-*- coding: utf-8 -*-
Changes with Apache 2.5.0
-
- *) mod_ssl: Add optional function "ssl_get_tls_cb" to allow support
- for channel bindings. [Simo Sorce <simo redhat.com>]
- *) mod_cache: Avoid sending 304 responses during failed revalidations
- PR56881. [Eric Covener]
+ *) SECURITY: CVE-2015-0228 (cve.mitre.org)
+ mod_lua: A maliciously crafted websockets PING after a script
+ calls r:wsupgrade() can cause a child process crash.
+ [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_deflate: A misplaced check prevents limiting small bodies with the
+ new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]
+
+ *) ab: Add missing longest request (100%) to CSV export.
+ [Marcin Fabrykowski <bugzilla fabrykowski.pl>]
+
+ *) core: Add expression support to ErrorDocument. Switch from a fixed
+ sized 664 byte array per merge to a hash table. [Graham Leggett]
+
+ *) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
+ a combination of certificate serialNumber and issuer as defined by
+ CertificateExactMatch in RFC4523. [Graham Leggett]
+
+ *) suexec: Filter out the HTTP_PROXY environment variable because it is
+ treated as alias for http_proxy by some programs. [Stefan Fritsch]
+
+ *) mod_proxy_http: Use the "Connection: close" header for requests to
+ backends not recycling connections (disablereuse), including the default
+ reverse and forward proxies. [Yann Ylavic]
+
+ *) mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
+ finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
+ or force-proxy-request-1.0, and respond with 502 instead of 400 if its
+ Connection header is invalid. [Yann Ylavic]
+
+ *) mod_proxy(es): Avoid error response/document handling by the core if some
+ input filter already did it while reading client's payload. [Yann Ylavic]
+
+ *) http: Make ap_die() robust against any HTTP error code and not modify
+ response status (finally logged) when nothing is to be done. [Yann Ylavic]
+
+ *) mod_proxy_connect/wstunnel: If both client and backend sides get readable
+ at the same time, don't lose errors occuring while forwarding on the first
+ side when none occurs next on the other side, and abort. [Yann Ylavic]
+
+ *) mod_lua: After a r:wsupgrade(), mod_lua was not properly
+ responding to a websockets PING but instead invoking the specified
+ script. PR57524. [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_macro: Clear macros before initialization to avoid use-after-free
+ on startup or restart when the module is linked statically. PR 57525
+ [apache.org tech.futurequest.net, Yann Ylavic]
+
+ *) mod_proxy_http: Don't establish or reuse a backend connection before pre-
+ fetching the request body, so to minimize the delay between it is supposed
+ to be alive and the first bytes sent: this is a best effort to prevent the
+ backend from closing because of idle or keepalive timeout in the meantime.
+ Also, handle a new "proxy-flushall" environment variable which allows to
+ flush any forwarded body data immediately. PR 56541+37920. [Yann Ylavic]
+
+ *) core: Define and UnDefine are no longer permitted in
+ directory context. Previously they would always be evaulated
+ as the configuration was read without regard for the directory
+ context. [Eric Covener]
- *) core: Avoid useless warning message when parsing a section guarded by
- <IfDefine foo> if $(foo) is used within the section.
- PR 56858 [Christophe Jaillet]
+ *) config: For directives that do not expect any arguments, enforce
+ that none are specified in the configuration file.
+ [Joachim Zobel <jzobel heute-morgen.de>, Eric Covener]
- *) mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the
- application. PR 56858. [Manuel Mausz <manuel-asf mausz.at>]
+ *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
+ PR 57100. [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
+ Yann Ylavic]
- *) mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade
- failed) messages from ERROR to TRACE1. Other filters do not bother
- re-reporting failures from lower level filters. PR56832. [Eric Covener]
+ *) mod_alias: Introduce expression parser support for Alias, ScriptAlias
+ and Redirect. [Graham Leggett]
- *) mod_proxy_http: Proxy responses with error status and
- "ProxyErrorOverride On" hang until proxy timeout.
- PR53420 [Rainer Jung]
+ *) mod_rewrite: Improve 'bad flag delimeters' startup error by showing
+ how the input was tokenized. PR 56528. [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_ssl: Add support for extracting subjectAltName entries of type
+ rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
+ environment variables. Also addresses PR 57207. [Kaspar Brand]
+
+ *) mod_proxy: Don't put non balancer-member workers in error state by
+ default for connection or 500/503 errors, and honor status=+I for
+ any error. PR 48388. [Yann Ylavic]
+
+ *) mod_socache_memcache: Pass expiration time through to memcached. PR 55445.
+ [Faidon Liambotis <paravoid debian.org>, Joe Orton]
+
+ *) mod_http: Fix incorrect If-Match handling. PR 57358.
+ [Kunihiko Sakamoto <ksakamoto google.com>]
+
+ *) mod_proxy_ajp: Fix client connection errors handling and logged status
+ when it occurs. PR 56823. [Yann Ylavic]
+
+ *) ap_expr: Add filemod function for checking file modification dates
+ [Daniel Gruno]
+
+ *) core: Add CGIPassAuth directive to control whether HTTP authorization
+ headers are passed to scripts as CGI variables. PR 56855. [Jeff
+ Trawick]
+
+ *) mod_rewrite: Improve relative substitutions in per-directory/htaccess
+ context for directories found by mod_userdir and mod_alias. These no
+ longer require RewriteBase to be specified. [Eric Covener]
+
+ *) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since
+ r1608202. [Eric Covener]
+
+ *) mod_buffer: Forward flushed input data immediatly and avoid (unlikely)
+ access to freed memory. [Yann Ylavic, Christophe Jaillet]
+
+ *) mod_proxy: Use the correct server name for SNI in case the backend
+ SSL connection itself is established via a proxy server.
+ PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
+
+ *) core: Ensure that httpd exits with an error status when the MPM fails
+ to run. [Yann Ylavic]
+
+ *) apreq: Content-Length header should be always interpreted as a decimal.
+ Leading 0 could be erroneously considered as an octal value. PR 56598.
+ [Chris Card <ctcard hotmail com>]
+
+ *) mod_proxy: Now allow for 191 character worker names, with non-fatal
+ errors if name is truncated. PR53218. [Jim Jagielski]
+
+ *) mod_ssl: Add optional function "ssl_get_tls_cb" to allow support
+ for channel bindings. [Simo Sorce <simo redhat.com>]
*) mod_proxy_wstunnel: Concurrent websockets messages could be
lost or delayed with ProxyWebsocketAsync enabled.
*) mpm_winnt: Normalize the error and status messages emitted by service.c,
the service control interface for Windows. [William Rowe]
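Review bot: several of the added entries in this hunk carry spelling errors that should be fixed before commit: "occuring" in the mod_proxy_connect/wstunnel entry, "evaulated" in the core Define/UnDefine entry, "delimeters" in the mod_rewrite entry, "immediatly" in the mod_buffer entry, and the apreq entry's contact "ctcard hotmail com" is missing the dot in the domain. PR references are also inconsistent within the same hunk ("PR56872." and "PR53218." versus "PR 57525" and "PR 57100."); the prevailing form in this file is "PR 12345." with a space. Two entries overlap: the SECURITY entry for CVE-2015-0228 and the later mod_lua entry for PR57524 both describe the handling of a websockets PING after r:wsupgrade(), so the second should reference the CVE (or be folded into it) so readers do not take them for two separate fixes. Finally, the removed entries in this hunk (mod_cache PR56881, core IfDefine PR 56858, mod_proxy_fcgi PR 56858, mod_ratelimit PR56832, mod_proxy_http PR53420) have no counterpart elsewhere in the diff, and two of them cite the same PR number 56858; confirm they are intentionally dropped from the 2.5.0 section rather than lost, and that the PR numbers are correct. The mod_ssl "ssl_get_tls_cb" entry is only moved (removed at the top, re-added at the bottom), which is fine.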
-
- *) SECURITY: CVE-2013-5704 (cve.mitre.org)
- core: HTTP trailers could be used to replace HTTP headers
- late during request processing, potentially undoing or
- otherwise confusing modules that examined or modified
- request headers earlier. Adds "MergeTrailers" directive to restore
- legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
- *) http_protocol: fix logic in ap_method_list_(add|remove) in order:
- - to correctly reset bits
- - not to modify the 'method_mask' bitfield unnecessarily
-
- *) mod_log_config: Allow three character log formats to be registered. For
- backwards compatibility, the first character of a three-character format
- must be the '^' (caret) character. [Eric Covener]
-
*) mod_authnz_ldap: Return LDAP connections to the pool before the handler
is run, instead of waiting until the end of the request. [Eric Covener]
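Review bot: this hunk deletes the SECURITY entry for CVE-2013-5704 (HTTP trailers replacing headers late in request processing, with the "MergeTrailers" directive added for legacy behavior) together with the http_protocol and mod_log_config entries, and nothing in the diff replaces them. Removing a CVE entry from the changelog loses the only in-tree record that the fix and its MergeTrailers compatibility switch exist, so confirm the entry survives in the section of the branch that shipped the fix (and say so in the commit message), or keep it here. The mod_log_config entry's rule that three-character formats must begin with '^' is a user-visible interface change and should likewise remain wherever the feature is documented.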
- *) mod_ldap: Be more conservative with the last-used time for
- LDAPConnectionPoolTTL. PR54587 [Eric Covener]
-
- *) mod_deflate: Don't fail when flushing inflated data to the user-agent
- and that coincides with the end of stream ("Zlib error flushing inflate
- buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]
-
- *) mod_proxy: Don't limit the size of the connectable Unix Domain Socket
- paths. [Christophe Jaillet, Yann Ylavic]
-
*) mod_ssl: dump SSL IO/state for the write side of the connection(s),
like reads (level TRACE4). [Yann Ylavic]
*) mod_rewrite: Support an optional list of characters to escape in the
argument for the 'B' (escape backreferences) flag. [Eric Covener]
- *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
- OCSP requests should use a nonce to be checked against the responder's
- one. PR 56233. [ Yann Ylavic ]
-
*) mod_dir: Default to 2.2-like behavior and skip execution when method is
neither GET nor POST, such as for DAV requests. PR 54914. [Chris Darroch]