Changes with Apache 2.3.0
[ When backported to 2.2.x, remove entry from this file ]
- *) SECURITY: CVE-2007-6388 (cve.mitre.org)
- mod_status: Ensure refresh parameter is numeric to prevent
- a possible XSS attack caused by redirecting to other URLs.
- Reported by SecurityReason. [Mark Cox, Joe Orton]
-
- *) SECURITY: CVE-2007-6421 (cve.mitre.org)
- mod_proxy_balancer: Correctly escape the worker route and the worker
- redirect string in the HTML output of the balancer manager.
- Reported by SecurityReason. [Ruediger Pluem]
-
- *) SECURITY: CVE-2007-6422 (cve.mitre.org)
- Prevent crash in balancer manager if invalid balancer name is passed
- as parameter. Reported by SecurityReason. [Ruediger Pluem]
-
- *) Introduce the ProxyFtpDirCharset directive, allowing the administrator
- to identify a default, or specific servers or paths which list their
- contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]
-
- *) mod_dav: Fix evaluation of If-Match * and If-None-Match * conditionals.
- PR 38034 [Paritosh Shah <shah.paritosh gmail.com>]
-
- *) mod_dav: Adjust etag generation to produce identical results on 32-bit
- and 64-bit platforms and avoid a regression with conditional PUT's on lock
- and etag. PR 44152.
- [Michael Clark <michael metaparadigm.com>, Ruediger Pluem]
-
- *) mod_deflate: Transform ETag when transforming the entity.
- PR 39727 [Henrik Nordstrom <hno squid-cache.org>, Nick Kew]
-
- *) Add explicit charset to the output of various modules to work around
- possible cross-site scripting flaws affecting web browsers that do not
- derive the response character set as required by RFC2616. One of these
- reported by SecurityReason [Joe Orton]
-
- *) mod_ssl: Added server name indication support (RFC 4366).
- PR 34607. [Kaspar Brand <asfbugz velox.ch>]
+ *) mod_session_cookie: Add a session implementation capable of storing
+ session information within cookies on the browser. Useful for high
+ volume sites where server bound sessions are too resource intensive.
+ [Graham Leggett]
+
+ *) mod_session: Add a generic session interface to unify the different
+ attempts at saving persistent sessions across requests.
+ [Graham Leggett]
+
+ *) core, authn/z: Avoid calling access control hooks for internal requests
+ with configurations which match those of initial request. Revert to
+ original behaviour (call access control hooks for internal requests
+ with URIs different from initial request) if any access control hooks or
+ providers are not registered as permitting this optimization.
+ Introduce wrappers for access control hook and provider registration
+ which can accept additional mode and flag data. [Chris Darroch]
+
+ *) http_filters: Don't spin if get an error when reading the
+ next chunk. PR 44381 [Ruediger Pluem]
+
+ *) mod_dav: Return "method not allowed" if the destination URI of a WebDAV
+ copy / move operation is no DAV resource. PR 44734 [Ruediger Pluem]
+
+ *) Introduced ap_expr API for expression evaluation.
+ This is adapted from mod_include, which is the first module
+ to use the new API.
+ [Nick Kew]
+
+ *) mod_authz_dbd: When redirecting after successful login/logout per
+ AuthzDBDRedirectQuery, do not report authorization failure, and use
+ first row returned by database query instead of last row.
+ [Chris Darroch]
+
+ *) mod_rewrite: Initialize hash needed by ap_register_rewrite_mapfunc early
+ enough. PR 44641 [Daniel Lescohier <daniel.lescohier cnet.com>]
+
+ *) mod_authn_dbd: Disambiguate and tidy database authentication
+ error messages. PR 43210. [Chris Darroch, Phil Endecott
+ <spam_from_apache_bugzilla chezphil.org>]
+
+ *) mod_cache: Handle If-Range correctly if the cached resource was stale.
