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
+ rather than BAD_GATEWAY or (especially) NOT_FOUND.
+ PR 46971 [evanc nortel.com]
+
+ *) Various modules: Do better checking of pollset operations in order to
+ avoid segmentation faults if they fail. PR 46467
+ [Stefan Fritsch <sf sfritsch.de>]
+
+ *) mod_autoindex: Correctly create an empty cell if the description
+ for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]
+
+ *) ab: Fix broken error messages after resolver or connect() failures.
+ [Jeff Trawick]
+
+ *) SECURITY: CVE-2009-1890 (cve.mitre.org)
+ Fix a potential Denial-of-Service attack against mod_proxy in a
+ reverse proxy configuration, where a remote attacker can force a
+ proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
+
+ *) SECURITY: CVE-2009-1191 (cve.mitre.org)
+ mod_proxy_ajp: Avoid delivering content from a previous request which
+ failed to send a request body. PR 46949 [Ruediger Pluem]
+
+ *) htdbm: Fix possible buffer overflow if dbm database has very
+ long values. PR 30586 [Dan Poirier]
+
+ *) core: Return APR_EOF if request body is shorter than the length announced
+ by the client. PR 33098 [ Stefan Fritsch <sf sfritsch.de>]
+
+ *) mod_suexec: correctly set suexec_enabled when httpd is run by a
+ non-root user and may have insufficient permissions.
+ PR 42175 [Jim Radford <radford blackbean.org>]
+
+ *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
+ type. PR 45107. [Michael Ströder <michael stroeder.com>,
+ Peter Sylvester <peter.sylvester edelweb.fr>]
+
+ *) mod_proxy_http: fix case sensitivity checking transfer encoding
+ PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
+
+ *) mod_alias: ensure Redirect issues a valid URL.
+ PR 44020 [HÃ¥kon Stordahl <hakon stordahl.org>]
+
+ *) mod_dir: add FallbackResource directive, to enable admin to specify
+ an action to happen when a URL maps to no file, without resorting
+ to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew]
+
+ *) mod_cgid: Do not leak the listening Unix socket file descriptor to the
+ CGI process. PR 47335 [Kornél Pál <kornelpal gmail.com>]
+
+ *) mod_rewrite: Remove locking for writing to the rewritelog.
+ PR 46942 [Dan Poirier <poirier pobox.com>]
+
+ *) mod_alias: check sanity in Redirect arguments.
+ PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
+
+ *) mod_proxy_http: fix Host: header for literal IPv6 addresses.
+ PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
+
+ *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
+ defined session identifiers encoded in the URL when caching.
+ [Ruediger Pluem]
+
+ *) mod_rewrite: Fix the error string returned by RewriteRule.
+ RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
+ argument of RewriteRule was not started with "[" or not ended with "]".
+ PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
+
+ *) Windows: Fix usage message.
+ [Rainer Jung]
+
+ *) apachectl: When passing through arguments to httpd in
+ non-SysV mode, use the "$@" syntax to preserve arguments.
+ [Eric Covener]
+
+ *) mod_dbd: add DBDInitSQL directive to enable SQL statements to
+ be run when a connection is opened. PR 46827
+ [Marko Kevac <mkevac gmail.com>]
+
+ *) mod_cgid: Improve handling of long AF_UNIX socket names (ScriptSock).
+ PR 47037. [Jeff Trawick]
+
+ *) mod_proxy_ajp: Check more strictly that the backend follows the AJP
+ protocol. [Mladen Turk]
+
+ *) mod_proxy_ajp: Forward remote port information by default.
+ [Rainer Jung]
+
+ *) Allow MPMs to be loaded dynamically, as with most other modules. Use
+ --enable-mpms-shared={list|"all"} to enable. This required changes to
+ the MPM interfaces. Removed: mpm.h, mpm_default.h (as an installed
+ header), APACHE_MPM_DIR, MPM_NAME, ap_threads_per_child,
+ ap_max_daemons_limit, ap_my_generation, etc. ap_mpm_query() can't be
+ called until after the register-hooks phase. [Jeff Trawick]
+
+ *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
+ to enable stricter checking of remote server certificates.
+ [Ruediger Pluem]
+
+ *) ab: Fix a 100% CPU loop on platforms where a failed non-blocking connect
+ returns EINPROGRESS and a subsequent poll() returns only POLLERR.
+ Observed on HP-UX. [Eric Covener]
+
+ *) Remove broken support for BeOS, TPF, and even older platforms such
+ as A/UX, Next, and Tandem. [Jeff Trawick]
+
+ *) mod_proxy_ftp: Add ProxyFtpListOnWildcard directive to allow files with
+ globbing characters to be retrieved instead of converted into a
+ directory listing. PR 46789 [Dan Poirier <poirier pobox.com>]
+
+ *) Provide ap_retained_data_create()/ap_retained_data_get() for preservation
+ of module state across unload/load. [Jeff Trawick]
+
+ *) mod_substitute: Fix a memory leak. PR 44948
+ [Dan Poirier <poirier pobox.com>]
+
+Changes with Apache 2.3.2
+
+ *) mod_mime_magic: Fix detection of compressed content. [Rainer Jung]
+
+ *) mod_negotiation: Escape pathes of filenames in 406 responses to avoid
+ HTML injections and HTTP response splitting. PR 46837.
