-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) SECURITY: CVE-2015-0253 (cve.mitre.org)
+ core: Fix a crash introduced in with ErrorDocument 400 pointing
+ to a local URL-path with the INCLUDES filter active, introduced
+ in 2.4.11. PR 57531. [Yann Ylavic]
+
+ *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
+ back to a client. The answer to a LOCK request could be an extremly large
+ integer if the time needed to lock the resource was longer that the
+ requested timeout given in the LOCK request. In such a case, we now answer
+ "Second-0". PR55420
+ [Christophe Jaillet]
+
+ *) mod_ssl: Fix possible crash when loading server certificate constraints.
+ PR 57694. [Paul Spangler <paul.spangler ni com>, Yann Ylavic]
+
+ *) core, modules: Avoid error response/document handling by the core if some
+ handler or input filter already did it while reading the request (causing
+ a double response body). [Yann Ylavic]
+
*) mod_proxy: use the original (non absolute) form of the request-line's URI
for requests embedded in CONNECT payloads used to connect SSL backends via
a ProxyRemote forward-proxy. PR 55892. [Hendrik Harms <hendrik.harms
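Review bot: The added CVE-2015-0253 entry reads "Fix a crash introduced in with ErrorDocument 400 ... introduced in 2.4.11"; the first "introduced in" is a leftover and should be dropped so the sentence reads "Fix a crash with ErrorDocument 400 ... introduced in 2.4.11". In the added mod_dav entry, "extremly" and "longer that" should be "extremely" and "longer than", and "PR55420" lacks the space used by "PR 57531" and "PR 57694" in the same hunk.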
*) mod_proxy: Fix a race condition that caused a failed worker to be retried
before the retry period is over. [Ruediger Pluem]
- *) SECURITY: CVE-2015-0253 (cve.mitre.org)
- core: Fix a crash introduced in with ErrorDocument 400 pointing
- to a local URL-path with the INCLUDES filter active, introduced
- in 2.4.11. PR 57531. [Yann Ylavic]
-
*) mod_rewrite: Add support for starting External Rewriting Programs
as non-root user on UNIX systems by specifying username and group name
as third argument of RewriteMap directive. [Jan Kaluza]
*) mod_deflate: A misplaced check prevents limiting small bodies with the
new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]
- *) ab: Add missing longest request (100%) to CSV export.
- [Marcin Fabrykowski <bugzilla fabrykowski.pl>]
-
*) core: Add expression support to ErrorDocument. Switch from a fixed
sized 664 byte array per merge to a hash table. [Graham Leggett]
or force-proxy-request-1.0, and respond with 502 instead of 400 if its
Connection header is invalid. [Yann Ylavic]
- *) mod_proxy(es): Avoid error response/document handling by the core if some
- input filter already did it while reading client's payload. [Yann Ylavic]
-
*) http: Make ap_die() robust against any HTTP error code and not modify
response status (finally logged) when nothing is to be done. [Yann Ylavic]
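Review bot: The "mod_proxy(es)" entry deleted here appears to be superseded by the "core, modules:" entry added at the top of the file, which widens the wording from "input filter ... while reading client's payload" to "some handler or input filter ... while reading the request" without naming the modules involved. If the scope really changed, list the affected modules in the new entry so readers tracking the double response body fix can tell which ones are covered; if it did not, keep the narrower "mod_proxy" prefix.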
at the same time, don't lose errors occuring while forwarding on the first
side when none occurs next on the other side, and abort. [Yann Ylavic]
- *) mod_macro: Clear macros before initialization to avoid use-after-free
- on startup or restart when the module is linked statically. PR 57525
- [apache.org tech.futurequest.net, Yann Ylavic]
-
*) mod_proxy_http: Don't establish or reuse a backend connection before pre-
fetching the request body, so to minimize the delay between it is supposed
to be alive and the first bytes sent: this is a best effort to prevent the
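Review bot: The mod_macro use-after-free entry (PR 57525) is deleted in this hunk and no added line in the visible patch restores it, unlike the CVE-2015-0253 entry, which is removed further up and re-added at the top. State in the commit message why this entry leaves the file (for example, that it is recorded elsewhere), since otherwise a memory-safety fix silently disappears from the change log.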
that none are specified in the configuration file.
[Joachim Zobel <jzobel heute-morgen.de>, Eric Covener]
- *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
- PR 57100. [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
- Yann Ylavic]
-
*) mod_alias: Introduce expression parser support for Alias, ScriptAlias
and Redirect. [Graham Leggett]
*) mod_authnz_ldap: Return LDAP connections to the pool before the handler
is run, instead of waiting until the end of the request. [Eric Covener]
- *) mod_ssl: dump SSL IO/state for the write side of the connection(s),
- like reads (level TRACE4). [Yann Ylavic]
-
- *) mod_proxy: Shutdown (eg. close notify) the backend connection before
- closing. [Yann Ylavic]
-
- *) mpm_event[opt]: Send the SSL close notify alert when the KeepAliveTimeout
- expires. PR54998. [Yann Ylavic]
-
- *) mod_ssl: Ensure that the SSL close notify alert is flushed to the client.
- PR54998. [Tim Kosse <tim.kosse filezilla-project.org>, Yann Ylavic]
-
*) mod_log_config: Add GlobalLog to allow a globally defined log to
be inherited by virtual hosts that define a CustomLog.
[Edward Lu <Chaosed0 gmail.com>]
*) Add module mod_ssl_ct, which provides an implementation of Certificate
Transparency (RFC 6962) for httpd. [Jeff Trawick]
- *) mod_proxy: Preserve original request headers even if they differ
- from the ones to be forwarded to the backend. PR 45387.
- [Yann Ylavic]
-
*) mod_remoteip: Prevent an external proxy from presenting an internal
proxy. PR 55962. [Mike Rumph]