Posted to cvs@httpd.apache.org by wr...@apache.org on 2013/02/25 20:10:55 UTC
svn commit: r1487 - /dev/httpd/ /release/httpd/
Author: wrowe
Date: Mon Feb 25 19:10:51 2013
New Revision: 1487
Log:
Moved to dist/httpd for proxy replication
Added:
release/httpd/CHANGES_2.2.24
- copied unchanged from r1486, dev/httpd/CHANGES_2.2.24
release/httpd/httpd-2.2.24.tar.bz2
- copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.bz2
release/httpd/httpd-2.2.24.tar.bz2.asc
- copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.bz2.asc
release/httpd/httpd-2.2.24.tar.bz2.md5
- copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.bz2.md5
release/httpd/httpd-2.2.24.tar.bz2.sha1
- copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.bz2.sha1
release/httpd/httpd-2.2.24.tar.gz
- copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.gz
release/httpd/httpd-2.2.24.tar.gz.asc
- copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.gz.asc
release/httpd/httpd-2.2.24.tar.gz.md5
- copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.gz.md5
release/httpd/httpd-2.2.24.tar.gz.sha1
- copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.gz.sha1
Removed:
dev/httpd/CHANGES_2.2.24
dev/httpd/httpd-2.2.24.tar.bz2
dev/httpd/httpd-2.2.24.tar.bz2.asc
dev/httpd/httpd-2.2.24.tar.bz2.md5
dev/httpd/httpd-2.2.24.tar.bz2.sha1
dev/httpd/httpd-2.2.24.tar.gz
dev/httpd/httpd-2.2.24.tar.gz.asc
dev/httpd/httpd-2.2.24.tar.gz.md5
dev/httpd/httpd-2.2.24.tar.gz.sha1
Modified:
release/httpd/CHANGES_2.2
Modified: release/httpd/CHANGES_2.2
==============================================================================
--- release/httpd/CHANGES_2.2 (original)
+++ release/httpd/CHANGES_2.2 Mon Feb 25 19:10:51 2013
@@ -1,4 +1,59 @@
-*- coding: utf-8 -*-
+Changes with Apache 2.2.24
+
+ *) SECURITY: CVE-2012-3499 (cve.mitre.org)
+ Various XSS flaws due to unescaped hostnames and URIs HTML output in
+ mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
+ [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
+
+ *) SECURITY: CVE-2012-4558 (cve.mitre.org)
+ XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
+ Niels Heinen <heinenn google com>]
+
+ *) mod_rewrite: Stop merging RewriteBase down to subdirectories
+ unless new option 'RewriteOptions MergeBase' is configured.
+ Merging RewriteBase was unconditionally turned on in 2.2.23.
+ PR 53963. [Eric Covener]
+
+ *) mod_ssl: Send the error message for speaking http to an https port using
+ HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
+ using SNI. PR 50823. [Stefan Fritsch]
+
+ *) mod_ssl: log revoked certificates at level INFO
+ instead of DEBUG. PR 52162. [Stefan Fritsch]
+
+ *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
+ [Rainer Jung]
+
+ *) mod_dir: Add support for the value 'disabled' in FallbackResource.
+ [Vincent Deffontaines]
+
+ *) mod_ldap: Fix regression in handling "server unavailable" errors on
+ Windows. PR 54140. [Eric Covener]
+
+ *) mod_ssl: fix a regression with the string rendering of the "UID" RDN
+ introduced in 2.2.15. PR 54510. [Kaspar Brand]
+
+ *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
+ to more accurately report the negotiated protocol. PR 53916.
+ [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
+
+ *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
+ Response if they so choose to do so. Previously an attempt to cache a 206
+ was arbitrarily allowed if the response contained an Expires or
+ Cache-Control header, and arbitrarily denied if both headers were missing.
+ Currently the disk and memory cache providers do not cache 206 Partial
+ Responses. [Graham Leggett]
+
+ *) core: Remove unintentional APR 1.3 dependency introduced with
+ Apache 2.2.22. [Eric Covener]
+
+ *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
+ the chosen listener is configured for https. [Joe Orton]
+
+ *) mod_ssl: Add new directive SSLCompression to disable TLS-level
+ compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
+
Changes with Apache 2.2.23
*) SECURITY: CVE-2012-0883 (cve.mitre.org)
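Review bot: the SSLCompression entry at the end of the new 2.2.24 block says the directive exists "to disable TLS-level compression" but states neither the default nor whether compression stays enabled after an upgrade, and it carries no SECURITY tag, so an operator scanning the block for hardening changes cannot tell whether action is needed; adding the default value to the entry would settle that. Separately, the CVE-2012-3499 entry reads "unescaped hostnames and URIs HTML output", which is missing a preposition; "unescaped hostnames and URIs in HTML output" would parse.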
@@ -115,7 +170,8 @@
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]
- *) mod_proxy_ajp: Try to prevent a single long request from marking a worker
+ *) SECURITY: CVE-2012-4557 (cve.mitre.org)
+ mod_proxy_ajp: Try to prevent a single long request from marking a worker
in error. [Jean-Frederic Clere]
*) config: Update the default mod_ssl configuration: Disable SSLv2, only
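Review bot: the SECURITY tag for CVE-2012-4557 is attached to an existing mod_proxy_ajp entry in an older section (old line 115), and nothing in the new "Changes with Apache 2.2.24" block points to it, so a reader who checks only the latest release notes will not learn that this CVE was assigned. The entry text "Try to prevent a single long request from marking a worker in error" also does not state the impact; one clause saying what a worker marked in error means for clients would make the SECURITY label self-explanatory.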
@@ -621,6 +677,9 @@
different security issues which may affect particular configurations
and third-party modules.
+ *) mod_headers: Make 'Header set Content-Type' effective on responses
+ that already have a Content-Type. [Issac Goldstand]
+
*) mod_include: fix potential segfault when handling back references
on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
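Review bot: the added mod_headers entry has no PR reference and sits at old line 621, far below the 2.2.24 block, so the hunk alone does not show which release changed the behaviour. Because 'Header set Content-Type' becomes effective on responses that already have a Content-Type, existing configurations using that directive may start relabelling content sent to clients; naming the release and spelling out that behaviour change in the entry would help operators auditing an upgrade.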