X-Git-Url: https://granicus.if.org/sourcecode?a=blobdiff_plain;f=CHANGES;h=9011e7e5668ea7dc47e607b3cb25cae677ef7e0c;hb=7d5bef8273f482dee4d3b82c101f07db78c2f7bb;hp=5a595df6edeed12f3609d255bee327acb4de6ba0;hpb=0260bcb6ba9e04aa4fea87647c6ab198d8b6e025;p=apache diff --git a/CHANGES b/CHANGES index 5a595df6ed..9011e7e566 100644 --- a/CHANGES +++ b/CHANGES 
@@ -2,35 +2,126 @@ Changes with Apache 2.3.0 [ When backported to 2.2.x, remove entry from this file ] - *) SECURITY: CVE-2007-6388 (cve.mitre.org) - mod_status: Ensure refresh parameter is numeric to prevent - a possible XSS attack caused by redirecting to other URLs. - Reported by SecurityReason. [Mark Cox, Joe Orton] - - *) SECURITY: CVE-2007-6421 (cve.mitre.org) - mod_proxy_balancer: Correctly escape the worker route and the worker - redirect string in the HTML output of the balancer manager. - Reported by SecurityReason. [Ruediger Pluem] - - *) SECURITY: CVE-2007-6422 (cve.mitre.org) - Prevent crash in balancer manager if invalid balancer name is passed - as parameter. Reported by SecurityReason. [Ruediger Pluem] - - *) mod_dav: Adjust etag generation to produce identical results on 32-bit - and 64-bit platforms and avoid a regression with conditional PUT's on lock - and etag. PR 44152. - [Michael Clark , Ruediger Pluem] - - *) mod_deflate: Transform ETag when transforming the entity. - PR 39727 [Henrik Nordstrom , Nick Kew] - - *) Add explicit charset to the output of various modules to work around - possible cross-site scripting flaws affecting web browsers that do not - derive the response character set as required by RFC2616. One of these - reported by SecurityReason [Joe Orton] - - *) mod_ssl: Added server name indication support (RFC 4366). - PR 34607. [Kaspar Brand ] + *) mod_session_cookie: Add a session implementation capable of storing + session information within cookies on the browser. Useful for high + volume sites where server bound sessions are too resource intensive. + [Graham Leggett] + + *) mod_session: Add a generic session interface to unify the different + attempts at saving persistent sessions across requests. + [Graham Leggett] + + *) core, authn/z: Avoid calling access control hooks for internal requests + with configurations which match those of initial request. 
Revert to + original behaviour (call access control hooks for internal requests + with URIs different from initial request) if any access control hooks or + providers are not registered as permitting this optimization. + Introduce wrappers for access control hook and provider registration + which can accept additional mode and flag data. [Chris Darroch] + + *) http_filters: Don't spin if get an error when reading the + next chunk. PR 44381 [Ruediger Pluem] + + *) mod_dav: Return "method not allowed" if the destination URI of a WebDAV + copy / move operation is no DAV resource. PR 44734 [Ruediger Pluem] + + *) Introduced ap_expr API for expression evaluation. + This is adapted from mod_include, which is the first module + to use the new API. + [Nick Kew] + + *) mod_authz_dbd: When redirecting after successful login/logout per + AuthzDBDRedirectQuery, do not report authorization failure, and use + first row returned by database query instead of last row. + [Chris Darroch] + + *) mod_rewrite: Initialize hash needed by ap_register_rewrite_mapfunc early + enough. PR 44641 [Daniel Lescohier ] + + *) mod_authn_dbd: Disambiguate and tidy database authentication + error messages. PR 43210. [Chris Darroch, Phil Endecott + ] + + *) mod_cache: Handle If-Range correctly if the cached resource was stale. + PR 44579 [Ruediger Pluem] + + *) mod_speling: remove regression from 1.3/2.0 behavior and + drop dependency between mod_speling and AcceptPathInfo. + PR 43562 [Jose Kahan ] + + *) mod_ldap: Correctly return all requested attribute values + when some attributes have a null value. + PR 44560 [Anders Kaseorg ] + + *) core: check symlink ownership if both FollowSymlinks and + SymlinksIfOwnerMatch are set [Nick Kew] + + *) core: fix origin checking in SymlinksIfOwnerMatch + PR 36783 [Robert L Mathews ] + + *) rotatelogs: Added '-f' option to force rotatelogs to create the + logfile as soon as started, and not wait until it reads the + first entry. 
[Jim Jagielski] + + *) mod_proxy: Do not try a direct connection if the connection via a + remote proxy failed before and the request has a request body. + [Ruediger Pluem] + + *) mod_substitute: The default is now flattening the buckets after + each substitution. This was mostly done to abide by the + Principle Of Least Astonishment. The newly added 'q' flag allows for + the quicker, more efficient bucket-splitting if the user so + desires. [Jim Jagielski] + + *) Added 'disablereuse' option for ProxyPass which, essentially, + disables connection pooling for the backend servers. + [Jim Jagielski] + + *) Activate mod_cache, mod_file_cache and mod_disc_cache as part of the + 'most' set for '--enable-modules' and '--enable-shared-mods'. Include + mod_mem_cache in 'all' as well. [Dirk-Willem van Gulik] + + *) Also install mod_so.h, mod_rewrite.h and mod_cache.h; as these + contain public function declarations which are useful for + third party module authors. PR 42431 [Dirk-Willem van Gulik]. + + *) mod_dir, mod_negotiation: pass the output filter information + to newly created sub requests; as these are later on used + as true requests with an internal redirect. This allows for + mod_cache et.al. to trap the results of the redirect. + [Dirk-Willem van Gulik, Ruediger Pluem] + + *) ab: Use a 64 bit unsigned int instead of a signed long to count the + bytes transferred to avoid integer overflows. PR 44346 [Ruediger Pluem] + + *) mod_proxy_ajp: Do not retry request in the case that we either failed to + sent a part of the request body or if the request is not idempotent. + PR 44334 [Ruediger Pluem] + + *) ProxyPassReverse is now balancer aware. [Jim Jagielski] + + *) rotatelogs: Don't leak memory when reopening the logfile. + PR 40183 [Ruediger Pluem, Takashi Sato ] + + *) mod_ldap: Add support (taking advantage of the new APR capability) + for ldap rebind callback while chasing referrals. 
This allows direct + searches on LDAP servers (in particular MS Active Directory 2003+) + using referrals without the use of the global catalog. + PRs 26538, 40268, and 42557 [Paul J. Reder] + + *) ab: Do not try to read non existing response bodies of HEAD requests. + PR 34275 [Takashi Sato ] + + *) Support chroot on Unix-family platforms + PR 43596 [Dimitar Pashev ] + + *) mod_proxy_http: Return HTTP status codes instead of apr_status_t + values for errors encountered while forwarding the request body + PR 44165 [Eric Covener] + + *) mod_ssl: Added server name indication support (SNI, RFC 4366). + PR 34607. [Kaspar Brand ]. A test configuration + can be created with test/make_sni.sh [Dirk-Willem van Gulik]. *) ApacheMonitor.exe: Introduce --kill argument for use by the installer. This will permit the installation tool to remove
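Review bot: The mod_ssl SNI entry (PR 34607, Kaspar Brand) is deleted at the top of the hunk and re-added near the bottom with extra text about test/make_sni.sh, which conflicts with the file's own rule in the header ("When backported to 2.2.x, remove entry from this file"): if SNI was backported to 2.2.x alongside the CVE-2007-6388/6421/6422, mod_dav, mod_deflate and charset entries removed here, the re-added entry should go as well; if it was not, the deletion and re-addition should be a plain move with the make_sni.sh sentence appended in place, so the diff shows one edit rather than two. Two wording nits in the added lines while here: "failed to sent a part of the request body" in the mod_proxy_ajp entry should read "failed to send", and "is no DAV resource" in the mod_dav entry should read "is not a DAV resource". Trailing punctuation after the attribution brackets is also inconsistent ("[Dirk-Willem van Gulik]." and "[Kaspar Brand ]." versus the bare "]" used elsewhere in the file).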