+ [Geoff Keating <geoffk apple.com>]
+
+ *) mod_ssl: add support for type-safe STACK constructs in OpenSSL
+ development HEAD. PR 45521. [Kaspar Brand, Sander Temme]
+
+ *) ab: Fix maintenance of the pollset to resolve EALREADY errors
+ with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris).
+ PR 44584. Use APR_POLLSET_NOCOPY for better performance with some
+ pollset implementations. [Jeff Trawick]
+
+ *) mod_disk_cache: The module now turns off sendfile support if
+ 'EnableSendfile off' is defined globally. [Lars Eilebrecht]
+
+ *) mod_deflate: Adjust content metadata before bailing out on 304
+ responses so that the metadata does not differ from 200 response.
+ [Roy T. Fielding]
+
+ *) mod_deflate: Fix creation of invalid Etag headers. We now make sure
+ that the Etag value is properly quoted when adding the gzip marker.
+ PR 39727, 45023. [Lars Eilebrecht, Roy T. Fielding]
+
+ *) Added 20x22 icons for ODF, SVG, and XML documents. PR 37185.
+ [Peter Harlow]
+
+ *) Disabled DefaultType directive and removed ap_default_type()
+ from core. We now exclude Content-Type from responses for which
+ a media type has not been configured via mime.types, AddType,
+ ForceType, or some other mechanism. PR 13986. [Roy T. Fielding]
+
+ *) mod_rewrite: Add IPV6 variable to RewriteCond
+ [Ryan Phillips <ryan-apache trolocsis.com>]
+
+ *) core: Enhance KeepAliveTimeout to support a value in milliseconds.
+ PR 46275. [Takashi Sato]
+
+ *) rotatelogs: Allow size units B, K, M, G and combination of
+ time and size based rotation. [Rainer Jung]
+
+ *) rotatelogs: Add flag for verbose (debug) output. [Rainer Jung]
+
+ *) mod_ssl: Fix merging of SSLRenegBufferSize directive. PR 46508
+ [<tlhackque yahoo.com>]
+
+ *) core: Translate the the status line to ASCII on EBCDIC platforms in
+ ap_send_interim_response() and for locally generated "100 Continue"
+ responses. [Eric Covener]
+
+ *) prefork: Fix child process hang during graceful restart/stop in
+ configurations with multiple listening sockets. PR 42829. [Joe Orton,
+ Jeff Trawick]
+
+ *) mod_session_crypto: Ensure that SessionCryptoDriver can only be
+ set in the global scope. [Graham Leggett]
+
+ *) mod_ext_filter: We need to detect failure to startup the filter
+ program (a mangled response is not acceptable). Fix to detect
+ failure, and offer configuration option either to abort or
+ to remove the filter and continue.
+ PR 41120 [Nick Kew]
+
+ *) mod_session_crypto: Rewrite the session_crypto module against the
+ apr_crypto API. [Graham Leggett]
+
+ *) mod_auth_form: Fix a pool lifetime issue, don't remove the subrequest
+ until the main request is cleaned up. [Graham Leggett]
+
+Changes with Apache 2.3.1
+
+ *) ap_slotmem: Add in new slot-based memory access API impl., including
+ 2 providers (mod_sharedmem and mod_plainmem) [Jim Jagielski,
+ Jean-Frederic Clere, Brian Akins <brian.akins turner.com>]
+
+ *) mod_include: support generating non-ASCII characters as entities in SSI
+ PR 25202 [Nick Kew]
+
+ *) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
+ PR 25202 [Nick Kew]
+
+ *) mod_rewrite: fix "B" flag breakage by reverting r5589343
+ PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]
+
+ *) CGI: return 504 (Gateway timeout) rather than 500 when a script
+ times out before returning status line/headers.
+ PR 42190 [Nick Kew]
+
+ *) mod_cgid: fix segfault problem on solaris.
+ PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>]
+
+ *) mod_proxy_scgi: Added. [André Malo]
+
+ *) mod_cache: Introduce 'no-cache' per-request environment variable
+ to prevent the saving of an otherwise cacheable response.
+ [Eric Covener]
+
+ *) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
+ way that per-directory rewrites append the previous notion of PATH_INFO
+ to each substitution before evaluating subsequent rules.
+ PR 38642 [Eric Covener]
+
+ *) mod_cgid: Do not add an empty argument when calling the CGI script.
+ PR 46380 [Ruediger Pluem]
+
+ *) scoreboard: Remove unused sb_type from process_score.
+ [Torsten Foertsch <torsten.foertsch gmx.net>, Chris Darroch]
+
+ *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the
+ size of the buffer used for the request-body where necessary
+ during a per-dir renegotiation. PR 39243. [Joe Orton]
+
+ *) mod_proxy_fdpass: New module to pass a client connection over to a separate
+ process that is reading from a unix daemon socket.
