-*- coding: utf-8 -*-
Changes with Apache 2.5.0
- *) mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME
- passed to fastcgi backends. [Eric Covener]
+ *) SECURITY: CVE-2015-0253 (cve.mitre.org)
+ core: Fix a crash introduced in with ErrorDocument 400 pointing
+ to a local URL-path with the INCLUDES filter active, introduced
+ in 2.4.11. PR 57531. [Yann Ylavic]
+
+ *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
+ back to a client. The answer to a LOCK request could be an extremly large
+ integer if the time needed to lock the resource was longer that the
+ requested timeout given in the LOCK request. In such a case, we now answer
+ "Second-0". PR55420
+ [Christophe Jaillet]
+
+ *) mod_ssl: Fix possible crash when loading server certificate constraints.
+ PR 57694. [Paul Spangler <paul.spangler ni com>, Yann Ylavic]
+
+ *) core, modules: Avoid error response/document handling by the core if some
+ handler or input filter already did it while reading the request (causing
+ a double response body). [Yann Ylavic]
+
+ *) mod_proxy: use the original (non absolute) form of the request-line's URI
+ for requests embedded in CONNECT payloads used to connect SSL backends via
+ a ProxyRemote forward-proxy. PR 55892. [Hendrik Harms <hendrik.harms
+ gmail com>, William Rowe, Yann Ylavic]
+
+ *) mod_proxy: Fix a race condition that caused a failed worker to be retried
+ before the retry period is over. [Ruediger Pluem]
+
+ *) mod_rewrite: Add support for starting External Rewriting Programs
+ as non-root user on UNIX systems by specifying username and group name
+ as third argument of RewriteMap directive. [Jan Kaluza]
+
+ *) core: If explicitly configured, use the KeepaliveTimeout value of the
+ virtual host which handled the latest request on the connection, or by
+ default the one of the first virtual host bound to the same IP:port.
+ PR56226. [Yann Ylavic]
+
+ *) mod_authn_core: Add expression support to AuthName and AuthType.
+ [Graham Leggett]
- *) mod_http: Fix incorrect If-Match handling. PR 57358
- [Kunihiko Sakamoto <ksakamoto google.com>]
+ *) mod_deflate: A misplaced check prevents limiting small bodies with the
+ new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]
+
+ *) core: Add expression support to ErrorDocument. Switch from a fixed
+ sized 664 byte array per merge to a hash table. [Graham Leggett]
+
+ *) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
+ a combination of certificate serialNumber and issuer as defined by
+ CertificateExactMatch in RFC4523. [Graham Leggett]
+
+ *) suexec: Filter out the HTTP_PROXY environment variable because it is
+ treated as alias for http_proxy by some programs. [Stefan Fritsch]
+
+ *) mod_proxy_http: Use the "Connection: close" header for requests to
+ backends not recycling connections (disablereuse), including the default
+ reverse and forward proxies. [Yann Ylavic]
+
+ *) mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
+ finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
+ or force-proxy-request-1.0, and respond with 502 instead of 400 if its
+ Connection header is invalid. [Yann Ylavic]
+
+ *) http: Make ap_die() robust against any HTTP error code and not modify
+ response status (finally logged) when nothing is to be done. [Yann Ylavic]
+
+ *) mod_proxy_connect/wstunnel: If both client and backend sides get readable
+ at the same time, don't lose errors occuring while forwarding on the first
+ side when none occurs next on the other side, and abort. [Yann Ylavic]
+
+ *) mod_proxy_http: Don't establish or reuse a backend connection before pre-
+ fetching the request body, so to minimize the delay between it is supposed
+ to be alive and the first bytes sent: this is a best effort to prevent the
+ backend from closing because of idle or keepalive timeout in the meantime.
+ Also, handle a new "proxy-flushall" environment variable which allows to
+ flush any forwarded body data immediately. PR 56541+37920. [Yann Ylavic]
+
+ *) core: Define and UnDefine are no longer permitted in
+ directory context. Previously they would always be evaulated
+ as the configuration was read without regard for the directory
+ context. [Eric Covener]
+
+ *) config: For directives that do not expect any arguments, enforce
+ that none are specified in the configuration file.
