-Changes with Apache 2.1.0-dev
+Changes with Apache 2.1.3
[Remove entries to the current 2.0 section below, when backported]
- *) mod_ldap: prevent the possiblity of an infinite loop in the LDAP
- statistics display. PR 29216 [Graham Leggett]
+ *) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170.
+ [Rici Lake <rici ricilake.net>]
- *) mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz]
+ *) proxy HTTP: Rework the handling of request bodies to handle
+ chunked input and input filters which modify content length, and
+ avoid spooling arbitrary-sized request bodies in memory.
+ PR 15859. [Jeff Trawick]
- *) mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale
- cache responses. [Justin Erenkrantz]
+ *) mod_proxy: Fix incorrect decoding/unescaping for reverse proxies.
+ PR 32459, 15207. [Jim Jagielski]
- *) mod_disk_cache: Do not store aborted content. PR 21492.
- [Rüdiger Plüm <r.pluem t-online.de>]
+ *) Start keeping track of time-taken-to-process-request again for
+ mod_status if ExtendedStatus is enabled. [Jim Jagielski]
- *) mod_disk_cache: Correctly store cached content type. PR 30278.
- [Rüdiger Plüm <r.pluem t-online.de>]
+ *) mod_cache: Add CacheStorePrivate and CacheStoreNoStore directive.
+ [Justin Erenkrantz]
- *) mod_rewrite: Handle per-location rules when r->filename is unset.
- Previously this would segfault or simply not match as expected,
- depending on the platform. [Jeff Trawick]
+ *) Remove compiled-in upper limit on LimitRequestFieldSize.
+ [Bill Stoddard]
+
+ *) mod_ldap: Added the directive LDAPConnectionTimeout to configure
+ the ldap socket connection timeout value.
+ [Brad Nicholes]
+
+ *) Add --enable-pie flag to configure, to build httpd as a Position
+ Independent Executable where supported (GCC/binutils).
+ [Joe Orton]
+
+ *) proxy_balancer: Add in load-balancing via weighted traffic
+ byte count. [Jim Jagielski]
+
+ *) mod_disk_cache: Cache r->err_headers_out headers. This allows CGI
+ scripts to be properly cached. [Justin Erenkrantz, Sander Striker]
+
+ *) mod_ldap: Updated to use the new apr-util v1.1 apr_ldap_*_option()
+ API for the setting of server and client SSL certificates. Replaced
+ LDAPTrustedCA directive with LDAPTrustedGlobalCert and
+ LDAPTrustedClientCert directives to correctly support global certs
+ (CA certs / Netware client certs) and per connection client certs
+ as supported by Netware, OpenLDAP and Netscape/Mozilla.
+ [Graham Leggett]
+
+ *) mod_proxy: Handle client-aborted connections correctly. PR 32443.
+ [Janne Hietamäki, Joe Orton]
+
+ *) mod_cache: Remove unimplemented CacheForceCompletion directive.
+ [Justin Erenkrantz]
+
+ *) support/check_forensic: Fix temp file usage
+ [Javier Fernandez-Sanguino Pen~a <jfs computer.org>]
+
+ *) mod_ssl: Add SSLCADNRequestFile and SSLCADNRequestPath directives
+ which can be used to configure a specific list of CA names to send
+ in a client certificate request. PR 32848.
+ [Tim Taylor <tim.taylor dfas.mil>]
+
+ *) --with-module can now take more than one module to be statically
+ linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
+ If the <modtype>-subdirectory doesn't exist it will be created and
+ populated with a standard Makefile.in. [Erik Abele]
+
+ *) Remove some compiler warnings within the LDAP modules [Graham Leggett]
+
+ *) Add a build script to create a solaris package. [Graham Leggett]
+
+ *) ap_http_scheme() replaced with ap_http_method() - this function
+ returns the scheme (http v.s. https).
+ [William Rowe]
+
+ *) mod_proxy: Fix a request corruption problem and a buffering problem
+ which sometimes prevented proxy-sendchunks from working.
+ [Jeff Trawick]
+
+ *) Fix the RPM spec file so that an RPM build now works. An RPM
+ build now requires system installations of APR and APR-util.
+ [Graham Leggett]
+
+ *) Significantly simplify the load balancer scheduling algorithm
+ for the proxy BalancerMember weighting. loadfactors (lbfactors)
+ are now normalized with respect to each other. [Jim Jagielski]
+
+ *) mod_dumpio: Added to the available module suite; it is an
+ I/O logging/dumping module. Placed in the (new) debug module
+ subdirectory. mod_bucketeer moved to that directory as well.
+ [Jim Jagielski]
+
+ *) core: Add support for APR_TCP_DEFER_ACCEPT to defer accepting
+ of a connection until data is available.
+ [Paul Querna]
+
+ *) conf: Remove AddDefaultCharset from the default configuration because
+ setting a site-wide default does more harm than good. PR 23421.
+ [Roy Fielding]
+
+Changes with Apache 2.1.2
+
+ *) mod_proxy: Respect errors reported by pre_connection hooks.
+ [Jeff Trawick]
+
+ *) worker MPM: Fix a problem which could cause httpd processes to
+ remain active after shutdown. [Jeff Trawick]
+
+ *) core: Error out on sections that are missing an argument instead of
+ silently consuming the section. PR 25460.
+ [Geoffrey Young, Paul Querna]
+
+ *) mod_cache/mod_mem_cache/mod_disk_cache: Move out of experimental.
+
+ *) Upgraded PCRE to version 5.0. [Brian Pane]
+
+ *) mod_cgid: Catch configuration problem where two web server instances
+ share same ServerRoot but admin forgot to use ScriptSock.
+ [Jeff Trawick]
+
+ *) mod_cgi: Ensure that all stderr is logged for a script which returns
+ a Location header to generate a non-local redirect. PR 20111.
+ [Joe Orton]
+
+ *) Added the Event MPM to more efficiently handle clients during a
+ Keep Alive request.
+ [Paul Querna, Greg Ames]
+
+Changes with Apache 2.1.1
+
+ *) mod_proxy_http: Stream content better - always flush buffered data to
+ the client before blocking waiting for new data. PR 19954.
+ [Joe Orton]
+
+ *) mod_ssl: Add support for command-line option "-t -DDUMP_CERTS" which
+ will dump the filenames of all configured SSL certificates to stdout.
+ [Joe Orton]
+
+ *) mod_disk_cache: Remove a bunch of non-implemented garbage collection
+ and cache size directives that are now available through htcacheclean.
+ [Justin Erenkrantz]
+
+ *) Add htcacheclean to support/ for assistance with mod_disk_cache.
+ [Andreas Steinmetz]
+
+ *) mod_authnz_ldap: Added the directive "Requires ldap-filter" that
+ allows the module to authorize a user based on a complex LDAP
+ search filter. [Brad Nicholes]
+
+ *) mod_usertrack: Run the fixups hook before other modules.
+ PR 29755. [Paul Querna]
+
+ *) Allow mod_authnz_ldap authorization functionality to be used
+ without requiring the user to also be authenticated through
+ mod_authnz_ldap. This allows other authentication modules to
+ take advantage of LDAP authorization only [PR 28253]
+ [Jari Ahonen jah progress.com, Brad Nicholes]
+
+ *) Log the client IP address when an error occurs disabling nagle on a
+ connection, but log at a severity of debug since this error
+ generally means that the connection was dropped before data was
+ sent. Log the client IP address when reporting errors in the core
+ output filter. [Jeff Trawick]
+
+ *) Add ap_log_cerror() for logging messages associated with particular
+ client connections. [Jeff Trawick]
+
+ *) core: Add a warning message if the request line read fails.
+ [Paul Querna]
+
+ *) mod_cache: Add CacheIgnoreHeaders directive. PR 30399.
+ [Rüiger Plü <r.pluem t-online.de>]
+
+ *) mod_rewrite: Removed the MaxRedirects option in favor of the
+ core LimitInternalRecursion directive. [André Malo]
+
+ *) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
+ library handles special characters. PR 24437 [Jess Holle]
*) Unix MPMs: Shut down the server more quickly when child processes are
slow to exit. [Joe Orton, Jeff Trawick]
*) mod_proxy: If a request has a blank body and has a 0 Content-Length
headers, pass that to the proxy. [Justin Erenkrantz]
- *) mod_rewrite: Fix query string handling for proxied URLs. PR 14518.
- [michael teitler <michael.teitler cetelem.fr>,
- Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]
-
*) Recognize QSA flag in mod_rewrite again.
[Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]
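Review bot: the added CacheIgnoreHeaders entry (PR 30399) credits "[Rüiger Plü <r.pluem t-online.de>]", but the removed mod_disk_cache lines earlier in this hunk spell the same contributor "Rüdiger Plüm"; the added line has lost characters and should be restored to match. Also double-check the direction of the rename in "ap_http_scheme() replaced with ap_http_method() - this function returns the scheme (http v.s. https)": a function described as returning the scheme is the one a reader would expect to be called ap_http_scheme(), so confirm which name is the old one before this lands. Minor: "take advantage of LDAP authorization only [PR 28253]" uses a bracketed PR reference where every other entry writes "PR 28253.".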
Changes with Apache 2.0.53
+ *) Fix handling of files >2Gb on all platforms (or builds) where
+ apr_off_t is larger than apr_size_t. PR 28898. [Joe Orton]
+
+ *) mod_include: Fix bug which could truncate variable expansions
+ of N*64 characters by one byte. PR 32985. [Joe Orton]
+
+ *) Correct handling of certain bucket types in ap_save_brigade, fixing
+ possible segfaults in mod_cgi with #include virtual. PR 31247.
+ [Joe Orton]
+
+ *) Allow for the use of --with-module=foo:bar where the ./modules/foo
+ directory is local only. Assumes, of course, that the required
+ files are in ./modules/foo, but makes it easier to statically
+ build/log "external" modules. [Jim Jagielski]
+
+ *) Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that
+ ldap authorization only modules have access to the util_ldap
+ user cache without having to require ldap authentication as well.
+ [PR 31898] [Jari Ahonen jah progress.com, Brad Nicholes]
+
+ *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
+ allows the module to only authorize a user if the attribute value
+ specified matches the value of the user object. PR 31913
+ [Ryan Morgan <rmorgan pobox.com>]
+
+ *) SECURITY: CAN-2004-0942 (cve.mitre.org)
+ Fix for memory consumption DoS in handling of MIME folded request
+ headers. [Joe Orton]
+
+ *) SECURITY: CAN-2004-0885 (cve.mitre.org)
+ mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
+ bypassed during an SSL renegotiation. PR 31505.
+ [Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]
+
+ *) mod_ssl: Fail at startup rather than segfault at runtime if a
+ client cert is configured with an encrypted private key.
+ PR 24030. [Joe Orton]
+
+ *) apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". PR 31448
+ [Joe Orton]
+
+ *) mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d.
+ [Jeff Trawick]
+
+ *) mod_cache: CacheDisable will only disable the URLs it was meant to
+ disable, not all caching. PR 31128.
+ [Edward Rudd <eddie omegaware.com>, Paul Querna]
+
+ *) mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale
+ cache responses. [Justin Erenkrantz]
+
+ *) mod_rewrite: Handle per-location rules when r->filename is unset.
+ Previously this would segfault or simply not match as expected,
+ depending on the platform. [Jeff Trawick]
+
+ *) mod_rewrite: Fix query string handling for proxied URLs. PR 14518.
+ [michael teitler <michael.teitler cetelem.fr>,
+ Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]
+
+ *) mod_rewrite: Fix 0 bytes write into random memory position.
+ PR 31036. [André Malo]
+
+ *) mod_disk_cache: Do not store aborted content. PR 21492.
+ [Rüiger Plü <r.pluem t-online.de>]
+
+ *) mod_disk_cache: Correctly store cached content type. PR 30278.
+ [Rüiger Plü <r.pluem t-online.de>]
+
+ *) mod_ldap: prevent the possiblity of an infinite loop in the LDAP
+ statistics display. PR 29216 [Graham Leggett]
+
+ *) mod_ldap: fix a bogus error message to tell the user which file
+ is causing a potential problem with the LDAP shared memory cache.
+ PR 31431 [Graham Leggett]
+
+ *) mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz]
+
*) Fix the re-linking issue when purging elements from the LDAP cache
PR 24801 [Jess Holle <jessh ptc.com>]
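Review bot: the two mod_disk_cache entries moved into 2.0.53 (PR 21492 and PR 30278) now read "[Rüiger Plü <r.pluem t-online.de>]" although the lines they replace in the 2.1 section spell the contributor "Rüdiger Plüm"; the move dropped characters from the name, so copy the original spelling. While relocating the mod_ldap statistics entry (PR 29216), fix the carried-over typo "possiblity" to "possibility". Minor: "[PR 31898]" in the Util_ldap entry should be written "PR 31898." like the neighbouring "PR 31913" entry.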
Changes with Apache 2.0.52
- *) Fix the global mutex crash when the global mutex is never allocated due
- to disabled/empty caches. [Jess Holle <jessh ptc.com>]
+ *) Use HTML 2.0 <hr> for error pages. PR 30732 [André Malo]
+
+ *) Fix the global mutex crash when the global mutex is never allocated
+ due to disabled/empty caches. [Jess Holle <jessh ptc.com>]
+
+ *) Fix a segfault in the LDAP cache when it is configured switched
+ off. [Jess Holle <jessh ptc.com>]
*) SECURITY: CAN-2004-0811 (cve.mitre.org)
Fix merging of the Satisfy directive, which was applied to
Changes with Apache 2.0.51
+ *) SECURITY: CAN-2004-0786 (cve.mitre.org)
+ Fix an input validation issue in apr-util which could be
+ triggered by malformed IPv6 literal addresses. [Joe Orton]
+
+ *) SECURITY: CAN-2004-0747 (cve.mitre.org)
+ Fix buffer overflow in expansion of environment variables in
+ configuration file parsing. [André Malo]
+
+ *) SECURITY: CAN-2004-0809 (cve.mitre.org)
+ mod_dav_fs: Fix a segfault in the handling of an indirect lock
+ refresh. PR 31183. [Joe Orton]
+
*) mod_include no longer checks for recursion, because that's done
in the core. This allows for careful usage of recursive SSI.
[André Malo]
Changes with Apache 2.0.48
- *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
- the AF_UNIX socket used to communicate with the cgid daemon and
- the CGI script. [Jeff Trawick]
+ *) SECURITY: CAN-2003-0789 (cve.mitre.org)
+ mod_cgid: Resolve some mishandling of the AF_UNIX socket used to
+ communicate with the cgid daemon and the CGI script.
+ [Jeff Trawick]
- *) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
- mod_rewrite which occurred if one configured a regular expression
- with more than 9 captures. [André Malo]
+ *) SECURITY: CAN-2003-0542 (cve.mitre.org)
+ Fix buffer overflows in mod_alias and mod_rewrite which occurred
+ if one configured a regular expression with more than 9 captures.
+ [André Malo]
*) mod_include: fix segfault which occured if the filename was not
set, for example, when processing some error conditions.
Changes with Apache 2.0.47
- *) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
- of per-directory renegotiations and the SSLCipherSuite directive
- being used to upgrade from a weak ciphersuite to a strong one
- could result in the weak ciphersuite being used in place of the
- strong one. [Ben Laurie]
+ *) SECURITY: CAN-2003-0192 (cve.mitre.org)
+ Fixed a bug whereby certain sequences of per-directory
+ renegotiations and the SSLCipherSuite directive being used to
+ upgrade from a weak ciphersuite to a strong one could result in
+ the weak ciphersuite being used in place of the strong one.
+ [Ben Laurie]
- *) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
- temporary denial of service when accept() on a rarely accessed port
- returns certain errors. Reported by Saheed Akhtar
- <S.Akhtar talis.com>. [Jeff Trawick]
+ *) SECURITY: CAN-2003-0253 (cve.mitre.org)
+ Fixed a bug in prefork MPM causing temporary denial of service
+ when accept() on a rarely accessed port returns certain errors.
+ Reported by Saheed Akhtar <S.Akhtar talis.com>. [Jeff Trawick]
- *) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
- of service when target host is IPv6 but proxy server can't create
- IPv6 socket. Fixed by the reporter. [Yoshioka Tsuneo
- <tsuneo.yoshioka f-secure.com>]
+ *) SECURITY: CAN-2003-0254 (cve.mitre.org)
+ Fixed a bug in ftp proxy causing denial of service when target
+ host is IPv6 but proxy server can't create IPv6 socket. Fixed by
+ the reporter. [Yoshioka Tsuneo <tsuneo.yoshioka f-secure.com>]
*) SECURITY [VU#379828] Prevent the server from crashing when entering
infinite loops. The new LimitInternalRecursion directive configures
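Review bot: this hunk normalizes the CAN-2003-0192, CAN-2003-0253 and CAN-2003-0254 entries to the "SECURITY: ID (cve.mitre.org)" form, but the trailing context line "*) SECURITY [VU#379828] Prevent the server from crashing" is left in the old bracketed style; the 2.0.40 section already shows how a CERT identifier is written in the new form ("[CERT VU#944335]"), so convert this entry as well for consistency.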
Changes with Apache 2.0.46
- *) SECURITY [CAN-2003-0245]: Fixed a bug causing apr_pvsprintf() to crash
- by sending an overly long string. This can be triggered remotely
- through mod_dav, mod_ssl, and other mechanisms. Reported by David
- Endler <DEndler iDefense.com>.
- [Joe Orton <jorton redhat.com>]
+ *) SECURITY: CAN-2003-0245 (cve.mitre.org)
+ Fixed a bug causing apr_pvsprintf() to crash by sending an overly
+ long string. This can be triggered remotely through mod_dav,
+ mod_ssl, and other mechanisms.
+ Reported by David Endler <DEndler iDefense.com>. [Joe Orton]
- *) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
- affecting basic authentication on Unix platforms related to
- thread-safety in apr_password_validate(). The problem was reported
- by John Hughes <john.hughes entegrity.com>.
+ *) SECURITY: CAN-2003-0189 (cve.mitre.org)
+ Fixed a denial-of-service vulnerability affecting basic
+ authentication on Unix platforms related to thread-safety in
+ apr_password_validate().
+ Reported by John Hughes <john.hughes entegrity.com>.
*) Fix for mod_dav. Call the 'can_be_activity' callback, if provided,
when a MKACTIVITY request comes in.
*) Fixed a segfault when multiple ProxyBlock directives were used.
PR: 19023 [Sami Tikka <sami.tikka f-secure.com>]
- *) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability
- identified and reported by Robert Howard <rihoward rawbw.com> that
- where device names faulted the running OS2 worker process.
- The fix is actually in APR 0.9.4. [Brian Havard]
+ *) SECURITY: CAN-2003-0134 (cve.mitre.org)
+ OS2: Fix a Denial of Service vulnerability identified and
+ reported by Robert Howard <rihoward rawbw.com> that where device
+ names faulted the running OS2 worker process. The fix is
+ actually in APR 0.9.4. [Brian Havard]
*) Forward port: Escape special characters (especially control
characters) in mod_log_config to make a clear distinction between
*) Fix possible segfaults under obscure error conditions within the
cgid daemon. [Jeff Trawick, William Rowe]
- *) SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability
- identified by David Endler <DEndler iDefense.com> on all platforms.
- An unlimited stream of newlines were acceptable between requests
- where each <lf> would allocate an 80 byte buffer, leading very
- quickly to memory exahustion. [Brian Pane]
+ *) SECURITY: CAN-2003-0132 (cve.mitre.org)
+ Close a Denial of Service vulnerability identified by David
+ Endler <DEndler iDefense.com> on all platforms. An unlimited
+ stream of newlines were acceptable between requests where each
+ <lf> would allocate an 80 byte buffer, leading very quickly to
+ memory exahustion. [Brian Pane]
*) Added an rpm build script.
[Graham Leggett, Joe Orton <jorton redhat.com>]
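Review bot: since these lines are being rewrapped anyway, fix the wording that is carried over unchanged from the removed lines: "reported by Robert Howard <rihoward rawbw.com> that where device names faulted" should drop "that", "An unlimited stream of newlines were acceptable" should read "was acceptable", and "memory exahustion" should be "memory exhaustion". The CAN-2003-0245 entry also drops the "<jorton redhat.com>" address from Joe Orton's credit, which matches the other entries; the rpm build script entry in the trailing context still carries it, so decide whether to trim that one too.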
Changes with Apache 2.0.43
- *) SECURITY [CVE-2002-0840]: HTML-escape the address produced by
- ap_server_signature() against this cross-site scripting
- vulnerability exposed by the directive 'UseCanonicalName Off'.
- Also HTML-escape the SERVER_NAME environment variable for CGI
- and SSI requests. It's safe to escape as only the '<', '>',
- and '&' characters are affected, which won't appear in a valid
- hostname. Reported by Matthew Murphy <mattmurphy kc.rr.com>.
- [Brian Pane]
+ *) SECURITY: CVE-2002-0840 (cve.mitre.org)
+ HTML-escape the address produced by ap_server_signature() against
+ this cross-site scripting vulnerability exposed by the directive
+ 'UseCanonicalName Off'. Also HTML-escape the SERVER_NAME
+ environment variable for CGI and SSI requests. It's safe to
+ escape as only the '<', '>', and '&' characters are affected,
+ which won't appear in a valid hostname. Reported by Matthew
+ Murphy <mattmurphy kc.rr.com>. [Brian Pane]
*) Fix a core dump in mod_cache when it attemtped to store uncopyable
buckets. This happened, for instance, when a file to be cached
could lead to an infinite loop. PR 12705
[Amund Elstad <amund.elstad ergo.no>, Jeff Trawick]
- *) SECURITY [CVE-2002-1156] (cve.mitre.org):
+ *) SECURITY: CVE-2002-1156 (cve.mitre.org)
Fix the exposure of CGI source when a POST request is sent to
a location where both DAV and CGI are enabled. [Ryan Bloom]
Changes with Apache 2.0.40
- *) SECURITY [CAN-2002-0661] (cve.mitre.org):
+ *) SECURITY: CAN-2002-0661 (cve.mitre.org)
Close a very significant security hole that
applies only to the Win32, OS2 and Netware platforms. Unix was not
affected, Cygwin may be affected. Certain URIs will bypass security
Reported by Auriemma Luigi <bugtest sitoverde.com>.
[Brad Nicholes]
- *) SECURITY [CAN-2002-0654] (cve.mitre.org):
+ *) SECURITY: CAN-2002-0654 (cve.mitre.org)
Close a path-revealing exposure in multiview type
map negotiation (such as the default error documents) where the
module would report the full path of the typemapped .var file when
negotiation. Reported by Auriemma Luigi <bugtest sitoverde.com>.
[William Rowe]
- *) SECURITY [CAN-2002-0654] (cve.mitre.org):
+ *) SECURITY: CAN-2002-0654 (cve.mitre.org)
Close a path-revealing exposure in cgi/cgid when we
fail to invoke a script. The modules would report "couldn't create
child process /path-to-script/script.pl" revealing the full path
the pipes and spawning functionality working.
[Brad Nicholes]
- *) SECURITY [CVE-2002-0392] (cve.mitre.org) [CERT VU#944335]:
+ *) SECURITY: CVE-2002-0392 (cve.mitre.org) [CERT VU#944335]
Detect overflow when reading the hex bytes forming a chunk line.
[Aaron Bannert]
multiple places and allows for an SSL module to be added much
simpler. [Ryan Bloom]
- *) SECURITY [CVE-2000-0913] (cve.mitre.org):
+ *) SECURITY: CVE-2000-0913 (cve.mitre.org)
Fix a security problem that affects certain configurations of
mod_rewrite. If the result of a RewriteRule is a filename that
contains expansion specifiers, especially regexp backreferences
container is VirtualHost or Directory or whatever.
[Jeff Trawick]
- *) SECURITY [CAN-2000-1204] (cve.mitre.org):
+ *) SECURITY: CAN-2000-1204 (cve.mitre.org)
Prevent the source code for CGIs from being revealed when
using mod_vhost_alias and the CGI directory is under the document root
and a user makes a request like http://www.example.com//cgi-bin/cgi
run-time configurable using the ExtendedStatus directive.
[Jim Jagielski]
- *) SECURITY [CVE-1999-1199] (cve.mitre.org):
+ *) SECURITY: CVE-1999-1199 (cve.mitre.org)
Eliminate O(n^2) space DoS attacks (and other O(n^2)
cpu time attacks) in header parsing. Add ap_overlap_tables(),
a function which can be used to perform bulk update operations
- on tables in a more efficient manner.
- [Dean Gaudet]
+ on tables in a more efficient manner. [Dean Gaudet]
*) SECURITY: Added compile-time and configurable limits for
various aspects of reading a client request to avoid some simple
*) Cache a proxied request in the event that the client cancels the
transfer, provided that the configured percentage of the file has
- already been transfered. It works for HTTP transfers only. The
+ already been transferred. It works for HTTP transfers only. The
new configuration directive is called CacheForceCompletion.
[Glen Parker <glenebob nwlink.com>] PR#2277
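Review bot: CAN-2002-0654 heads two consecutive entries in the 2.0.40 section (the multiview typemap path exposure and the cgi/cgid path exposure); since this hunk is normalizing identifiers, confirm that both exposures really share that identifier, and if they do, consider merging them under one heading or stating the shared identifier explicitly so the repeat does not read as a copy-paste slip. The "transfered" to "transferred" correction in the CacheForceCompletion entry is fine.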