+
+ *) mod_ssl: Improve environment variable extraction to be more
+ efficient and to correctly handle DNs with duplicate tags.
+ PR 45975. [Joe Orton]
+
+ *) Remove the obsolete serial attribute from the RPM spec file. Compile
+ against the external pcre. Add missing binaries fcgistarter, and
+ mod_socache* and mod_session*. [Graham Leggett]
+
+Changes with Apache 2.3.0
+
+ *) mod_ratelimit: New module to do bandwidth rate limiting. [Paul Querna]
+
+ *) Remove X-Pad header which was added as a work around to a bug in
+ Netscape 2.x to 4.0b2. [Takashi Sato <takashi lans-tv.com>]
+
+ *) Add DTrace Statically Defined Tracing (SDT) probes.
+ [Theo Schlossnagle <jesus omniti.com>, Paul Querna]
+
+ *) mod_proxy_balancer: Move all load balancing implementations
+ as individual, self-contained mod_proxy submodules under
+ modules/proxy/balancers [Jim Jagielski]
+
+ *) Rename APIs to include ap_ prefix:
+ find_child_by_pid -> ap_find_child_by_pid
+ suck_in_APR -> ap_suck_in_APR
+ sys_privileges_handlers -> ap_sys_privileges_handlers
+ unixd_accept -> ap_unixd_accept
+ unixd_config -> ap_unixd_config
+ unixd_killpg -> ap_unixd_killpg
+ unixd_set_global_mutex_perms -> ap_unixd_set_global_mutex_perms
+ unixd_set_proc_mutex_perms -> ap_unixd_set_proc_mutex_perms
+ unixd_set_rlimit -> ap_unixd_set_rlimit
+ [Paul Querna]
+
+ *) mod_lbmethod_heartbeat: New module to load balance mod_proxy workers
+ based on heartbeats. [Paul Querna]
+
+ *) mod_heartmonitor: New module to collect heartbeats, and write out a file
+ so that other modules can load balance traffic as needed. [Paul Querna]
+
+ *) mod_heartbeat: New module to generate multicast heartbeats to know if a
+ server is online. [Paul Querna]
+
+ *) mod_buffer: Honour the flush bucket and flush the buffer in the
+ input filter. Make sure that metadata buckets are written to
+ the buffer, not to the final brigade. [Graham Leggett]
+
+ *) mod_buffer: Optimise the buffering of heap buckets when the heap
+ buckets stay exactly APR_BUCKET_BUFF_SIZE long. [Graham Leggett,
+ Ruediger Pluem]
+
+ *) mod_buffer: Optional support for buffering of the input and output
+ filter stacks. Can collapse many small buckets into fewer larger
+ buckets, and prevents excessively small chunks being sent over
+ the wire. [Graham Leggett]
+
+ *) mod_privileges: new module to make httpd on Solaris privileges-aware
+ and to enable different virtualhosts to run with different
+ privileges and Unix user/group IDs [Nick Kew]
+
+ *) mod_mem_cache: this module has been removed. [William Rowe]
+
+ *) authn/z: Remove mod_authn_default and mod_authz_default.
+ [Chris Darroch]
+
+ *) authz: Fix handling of authz configurations, make default authz
+ logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject,
+ and AuthzMergeRules directives with Match, <Match*>, and AuthzMerge
+ directives. [Chris Darroch]
+
+ *) mod_authn_core: Prevent crash when provider alias created to
+ provider which is not yet registered. [Chris Darroch]
+
+ *) mod_authn_core: Add AuthType of None to support disabling
+ authentication. [Chris Darroch]
+
+ *) core: Allow <Limit> and <LimitExcept> directives to nest, and
+ constrain their use to conform with that of other access control
+ and authorization directives. [Chris Darroch]
+
+ *) unixd: turn existing code into a module, and turn the set user/group
+ and chroot into a child_init function. [Nick Kew]
+
+ *) mod_dir: Support "DirectoryIndex disabled"
+ Suggested By André Warnier <aw ice-sa.com> [Eric Covener]
+
+ *) mod_ssl: Send Content-Type application/ocsp-request for POST requests to
+ OSCP responders. PR 46014 [Dr Stephen Henson <steve openssl.org>]
+
+ *) mod_authnz_ldap: don't return NULL-valued environment variables to
+ other modules. PR 39045 [Francois Pesce <francois.pesce gmail.com>]
+
+ *) Don't adjust case in pathname components that are not of interest
+ to mod_mime. Fixes mod_negotiation's use of such components.
+ PR 43250 [Basant Kumar Kukreja <basant.kukreja sun.com>]
+
+ *) Be tolerant in what you accept - accept slightly broken
+ status lines from a backend provided they include a valid status code.
