Posted to cvs@httpd.apache.org by wr...@apache.org on 2013/02/25 20:10:55 UTC

svn commit: r1487 - /dev/httpd/ /release/httpd/

Author: wrowe
Date: Mon Feb 25 19:10:51 2013
New Revision: 1487

Log:
Moved to dist/httpd for proxy replication

Added:
    release/httpd/CHANGES_2.2.24
      - copied unchanged from r1486, dev/httpd/CHANGES_2.2.24
    release/httpd/httpd-2.2.24.tar.bz2
      - copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.bz2
    release/httpd/httpd-2.2.24.tar.bz2.asc
      - copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.bz2.asc
    release/httpd/httpd-2.2.24.tar.bz2.md5
      - copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.bz2.md5
    release/httpd/httpd-2.2.24.tar.bz2.sha1
      - copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.bz2.sha1
    release/httpd/httpd-2.2.24.tar.gz
      - copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.gz
    release/httpd/httpd-2.2.24.tar.gz.asc
      - copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.gz.asc
    release/httpd/httpd-2.2.24.tar.gz.md5
      - copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.gz.md5
    release/httpd/httpd-2.2.24.tar.gz.sha1
      - copied unchanged from r1486, dev/httpd/httpd-2.2.24.tar.gz.sha1
Removed:
    dev/httpd/CHANGES_2.2.24
    dev/httpd/httpd-2.2.24.tar.bz2
    dev/httpd/httpd-2.2.24.tar.bz2.asc
    dev/httpd/httpd-2.2.24.tar.bz2.md5
    dev/httpd/httpd-2.2.24.tar.bz2.sha1
    dev/httpd/httpd-2.2.24.tar.gz
    dev/httpd/httpd-2.2.24.tar.gz.asc
    dev/httpd/httpd-2.2.24.tar.gz.md5
    dev/httpd/httpd-2.2.24.tar.gz.sha1
Modified:
    release/httpd/CHANGES_2.2

Modified: release/httpd/CHANGES_2.2
==============================================================================
--- release/httpd/CHANGES_2.2 (original)
+++ release/httpd/CHANGES_2.2 Mon Feb 25 19:10:51 2013
@@ -1,4 +1,59 @@
                                                          -*- coding: utf-8 -*-
+Changes with Apache 2.2.24
+
+  *) SECURITY: CVE-2012-3499 (cve.mitre.org)
+     Various XSS flaws due to unescaped hostnames and URIs HTML output in
+     mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
+     [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
+
+  *) SECURITY: CVE-2012-4558 (cve.mitre.org)
+     XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
+     Niels Heinen <heinenn google com>]
+
+  *) mod_rewrite: Stop merging RewriteBase down to subdirectories
+     unless new option 'RewriteOptions MergeBase' is configured.
+     Merging RewriteBase was unconditionally turned on in 2.2.23.
+     PR 53963. [Eric Covener]
+
+  *) mod_ssl: Send the error message for speaking http to an https port using
+     HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
+     using SNI. PR 50823. [Stefan Fritsch]
+
+  *) mod_ssl: log revoked certificates at level INFO
+     instead of DEBUG. PR 52162. [Stefan Fritsch]
+
+  *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
+     [Rainer Jung]
+
+  *) mod_dir: Add support for the value 'disabled' in FallbackResource.
+     [Vincent Deffontaines]
+
+  *) mod_ldap: Fix regression in handling "server unavailable" errors on
+     Windows.  PR 54140.  [Eric Covener]
+
+  *) mod_ssl: fix a regression with the string rendering of the "UID" RDN
+     introduced in 2.2.15. PR 54510. [Kaspar Brand]
+     
+  *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
+     to more accurately report the negotiated protocol. PR 53916.
+     [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
+
+  *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
+     Response if they so choose to do so. Previously an attempt to cache a 206
+     was arbitrarily allowed if the response contained an Expires or
+     Cache-Control header, and arbitrarily denied if both headers were missing.
+     Currently the disk and memory cache providers do not cache 206 Partial
+     Responses. [Graham Leggett]
+
+  *) core: Remove unintentional APR 1.3 dependency introduced with
+     Apache 2.2.22. [Eric Covener]
+
+  *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
+     the chosen listener is configured for https. [Joe Orton]
+
+  *) mod_ssl: Add new directive SSLCompression to disable TLS-level
+     compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
+
 Changes with Apache 2.2.23
 
   *) SECURITY: CVE-2012-0883 (cve.mitre.org)
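Review bot: The CVE-2012-3499 entry reads "unescaped hostnames and URIs HTML output", which is missing a preposition; "unescaped hostnames and URIs in HTML output" states the flaw clearly. The SSLCompression entry says the directive exists "to disable TLS-level compression" but does not state its default, so a reader cannot tell from this text whether upgrading changes behaviour or whether the directive has to be set explicitly; one clause naming the default would settle it. The separator line after the mod_ssl "UID" RDN entry also carries trailing whitespace.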
@@ -115,7 +170,8 @@
      when no custom ErrorDocument is specified for status code 400.
      [Eric Covener]
 
-  *) mod_proxy_ajp: Try to prevent a single long request from marking a worker
+  *) SECURITY: CVE-2012-4557 (cve.mitre.org)
+     mod_proxy_ajp: Try to prevent a single long request from marking a worker
      in error. [Jean-Frederic Clere]
 
   *) config: Update the default mod_ssl configuration: Disable SSLv2, only
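Review bot: The "SECURITY: CVE-2012-4557" label is attached to an existing mod_proxy_ajp entry around line 170 of the file, outside the new 2.2.24 block, and the log message ("Moved to dist/httpd for proxy replication") does not mention it, so a retroactive CVE assignment on an already-published entry is easy to miss. The entry still says only "Try to prevent a single long request from marking a worker in error" without stating the impact; suggest adding a short impact clause and noting the relabel in the commit log.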
@@ -621,6 +677,9 @@
      different security issues which may affect particular configurations
      and third-party modules.
 
+  *) mod_headers: Make 'Header set Content-Type' effective on responses
+     that already have a Content-Type.  [Issac Goldstand]
+
   *) mod_include: fix potential segfault when handling back references
      on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
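Review bot: The mod_headers entry is inserted around line 677, far below the 2.2.24 block, and the visible context does not show which release heading it falls under; worth confirming it sits under the release that actually shipped the change. Making 'Header set Content-Type' effective on responses that already have a Content-Type changes behaviour for existing configurations, yet the log message describes only a move to dist/httpd; suggest mentioning the backfilled entry there.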