+ PR 44579 [Ruediger Pluem]
+
+ *) mod_speling: remove regression from 1.3/2.0 behavior and
+ drop dependency between mod_speling and AcceptPathInfo.
+ PR 43562 [Jose Kahan <jose w3.org>]
+
+ *) mod_ldap: Correctly return all requested attribute values
+ when some attributes have a null value.
+ PR 44560 [Anders Kaseorg <anders kaseorg.com>]
+
+ *) core: check symlink ownership if both FollowSymlinks and
+ SymlinksIfOwnerMatch are set [Nick Kew]
+
+ *) core: fix origin checking in SymlinksIfOwnerMatch
+ PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>]
+
+ *) rotatelogs: Added '-f' option to force rotatelogs to create the
+ logfile as soon as started, and not wait until it reads the
+ first entry. [Jim Jagielski]
+
+ *) mod_proxy: Do not try a direct connection if the connection via a
+ remote proxy failed before and the request has a request body.
+ [Ruediger Pluem]
+
+ *) mod_substitute: The default is now flattening the buckets after
+ each substitution. This was mostly done to abide by the
+ Principle Of Least Astonishment. The newly added 'q' flag allows for
+ the quicker, more efficient bucket-splitting if the user so
+ desires. [Jim Jagielski]
+
+ *) Added 'disablereuse' option for ProxyPass which, essentially,
+ disables connection pooling for the backend servers.
+ [Jim Jagielski]
+
+ *) Activate mod_cache, mod_file_cache and mod_disc_cache as part of the
+ 'most' set for '--enable-modules' and '--enable-shared-mods'. Include
+ mod_mem_cache in 'all' as well. [Dirk-Willem van Gulik]
+
+ *) Also install mod_so.h, mod_rewrite.h and mod_cache.h; as these
+ contain public function declarations which are useful for
+ third party module authors. PR 42431 [Dirk-Willem van Gulik].
+
+ *) mod_dir, mod_negotiation: pass the output filter information
+ to newly created sub requests; as these are later on used
+ as true requests with an internal redirect. This allows for
+ mod_cache et.al. to trap the results of the redirect.
+ [Dirk-Willem van Gulik, Ruediger Pluem]
+
+ *) ab: Use a 64 bit unsigned int instead of a signed long to count the
+ bytes transferred to avoid integer overflows. PR 44346 [Ruediger Pluem]
+
+ *) mod_proxy_ajp: Do not retry request in the case that we either failed to
+ sent a part of the request body or if the request is not idempotent.
+ PR 44334 [Ruediger Pluem]
+
+ *) ProxyPassReverse is now balancer aware. [Jim Jagielski]
+
+ *) rotatelogs: Don't leak memory when reopening the logfile.
+ PR 40183 [Ruediger Pluem, Takashi Sato <serai lans-tv.com>]
+
+ *) mod_ldap: Add support (taking advantage of the new APR capability)
+ for ldap rebind callback while chasing referrals. This allows direct
+ searches on LDAP servers (in particular MS Active Directory 2003+)
+ using referrals without the use of the global catalog.
+ PRs 26538, 40268, and 42557 [Paul J. Reder]
+
+ *) ab: Do not try to read non existing response bodies of HEAD requests.
+ PR 34275 [Takashi Sato <serai lans-tv.com>]
+
+ *) Support chroot on Unix-family platforms
+ PR 43596 [Dimitar Pashev <mitko banksoft-bg.com>]
+
+ *) mod_proxy_http: Return HTTP status codes instead of apr_status_t
+ values for errors encountered while forwarding the request body
+ PR 44165 [Eric Covener]
+
+ *) mod_ssl: Added server name indication support (SNI, RFC 4366).
+ PR 34607. [Kaspar Brand <asfbugz velox.ch>]. A test configuration
+ can be created with test/make_sni.sh [Dirk-Willem van Gulik].
*) ApacheMonitor.exe: Introduce --kill argument for use by the
installer. This will permit the installation tool to remove
projects / apache / blobdiff