+ PR 44995 [Rainer Jung <rainer.jung kippdata.de>]
+
+ *) New module mod_sed: filter Request/Response bodies through sed
+ [Basant Kumar Kukreja <basant.kukreja sun.com>]
+
+ *) mod_auth_form: Make sure that basic authentication is correctly
+ faked directly after login. [Graham Leggett]
+
+ *) mod_session_cookie, mod_session_dbd: Make sure cookies are set both
+ within the output headers and error output headers, so that the
+ session is maintained across redirects. [Graham Leggett]
+
+ *) mod_auth_form: Make sure the logged in user is populated correctly
+ after a form login. Fixes a missing REMOTE_USER variable directly
+ following a login. [Graham Leggett]
+
+ *) mod_session_cookie: Make sure that cookie attributes are correctly
+ included in the blank cookie when cookies are removed. This fixes an
+ inability to log out when using mod_auth_form. [Graham Leggett]
+
+ *) mod_session: Prevent a segfault when a CGI script sets a cookie with a
+ null value. [David Shane Holden <dpejesh apache.org>]
+
+ *) core, authn/z: Determine registered authn/z providers directly in
+ ap_setup_auth_internal(), which allows optional functions that just
+ wrapped ap_list_provider_names() to be removed from authn/z modules.
+ [Chris Darroch]
+
+ *) authn/z: Convert common provider version strings to macros.
+ [Chris Darroch]
+
+ *) core: When testing for slash-terminated configuration paths in
+ ap_location_walk(), don't look past the start of an empty string
+ such as that created by a <Location ""> directive.
+ [Chris Darroch]
+
+ *) core, mod_proxy: If a kept_body is present, it becomes safe for
+ subrequests to support message bodies. Make sure that safety
+ checks within the core and within the proxy are not triggered
+ when kept_body is present. This makes it possible to embed
+ proxied POST requests within mod_include. [Graham Leggett]
+
+ *) mod_auth_form: Make sure the input filter stack is properly set
+ up before reading the login form. Make sure the kept body filter
+ is correctly inserted to ensure the body can be read a second
+ time safely should the authn be successful. [Graham Leggett,
+ Ruediger Pluem]
+
+ *) mod_request: Insert the KEPT_BODY filter via the insert_filter
+ hook instead of during fixups. Add a safety check to ensure the
+ filters cannot be inserted more than once. [Graham Leggett,
+ Ruediger Pluem]
+
+ *) ap_cache_cacheable_headers_out() will (now) always
+ merge an error headers _before_ clearing them and _before_
+ merging in the actual entity headers and doing normal
+ hop-by-hop cleansing. [Dirk-Willem van Gulik].
+
+ *) cache: retire ap_cache_cacheable_hdrs_out() which was used
+ for both in- and out-put headers; and replace it by a single
+ ap_cache_cacheable_headers() wrapped in a in- and out-put
+ specific ap_cache_cacheable_headers_in()/out(). The latter
+ which will also merge error and ensure content-type. To keep
+ cache modules consistent with ease. This API change bumps
+ up the minor MM by one [Dirk-Willem van Gulik].
+
+ *) Move the KeptBodySize directive, kept_body filters and the
+ ap_parse_request_body function out of the http module and into a
+ new module called mod_request, reducing the size of the core.
+ [Graham Leggett]
+
+ *) mod_dbd: Handle integer configuration directive parameters with a
+ dedicated function.
+
+ *) Change the directives within the mod_session* modules to be valid
+ both inside and outside the location/directory sections, as
+ suggested by wrowe. [Graham Leggett]
+
+ *) mod_auth_form: Add a module capable of allowing end users to log
+ in using an HTML form, storing the credentials within mod_session.
+ [Graham Leggett]
+
+ *) Add a function to the http filters that is able to parse an HTML
+ form request with the type of application/x-www-form-urlencoded.
+ [Graham Leggett]
+
+ *) mod_session_crypto: Initialise SSL in the post config hook.
+ [Ruediger Pluem, Graham Leggett]
+
+ *) mod_session_dbd: Add a session implementation capable of storing
+ session information in a SQL database via the dbd interface. Useful
+ for sites where session privacy is important. [Graham Leggett]
+
+ *) mod_session_crypto: Add a session encoding implementation capable
+ of encrypting and decrypting sessions wherever they may be stored.
+ Introduces a level of privacy when sessions are stored on the
+ browser. [Graham Leggett]
+
+ *) mod_session_cookie: Add a session implementation capable of storing
+ session information within cookies on the browser. Useful for high
+ volume sites where server bound sessions are too resource intensive.
+ [Graham Leggett]
+
+ *) mod_session: Add a generic session interface to unify the different
+ attempts at saving persistent sessions across requests.
+ [Graham Leggett]
+
+ *) core, authn/z: Avoid calling access control hooks for internal requests
+ with configurations which match those of initial request. Revert to
+ original behaviour (call access control hooks for internal requests
+ with URIs different from initial request) if any access control hooks or
+ providers are not registered as permitting this optimization.
+ Introduce wrappers for access control hook and provider registration
+ which can accept additional mode and flag data. [Chris Darroch]
+
+ *) Introduced ap_expr API for expression evaluation.
