X-Git-Url: https://granicus.if.org/sourcecode?a=blobdiff_plain;f=CHANGES;h=640bdf79b27356463b230c30c7f4739be64f91bf;hb=638a4a7e440facc0536f6e2c6d20c0416c2314cb;hp=38335d51e25c869eaa72a553c5c1e8785d80cf84;hpb=2af6b8f57fe43e2026a2038ee68ee3e926f0503e;p=apache diff --git a/CHANGES b/CHANGES index 38335d51e2..640bdf79b2 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,23 +1,93 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 - *) mod_proxy_fcgi: Enable opt-in to TCP connection reuse by explicitly - setting proxy option disablereuse=off. [Eric Covener] PR 57378. - - *) mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME - passed to fastcgi backends. [Eric Covener] + *) SECURITY: CVE-2015-0228 (cve.mitre.org) + mod_lua: A maliciously crafted websockets PING after a script + calls r:wsupgrade() can cause a child process crash. + [Edward Lu ] - *) mod_http: Fix incorrect If-Match handling. PR 57358 - [Kunihiko Sakamoto ] + *) mod_deflate: A misplaced check prevents limiting small bodies with the + new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic] + + *) ab: Add missing longest request (100%) to CSV export. + [Marcin Fabrykowski ] + + *) core: Add expression support to ErrorDocument. Switch from a fixed + sized 664 byte array per merge to a hash table. [Graham Leggett] + + *) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides + a combination of certificate serialNumber and issuer as defined by + CertificateExactMatch in RFC4523. [Graham Leggett] + + *) suexec: Filter out the HTTP_PROXY environment variable because it is + treated as alias for http_proxy by some programs. [Stefan Fritsch] + + *) mod_proxy_http: Use the "Connection: close" header for requests to + backends not recycling connections (disablereuse), including the default + reverse and forward proxies. [Yann Ylavic] + + *) mod_proxy_http: Don't expect the backend to ack the "Connection: close" to + finally close those not meant to be kept alive by SetEnv proxy-nokeepalive + or force-proxy-request-1.0, and respond with 502 instead of 400 if its + Connection header is invalid. [Yann Ylavic] + + *) mod_proxy(es): Avoid error response/document handling by the core if some + input filter already did it while reading client's payload. 
[Yann Ylavic] + + *) http: Make ap_die() robust against any HTTP error code and not modify + response status (finally logged) when nothing is to be done. [Yann Ylavic] + + *) mod_proxy_connect/wstunnel: If both client and backend sides get readable + at the same time, don't lose errors occuring while forwarding on the first + side when none occurs next on the other side, and abort. [Yann Ylavic] + + *) mod_lua: After a r:wsupgrade(), mod_lua was not properly + responding to a websockets PING but instead invoking the specified + script. PR57524. [Edward Lu ] + + *) mod_macro: Clear macros before initialization to avoid use-after-free + on startup or restart when the module is linked statically. PR 57525 + [apache.org tech.futurequest.net, Yann Ylavic] - *) mod_proxy_ajp: Fix handling of the default port (8009) in the - ProxyPass and configurations. PR 57259. [Yann Ylavic]. + *) mod_proxy_http: Don't establish or reuse a backend connection before pre- + fetching the request body, so to minimize the delay between it is supposed + to be alive and the first bytes sent: this is a best effort to prevent the + backend from closing because of idle or keepalive timeout in the meantime. + Also, handle a new "proxy-flushall" environment variable which allows to + flush any forwarded body data immediately. PR 56541+37920. [Yann Ylavic] - *) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument. - PR 57334. [Yann Ylavic]. + *) core: Define and UnDefine are no longer permitted in + directory context. Previously they would always be evaulated + as the configuration was read without regard for the directory + context. [Eric Covener] - *) core: Fix -D[efined] or [d] variables lifetime accross restarts. - PR 57328. [Armin Abfalterer , Yann Ylavic]. + *) config: For directives that do not expect any arguments, enforce + that none are specified in the configuration file. 
+ [Joachim Zobel , Eric Covener] + + *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context. + PR 57100. [Michael Kaufmann , + Yann Ylavic] + + *) mod_alias: Introduce expression parser support for Alias, ScriptAlias + and Redirect. [Graham Leggett] + + *) mod_rewrite: Improve 'bad flag delimeters' startup error by showing + how the input was tokenized. PR 56528. [Edward Lu ] + + *) mod_ssl: Add support for extracting subjectAltName entries of type + rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n + environment variables. Also addresses PR 57207. [Kaspar Brand] + + *) mod_proxy: Don't put non balancer-member workers in error state by + default for connection or 500/503 errors, and honor status=+I for + any error. PR 48388. [Yann Ylavic] + + *) mod_socache_memcache: Pass expiration time through to memcached. PR 55445. + [Faidon Liambotis , Joe Orton] + + *) mod_http: Fix incorrect If-Match handling. PR 57358. + [Kunihiko Sakamoto ] *) mod_proxy_ajp: Fix client connection errors handling and logged status when it occurs. PR 56823. [Yann Ylavic] @@ -31,18 +101,11 @@ Changes with Apache 2.5.0 *) mod_rewrite: Improve relative substitutions in per-directory/htaccess context for directories found by mod_userdir and mod_alias. These no - loner require RewriteBase to be specified. [Eric Covener] + longer require RewriteBase to be specified. [Eric Covener] *) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since r1608202. [Eric Covener] - *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes. - PR 57167 [Edward Lu ] - - *) mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read - determine whether it is a normal close or a real error. PR 57168. [Yann - Ylavic] - *) mod_buffer: Forward flushed input data immediatly and avoid (unlikely) access to freed memory. [Yann Ylavic, Christophe Jaillet] 
@@ -50,9 +113,6 @@ Changes with Apache 2.5.0 SSL connection itself is established via a proxy server. PR 57139 [Szabolcs Gyurko ] - *) mod_ssl: Do not crash when looking up SSL related variables during - expression evaluation on non SSL connections. PR 57070 [Ruediger Pluem] - *) core: Ensure that httpd exits with an error status when the MPM fails to run. [Yann Ylavic] @@ -82,16 +142,6 @@ Changes with Apache 2.5.0 *) mod_authnz_ldap: Return LDAP connections to the pool before the handler is run, instead of waiting until the end of the request. [Eric Covener] - *) mod_ldap: Be more conservative with the last-used time for - LDAPConnectionPoolTTL. PR54587 [Eric Covener] - - *) mod_deflate: Don't fail when flushing inflated data to the user-agent - and that coincides with the end of stream ("Zlib error flushing inflate - buffer"). PR 56196. [Christoph Fausak ] - - *) mod_proxy: Don't limit the size of the connectable Unix Domain Socket - paths. [Christophe Jaillet, Yann Ylavic] - *) mod_ssl: dump SSL IO/state for the write side of the connection(s), like reads (level TRACE4). [Yann Ylavic]
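Review bot: In the @@ -1,23 +1,93 @@ hunk, the new "SECURITY: CVE-2015-0228" entry and the later mod_lua entry citing PR57524 both describe a websockets PING after r:wsupgrade(), but neither refers to the other, so a reader cannot tell whether they record one fix or two. If they are the same change, merge them or add the PR number to the SECURITY entry; if they differ, say in each what is distinct (the child process crash versus the script being invoked instead of a PING response). The same hunk adds the misspellings "occuring" (mod_proxy_connect/wstunnel entry) and "evaulated" (core Define/UnDefine entry), the quoted 'bad flag delimeters' in the mod_rewrite entry should be checked against the spelling of the actual startup error, and PR references are written three ways ("PR56872.", "PR 57525", "PR 56541+37920"); settle on one form.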
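Review bot: The @@ -31,18 +101,11 @@ hunk corrects "loner" to "longer" in the mod_rewrite entry but leaves "immediatly" untouched in the mod_buffer entry that appears as its trailing context. Since this hunk is already a spelling pass over the section, fix that word to "immediately" here as well rather than in a follow-up commit.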
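Review bot: The @@ -50,9 +113,6 @@ and @@ -82,16 +142,6 @@ hunks only delete entries (the mod_ssl crash on non SSL connections, PR 57070; mod_ldap LDAPConnectionPoolTTL, PR54587; mod_deflate "Zlib error flushing inflate buffer", PR 56196; mod_proxy Unix Domain Socket paths), and nothing visible in this diff shows where they now live. The earlier hunks drop entries the same way (for example the mod_proxy_fcgi and mod_proxy_connect AH02447 items). Because at least one of these records a crash fix, state in the commit message which section or release now carries them, so the deletion is not read as a revert of the fix.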