From 2ae75ae498d439552f5fc4909e88913178b98743 Mon Sep 17 00:00:00 2001 From: Jeff Trawick Date: Fri, 18 Nov 2011 13:14:42 +0000 Subject: [PATCH] no 2.5 alphas yet, so drop the entries for changes also in 2.4.x branch git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1203636 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 2295 +------------------------------------------------------ 1 file changed, 4 insertions(+), 2291 deletions(-) diff --git a/CHANGES b/CHANGES index 93fe42fb77..9361e96c20 100644 --- a/CHANGES +++ b/CHANGES 
@@ -3,2299 +3,12 @@ Changes with Apache 2.5.0 *) error log hook: add conn_rec as a parameter. [Jeff Trawick] - *) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand] + [Apache 2.5.0-dev includes those bug fixes and changes with the + Apache 2.4.xx tree as documented below, except as noted.] - *) mod_lua: Stop losing track of all but the most specific LuaHook* directives - when multiple per-directory config sections are used. Adds LuaInherit - directive to control how parent sections are merged. [Eric Covener] +Changes with Apache 2.4.x and later: - *) mod_cache: Make sure we merge headers correctly when we handle a - non cacheable conditional response. PR52120. [Graham Leggett] - - *) core: Set MaxMemFree 2048 by default. [Stefan Fritsch] - - *) mpm_event: Fix assertion failure during very high load. [Stefan Fritsch] - - *) configure: Only load the really imporant modules (i.e. those enabled by - the 'few' selection) by default. Don't handle modules enabled with - --enable-foo specially. [Stefan Fritsch] - - *) end-generation hook: Fix false notification of end-of-generation for - temporary intervals with no active MPM children. [Jeff Trawick] - - *) mod_ssl: Add support for RFC 5077 TLS Session tickets. - [Paul Querna] - - *) mod_usertrack: Use random value instead of remote IP address. - [Stefan Fritsch] - -Changes with Apache 2.3.15 - - *) SECURITY: CVE-2011-3348 (cve.mitre.org) - mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not - recognized. [Jean-Frederic Clere] - - *) SECURITY: CVE-2011-3192 (cve.mitre.org) - core: Fix handling of byte-range requests to use less memory, to avoid - denial of service. If the sum of all ranges in a request is larger than - the original file, ignore the ranges and send the complete file. - PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener, - ] - - *) SECURITY: CVE-2011-3607 (cve.mitre.org) - core: Fix integer overflow in ap_pregsub. This can be triggered e.g. 
- with mod_setenvif via a malicious .htaccess. [Stefan Fritsch] - - *) configure: Load all modules in the generated default configuration - when using --enable-load-all-modules. [Rainer Jung] - - *) mod_reqtimeout: Change the default to set some reasonable timeout - values. [Stefan Fritsch] - - *) core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove - the inode. PR 49623. [Stefan Fritsch] - - *) mod_lua: Expose SSL variables via r:ssl_var_lookup(). [Eric Covener] - - *) mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName} - can now additionally be run as "early" or "late" relative to other modules. - [Eric Covener] - - *) configure: By default, only load those modules that are either required - or explicitly selected by a configure --enable-foo argument. The - LoadModule statements for modules enabled by --enable-mods-shared=most - and friends will be commented out. [Stefan Fritsch] - - *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and - LuaHookQuickHandler) from being configured in , , - and htaccess where the configuration would have been ignored. - [Eric Covener] - - *) mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors - in LuaMapHandler scripts [Eric Covener] - - *) mod_log_debug: Rename optional argument from if= to expr=, to be more - in line with other config directives. [Stefan Fritsch] - - *) mod_headers: Require an expression to be specified with expr=, to be more - in line with other config directives. [Stefan Fritsch] - - *) mod_substitute: To prevent overboarding memory usage, limit line length - to 1MB. [Stefan Fritsch] - - *) mod_lua: Make the query string (r.args) writable. [Eric Covener] - - *) mod_include: Add support for application/x-www-form-urlencoded encoding - and decoding. [Graham Leggett] - - *) rotatelogs: Add -c option to force logfile creation in every rotation - interval, even if empty. 
[Jan Kaluža ] - - *) core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings. - [Stefan Fritsch] - - *) mod_session_crypto: Refactor to support the new apr_crypto API. - [Graham Leggett] - - *) http: Add missing Location header if local URL-path is used as - ErrorDocument for 30x. [Stefan Fritsch] - - *) mod_buffer: Make sure we step down for subrequests, but not for internal - redirects triggered by mod_rewrite. [Graham Leggett] - - *) mod_lua: add r:construct_url as a wrapper for ap_construct_url. - [Eric Covener] - - *) mod_remote_ip: Fix configuration of internal proxies. PR 49272. - [Jim Riggs ] - - *) mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific - server IP endpoint and remote client IP upon connection. [William Rowe] - - *) mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with - PeerExtList(). [Stefan Fritsch] - - *) mpm_prefork, mpm_worker, mpm_event: If a child is created just before - graceful restart and then exits because of a missing lock file, don't - shutdown the whole server. PR 39311. [Shawn Michael - ] - - *) mpm_event: Check the return value from ap_run_create_connection. - PR: 41194. [Davi Arnaut] - - *) mod_mime_magic: Add signatures for PNG and SWF to the example config. - PR: 48352. [Jeremy Wagner-Kaiser ] - - *) core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items - from the parsed (or default) config. This is useful for init scripts that - need to setup temporary directories and permissions. [Stefan Fritsch] - - *) core, mod_actions, mod_asis: Downgrade error log messages which accompany - a 404 request status from loglevel error to info. PR: 35768. [Stefan - Fritsch] - - *) core: Fix hook sorting with Perl modules. PR: 45076. [Torsten Foertsch - ] - - *) core: Enforce LimitRequestFieldSize after multiple headers with the same - name have been merged. [Stefan Fritsch] - - *) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory - usage. PR 51618. 
[Cristian Rodríguez , - Stefan Fritsch] - - *) mod_ssl: At startup, when checking a server certificate whether it - matches the configured ServerName, also take dNSName entries in the - subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand] - - *) mod_substitute: Reduce memory usage and copying of data. PR 50559. - [Stefan Fritsch] - - *) mod_ssl/proxy: enable the SNI extension for backend TLS connections - [Kaspar Brand] - - *) Add wrappers for malloc, calloc, realloc that check for out of memory - situations and use them in many places. PR 51568, PR 51569, PR 51571. - [Stefan Fritsch] - - *) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is - false but RLIMIT_* are defined. PR51371. [Eric Covener] - - *) core: Correctly obey ServerName / ServerAlias if the Host header from the - request matches the VirtualHost address. - PR 51709. [Micha Lenk ] - - *) mod_unique_id: Use random number generator to initialize counter. - PR 45110. [Stefan Fritsch] - - *) core: Add convenience API for apr_random. [Stefan Fritsch] - - *) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control - the number of overlapping and reversing ranges (respectively) permitted - before returning the entire resource, with a default limit of 20. - [Jim Jagielski] - - *) mod_ldap: Optional function uldap_ssl_supported(r) always returned false - if called from a virtual host with mod_ldap directives in it. Did not - affect mod_authnz_ldap's usage of mod_ldap. [Eric Covener] - - *) mod_filter: Instead of dropping the Accept-Ranges header when a filter - registered with AP_FILTER_PROTO_NO_BYTERANGE is present, - set the header value to "none". [Eric Covener, Ruediger Pluem] - - *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none' - in the case Ranges are being ignored with MaxRanges none. - [Eric Covener] - - *) mod_ssl: revamp CRL-based revocation checking when validating - certificates of clients or proxied servers. 
Completely delegate - CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck - directive for controlling the revocation checking mode. [Kaspar Brand] - - *) core: Add MaxRanges directive to control the number of ranges permitted - before returning the entire resource, with a default limit of 200. - [Eric Covener] - - *) mod_cache: Ensure that CacheDisable can correctly appear within - a LocationMatch. [Graham Leggett] - - *) mod_cache: Fix the moving of the CACHE filter, which erroneously - stood down if the original filter was not added by configuration. - [Graham Leggett] - - *) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand] - - *) mod_authz_groupfile: Increase length limit of lines in the group file to - 16MB. PR 43084. [Stefan Fritsch] - - *) core: Increase length limit of lines in the configuration file to 16MB. - PR 45888. PR 50824. [Stefan Fritsch] - - *) core: Add API for resizable buffers. [Stefan Fritsch] - - *) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have - LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such - as Tivoli Directory Server 6.3 and later. [Eric Covener] - - *) mod_ldap: Change default number of retries from 10 to 3, and add - an LDAPRetries and LDAPRetryDelay directives. [Eric Covener] - - *) mod_authnz_ldap: Don't retry during authentication, because this just - multiplies the ample retries already being done by mod_ldap. [Eric Covener] - - *) configure: Allow to explicitly disable modules even with module selection - 'reallyall'. [Stefan Fritsch] - - *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the - RewriteEngine is disabled in server context, avoiding a crash while - referencing the invalid int: map at runtime. PR 50994. - [Ben Noordhuis ] - - *) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand] - - *) mod_ssl: remove ssl_toolkit_compat layer. 
[Kaspar Brand] - - *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit. - [Kaspar Brand] - - *) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the - cookie is set when modules such as mod_rewrite trigger a redirect. Also - use r->err_headers_out for the cookie, for the same reason. PR29755. - [Sami J. Mäkinen , Eric Covener] - - *) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and - 'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch] - - *) configure: Enable ldap modules in 'all' and 'most' selections if ldap - is compiled into apr-util. [Stefan Fritsch] - - *) core: Add ap_check_cmd_context()-check if a command is executed in - .htaccess file. [Stefan Fritsch] - - *) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590. - [Torsten Foertsch ] - - *) mod_authn_socache: Fix to work in .htaccess if not configured anywhere - in httpd.conf, and introduce an AuthnCacheEnable directive. - PR 51991 [Nick Kew] - - *) mod_xml2enc: new (formerly third-party) module supporting - internationalisation for filters via smart charset sniffing - and conversion. [Nick Kew] - - *) mod_proxy_html: new (formerly third-party) module to fix up - HTML links in a reverse proxy situation, where a backend - generates URLs that are not resolvable by Clients. [Nick Kew] - -Changes with Apache 2.3.14 - - *) mod_proxy_ajp: Improve trace logging. [Rainer Jung] - - *) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets. - [Rainer Jung] - - *) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse, - e.g. to reverse proxy "Location: https://other-internal-server/login" - [Nick Kew] - - *) prefork, worker, event: Make sure crashes are logged to the error log if - httpd has already detached from the console. [Stefan Fritsch] - - *) prefork, worker, event: Reduce period during startup/restart where a - successive signal may be lost. PR 43696. 
[Arun Bhalla ] - - *) mod_allowmethods: Correct Merging of "reset" and do not allow an - empty parameter list for the AllowMethods directive. [Rainer Jung] - - *) configure: Update selection of modules for 'all' and 'most'. 'all' will - now enable all modules except for example and test modules. Make the - selection for 'most' more useful (including ssl and proxy). Both 'all' - and 'most' will now disable modules if dependencies are missing instead - of aborting. If a specific module is requested with --enable-XXX=yes, - missing dependencies will still cause configure to exit with an error. - [Stefan Fritsch] - - *) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done - in 2.3.13. [Stefan Fritsch] - - *) core: For '*' or '_default_' vhosts, use a wildcard address of any - address family, rather than IPv4 only. [Joe Orton] - - *) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable - include [ ] for literal IPv6 addresses, as mandated by RFC 3875. - PR 26005. [Stefan Fritsch] - - *) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203. - [Nagae Hidetake ] - - *) core: Add more logging to ap_scan_script_header_err* functions. Add - ap_scan_script_header_err*_ex functions that take a module index for - logging. - mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the - new functions in order to make logging configurable per-module. - [Stefan Fritsch] - - *) mod_dir: Add DirectoryIndexRedirect to send an external redirect to - the proper index. [Eric Covener] - - *) mod_deflate: Don't try to compress requests with a zero sized body. - PR 51350. [Stefan Fritsch] - - *) core: Fix startup on IPv6-only systems. PR 50592. [Joe Orton, - ] - - *) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX, - REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the - whitelist in suexec. PR 51499. 
[Graham Laverty , - Stefan Fritsch] - - *) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch] - - *) mod_log_debug: New module that allows to log custom messages at various - phases in the request processing. [Stefan Fritsch] - - *) mod_ssl: Add some debug logging when loading server certificates. - PR 37912. [Nick Burch ] - - *) configure: Support reallyall option also for --enable-mods-static. - [Rainer Jung] - - *) mod_socache_dc: add --with-distcache to configure for choosing - the distcache installation directory. [Rainer Jung] - - *) mod_socache_dc: use correct build variable MOD_SOCACHE_DC_LDADD - instead of MOD_SOCACHE_LDADD in build macro. [Rainer Jung] - - *) mod_lua, mod_deflate: respect platform specific runpath linker - flag. [Rainer Jung] - - *) configure: Only link the httpd binary against PCRE. No other support - binary needs PCRE. [Rainer Jung] - - *) configure: tolerate dependency checking failures for modules if - they have been enabled implicitely. [Rainer Jung] - - *) configure: Allow to specify module specific custom linker flags via - the MOD_XXX_LDADD variables. [Rainer Jung] - -Changes with Apache 2.3.13 - - *) ab: Support specifying the local address to use. PR 48930. - [Peter Schuller ] - - *) core: Add support to ErrorLogFormat for logging the system unique - thread id under Linux. [Stefan Fritsch] - - *) event: New AsyncRequestWorkerFactor directive to influence how many - connections will be accepted per process. [Stefan Fritsch] - - *) prefork, worker, event: Rename MaxClients to MaxRequestWorkers which - describes more accurately what it does. [Stefan Fritsch] - - *) rotatelogs: Add -p argument to specify custom program to invoke - after a log rotation. PR 51285. [Sven Ulland , - Joe Orton] - - *) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand] - - *) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0. - PR 48215. 
[Kaspar Brand] - - *) mod_status: Display information about asynchronous connections in the - server-status. PR 44377. [Stefan Fritsch] - - *) mpm_event: If the number of connections of a process is very high, or if - all workers are busy, don't accept new connections in that process. - [Stefan Fritsch] - - *) mpm_event: Process lingering close asynchronously instead of tying up - worker threads. [Jeff Trawick, Stefan Fritsch] - - *) mpm_event: If MaxMemFree is set, limit the number of pools that is kept - around. [Stefan Fritsch] - - *) mpm_event: Fix graceful restart aborting connections. PR 43359. - [Takashi Sato ] - - *) mod_ssl: Disable AECDH ciphers in example config. PR 51363. - [Rob Stradling ] - - *) core: Introduce new function ap_get_conn_socket() to access the socket of - a connection. [Stefan Fritsch] - - *) mod_data: Introduce a filter to support RFC2397 data URLs. [Graham - Leggett] - - *) mod_userdir/mod_alias/mod_vhost_alias: Correctly set DOCUMENT_ROOT, - CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX. PR 26052. PR 46198. - [Stefan Fritsch] - - *) core: Allow to override document_root on a per-request basis. Introduce - new context_document_root and context_prefix which provide information - about non-global URI-to-directory mappings (from e.g. mod_userdir or - mod_alias) to scripts. PR 49705. [Stefan Fritsch] - - *) core: Add and to complement sections. - [Stefan Fritsch] - - *) mod_ext_filter: Remove DebugLevel option in favor of per-module loglevel. - [Stefan Fritsch] - - *) mod_include: Make the "#if expr" element use the new "ap_expr" expression - parser. The old parser can still be used by setting the new directive - SSILegacyExprParser. 
[Stefan Fritsch] - - *) core: Add some features to ap_expr for use by mod_include: a restricted - mode that does not allow to bypass request access restrictions; new - variables DOCUMENT_URI (alias for REQUEST_URI), LAST_MODIFIED; -A as an - alias for -U; an additional data entry in ap_expr_eval_ctx_t for use by - the consumer; an extensible ap_expr_exec_ctx() API that allows to use that - data entry. [Stefan Fritsch] - - *) mod_include: Merge directory configs instead of one SSI* config directive - causing all other per-directory SSI* config directives to be reset. - [Stefan Fritsch] - - *) mod_charset_lite: Remove DebugLevel option in favour of per-module - loglevel. [Stefan Fritsch] - - *) core: Add ap_regexec_len() function that works with non-null-terminated - strings. PR 51231. [Yehezkel Horowitz ] - - *) mod_authnz_ldap: If the LDAP server returns constraint violation, - don't treat this as an error but as "auth denied". [Stefan Fritsch] - - *) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO - for SCGI/FCGI. PR 50880, 50851. [Mark Montague , - Jim Jagielski] - - *) mod_cache: When content is served stale, and there is no means to - revalidate the content using ETag or Last-Modified, and we have - mandated no stale-on-error behaviour, stand down and don't cache. - Saves a cache write that will never be read. - [Graham Leggett] - - *) mod_reqtimeout: Fix a timed out connection going into the keep-alive - state after a timeout when discarding a request body. PR 51103. - [Stefan Fritsch] - - *) core: Add various file existance test operators to ap_expr. - [Stefan Fritsch] - - *) mod_proxy_express: New mass reverse-proxy switch extension for - mod_proxy. [Jim Jagielski] - - *) configure: Fix script error when configuring module set "reallyall". - [Rainer Jung] - -Changes with Apache 2.3.12 - - *) configure, core: Provide easier support for APR's hook probe - capability. [Jim Jagielski, Jeff Trawick] - - *) Silence autoconf 2.68 warnings. 
[Rainer Jung] - - *) mod_authnz_ldap: Resolve crash when LDAP is used for authorization only - [Scott Hill ] - - *) support: Make sure check_forensic works with mod_unique_id loaded - [Joe Schaefer] - - *) Add child_status hook for tracking creation/termination of MPM child - processes. Add end_generation hook for notification when the last - MPM child of a generation exits. [Jeff Trawick] - - *) mod_ldap: Make LDAPSharedCacheSize 0 create a non-shared-memory cache per - process as opposed to disabling caching completely. This allows to use - the non-shared-memory cache as a workaround for the shared memory cache - not being available during graceful restarts. PR 48958. [Stefan Fritsch] - - *) Add new ap_reserve_module_slots/ap_reserve_module_slots_directive API, - necessary if a module (like mod_perl) registers additional modules late - in the startup phase. [Stefan Fritsch] - - *) core: Prevent segfault if DYNAMIC_MODULE_LIMIT is reached. PR 51072. - [Torsten Förtsch ] - - *) WinNT MPM: Improve robustness under heavy load. [Jeff Trawick] - - *) MinGW build improvements. PR 49535. [John Vandenberg - , Jeff Trawick] - - *) core: Support module names with colons in loglevel configuration. - [Torsten Förtsch ] - - *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support. - [Stefan Fritsch] - - *) core: Abort if the MPM is changed across restart. [Jeff Trawick] - - *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945. - [Peter Pramberger , Jim Jagielski] - - *) mod_proxy_fcgi: Add support for 'ProxyErrorOverride on'. PR 50913. - [Mark Montague , Jim Jagielski] - - *) core: Change the APIs of ap_cfg_getline() and ap_cfg_getc() to return an - error code. Abort with a nice error message if a config line is too long. - Partial fix for PR 50824. [Stefan Fritsch] - - *) mod_info: Dump config to stdout during startup if -DDUMP_CONFIG is - specified. PR 31956. [Stefan Fritsch] - - *) Restore visibility of DEFAULT_PIDLOG to core and modules. 
MPM - helper function ap_remove_pid() added. [Jeff Trawick] - - *) Enable DEFAULT_REL_RUNTIMEDIR on Windows and NetWare. [various] - - *) Correct C++ incompatibility with http_log.h. [Stefan Fritsch, Jeff - Trawick] - - *) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch - ] - - *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes - in request URL path info but not decode them. Change behavior of option - "On" to decode the encoded slashes as 2.0 and 2.2 do. PR 35256, - PR 46830. [Dan Poirier] - - *) mod_ssl: Check SNI hostname against Host header case-insensitively. - PR 49491. [Mayank Agrawal ] - - *) mod_ldap: Add LDAPConnectionPoolTTL to give control over lifetime - of bound backend LDAP connections. PR47634 [Eric Covener] - - *) mod_cache: Make CacheEnable and CacheDisable configurable per - directory in addition to per server, making them work from within - a LocationMatch. [Graham Leggett] - - *) worker, event, prefork: Correct several issues when built as - DSOs; most notably, the scoreboard was reinitialized during graceful - restart, such that processes of the previous generation were not - observable. [Jeff Trawick] - -Changes with Apache 2.3.11 - - *) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI. - Win32's cscript interpreter can only use a single quote as comment char. - [Guenter Knauf] - - *) mod_proxy: balancer-manager now uses POST instead of GET. - [Jim Jagielski] - - *) core: new util function: ap_parse_form_data(). Previously, - this capability was tucked away in mod_request. [Jim Jagielski] - - *) core: new hook: ap_run_pre_read_request. [Jim Jagielski] - - *) mod_cache: When a request other than GET or HEAD arrives, we must - invalidate existing cache entities as per RFC2616 13.10. PR 15868. - [Graham Leggett] - - *) modules: Fix many modules that were not correctly initializing if they - were not active during server startup but got enabled later during a - graceful restart. 
[Stefan Fritsch] - - *) core: Create new ap_state_query function that allows modules to determine - if the current configuration run is the initial one at server startup, - and if the server is started for testing/config dumping only. - [Stefan Fritsch] - - *) mod_proxy: Runtime configuration of many parameters for existing - balancers via the balancer-manager. [Jim Jagielski] - - *) mod_proxy: Runtime addition of new workers (BalancerMember) for existing - balancers via the balancer-manager. [Jim Jagielski] - - *) mod_cache: When a bad Expires date is present, we need to behave as if - the Expires is in the past, not as if the Expires is missing. PR 16521. - [Co-Advisor ] - - *) mod_cache: We must ignore quoted-string values that appear in a - Cache-Control header. PR 50199. [Graham Leggett] - - *) mod_dav: Revert change to send 501 error if unknown Content-* header is - received for a PUT request. PR 42978. [Stefan Fritsch] - - *) mod_cache: Respect s-maxage as described by RFC2616 14.9.3, which must - take precedence if present. PR 35247. [Graham Leggett] - - *) mod_ssl: Fix a possible startup failure if multiple SSL vhosts - are configured with the same ServerName and private key file. - [Masahiro Matsuya , Joe Orton] - - *) mod_socache_dc: Make module compile by fixing some typos. - PR 50735 [Mark Montague ] - - *) prefork: Update MPM state in children during a graceful stop or - restart. PR 41743. [Andrew Punch ] - - *) mod_mime: Ignore leading dots when looking for mime extensions. - PR 50434 [Stefan Fritsch] - - *) core: Add support to set variables with the 'Define' directive. The - variables that can then be used in the config using the ${VAR} syntax - known from envvar interpolation. [Stefan Fritsch] - - *) mod_proxy_http: make adding of X-Forwarded-* headers configurable. - ProxyAddHeaders defaults to On. [Vincent Deffontaines] - - *) mod_slotmem_shm: Increase memory alignment for slotmem data. 
- [Rainer Jung] - - *) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout, - SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew. - [Kaspar Brand ] - - *) mod_ssl: Revamp output buffering to reduce network overhead for - output fragmented into many buckets, such as chunked HTTP responses. - [Joe Orton] - - *) core: Apply sections to all requests, not only to file base requests. - Allow to use inside , , and sections. - The merging of sections now happens after the merging of - sections, even if an section is embedded inside a or - section. [Stefan Fritsch] - - *) mod_proxy: Refactor usage of shared data by dropping the scoreboard - and using slotmem. Create foundation for dynamic growth/changes of - members within a balancer. Remove BalancerNonce in favor of a - per-balancer 'nonce' parameter. [Jim Jagielski] - - *) mod_status: Don't show slots which are disabled by MaxClients as open. - PR: 47022 [Jordi Prats , Stefan Fritsch] - - *) mpm_prefork: Fix ap_mpm_query results for AP_MPMQ_MAX_DAEMONS and - AP_MPMQ_MAX_THREADS. - - *) mod_authz_core: Fix bug in merging logic if user-based and non-user-based - authorization directives were mixed. [Stefan Fritsch] - - *) mod_authn_socache: change directive name from AuthnCacheProvider - to AuthnCacheProvideFor. The term "provider" is overloaded in - this module, and we should avoid confusion between the provider - of a backend (AuthnCacheSOCache) and the authn provider(s) for - which this module provides cacheing (AuthnCacheProvideFor). - [Nick Kew] - - *) mod_proxy_http: Allocate the fake backend request from a child pool - of the backend connection, instead of misusing the pool of the frontend - request. Fixes a thread safety issue where buckets set aside in the - backend connection leak into other threads, and then disappear when - the frontend request is cleaned up, in turn causing corrupted buckets - to make other threads spin. 
[Graham Leggett] - - *) mod_ssl: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables - to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and - escape other special characters with backslashes. The old format can - still be used with the LegacyDNStringFormat argument to SSLOptions. - - *) core, mod_rewrite: Make the REQUEST_SCHEME variable available to - scripts and mod_rewrite. [Stefan Fritsch] - - *) mod_rewrite: Allow to use arbitrary boolean expressions (ap_expr) in - RewriteCond. [Stefan Fritsch] - - *) mod_rewrite: Allow to unset environment variables using E=!VAR. - PR 49512. [Mark Drayton , Stefan Fritsch] - - *) mod_headers: Restore the 2.3.8 and earlier default for the first - argument of the Header directive ("onsuccess"). [Eric Covener] - - *) core: Disallow the mixing of relative and absolute Options PR 33708. - [Sönke Tesch ] - - *) core: When exporting request headers to HTTP_* environment variables, - drop variables whose names contain invalid characters. Describe in the - docs how to restore the old behaviour. [Malte S. Stretz ] - - *) core: When selecting an IP-based virtual host, favor an exact match for - the port over a wildcard (or omitted) port instead of favoring the one - that came first in the configuration file. [Eric Covener] - - *) core: Overlapping virtual host address/port combinations now implicitly - enable name-based virtual hosting for that address. The NameVirtualHost - directive has no effect, and _default_ is interpreted the same as "*". - [Eric Covener] - - *) core: In the absence of any Options directives, the default is now - "FollowSymlinks" instead of "All". [Igor Galić] - - *) rotatelogs: Add -e option to write logs through to stdout for optional - further processing. [Graham Leggett] - - *) mod_ssl: Correctly read full lines in input filter when the line is - incomplete during first read. PR 50481. 
[Ruediger Pluem] - - *) mod_authz_core: Add AuthzSendForbiddenOnFailure directive to allow - sending '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if authorization - fails for an authenticated user. PR 40721. [Stefan Fritsch] - -Changes with Apache 2.3.10 - - *) mod_rewrite: Don't implicitly URL-escape the original query string - when no substitution has changed it. PR 50447. [Eric Covener] - - *) core: Honor 'AcceptPathInfo OFF' during internal redirects, - such as per-directory mod_rewrite substitutions. PR 50349. - [Eric Covener] - - *) mod_rewrite: Add 'RewriteOptions InheritBefore' to put the base - rules/conditions before the overridden rules/conditions. PR 39313. - [Jérôme Grandjanny ] - - *) mod_autoindex: add IndexIgnoreReset to reset the list of IndexIgnored - filenames in higher precedence configuration sections. PR 24243. - [Eric Covener] - - *) mod_cgid: RLimit* directive support for mod_cgid. PR 42135 - [Eric Covener] - - *) core: Fail startup when the argument to ServerName looks like a glob - or a regular expression instead of a hostname (*?[]). PR 39863 - [Rahul Nair ] - - *) mod_userdir: Add merging of enable, disable, and filename arguments - to UserDir directive, leaving enable/disable of userlists unmerged. - PR 44076 [Eric Covener] - - *) httpd: When no -k option is provided on the httpd command line, the server - was starting without checking for an existing pidfile. PR 50350 - [Eric Covener] - - *) mod_proxy: Put the worker in error state if the SSL handshake with the - backend fails. PR 50332. - [Daniel Ruggeri , Ruediger Pluem] - - *) mod_cache_disk: Fix Windows build which was broken after renaming - the module. [Gregg L. Smith] - -Changes with Apache 2.3.9 - - *) SECURITY: CVE-2010-1623 (cve.mitre.org) - Fix a denial of service attack against mod_reqtimeout. - [Stefan Fritsch] - - *) mod_headers: Change default first argument of Header directive - from "onsuccess" to "always". 
[Eric Covener] - - *) mod_include: Add the onerror attribute to the include element, - allowing an URL to be specified to include on error. [Graham - Leggett] - - *) mod_cache_disk: mod_disk_cache renamed to mod_cache_disk, to be - consistent with the naming of other modules. [Graham Leggett] - - *) mod_setenvif: Add SetEnvIfExpr directive to set env var depending on - expression. [Stefan Fritsch] - - *) mod_proxy: Fix ProxyPassInterpolateEnv directive. PR 50292. - [Stefan Fritsch] - - *) suEXEC: Add Suexec directive to disable suEXEC without renaming the - binary (Suexec Off), or force startup failure if suEXEC is required - but not supported (Suexec On). Change SuexecUserGroup to fail - startup instead of just printing a warning if suEXEC is disabled. - [Jeff Trawick] - - *) core: Add Error directive for aborting startup or htaccess processing - with a specified error message. [Jeff Trawick] - - *) mod_rewrite: Fix the RewriteEngine directive to work within a - location. Previously, once RewriteEngine was switched on globally, - it was impossible to switch off. [Graham Leggett] - - *) core, mod_include, mod_ssl: Move the expression parser derived from - mod_include back into mod_include. Replace ap_expr with a parser - derived from mod_ssl's parser. Make mod_ssl use the new parser. Rework - ap_expr's public interface and provide hooks for modules to add variables - and functions. [Stefan Fritsch] - - *) core: Do the hook sorting earlier so that the hooks are properly sorted - for the pre_config hook and during parsing the config. [Stefan Fritsch] - - *) core: In the absence of any AllowOverride directives, the default is now - "None" instead of "All". PR49823 [Eric Covener] - - *) mod_proxy: Don't allow ProxyPass or ProxyPassReverse in - or . PR47765 [Eric Covener] - - *) prefork/worker/event MPMS: default value (when no directive is present) - of MaxConnectionsPerChild/MaxRequestsPerChild is changed to 0 from 10000 - to match default configuration and manual. 
PR47782 [Eric Covener] - - *) proxy_connect: Don't give up in the middle of a CONNECT tunnel - when the child process is starting to exit. PR50220. [Eric Covener] - - *) mod_autoindex: Fix inheritance of mod_autoindex directives into - contexts that don't have any mod_autoindex directives. PR47766. - [Eric Covener] - - *) mod_rewrite: Add END flag for RewriteRule to prevent further rounds - of rewrite processing when a per-directory substitution occurs. - [Eric Covener] - - *) mod_ssl: Make sure to always log an error if loading of CA certificates - fails. PR 40312. [Paul Tiemann ] - - *) mod_dav: Send 501 error if unknown Content-* header is received for a PUT - request (RFC 2616 9.6). PR 42978. [Stefan Fritsch] - - *) mod_dav: Send 400 error if malformed Content-Range header is received for - a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch] - - *) mod_proxy: Release the backend connection as soon as EOS is detected, - so the backend isn't forced to wait for the client to eventually - acknowledge the data. [Graham Leggett] - - *) mod_proxy: Optimise ProxyPass within a Location so that it is stored - per-directory, and chosen during the location walk. Make ProxyPass - work correctly from within a LocationMatch. [Graham Leggett] - - *) core: Fix segfault if per-module LogLevel is on virtual host - scope. PR 50117. [Stefan Fritsch] - - *) mod_proxy: Move the ProxyErrorOverride directive to have per - directory scope. [Graham Leggett] - - *) mod_allowmethods: New module to deny certain HTTP methods without - interfering with authentication/authorization. [Paul Querna, - Igor Galić, Stefan Fritsch] - - *) mod_ssl: Log certificate information and improve error message if client - cert verification fails. PR 50093, PR 50094. [Lassi Tuura , - Stefan Fritsch] - - *) htcacheclean: Teach htcacheclean to limit cache size by number of - inodes in addition to size of files. Prevents a cache disk from - running out of space when many small files are cached. 
- [Graham Leggett] - - *) core: Rename MaxRequestsPerChild to MaxConnectionsPerChild, which - describes more accurately what the directive does. The old name - still works but logs a warning. [Stefan Fritsch] - - *) mod_cache: Optionally serve stale data when a revalidation returns a - 5xx response, controlled by the CacheStaleOnError directive. - [Graham Leggett] - - *) htcacheclean: Allow the listing of valid URLs within the cache, with - the option to list entry metadata such as sizes and times. [Graham - Leggett] - - *) mod_cache: correctly parse quoted strings in cache headers. - PR 50199 [Nick Kew] - - *) mod_cache: Allow control over the base URL of reverse proxied requests - using the CacheKeyBaseURL directive, so that the cache key can be - calculated from the endpoint URL instead of the server URL. [Graham - Leggett] - - *) mod_cache: CacheLastModifiedFactor, CacheStoreNoStore, CacheStorePrivate, - CacheStoreExpired, CacheIgnoreNoLastMod, CacheDefaultExpire, - CacheMinExpire and CacheMaxExpire can be set per directory/location. - [Graham Leggett] - - *) mod_disk_cache: CacheMaxFileSize, CacheMinFileSize, CacheReadSize and - CacheReadTime can be set per directory/location. [Graham Leggett] - - *) core: Speed up config parsing if using a very large number of config - files. PR 50002 [andrew cloudaccess net] - - *) mod_cache: Support the caching of HEAD requests. [Graham Leggett] - - *) htcacheclean: Allow the option to round up file sizes to a given - block size, improving the accuracy of disk usage. [Graham Leggett] - - *) mod_ssl: Add authz providers for use with mod_authz_core and its - RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL), - 'ssl-verify-client' (for use with 'SSLVerifyClient optional'), and - 'ssl-require' (expressions with same syntax as SSLRequire). - [Stefan Fritsch] - - *) mod_ssl: Make the ssl expression parser thread-safe. It now requires - bison instead of yacc. 
[Stefan Fritsch] - - *) mod_disk_cache: Change on-disk header file format to support the - link of the device/inode of the data file to the matching header - file, and to support the option of not writing a data file when - the data file is empty. [Graham Leggett] - - *) core/mod_unique_id: Add generate_log_id hook to allow to use - the ID generated by mod_unique_id as error log ID for requests. - [Stefan Fritsch] - - *) mod_cache: Make sure that we never allow a 304 Not Modified response - that we asked for to leak to the client should the 304 response be - uncacheable. PR45341 [Graham Leggett] - - *) mod_cache: Add the cache_status hook to register the final cache - decision hit/miss/revalidate. Add optional support for an X-Cache - and/or an X-Cache-Detail header to add the cache status to the - response. PR48241 [Graham Leggett] - - *) mod_authz_host: Add 'local' provider that matches connections originating - on the local host. PR 19938. [Stefan Fritsch] - - *) Event MPM: Fix crash accessing pollset on worker thread when child - process is exiting. [Jeff Trawick] - - *) core: For process invocation (cgi, fcgid, piped loggers and so forth) - pass the system library path (LD_LIBRARY_PATH or platform-specific - variables) along with the system PATH, by default. Both should be - overridden together as desired using PassEnv etc; see mod_env. - [William Rowe] - - *) mod_cache: Introduce CacheStoreExpired, to allow administrators to - capture a stale backend response, perform If-Modified-Since requests - against the backend, and serving from the cache all 304 responses. - This restores pre-2.2.4 cache behavior. [William Rowe] - - *) mod_rewrite: Introduce <=, >= string comparison operators, and integer - comparators -lt, -le, -eq, -ge, and -gt. To help bash users and drop - the ambiguity of the symlink test "-ltest", introduce -h or -L as - symlink test operators. 
[William Rowe] - - *) mod_cache: Give the cache provider the opportunity to choose to cache - or not cache based on the buckets present in the brigade, such as the - presence of a FILE bucket. - [Graham Leggett] - - *) mod_authz_core: Allow authz providers to check args while reading the - config and allow to cache parsed args. Move 'all' and 'env' authz - providers from mod_authz_host to mod_authz_core. Add 'method' authz - provider depending on the HTTP method. [Stefan Fritsch] - - *) mod_include: Move the request_rec within mod_include to be - exposed within include_ctx_t. [Graham Leggett] - - *) mod_include: Reinstate support for UTF-8 character sets by allowing a - variable being echoed or set to be decoded and then encoded as separate - steps. PR47686 [Graham Leggett] - - *) mod_cache: Add a discrete commit_entity() provider function within the - mod_cache provider interface which is called to indicate to the - provider that caching is complete, giving the provider the opportunity - to commit temporary files permanently to the cache in an atomic - fashion. Replace the inconsistent use of error cleanups with a formal - set of pool cleanups attached to a subpool, which is destroyed on error. - [Graham Leggett] - - *) mod_cache: Change the signature of the store_body() provider function - within the mod_cache provider interface to support an "in" brigade - and an "out" brigade instead of just a single input brigade. This - gives a cache provider the option to consume only part of the brigade - passed to it, rather than the whole brigade as was required before. - This fixes an out of memory and a request timeout condition that would - occur when the original document was a large file. Introduce - CacheReadSize and CacheReadTime directives to mod_disk_cache to control - the amount of data to attempt to cache at a time. 
[Graham Leggett] - - *) core: Add ErrorLogFormat to allow configuring error log format, including - additional information that is logged once per connection or request. Add - error log IDs for connections and request to allow correlating error log - lines and the corresponding access log entry. [Stefan Fritsch] - - *) core: Disable sendfile by default. [Stefan Fritsch] - - *) mod_cache: Check the request to determine whether we are allowed - to return cached content at all, and respect a "Cache-Control: - no-cache" header from a client. Previously, "no-cache" would - behave like "max-age=0". [Graham Leggett] - - *) mod_cache: Use a proper filter context to hold filter data instead - of misusing the per-request configuration. Fixes a segfault on trunk - when the normal handler is used. [Graham Leggett] - - *) mod_cgid: Log a warning if the ScriptSock path is truncated because - it is too long. PR 49388. [Stefan Fritsch] - - *) vhosts: Do not allow _default_ in NameVirtualHost, or mixing * - and non-* ports on NameVirtualHost, or multiple NameVirtualHost - directives for the same address:port, or NameVirtualHost - directives with no matching VirtualHosts, or multiple ip-based - VirtualHost sections for the same address:port. These were - previously accepted with a warning, but the behavior was - undefined. [Dan Poirier] - - *) mod_remoteip: Fix a segfault when using mod_remoteip in conjunction with - Allow/Deny. PR 49838. [Andrew Skalski ] - - *) core: DirectoryMatch can now match on the end of line character ($), - and sub-directories of matched directories are no longer implicitly - matched. PR49809 [Eric Covener] - - *) Regexps: introduce new higher-level regexp utility including parsing - and executing perl-style regexp ops (e.g s/foo/bar/i) and regexp memory - [Nick Kew] - - *) Proxy: support setting source address. 
PR 29404 - [Multiple contributors iterating through bugzilla, - Aron Ujvari , Aleksey Midenkov , - ] - - *) mod_dav_fs: Fix broken "creationdate" property. - Regression in version 2.3.7. [Rainer Jung] - -Changes with Apache 2.3.7 - - *) SECURITY: CVE-2010-1452 (cve.mitre.org) - mod_dav, mod_cache, mod_session: Fix Handling of requests without a path - segment. PR: 49246 [Mark Drayton, Jeff Trawick] - - *) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076. - [Stefan Fritsch] - - *) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639. - [Stefan Fritsch] - - *) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers - via leveraging 100-Continue as the initial "request". - [Jim Jagielski] - - *) core/mod_authz_core: Introduce new access_checker_ex hook that enables - mod_authz_core to bypass authentication if access should be allowed by - IP address/env var/... [Stefan Fritsch] - - *) core: Introduce note_auth_failure hook to allow modules to add support - for additional auth types. This makes ap_note_auth_failure() work with - mod_auth_digest again. PR 48807. [Stefan Fritsch] - - *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew] - - *) mod_authn_socache: new module [Nick Kew] - - *) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch] - - *) Fix Windows build when using VC6. [Gregg L. Smith ] - - *) mod_rewrite: Allow to set environment variables without explicitly - giving a value. [Rainer Jung] - - *) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung] - - *) mod_include: recognise "text/html; parameters" as text/html - PR 49616 [Andrey Chernov ] - - *) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH - PR 43906 [Nick Kew] - - *) Core: Extra robustness: don't try authz and segfault if authn - fails to set r->user. Log bug and return 500 instead. 
- PR 42995 [Nick Kew] - - *) HTTP protocol filter: fix handling of longer chunk extensions - PR 49474 [] - - *) Update SSL cipher suite and add example for SSLHonorCipherOrder. - [Lars Eilebrecht, Rainer Jung] - - *) move AddOutputFilterByType from core to mod_filter. This should - fix nasty side-effects that happen when content_type is set - more than once in processing a request, and make it fully - compatible with dynamic and proxied contents. [Nick Kew] - - *) mod_log_config: Implement logging for sub second timestamps and - request end time. [Rainer Jung] - -Changes with Apache 2.3.6 - - *) SECURITY: CVE-2009-3555 (cve.mitre.org) - mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection - attack when compiled against OpenSSL version 0.9.8m or later. Introduces - the 'SSLInsecureRenegotiation' directive to reopen this vulnerability - and offer unsafe legacy renegotiation with clients which do not yet - support the new secure renegotiation protocol, RFC 5746. - [Joe Orton, and with thanks to the OpenSSL Team] - - *) SECURITY: CVE-2009-3555 (cve.mitre.org) - mod_ssl: A partial fix for the TLS renegotiation prefix injection attack - by rejecting any client-initiated renegotiations. Forcibly disable - keepalive for the connection if there is any buffered data readable. Any - configuration which requires renegotiation for per-directory/location - access control is still vulnerable, unless using OpenSSL >= 0.9.8l. - [Joe Orton, Ruediger Pluem, Hartmut Keil ] - - *) SECURITY: CVE-2010-0408 (cve.mitre.org) - mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent - when request headers indicate a request body is incoming; not a case of - HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola ] - - *) SECURITY: CVE-2010-0425 (cve.mitre.org) - mod_isapi: Do not unload an isapi .dll module until the request - processing is completed, avoiding orphaned callback pointers. 
- [Brett Gervasoni , Jeff Trawick] - - *) core: Filter init functions are now run strictly once per request - before handler invocation. The init functions are no longer run - for connection filters. PR 49328. [Joe Orton] - - *) core: Adjust the output filter chain correctly in an internal - redirect from a subrequest, preserving filters from the main - request as necessary. PR 17629. [Joe Orton] - - *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial - Response if they so choose to do so. Previously an attempt to cache a 206 - was arbitrarily allowed if the response contained an Expires or - Cache-Control header, and arbitrarily denied if both headers were missing. - [Graham Leggett] - - *) core: Add microsecond timestamp fractions, process id and thread id - to the error log. [Rainer Jung] - - *) configure: The "most" module set gets build by default. [Rainer Jung] - - *) configure: Building dynamic modules (DSO) by default. [Rainer Jung] - - *) configure: Fix broken VPATH build when using included APR. - [Rainer Jung] - - *) mod_session_crypto: Fix configure problem when building - with APR 2 and for VPATH builds with included APR. - [Rainer Jung] - - *) mod_session_crypto: API compatibility with APR 2 crypto and - APR Util 1.x crypto. [Rainer Jung] - - *) ab: Fix memory leak with -v2 and SSL. PR 49383. - [Pavel Kankovsky ] - - *) core: Add per-module and per-directory loglevel configuration. - Add some more trace logging. - mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels. - mod_ssl: Replace LogLevelDebugDump with trace log levels. - mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info - and debug. - mod_dumpio: Replace DumpIOLogLevel with trace log levels. - [Stefan Fritsch] - - *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns - title page only) when any mod_ldap directives were used in VirtualHost - context. 
[Eric Covener] - - *) mod_disk_cache: Decline the opportunity to cache if the response is - a 206 Partial Content. This stops a reverse proxied partial response - from becoming cached, and then being served in subsequent responses. - [Graham Leggett] - - *) mod_deflate: avoid the risk of forwarding data before headers are set. - PR 49369 [Matthew Steele ] - - *) mod_authnz_ldap: Ensure nested groups are checked when the - top-level group doesn't have any direct non-group members - of attributes in AuthLDAPGroupAttribute. [Eric Covener] - - *) mod_authnz_ldap: Search or Comparison during authorization phase - can use the credentials from the authentication phase - (AuthLDAPSearchAsUSer,AuthLDAPCompareAsUser). - PR 48340 [Domenico Rotiroti, Eric Covener] - - *) mod_authnz_ldap: Allow the initial DN search during authentication - to use the HTTP username/pass instead of an anonymous or hard-coded - LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern). - [Eric Covener] - - *) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix - when this module is used for authorization. See AuthLDAPAuthorizePrefix. - PR 45584 [Eric Covener] - - *) apxs -q: Stop filtering out ':' characters from the reported values. - PR 45343. [Bill Cole] - - *) prefork MPM: Work around possible crashes on child exit in APR reslist - cleanup code. PR 43857. [Tom Donovan] - - *) ab: fix number of requests sent by ab when keepalive is enabled. PR 48497. - [Bryn Dole ] - - *) Log an error for failures to read a chunk-size, and return 408 instead of - 413 when this is due to a read timeout. This change also fixes some cases - of two error documents being sent in the response for the same scenario. - [Eric Covener] PR49167 - - *) mod_proxy_balancer: Add new directive BalancerNonce to allow admin - to control/set the nonce used in the balancer-manager application. - [Jim Jagielski] - - *) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673. 
- [Stefan Fritsch] - - *) Proxy balancer: support setting error status according to HTTP response - code from a backend. PR 48939. [Daniel Ruggeri ] - - *) htcacheclean: Introduce the ability to clean specific URLs from the - cache, if provided as an optional parameter on the command line. - [Graham Leggett] - - *) core: Introduce the IncludeStrict directive, which explicitly fails - server startup if no files or directories match a wildcard path. - [Graham Leggett] - - *) htcacheclean: Report additional statistics about entries deleted. - PR 48944. [Mark Drayton mark markdrayton.info] - - *) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all - builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper - build of openssl is required for 'SSLFIPS on'. PR 46270. - [Dr Stephen Henson , William Rowe] - - *) mod_proxy_http: Log the port of the remote server in various messages. - PR 48812. [Igor Galić ] - - *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend - connections and other protocol handlers (like mod_ftp). [Stefan Fritsch] - - *) mod_proxy_ajp: Really regard the operation a success, when the client - aborted the connection. In addition adjust the log message if the client - aborted the connection. [Ruediger Pluem] - - *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which - allows insecure renegotiation with clients which do not yet - support the secure renegotiation protocol. [Joe Orton] - - *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs - is configured for client cert auth. PR 46952. [Joe Orton] - - *) core: Only log a 408 if it is no keepalive timeout. PR 39785 - [Ruediger Pluem, Mark Montague ] - - *) support/rotatelogs: Add -L option to create a link to the current - log file. PR 48761 [, Dan Poirier] - - *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory - setting only, matching most of the documentation and examples. 
- PR 46541 [Paul Reder, Eric Covener] - - *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument - types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener] - - *) mod_negotiation: Preserve query string over multiviews negotiation. - This buglet was fixed for type maps in 2.2.6, but the same issue - affected multiviews and was overlooked. - PR 33112 [Joergen Thomsen ] - - *) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert - when some are not password-protected. [Eric Covener] - - *) Fix startup segfault when the Mutex directive is used but no loaded - modules use httpd mutexes. PR 48787. [Jeff Trawick] - - *) Proxy: get the headers right in a HEAD request with - ProxyErrorOverride, by checking for an overridden error - before not after going into a catch-all code path. - PR 41646. [Nick Kew, Stuart Children] - - *) support/rotatelogs: Support the simplest log rotation case, log - truncation. Useful when the log is being processed in real time - using a command like tail. [Graham Leggett] - - *) support/htcacheclean: Teach it how to write a pid file (modelled on - httpd's writing of a pid file) so that it becomes possible to run - more than one instance of htcacheclean on the same machine. - [Graham Leggett] - - *) Log command line on startup, so there's a record of command line - arguments like -f. PR 48752. [Dan Poirier] - - *) Introduce mod_reflector, a handler capable of reflecting POSTed - request bodies back within the response through the output filter - stack. Can be used to turn an output filter into a web service. - [Graham Leggett] - - *) mod_proxy_http: Make sure that when an ErrorDocument is served - from a reverse proxied URL, that the subrequest respects the status - of the original request. This brings the behaviour of proxy_handler - in line with default_handler. PR 47106. 
[Graham Leggett] - - *) Support wildcards in both the directory and file components of - the path specified by the Include directive. [Graham Leggett] - - *) mod_proxy, mod_proxy_http: Support remote https proxies - by using HTTP CONNECT. PR 19188. - [Philippe Dutrueux , Rainer Jung] - - *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf - [Philip M. Gollucci] - - *) worker: Don't report server has reached MaxClients until it has. - Add message when server gets within MinSpareThreads of MaxClients. - PR 46996. [Dan Poirier] - - *) mod_session: Session expiry was being initialised, but not updated - on each session save, resulting in timed out sessions when there - should not have been. Fixed. [Graham Leggett] - - *) mod_log_config: Add the R option to log the handler used within the - request. [Christian Folini ] - - *) mod_include: Allow fine control over the removal of Last-Modified and - ETag headers within the INCLUDES filter, making it possible to cache - responses if desired. Fix the default value of the SSIAccessEnable - directive. [Graham Leggett] - - *) Add new UnDefine directive to undefine a variable. PR 35350. - [Stefan Fritsch] - - *) Make ap_pregsub(), used by AliasMatch and friends, use the same syntax - for regex backreferences as mod_rewrite and mod_include: Remove the use - of '&' as an alias for '$0' and allow to escape any character with a - backslash. PR 48351. [Stefan Fritsch] - - *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the - password to UTF-8. PR 45318. - [Johannes Müller , Stefan Fritsch] - - *) ab: Fix calculation of requests per second in HTML output. PR 48594. - [Stefan Fritsch] - - *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user - password now result in an informational level log entry instead of - warning level. 
[Eric Covener] - -Changes with Apache 2.3.5 - - *) SECURITY: CVE-2010-0434 (cve.mitre.org) - Ensure each subrequest has a shallow copy of headers_in so that the - parent request headers are not corrupted. Eliminates a problematic - optimization in the case of no request body. PR 48359 - [Jake Scott, William Rowe, Ruediger Pluem] - - *) Turn static function get_server_name_for_url() into public - ap_get_server_name_for_url() and use it where appropriate. This - fixes mod_rewrite generating invalid URLs for redirects to IPv6 - literal addresses. [Stefan Fritsch] - - *) mod_ldap: Introduce new config option LDAPTimeout to set the timeout - for LDAP operations like bind and search. [Stefan Fritsch] - - *) mod_proxy, mod_proxy_ftp: Move ProxyFtpDirCharset from mod_proxy to - mod_proxy_ftp. [Takashi Sato] - - *) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to - mod_proxy_connect. [Takashi Sato] - - *) mod_cache: Do an exact match of the keys defined by - CacheIgnoreURLSessionIdentifiers against the querystring instead of - a partial match. PR 48401. - [Dodou Wang , Ruediger Pluem] - - *) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung] - - *) Core HTTP: disable keepalive when the Client has sent - Expect: 100-continue - but we respond directly with a non-100 response. - Keepalive here led to data from clients continuing being treated as - a new request. - PR 47087 [Nick Kew] - - *) Core: reject NULLs in request line or request headers. - PR 43039 [Nick Kew] - - *) Core: (re)-introduce -T commandline option to suppress documentroot - check at startup. 
- PR 41887 [Jan van den Berg ] - - *) mod_autoindex: support XHTML as equivalent to HTML in IndexOptions, - ScanHTMLTitles, ReadmeName, HeaderName - PR 48416 [Dmitry Bakshaev , Nick Kew] - - *) Proxy: Fix ProxyPassReverse with relative URL - Derived (slightly erroneously) from PR 38864 [Nick Kew] - - *) mod_headers: align Header Edit with Header Set when used on Content-Type - PR 48422 [Cyril Bonté , Nick Kew>] - - *) mod_headers: Enable multi-match-and-replace edit option - PR 46594 [Nick Kew] - - *) mod_filter: enable it to act on non-200 responses. - PR 48377 [Nick Kew] - -Changes with Apache 2.3.4 - - *) Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex, - and WatchdogMutexPath with a single Mutex directive. Add APIs to - simplify setup and user customization of APR proc and global mutexes. - (See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer - respected; set DEFAULT_REL_RUNTIMEDIR instead. [Jeff Trawick] - - *) http_core: KeepAlive no longer accepts other than On|Off. - [Takashi Sato] - - *) mod_dav: Remove errno from dav_error interface. Calls to dav_new_error() - and dav_new_error_tag() must be adjusted to add an apr_status_t parameter. - [Jeff Trawick] - - *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to - try other providers in the case of an LDAP bind failure. - PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson] - - *) Build: fix --with-module to work as documented - PR 43881 [Gez Saunders ] - -Changes with Apache 2.3.3 - - *) SECURITY: CVE-2009-3095 (cve.mitre.org) - mod_proxy_ftp: sanity check authn credentials. - [Stefan Fritsch , Joe Orton] - - *) SECURITY: CVE-2009-3094 (cve.mitre.org) - mod_proxy_ftp: NULL pointer dereference on error paths. - [Stefan Fritsch , Joe Orton] - *) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against - OpenSSL 1.0.0b3. [Vipul Gupta , Sander Temme] - - *) mod_dav: Include uri when logging a PUT error due to connection abort. 
- PR 38149. [Stefan Fritsch] - - *) mod_dav: Return 409 instead of 500 for a LOCK request if the parent - resource does not exist or is not a collection. PR 43465. [Stefan Fritsch] - - *) mod_dav_fs: Return 409 instead of 500 for Litmus test case copy_nodestcoll - (a COPY request where the parent of the destination resource does not - exist). PR 39299. [Stefan Fritsch] - - *) mod_dav_fs: Don't delete the whole file if a PUT with content-range failed. - PR 42896. [Stefan Fritsch] - - *) mod_dav_fs: Make PUT create files atomically and no longer destroy the - old file if the transfer aborted. PR 39815. [Paul Querna, Stefan Fritsch] - - *) mod_dav_fs: Remove inode keyed locking as this conflicts with atomically - creating files. On systems with inode numbers, this is a format change of - the DavLockDB. The old DavLockDB must be deleted on upgrade. - [Stefan Fritsch] - - *) mod_log_config: Make ${cookie}C correctly match whole cookie names - instead of substrings. PR 28037. [Dan Franklin , - Stefan Fritsch] - - *) vhost: A purely-numeric Host: header should not be treated as a port. - PR 44979 [Nick Kew] - - *) mod_ldap: Avoid 500 errors with "Unable to set LDAP_OPT_REFHOPLIMIT option to 5" - when built against openldap by using SDK LDAP_OPT_REFHOPLIMIT defaults unless - LDAPReferralHopLimit is explicitly configured. - [Eric Covener] - - *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'. - [Eric Covener] - - *) mod_ssl: Add support for OCSP Stapling. PR 43822. - [Dr Stephen Henson ] - - *) mod_socache_shmcb: Allow parens in file name if cache size is given. - Fixes SSLSessionCache directive mis-parsing parens in pathname. - PR 47945. [Stefan Fritsch] - - *) htpasswd: Improve out of disk space handling. PR 30877. [Stefan Fritsch] - - *) htpasswd: Use MD5 hash by default on all platforms. [Stefan Fritsch] - - *) mod_sed: Reduce memory consumption when processing very long lines. 
- PR 48024 [Basant Kumar Kukreja ] - - *) ab: Fix segfault in case the argument for -n is a very large number. - PR 47178. [Philipp Hagemeister ] - - *) Allow ProxyPreserveHost to work in sections. PR 34901. - [Stefan Fritsch] - - *) configure: Fix THREADED_MPMS so that mod_cgid is enabled again - for worker MPM. [Takashi Sato] - - *) mod_dav: Provide a mechanism to obtain the request_rec and pathname - from the dav_resource. [Jari Urpalainen , - Brian France ] - - *) Build: Use install instead of cp if available on installing - modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com] - - *) mod_cache: correctly consider s-maxage in cacheability - decisions. [Dan Poirier] - - *) mod_logio/core: Report more accurate byte counts in mod_status if - mod_logio is loaded. PR 25656. [Stefan Fritsch] - - *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge - some cache entries and log a warning. Also increase the default - LDAPSharedCacheSize to 500000. This is a more realistic size suitable - for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries. - PR 46749. [Stefan Fritsch] - - *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if - the request is a CONNECT request. [Bill Zajac ] - - *) mod_cache: Teach CacheEnable and CacheDisable to work from within a - Location section, in line with how ProxyPass works. [Graham Leggett] - - *) mod_reqtimeout: New module to set timeouts and minimum data rates for - receiving requests from the client. [Stefan Fritsch] - - *) core: Fix potential memory leaks by making sure to not destroy - bucket brigades that have been created by earlier filters. - [Stefan Fritsch] - - *) core, mod_deflate, mod_sed: Reduce memory usage by reusing bucket - brigades in several places. [Stefan Fritsch] - - *) mod_cache: Fix uri_meets_conditions() so that CacheEnable will - match by scheme, or by a wildcarded hostname. 
PR 40169 - [Peter Grandi , Graham Leggett] - - *) suxec: Allow to log an error if exec fails by setting FD_CLOEXEC - on the log file instead of closing it. PR 10744. [Nicolas Rachinsky] - - *) mod_mime: Make RemoveType override the info from TypesConfig. - PR 38330. [Stefan Fritsch] - - *) mod_cache: Introduce the option to run the cache from within the - normal request handler, and to allow fine grained control over - where in the filter chain content is cached. [Graham Leggett] - - *) core: Treat timeout reading request as 408 error, not 400. - Log 408 errors in access log as was done in Apache 1.3.x. - PR 39785 [Nobutaka Mantani , - Stefan Fritsch , Dan Poirier] - - *) mod_ssl: Reintroduce SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_SERVER_S_DN, - SSL_SERVER_I_DN back to the environment variables to be set by mod_ssl. - [Peter Sylvester ] - - *) mod_disk_cache: don't cache incomplete responses, per RFC 2616, 13.8. - PR15866. [Dan Poirier] - - *) ab: ab segfaults in verbose mode on https sites - PR46393. [Ryan Niebur] - - *) mod_dav: Allow other modules to become providers and add resource types - to the DAV response. [Jari Urpalainen , - Brian France ] - - *) mod_dav: Allow other modules to add things to the DAV or Allow headers - of an OPTIONS request. [Jari Urpalainen , - Brian France ] - - *) core: Lower memory usage of core output filter. - [Stefan Fritsch ] - - *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and - LocationMatch sections. PR47754. [Dan Poirier] - - *) mod_request: Make sure the KeptBodySize directive rejects values - that aren't valid numbers. [Graham Leggett] - - *) mod_session_crypto: Sanity check should the potentially encrypted - session cookie be too short. [Graham Leggett] - - *) mod_session.c: Prevent a segfault when session is added but not - configured. [Graham Leggett] - - *) htcacheclean: 19 ways to fail, 1 error message. Fixed. 
[Graham Leggett] - - *) mod_auth_digest: Fail server start when nonce count checking - is configured without shared memory, or md5-sess algorithm is - configured. [Dan Poirier] - - *) mod_proxy_connect: The connect method doesn't work if the client is - connecting to the apache proxy through an ssl socket. Fixed. - PR29744. [Brad Boyer, Mark Cave-Ayland, Julian Gilbey, Fabrice Durand, - David Gence, Tim Dodge, Per Gunnar Hans, Emmanuel Elango, - Kevin Croft, Rudolf Cardinal] - - *) mod_ssl: The error message when SSLCertificateFile is missing should - at least give the name or position of the problematic virtual host - definition. [Stefan Fritsch sf sfritsch.de] - - *) mod_auth_digest: Fix null pointer when qop=none. [Dan Poirier] - - *) Add support for HTTP PUT to ab. [Jeff Barnes ] - - *) mod_headers: generalise the envclause to support expression - evaluation with ap_expr parser [Nick Kew] - - *) mod_cache: Introduce the thundering herd lock, a mechanism to keep - the flood of requests at bay that strike a backend webserver as - a cached entity goes stale. [Graham Leggett] - - *) mod_auth_digest: Fix usage of shared memory and re-enable it. - PR 16057 [Dan Poirier] - - *) Preserve Port information over internal redirects - PR 35999 [Jonas Ringh ] - - *) Proxy: unable to connect to a backend is SERVICE_UNAVAILABLE, - rather than BAD_GATEWAY or (especially) NOT_FOUND. - PR 46971 [evanc nortel.com] - - *) Various modules: Do better checking of pollset operations in order to - avoid segmentation faults if they fail. PR 46467 - [Stefan Fritsch ] - - *) mod_autoindex: Correctly create an empty cell if the description - for a file is missing. PR 47682 [Peter Poeml ] - - *) ab: Fix broken error messages after resolver or connect() failures. 
- [Jeff Trawick] - - *) SECURITY: CVE-2009-1890 (cve.mitre.org) - Fix a potential Denial-of-Service attack against mod_proxy in a - reverse proxy configuration, where a remote attacker can force a - proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton] - - *) SECURITY: CVE-2009-1191 (cve.mitre.org) - mod_proxy_ajp: Avoid delivering content from a previous request which - failed to send a request body. PR 46949 [Ruediger Pluem] - - *) htdbm: Fix possible buffer overflow if dbm database has very - long values. PR 30586 [Dan Poirier] - - *) core: Return APR_EOF if request body is shorter than the length announced - by the client. PR 33098 [ Stefan Fritsch ] - - *) mod_suexec: correctly set suexec_enabled when httpd is run by a - non-root user and may have insufficient permissions. - PR 42175 [Jim Radford ] - - *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute - type. PR 45107. [Michael Ströder , - Peter Sylvester ] - - *) mod_proxy_http: fix case sensitivity checking transfer encoding - PR 47383 [Ryuzo Yamamoto ] - - *) mod_alias: ensure Redirect issues a valid URL. - PR 44020 [Håkon Stordahl ] - - *) mod_dir: add FallbackResource directive, to enable admin to specify - an action to happen when a URL maps to no file, without resorting - to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew] - - *) mod_cgid: Do not leak the listening Unix socket file descriptor to the - CGI process. PR 47335 [Kornél Pál ] - - *) mod_rewrite: Remove locking for writing to the rewritelog. - PR 46942 [Dan Poirier ] - - *) mod_alias: check sanity in Redirect arguments. - PR 44729 [Sönke Tesch , Jim Jagielski] - - *) mod_proxy_http: fix Host: header for literal IPv6 addresses. - PR 47177 [Carlos Garcia Braschi ] - - *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore - defined session identifiers encoded in the URL when caching. - [Ruediger Pluem] - - *) mod_rewrite: Fix the error string returned by RewriteRule. 
- RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd - argument of RewriteRule was not started with "[" or not ended with "]". - PR 45082 [Vitaly Polonetsky ] - - *) Windows: Fix usage message. - [Rainer Jung] - - *) apachectl: When passing through arguments to httpd in - non-SysV mode, use the "$@" syntax to preserve arguments. - [Eric Covener] - - *) mod_dbd: add DBDInitSQL directive to enable SQL statements to - be run when a connection is opened. PR 46827 - [Marko Kevac ] - - *) mod_cgid: Improve handling of long AF_UNIX socket names (ScriptSock). - PR 47037. [Jeff Trawick] - - *) mod_proxy_ajp: Check more strictly that the backend follows the AJP - protocol. [Mladen Turk] - - *) mod_proxy_ajp: Forward remote port information by default. - [Rainer Jung] - - *) Allow MPMs to be loaded dynamically, as with most other modules. Use - --enable-mpms-shared={list|"all"} to enable. This required changes to - the MPM interfaces. Removed: mpm.h, mpm_default.h (as an installed - header), APACHE_MPM_DIR, MPM_NAME, ap_threads_per_child, - ap_max_daemons_limit, ap_my_generation, etc. ap_mpm_query() can't be - called until after the register-hooks phase. [Jeff Trawick] - - *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives - to enable stricter checking of remote server certificates. - [Ruediger Pluem] - - *) ab: Fix a 100% CPU loop on platforms where a failed non-blocking connect - returns EINPROGRESS and a subsequent poll() returns only POLLERR. - Observed on HP-UX. [Eric Covener] - - *) Remove broken support for BeOS, TPF, and even older platforms such - as A/UX, Next, and Tandem. [Jeff Trawick] - - *) mod_proxy_ftp: Add ProxyFtpListOnWildcard directive to allow files with - globbing characters to be retrieved instead of converted into a - directory listing. PR 46789 [Dan Poirier ] - - *) Provide ap_retained_data_create()/ap_retained_data_get() for preservation - of module state across unload/load. 
[Jeff Trawick] - - *) mod_substitute: Fix a memory leak. PR 44948 - [Dan Poirier ] - -Changes with Apache 2.3.2 - - *) mod_mime_magic: Fix detection of compressed content. [Rainer Jung] - - *) mod_negotiation: Escape pathes of filenames in 406 responses to avoid - HTML injections and HTTP response splitting. PR 46837. - [Geoff Keating ] - - *) mod_ssl: add support for type-safe STACK constructs in OpenSSL - development HEAD. PR 45521. [Kaspar Brand, Sander Temme] - - *) ab: Fix maintenance of the pollset to resolve EALREADY errors - with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris). - PR 44584. Use APR_POLLSET_NOCOPY for better performance with some - pollset implementations. [Jeff Trawick] - - *) mod_disk_cache: The module now turns off sendfile support if - 'EnableSendfile off' is defined globally. [Lars Eilebrecht] - - *) mod_deflate: Adjust content metadata before bailing out on 304 - responses so that the metadata does not differ from 200 response. - [Roy T. Fielding] - - *) mod_deflate: Fix creation of invalid Etag headers. We now make sure - that the Etag value is properly quoted when adding the gzip marker. - PR 39727, 45023. [Lars Eilebrecht, Roy T. Fielding] - - *) Added 20x22 icons for ODF, SVG, and XML documents. PR 37185. - [Peter Harlow] - - *) Disabled DefaultType directive and removed ap_default_type() - from core. We now exclude Content-Type from responses for which - a media type has not been configured via mime.types, AddType, - ForceType, or some other mechanism. PR 13986. [Roy T. Fielding] - - *) mod_rewrite: Add IPV6 variable to RewriteCond - [Ryan Phillips ] - - *) core: Enhance KeepAliveTimeout to support a value in milliseconds. - PR 46275. [Takashi Sato] - - *) rotatelogs: Allow size units B, K, M, G and combination of - time and size based rotation. [Rainer Jung] - - *) rotatelogs: Add flag for verbose (debug) output. [Rainer Jung] - - *) mod_ssl: Fix merging of SSLRenegBufferSize directive. 
PR 46508 - [] - - *) core: Translate the the status line to ASCII on EBCDIC platforms in - ap_send_interim_response() and for locally generated "100 Continue" - responses. [Eric Covener] - - *) prefork: Fix child process hang during graceful restart/stop in - configurations with multiple listening sockets. PR 42829. [Joe Orton, - Jeff Trawick] - - *) mod_session_crypto: Ensure that SessionCryptoDriver can only be - set in the global scope. [Graham Leggett] - - *) mod_ext_filter: We need to detect failure to startup the filter - program (a mangled response is not acceptable). Fix to detect - failure, and offer configuration option either to abort or - to remove the filter and continue. - PR 41120 [Nick Kew] - - *) mod_session_crypto: Rewrite the session_crypto module against the - apr_crypto API. [Graham Leggett] - - *) mod_auth_form: Fix a pool lifetime issue, don't remove the subrequest - until the main request is cleaned up. [Graham Leggett] - -Changes with Apache 2.3.1 - - *) ap_slotmem: Add in new slot-based memory access API impl., including - 2 providers (mod_sharedmem and mod_plainmem) [Jim Jagielski, - Jean-Frederic Clere, Brian Akins ] - - *) mod_include: support generating non-ASCII characters as entities in SSI - PR 25202 [Nick Kew] - - *) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars - PR 25202 [Nick Kew] - - *) mod_rewrite: fix "B" flag breakage by reverting r5589343 - PR 45529 [Bob Ionescu ] - - *) CGI: return 504 (Gateway timeout) rather than 500 when a script - times out before returning status line/headers. - PR 42190 [Nick Kew] - - *) mod_cgid: fix segfault problem on solaris. - PR 39332 [Masaoki Kobayashi ] - - *) mod_proxy_scgi: Added. [André Malo] - - *) mod_cache: Introduce 'no-cache' per-request environment variable - to prevent the saving of an otherwise cacheable response. 
- [Eric Covener] - - *) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome - way that per-directory rewrites append the previous notion of PATH_INFO - to each substitution before evaluating subsequent rules. - PR 38642 [Eric Covener] - - *) mod_cgid: Do not add an empty argument when calling the CGI script. - PR 46380 [Ruediger Pluem] - - *) scoreboard: Remove unused sb_type from process_score. - [Torsten Foertsch , Chris Darroch] - - *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the - size of the buffer used for the request-body where necessary - during a per-dir renegotiation. PR 39243. [Joe Orton] - - *) mod_proxy_fdpass: New module to pass a client connection over to a separate - process that is reading from a unix daemon socket. - - *) mod_ssl: Improve environment variable extraction to be more - efficient and to correctly handle DNs with duplicate tags. - PR 45975. [Joe Orton] - - *) Remove the obsolete serial attribute from the RPM spec file. Compile - against the external pcre. Add missing binaries fcgistarter, and - mod_socache* and mod_session*. [Graham Leggett] - -Changes with Apache 2.3.0 - - *) mod_ratelimit: New module to do bandwidth rate limiting. [Paul Querna] - - *) Remove X-Pad header which was added as a work around to a bug in - Netscape 2.x to 4.0b2. [Takashi Sato ] - - *) Add DTrace Statically Defined Tracing (SDT) probes. 
- [Theo Schlossnagle , Paul Querna] - - *) mod_proxy_balancer: Move all load balancing implementations - as individual, self-contained mod_proxy submodules under - modules/proxy/balancers [Jim Jagielski] - - *) Rename APIs to include ap_ prefix: - find_child_by_pid -> ap_find_child_by_pid - suck_in_APR -> ap_suck_in_APR - sys_privileges_handlers -> ap_sys_privileges_handlers - unixd_accept -> ap_unixd_accept - unixd_config -> ap_unixd_config - unixd_killpg -> ap_unixd_killpg - unixd_set_global_mutex_perms -> ap_unixd_set_global_mutex_perms - unixd_set_proc_mutex_perms -> ap_unixd_set_proc_mutex_perms - unixd_set_rlimit -> ap_unixd_set_rlimit - [Paul Querna] - - *) mod_lbmethod_heartbeat: New module to load balance mod_proxy workers - based on heartbeats. [Paul Querna] - - *) mod_heartmonitor: New module to collect heartbeats, and write out a file - so that other modules can load balance traffic as needed. [Paul Querna] - - *) mod_heartbeat: New module to generate multicast heartbeats to know if a - server is online. [Paul Querna] - - *) mod_buffer: Honour the flush bucket and flush the buffer in the - input filter. Make sure that metadata buckets are written to - the buffer, not to the final brigade. [Graham Leggett] - - *) mod_buffer: Optimise the buffering of heap buckets when the heap - buckets stay exactly APR_BUCKET_BUFF_SIZE long. [Graham Leggett, - Ruediger Pluem] - - *) mod_buffer: Optional support for buffering of the input and output - filter stacks. Can collapse many small buckets into fewer larger - buckets, and prevents excessively small chunks being sent over - the wire. [Graham Leggett] - - *) mod_privileges: new module to make httpd on Solaris privileges-aware - and to enable different virtualhosts to run with different - privileges and Unix user/group IDs [Nick Kew] - - *) mod_mem_cache: this module has been removed. [William Rowe] - - *) authn/z: Remove mod_authn_default and mod_authz_default. 
- [Chris Darroch] - - *) authz: Fix handling of authz configurations, make default authz - logic replicate 2.2.x authz logic, and replace , Reject, - and AuthzMergeRules directives with Match, , and AuthzMerge - directives. [Chris Darroch] - - *) mod_authn_core: Prevent crash when provider alias created to - provider which is not yet registered. [Chris Darroch] - - *) mod_authn_core: Add AuthType of None to support disabling - authentication. [Chris Darroch] - - *) core: Allow and directives to nest, and - constrain their use to conform with that of other access control - and authorization directives. [Chris Darroch] - - *) unixd: turn existing code into a module, and turn the set user/group - and chroot into a child_init function. [Nick Kew] - - *) mod_dir: Support "DirectoryIndex disabled" - Suggested By André Warnier [Eric Covener] - - *) mod_ssl: Send Content-Type application/ocsp-request for POST requests to - OSCP responders. PR 46014 [Dr Stephen Henson ] - - *) mod_authnz_ldap: don't return NULL-valued environment variables to - other modules. PR 39045 [Francois Pesce ] - - *) Don't adjust case in pathname components that are not of interest - to mod_mime. Fixes mod_negotiation's use of such components. - PR 43250 [Basant Kumar Kukreja ] - - *) Be tolerant in what you accept - accept slightly broken - status lines from a backend provided they include a valid status code. - PR 44995 [Rainer Jung ] - - *) New module mod_sed: filter Request/Response bodies through sed - [Basant Kumar Kukreja ] - - *) mod_auth_form: Make sure that basic authentication is correctly - faked directly after login. [Graham Leggett] - - *) mod_session_cookie, mod_session_dbd: Make sure cookies are set both - within the output headers and error output headers, so that the - session is maintained across redirects. [Graham Leggett] - - *) mod_auth_form: Make sure the logged in user is populated correctly - after a form login. 
Fixes a missing REMOTE_USER variable directly - following a login. [Graham Leggett] - - *) mod_session_cookie: Make sure that cookie attributes are correctly - included in the blank cookie when cookies are removed. This fixes an - inability to log out when using mod_auth_form. [Graham Leggett] - - *) mod_session: Prevent a segfault when a CGI script sets a cookie with a - null value. [David Shane Holden ] - - *) core, authn/z: Determine registered authn/z providers directly in - ap_setup_auth_internal(), which allows optional functions that just - wrapped ap_list_provider_names() to be removed from authn/z modules. - [Chris Darroch] - - *) authn/z: Convert common provider version strings to macros. - [Chris Darroch] - - *) core: When testing for slash-terminated configuration paths in - ap_location_walk(), don't look past the start of an empty string - such as that created by a directive. - [Chris Darroch] - - *) core, mod_proxy: If a kept_body is present, it becomes safe for - subrequests to support message bodies. Make sure that safety - checks within the core and within the proxy are not triggered - when kept_body is present. This makes it possible to embed - proxied POST requests within mod_include. [Graham Leggett] - - *) mod_auth_form: Make sure the input filter stack is properly set - up before reading the login form. Make sure the kept body filter - is correctly inserted to ensure the body can be read a second - time safely should the authn be successful. [Graham Leggett, - Ruediger Pluem] - - *) mod_request: Insert the KEPT_BODY filter via the insert_filter - hook instead of during fixups. Add a safety check to ensure the - filters cannot be inserted more than once. [Graham Leggett, - Ruediger Pluem] - - *) ap_cache_cacheable_headers_out() will (now) always - merge an error headers _before_ clearing them and _before_ - merging in the actual entity headers and doing normal - hop-by-hop cleansing. [Dirk-Willem van Gulik]. 
- - *) cache: retire ap_cache_cacheable_hdrs_out() which was used - for both in- and out-put headers; and replace it by a single - ap_cache_cacheable_headers() wrapped in a in- and out-put - specific ap_cache_cacheable_headers_in()/out(). The latter - which will also merge error and ensure content-type. To keep - cache modules consistent with ease. This API change bumps - up the minor MM by one [Dirk-Willem van Gulik]. - - *) Move the KeptBodySize directive, kept_body filters and the - ap_parse_request_body function out of the http module and into a - new module called mod_request, reducing the size of the core. - [Graham Leggett] - - *) mod_dbd: Handle integer configuration directive parameters with a - dedicated function. - - *) Change the directives within the mod_session* modules to be valid - both inside and outside the location/directory sections, as - suggested by wrowe. [Graham Leggett] - - *) mod_auth_form: Add a module capable of allowing end users to log - in using an HTML form, storing the credentials within mod_session. - [Graham Leggett] - - *) Add a function to the http filters that is able to parse an HTML - form request with the type of application/x-www-form-urlencoded. - [Graham Leggett] - - *) mod_session_crypto: Initialise SSL in the post config hook. - [Ruediger Pluem, Graham Leggett] - - *) mod_session_dbd: Add a session implementation capable of storing - session information in a SQL database via the dbd interface. Useful - for sites where session privacy is important. [Graham Leggett] - - *) mod_session_crypto: Add a session encoding implementation capable - of encrypting and decrypting sessions wherever they may be stored. - Introduces a level of privacy when sessions are stored on the - browser. [Graham Leggett] - - *) mod_session_cookie: Add a session implementation capable of storing - session information within cookies on the browser. Useful for high - volume sites where server bound sessions are too resource intensive. 
- [Graham Leggett] - - *) mod_session: Add a generic session interface to unify the different - attempts at saving persistent sessions across requests. - [Graham Leggett] - - *) core, authn/z: Avoid calling access control hooks for internal requests - with configurations which match those of initial request. Revert to - original behaviour (call access control hooks for internal requests - with URIs different from initial request) if any access control hooks or - providers are not registered as permitting this optimization. - Introduce wrappers for access control hook and provider registration - which can accept additional mode and flag data. [Chris Darroch] - - *) Introduced ap_expr API for expression evaluation. - This is adapted from mod_include, which is the first module - to use the new API. - [Nick Kew] - - *) mod_authz_dbd: When redirecting after successful login/logout per - AuthzDBDRedirectQuery, do not report authorization failure, and use - first row returned by database query instead of last row. - [Chris Darroch] - - *) mod_ldap: Correctly return all requested attribute values - when some attributes have a null value. - PR 44560 [Anders Kaseorg ] - - *) core: check symlink ownership if both FollowSymlinks and - SymlinksIfOwnerMatch are set [Nick Kew] - - *) core: fix origin checking in SymlinksIfOwnerMatch - PR 36783 [Robert L Mathews ] - - *) Activate mod_cache, mod_file_cache and mod_disk_cache as part of the - 'most' set for '--enable-modules' and '--enable-shared-mods'. Include - mod_mem_cache in 'all' as well. [Dirk-Willem van Gulik] - - *) Also install mod_so.h, mod_rewrite.h and mod_cache.h; as these - contain public function declarations which are useful for - third party module authors. PR 42431 [Dirk-Willem van Gulik]. - - *) mod_dir, mod_negotiation: pass the output filter information - to newly created sub requests; as these are later on used - as true requests with an internal redirect. This allows for - mod_cache et.al. 
to trap the results of the redirect. - [Dirk-Willem van Gulik, Ruediger Pluem] - - *) mod_ldap: Add support (taking advantage of the new APR capability) - for ldap rebind callback while chasing referrals. This allows direct - searches on LDAP servers (in particular MS Active Directory 2003+) - using referrals without the use of the global catalog. - PRs 26538, 40268, and 42557 [Paul J. Reder] - - *) ApacheMonitor.exe: Introduce --kill argument for use by the - installer. This will permit the installation tool to remove - all running instances before attempting to remove the .exe. - [William Rowe] - - *) mod_ssl: Add support for OCSP validation of client certificates. - PR 41123. [Marc Stern , Joe Orton] - - *) mod_serf: New module for Reverse Proxying. [Paul Querna] - - *) core: Add the option to keep aside a request body up to a certain - size that would otherwise be discarded, to be consumed by filters - such as mod_include. When enabled for a directory, POST requests - to shtml files can be passed through to embedded scripts as POST - requests, rather being downgraded to GET requests. [Graham Leggett] - - *) mod_ssl: Fix TLS upgrade (RFC 2817) support. PR 41231. [Joe Orton] - - *) scoreboard: Correctly declare ap_time_process_request. - PR 43789 [Tom Donovan ] - - *) core; scoreboard: ap_get_scoreboard_worker(sbh) now takes the sbh member - from the connection rec, ap_get_scoreboard_worker(proc, thread) will now - provide the unusual legacy lookup. [William Rowe] - - *) mpm winnt: fix null pointer dereference - PR 42572 [Davi Arnaut] - - *) mod_authnz_ldap, mod_authn_dbd: Tidy up the code to expose authn - parameters to the environment. Improve portability to - EBCDIC machines by using apr_toupper(). [Martin Kraemer] - - *) mod_ldap, mod_authnz_ldap: Add support for nested groups (i.e. the ability - to authorize an authenticated user via a "require ldap-group X" directive - where the user is not in group X, but is in a subgroup contained in X. 
- PR 42891 [Paul J. Reder] - - *) mod_ssl: Add support for caching SSL Sessions in memcached. [Paul Querna] - - *) apxs: Enhance -q flag to print all known variables and their values - when invoked without variable name(s). - [William Rowe, Sander Temme] - - *) apxs: Eliminate run-time check for mod_so. PR 40653. - [David M. Lee ] - - *) beos MPM: Create pmain pool and run modules' child_init hooks when - entering ap_mpm_run(), then destroy pmain when exiting ap_mpm_run(). - [Chris Darroch] - - *) netware MPM: Destroy pmain pool when exiting ap_mpm_run() so that - cleanups registered in modules' child_init hooks are performed. - [Chris Darroch] - - *) Fix issue which could cause error messages to be written to access logs - on Win32. PR 40476. [Tom Donovan ] - - *) The LockFile directive, which specifies the location of - the accept() mutex lockfile, is deprecated. Instead, the - AcceptMutex directive now takes an optional lockfile - location parameter, ala SSLMutex. [Jim Jagielski] - - *) mod_authn_dbd: Export any additional columns queried in the SQL select - into the environment with the name AUTHENTICATE_. This brings - mod_authn_dbd behaviour in line with mod_authnz_ldap. [Graham Leggett] - - *) mod_dbd: Key the storage of prepared statements on the hex string - value of server_rec, rather than the server name, as the server name - may change (eg when the server name is set) at any time, causing - weird behaviour in modules dependent on mod_dbd. [Graham Leggett] - - *) mod_proxy_fcgi: Added win32 build. [Mladen Turk] - - *) sendfile_nonblocking() takes the _brigade_ as an argument, gets - the first bucket from the brigade, finds it not to be a FILE - bucket and barfs. The fix is to pass a bucket rather than a brigade. - [Niklas Edmundsson ] - - *) mod_rewrite: support rewritemap by SQL query [Nick Kew] - - *) ap_get_server_version() has been removed. Third-party modules must - now use ap_get_server_banner() or ap_get_server_description(). 
- [Jeff Trawick] - - *) All MPMs: Introduce a check_config phase between pre_config and - open_logs, to allow modules to review interdependent configuration - directive values and adjust them while messages can still be logged - to the console. Handle relevant MPM directives during this phase - and format messages for both the console and the error log, as - appropriate. [Chris Darroch] - - *) core: Do not allow internal redirects like the DirectoryIndex of mod_dir - to circumvent the symbolic link checks imposed by FollowSymLinks and - SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem, William Rowe] - - *) New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ] - configures the I/O Dump of SSL traffic, when LogLevel is set to Debug. - The default is none as this is far greater debugging resolution than - the typical administrator is prepared to untangle. [William Rowe] - - *) mod_disk_cache: If possible, check if the size of an object to cache is - within the configured boundaries before actually saving data. - [Niklas Edmundsson ] - - *) Worker and event MPMs: Remove improper scoreboard updates which were - performed in the event of a fork() failure. [Chris Darroch] - - *) Add support for fcgi:// proxies to mod_rewrite. - [Markus Schiegl ] - - *) Remove incorrect comments from scoreboard.h regarding conditional - loading of worker_score structure with mod_status, and remove unused - definitions relating to old life_status field. - [Chris Darroch ] - - *) Remove allocation of memory for unused array of lb_score pointers - in ap_init_scoreboard(). [Chris Darroch ] - - *) Add mod_proxy_fcgi, a FastCGI back end for mod_proxy. - [Garrett Rooney, Jim Jagielski, Paul Querna] - - *) Event MPM: Fill in the scoreboard's tid field. PR 38736. - [Chris Darroch ] - - *) mod_charset_lite: Remove Content-Length when output filter can - invalidate it. Warn when input filter can invalidate it. 
- [Jeff Trawick] - - *) Authz: Add the new module mod_authn_core that will provide common - authn directives such as 'AuthType', 'AuthName'. Move the directives - 'AuthType' and 'AuthName' out of the core module and merge mod_authz_alias - into mod_authn_core. [Brad Nicholes] - - *) Authz: Move the directives 'Order', 'Allow', 'Deny' and 'Satisfy' - into the new module mod_access_compat which can be loaded to provide - support for these directives. - [Brad Nicholes] - - *) Authz: Move the 'Require' directive from the core module as well as - add the directives '', '', '' - and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR' - logic into the authorization processing. [Brad Nicholes] - - *) Authz: Add the new module mod_authz_core which acts as the - authorization provider vector and contains common authz - directives. [Brad Nicholes] - - *) Authz: Renamed mod_authz_dbm authz providers from 'group' and - 'file-group' to 'dbm-group' and 'dbm-file-group'. [Brad Nicholes] - - *) Authz: Added the new authz providers 'env', 'ip', 'host', 'all' to handle - host-based access control provided by mod_authz_host and invoked - through the 'Require' directive. [Brad Nicholes] - - *) Authz: Convert all of the authz modules from hook based to - provider based. [Brad Nicholes] - - *) mod_cache: Add CacheMinExpire directive to set the minimum time in - seconds to cache a document. - [Brian Akins , Ruediger Pluem] - - *) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew] - - *) Fix typo in ProxyStatus syntax error message. - [Christophe Jaillet ] - - *) Asynchronous write completion for the Event MPM. [Brian Pane] - - *) Added an End-Of-Request bucket type. The logging of a request and - the freeing of its pool are now done when the EOR bucket is destroyed. - This has the effect of delaying the logging until right after the last - of the response is sent; ap_core_output_filter() calls the access logger - indirectly when it destroys the EOR bucket. 
[Brian Pane] - - *) Rewrite of logresolve support utility: IPv6 addresses are now supported - and the format of statistical output has changed. [Colm MacCarthaigh] - - *) Rewrite of ap_coreoutput_filter to do nonblocking writes [Brian Pane] - - *) Added new connection states for handler and write completion - [Brian Pane] - - *) mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264. - [Justin Erenkrantz] - - *) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive, - allowing string-valued client certificate attributes to be used for - access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1") - [Martin Kraemer, David Reid] - - [Apache 2.3.0-dev includes those bug fixes and changes with the - Apache 2.2.xx tree as documented, and except as noted, below.] + *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup Changes with Apache 2.2.x and later: -- 2.40.0
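Review bot: The added `*) http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup` entry under "Changes with Apache 2.4.x and later:" replaces the removed history with a link to the moving head of the 2.4.x branch. Trunk's CHANGES therefore no longer records the SECURITY entries itself (CVE-2009-1890 and CVE-2009-1191 are among the removed lines), and an archived or offline copy of the file loses them. The commit message justifies the drop only for changes "also in 2.4.x branch", so before merging, confirm that every removed entry, the SECURITY ones first, is present in the 2.4.x CHANGES. Any entry that exists only on trunk should stay under "Changes with Apache 2.5.0". The new bracketed note also says the 2.4.xx changes are "documented below", while what follows is only the URL. Wording such as "documented at the link below" would match what the file now contains.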