+ This is adapted from mod_include, which is the first module
+ to use the new API.
+ [Nick Kew]
+
+ *) mod_authz_dbd: When redirecting after successful login/logout per
+ AuthzDBDRedirectQuery, do not report authorization failure, and use
+ first row returned by database query instead of last row.
+ [Chris Darroch]
+
+ *) mod_ldap: Correctly return all requested attribute values
+ when some attributes have a null value.
+ PR 44560 [Anders Kaseorg <anders kaseorg.com>]
+
+ *) core: check symlink ownership if both FollowSymlinks and
+ SymlinksIfOwnerMatch are set [Nick Kew]
+
+ *) core: fix origin checking in SymlinksIfOwnerMatch
+ PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>]
+
+ *) Activate mod_cache, mod_file_cache and mod_disk_cache as part of the
+ 'most' set for '--enable-modules' and '--enable-shared-mods'. Include
+ mod_mem_cache in 'all' as well. [Dirk-Willem van Gulik]
+
+ *) Also install mod_so.h, mod_rewrite.h and mod_cache.h; as these
+ contain public function declarations which are useful for
+ third party module authors. PR 42431 [Dirk-Willem van Gulik].
+
+ *) mod_dir, mod_negotiation: pass the output filter information
+ to newly created sub requests; as these are later on used
+ as true requests with an internal redirect. This allows for
+ mod_cache et.al. to trap the results of the redirect.
+ [Dirk-Willem van Gulik, Ruediger Pluem]
+
+ *) mod_ldap: Add support (taking advantage of the new APR capability)
+ for ldap rebind callback while chasing referrals. This allows direct
+ searches on LDAP servers (in particular MS Active Directory 2003+)
+ using referrals without the use of the global catalog.
+ PRs 26538, 40268, and 42557 [Paul J. Reder]
+
+ *) ApacheMonitor.exe: Introduce --kill argument for use by the
+ installer. This will permit the installation tool to remove
+ all running instances before attempting to remove the .exe.
+ [William Rowe]
+
+ *) mod_ssl: Add support for OCSP validation of client certificates.
+ PR 41123. [Marc Stern <marc.stern approach.be>, Joe Orton]
+
+ *) mod_serf: New module for Reverse Proxying. [Paul Querna]
+
+ *) core: Add the option to keep aside a request body up to a certain
+ size that would otherwise be discarded, to be consumed by filters
+ such as mod_include. When enabled for a directory, POST requests
+ to shtml files can be passed through to embedded scripts as POST
+ requests, rather being downgraded to GET requests. [Graham Leggett]
+
+ *) mod_ssl: Fix TLS upgrade (RFC 2817) support. PR 41231. [Joe Orton]
+
+ *) scoreboard: Correctly declare ap_time_process_request.
+ PR 43789 [Tom Donovan <Tom.Donovan acm.org>]
+
+ *) core; scoreboard: ap_get_scoreboard_worker(sbh) now takes the sbh member
+ from the connection rec, ap_get_scoreboard_worker(proc, thread) will now
+ provide the unusual legacy lookup. [William Rowe]
+
+ *) mpm winnt: fix null pointer dereference
+ PR 42572 [Davi Arnaut]
+
+ *) mod_authnz_ldap, mod_authn_dbd: Tidy up the code to expose authn
+ parameters to the environment. Improve portability to
+ EBCDIC machines by using apr_toupper(). [Martin Kraemer]
+
+ *) mod_ldap, mod_authnz_ldap: Add support for nested groups (i.e. the ability
+ to authorize an authenticated user via a "require ldap-group X" directive
+ where the user is not in group X, but is in a subgroup contained in X.
+ PR 42891 [Paul J. Reder]
+
+ *) mod_ssl: Add support for caching SSL Sessions in memcached. [Paul Querna]
+
+ *) apxs: Enhance -q flag to print all known variables and their values
+ when invoked without variable name(s).
+ [William Rowe, Sander Temme]
+
+ *) apxs: Eliminate run-time check for mod_so. PR 40653.
+ [David M. Lee <dmlee crossroads.com>]
+
+ *) beos MPM: Create pmain pool and run modules' child_init hooks when
+ entering ap_mpm_run(), then destroy pmain when exiting ap_mpm_run().
+ [Chris Darroch]
+
+ *) netware MPM: Destroy pmain pool when exiting ap_mpm_run() so that
+ cleanups registered in modules' child_init hooks are performed.
+ [Chris Darroch]
+
+ *) Fix issue which could cause error messages to be written to access logs
+ on Win32. PR 40476. [Tom Donovan <Tom.Donovan acm.org>]
+
+ *) The LockFile directive, which specifies the location of
+ the accept() mutex lockfile, is deprecated. Instead, the
+ AcceptMutex directive now takes an optional lockfile
+ location parameter, ala SSLMutex. [Jim Jagielski]
+
+ *) mod_authn_dbd: Export any additional columns queried in the SQL select
+ into the environment with the name AUTHENTICATE_<COLUMN>. This brings
+ mod_authn_dbd behaviour in line with mod_authnz_ldap. [Graham Leggett]
+
+ *) mod_dbd: Key the storage of prepared statements on the hex string
+ value of server_rec, rather than the server name, as the server name
+ may change (eg when the server name is set) at any time, causing
+ weird behaviour in modules dependent on mod_dbd. [Graham Leggett]
+
+ *) mod_proxy_fcgi: Added win32 build. [Mladen Turk]
+
+ *) sendfile_nonblocking() takes the _brigade_ as an argument, gets
+ the first bucket from the brigade, finds it not to be a FILE
+ bucket and barfs. The fix is to pass a bucket rather than a brigade.