+ [Joachim Zobel <jzobel heute-morgen.de>, Eric Covener]
+
+ *) mod_alias: Introduce expression parser support for Alias, ScriptAlias
+ and Redirect. [Graham Leggett]
+
+ *) mod_rewrite: Improve 'bad flag delimeters' startup error by showing
+ how the input was tokenized. PR 56528. [Edward Lu <Chaosed0 gmail.com>]
- *) mod_proxy_ajp: Fix handling of the default port (8009) in the
- ProxyPass and <Proxy> configurations. PR 57259. [Yann Ylavic].
+ *) mod_ssl: Add support for extracting subjectAltName entries of type
+ rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
+ environment variables. Also addresses PR 57207. [Kaspar Brand]
- *) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
- PR 57334. [Yann Ylavic].
+ *) mod_proxy: Don't put non balancer-member workers in error state by
+ default for connection or 500/503 errors, and honor status=+I for
+ any error. PR 48388. [Yann Ylavic]
- *) core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts.
- PR 57328. [Armin Abfalterer <a.abfalterer gmail.com>, Yann Ylavic].
+ *) mod_socache_memcache: Pass expiration time through to memcached. PR 55445.
+ [Faidon Liambotis <paravoid debian.org>, Joe Orton]
+
+ *) mod_http: Fix incorrect If-Match handling. PR 57358.
+ [Kunihiko Sakamoto <ksakamoto google.com>]
*) mod_proxy_ajp: Fix client connection errors handling and logged status
when it occurs. PR 56823. [Yann Ylavic]
*) mod_rewrite: Improve relative substitutions in per-directory/htaccess
context for directories found by mod_userdir and mod_alias. These no
- loner require RewriteBase to be specified. [Eric Covener]
+ longer require RewriteBase to be specified. [Eric Covener]
*) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since
r1608202. [Eric Covener]
- *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
- PR 57167 [Edward Lu <Chaosed0 gmail.com>]
-
- *) mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read
- determine whether it is a normal close or a real error. PR 57168. [Yann
- Ylavic]
-
*) mod_buffer: Forward flushed input data immediatly and avoid (unlikely)
access to freed memory. [Yann Ylavic, Christophe Jaillet]
SSL connection itself is established via a proxy server.
PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
- *) mod_ssl: Do not crash when looking up SSL related variables during
- expression evaluation on non SSL connections. PR 57070 [Ruediger Pluem]
-
*) core: Ensure that httpd exits with an error status when the MPM fails
to run. [Yann Ylavic]
*) mod_authnz_ldap: Return LDAP connections to the pool before the handler
is run, instead of waiting until the end of the request. [Eric Covener]
- *) mod_ldap: Be more conservative with the last-used time for
- LDAPConnectionPoolTTL. PR54587 [Eric Covener]
-
- *) mod_deflate: Don't fail when flushing inflated data to the user-agent
- and that coincides with the end of stream ("Zlib error flushing inflate
- buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]
-
- *) mod_proxy: Don't limit the size of the connectable Unix Domain Socket
- paths. [Christophe Jaillet, Yann Ylavic]
-
- *) mod_ssl: dump SSL IO/state for the write side of the connection(s),
- like reads (level TRACE4). [Yann Ylavic]
-
- *) mod_proxy: Shutdown (eg. close notify) the backend connection before
- closing. [Yann Ylavic]
-
- *) mpm_event[opt]: Send the SSL close notify alert when the KeepAliveTimeout
- expires. PR54998. [Yann Ylavic]
-
- *) mod_ssl: Ensure that the SSL close notify alert is flushed to the client.
- PR54998. [Tim Kosse <tim.kosse filezilla-project.org>, Yann Ylavic]
-
*) mod_log_config: Add GlobalLog to allow a globally defined log to
be inherited by virtual hosts that define a CustomLog.
[Edward Lu <Chaosed0 gmail.com>]
*) Add module mod_ssl_ct, which provides an implementation of Certificate
Transparency (RFC 6962) for httpd. [Jeff Trawick]
- *) mod_proxy: Preserve original request headers even if they differ
- from the ones to be forwarded to the backend. PR 45387.
- [Yann Ylavic]
-
*) mod_remoteip: Prevent an external proxy from presenting an internal
proxy. PR 55962. [Mike Rumph]
projects / apache / blobdiff