+ [Niklas Edmundsson <nikke acc.umu.se>]
+
+ *) mod_rewrite: support rewritemap by SQL query [Nick Kew]
+
+ *) ap_get_server_version() has been removed. Third-party modules must
+ now use ap_get_server_banner() or ap_get_server_description().
+ [Jeff Trawick]
+
+ *) All MPMs: Introduce a check_config phase between pre_config and
+ open_logs, to allow modules to review interdependent configuration
+ directive values and adjust them while messages can still be logged
+ to the console. Handle relevant MPM directives during this phase
+ and format messages for both the console and the error log, as
+ appropriate. [Chris Darroch]
+
+ *) core: Do not allow internal redirects like the DirectoryIndex of mod_dir
+ to circumvent the symbolic link checks imposed by FollowSymLinks and
+ SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem, William Rowe]
+
+ *) New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ]
+ configures the I/O Dump of SSL traffic, when LogLevel is set to Debug.
+ The default is none as this is far greater debugging resolution than
+ the typical administrator is prepared to untangle. [William Rowe]
+
+ *) mod_disk_cache: If possible, check if the size of an object to cache is
+ within the configured boundaries before actually saving data.
+ [Niklas Edmundsson <nikke acc.umu.se>]
+
+ *) Worker and event MPMs: Remove improper scoreboard updates which were
+ performed in the event of a fork() failure. [Chris Darroch]
+
+ *) Add support for fcgi:// proxies to mod_rewrite.
+ [Markus Schiegl <ms schiegl.com>]
+
+ *) Remove incorrect comments from scoreboard.h regarding conditional
+ loading of worker_score structure with mod_status, and remove unused
+ definitions relating to old life_status field.
+ [Chris Darroch <chrisd pearsoncmg.com>]
+
+ *) Remove allocation of memory for unused array of lb_score pointers
+ in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>]
+
+ *) Add mod_proxy_fcgi, a FastCGI back end for mod_proxy.
+ [Garrett Rooney, Jim Jagielski, Paul Querna]
+
+ *) Event MPM: Fill in the scoreboard's tid field. PR 38736.
+ [Chris Darroch <chrisd pearsoncmg.com>]
+
+ *) mod_charset_lite: Remove Content-Length when output filter can
+ invalidate it. Warn when input filter can invalidate it.
+ [Jeff Trawick]
+
+ *) Authz: Add the new module mod_authn_core that will provide common
+ authn directives such as 'AuthType', 'AuthName'. Move the directives
+ 'AuthType' and 'AuthName' out of the core module and merge mod_authz_alias
+ into mod_authn_core. [Brad Nicholes]
+
+ *) Authz: Move the directives 'Order', 'Allow', 'Deny' and 'Satisfy'
+ into the new module mod_access_compat which can be loaded to provide
+ support for these directives.
+ [Brad Nicholes]
+
+ *) Authz: Move the 'Require' directive from the core module as well as
+ add the directives '<SatisfyAll>', '<SatisfyOne>', '<RequireAlias>'
+ and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
+ logic into the authorization processing. [Brad Nicholes]
+
+ *) Authz: Add the new module mod_authz_core which acts as the
+ authorization provider vector and contains common authz
+ directives. [Brad Nicholes]
+
+ *) Authz: Renamed mod_authz_dbm authz providers from 'group' and
+ 'file-group' to 'dbm-group' and 'dbm-file-group'. [Brad Nicholes]
+
+ *) Authz: Added the new authz providers 'env', 'ip', 'host', 'all' to handle
+ host-based access control provided by mod_authz_host and invoked
+ through the 'Require' directive. [Brad Nicholes]
+
+ *) Authz: Convert all of the authz modules from hook based to
+ provider based. [Brad Nicholes]
+
+ *) mod_cache: Add CacheMinExpire directive to set the minimum time in
+ seconds to cache a document.
+ [Brian Akins <brian.akins turner.com>, Ruediger Pluem]
+
+ *) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]
+
+ *) Fix typo in ProxyStatus syntax error message.
+ [Christophe Jaillet <christophe.jaillet wanadoo.fr>]
+
+ *) Asynchronous write completion for the Event MPM. [Brian Pane]
+
+ *) Added an End-Of-Request bucket type. The logging of a request and
+ the freeing of its pool are now done when the EOR bucket is destroyed.
+ This has the effect of delaying the logging until right after the last
+ of the response is sent; ap_core_output_filter() calls the access logger
+ indirectly when it destroys the EOR bucket. [Brian Pane]
+
+ *) Rewrite of logresolve support utility: IPv6 addresses are now supported
+ and the format of statistical output has changed. [Colm MacCarthaigh]
+
+ *) Rewrite of ap_coreoutput_filter to do nonblocking writes [Brian Pane]
+
+ *) Added new connection states for handler and write completion
+ [Brian Pane]
+
+ *) mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264.
+ [Justin Erenkrantz]
+
+ *) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive,
+ allowing string-valued client certificate attributes to be used for
+ access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1")
+ [Martin Kraemer, David Reid]
+
+ [Apache 2.3.0-dev includes those bug fixes and changes with the
+ Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
+
+Changes with Apache 1.3.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/CHANGES?view=markup
+
+
Added: dev/httpd/CHANGES_2.3.7
==============================================================================
--- dev/httpd/CHANGES_2.3.7 (added)
+++ dev/httpd/CHANGES_2.3.7 Thu Aug 19 13:16:53 2010
@@ -0,0 +1,81 @@
+ -*- coding: utf-8 -*-
+
+Changes with Apache 2.3.7
+
+ *) SECURITY: CVE-2010-1452 (cve.mitre.org)
+ mod_dav, mod_cache, mod_session: Fix Handling of requests without a path
+ segment. PR: 49246 [Mark Drayton, Jeff Trawick]
+
+ *) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076.
+ [Stefan Fritsch]
+
+ *) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639.
+ [Stefan Fritsch]
+
+ *) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers
+ via leveraging 100-Continue as the initial "request".
+ [Jim Jagielski]
+
+ *) core/mod_authz_core: Introduce new access_checker_ex hook that enables
+ mod_authz_core to bypass authentication if access should be allowed by
+ IP address/env var/... [Stefan Fritsch]
+
+ *) core: Introduce note_auth_failure hook to allow modules to add support
+ for additional auth types. This makes ap_note_auth_failure() work with
+ mod_auth_digest again. PR 48807. [Stefan Fritsch]
+
+ *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]
+
+ *) mod_authn_cache: new module [Nick Kew]
+
+ *) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]
+
+ *) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]
+
+ *) mod_rewrite: Allow to set environment variables without explicitly
+ giving a value. [Rainer Jung]
+
+ *) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung]
+
+ *) mod_include: recognise "text/html; parameters" as text/html
+ PR 49616 [Andrey Chernov <ache nagual.pp.ru>]
+
+ *) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH
+ PR 43906 [Nick Kew]
+
+ *) Core: Extra robustness: don't try authz and segfault if authn
+ fails to set r->user. Log bug and return 500 instead.
+ PR 42995 [Nick Kew]
+
+ *) HTTP protocol filter: fix handling of longer chunk extensions
+ PR 49474 [<tee.bee gmx.de>]
+
+ *) Update SSL cipher suite and add example for SSLHonorCipherOrder.
+ [Lars Eilebrecht, Rainer Jung]
+
+ *) move AddOutputFilterByType from core to mod_filter. This should
+ fix nasty side-effects that happen when content_type is set
+ more than once in processing a request, and make it fully
+ compatible with dynamic and proxied contents. [Nick Kew]
+
+ *) mod_log_config: Implement logging for sub second timestamps and
+ request end time. [Rainer Jung]
+
+
+
+ [Apache 2.3.0-dev includes those bug fixes and changes with the
+ Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
+
+Changes with Apache 1.3.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/CHANGES?view=markup
+
+
Added: dev/httpd/httpd-2.3.7-deps.tar.bz2
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.3.7-deps.tar.bz2
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added: dev/httpd/httpd-2.3.7-deps.tar.bz2.asc
==============================================================================
--- dev/httpd/httpd-2.3.7-deps.tar.bz2.asc (added)
+++ dev/httpd/httpd-2.3.7-deps.tar.bz2.asc Thu Aug 19 13:16:53 2010
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (Darwin)
+
+iD8DBQBMbSk8izpgHwjJdeURAsd9AKD6YVakk+0D/s8wMBCcuft3lpiiXACfYeJq
+GZWJoYkxCmXoKU8Cp5gO0ME=
+=TPMU
+-----END PGP SIGNATURE-----
Added: dev/httpd/httpd-2.3.7-deps.tar.bz2.md5
==============================================================================
--- dev/httpd/httpd-2.3.7-deps.tar.bz2.md5 (added)
+++ dev/httpd/httpd-2.3.7-deps.tar.bz2.md5 Thu Aug 19 13:16:53 2010
@@ -0,0 +1 @@
+7dfdd9ae466bfd8738678a84a90c9ae7 *httpd-2.3.7-deps.tar.bz2
Added: dev/httpd/httpd-2.3.7-deps.tar.bz2.sha1
==============================================================================
--- dev/httpd/httpd-2.3.7-deps.tar.bz2.sha1 (added)
+++ dev/httpd/httpd-2.3.7-deps.tar.bz2.sha1 Thu Aug 19 13:16:53 2010
@@ -0,0 +1 @@
+e819d8aead1c76b64016bd61a49643412c13d21a *httpd-2.3.7-deps.tar.bz2
Added: dev/httpd/httpd-2.3.7-deps.tar.gz
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.3.7-deps.tar.gz
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added: dev/httpd/httpd-2.3.7-deps.tar.gz.asc
==============================================================================
--- dev/httpd/httpd-2.3.7-deps.tar.gz.asc (added)
+++ dev/httpd/httpd-2.3.7-deps.tar.gz.asc Thu Aug 19 13:16:53 2010
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (Darwin)
+
+iD8DBQBMbSkzizpgHwjJdeURAsk8AKCjcBRZ5vedoLT8FXMnApj5PNmingCfTcw5
+IObFeuKs6qui2IczT66x4GU=
+=mTm+
+-----END PGP SIGNATURE-----
Added: dev/httpd/httpd-2.3.7-deps.tar.gz.md5
==============================================================================
--- dev/httpd/httpd-2.3.7-deps.tar.gz.md5 (added)
+++ dev/httpd/httpd-2.3.7-deps.tar.gz.md5 Thu Aug 19 13:16:53 2010
@@ -0,0 +1 @@
+af290fcc0d03de0725f652bb09c1df02 *httpd-2.3.7-deps.tar.gz
Added: dev/httpd/httpd-2.3.7-deps.tar.gz.sha1
==============================================================================
--- dev/httpd/httpd-2.3.7-deps.tar.gz.sha1 (added)
+++ dev/httpd/httpd-2.3.7-deps.tar.gz.sha1 Thu Aug 19 13:16:53 2010
@@ -0,0 +1 @@
+f6e4d4801fa04267855a38995cb9ffb825ce7fe2 *httpd-2.3.7-deps.tar.gz
Added: dev/httpd/httpd-2.3.7.tar.bz2
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.3.7.tar.bz2
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added: dev/httpd/httpd-2.3.7.tar.bz2.asc
==============================================================================
--- dev/httpd/httpd-2.3.7.tar.bz2.asc (added)
+++ dev/httpd/httpd-2.3.7.tar.bz2.asc Thu Aug 19 13:16:53 2010
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (Darwin)
+
+iD8DBQBMbSkjizpgHwjJdeURAsjKAKCq7bJo2mwECyMFEWF2+Ua7XVQotwCgicaj
+2nd9CQOtbJfym+D4RO6FF50=
+=S2ze
+-----END PGP SIGNATURE-----
Added: dev/httpd/httpd-2.3.7.tar.bz2.md5
==============================================================================
--- dev/httpd/httpd-2.3.7.tar.bz2.md5 (added)
+++ dev/httpd/httpd-2.3.7.tar.bz2.md5 Thu Aug 19 13:16:53 2010
@@ -0,0 +1 @@
+4853a5af8934f952fbcd118f6188a210 *httpd-2.3.7.tar.bz2
Added: dev/httpd/httpd-2.3.7.tar.bz2.sha1
==============================================================================
--- dev/httpd/httpd-2.3.7.tar.bz2.sha1 (added)
+++ dev/httpd/httpd-2.3.7.tar.bz2.sha1 Thu Aug 19 13:16:53 2010
@@ -0,0 +1 @@
+340ec6ca35b65d0f73c0b92d17076d16fc6039a2 *httpd-2.3.7.tar.bz2
Added: dev/httpd/httpd-2.3.7.tar.gz
==============================================================================
Binary file - no diff available.
Propchange: dev/httpd/httpd-2.3.7.tar.gz
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added: dev/httpd/httpd-2.3.7.tar.gz.asc
==============================================================================
--- dev/httpd/httpd-2.3.7.tar.gz.asc (added)
+++ dev/httpd/httpd-2.3.7.tar.gz.asc Thu Aug 19 13:16:53 2010
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (Darwin)
+
+iD8DBQBMbSj9izpgHwjJdeURArThAJsGj+C4JggzWdoyhdpfex3MjQs0AACePrxv
+LUp5XBQQAfS4RDk2pYrl4/c=
+=ctA1
+-----END PGP SIGNATURE-----
Added: dev/httpd/httpd-2.3.7.tar.gz.md5
==============================================================================
--- dev/httpd/httpd-2.3.7.tar.gz.md5 (added)
+++ dev/httpd/httpd-2.3.7.tar.gz.md5 Thu Aug 19 13:16:53 2010
@@ -0,0 +1 @@
+beae5f31c9523771591e79b8a896be35 *httpd-2.3.7.tar.gz
Added: dev/httpd/httpd-2.3.7.tar.gz.sha1
==============================================================================
--- dev/httpd/httpd-2.3.7.tar.gz.sha1 (added)
+++ dev/httpd/httpd-2.3.7.tar.gz.sha1 Thu Aug 19 13:16:53 2010
@@ -0,0 +1 @@
+c89e2c46b1b1cb11f01a56a25a2b438cd83009dd *httpd-2.3.7.tar.gz