1 -*- coding: utf-8 -*- 2 3Changes with Apache 2.4.9 4 5 *) mod_ssl: Work around a bug in some older versions of OpenSSL that 6 would cause a crash in SSL_get_certificate for servers where the 7 certificate hadn't been sent. [Stephen Henson] 8 9 *) mod_lua: Add a fixups hook that checks if the original request is intended 10 for LuaMapHandler. This fixes a bug where FallbackResource invalidates the 11 LuaMapHandler directive in certain cases by changing the URI before the map 12 handler code executes [Daniel Gruno, Daniel Ferradal <dferradal gmail com>]. 13 14Changes with Apache 2.4.8 15 16 *) SECURITY: CVE-2014-0098 (cve.mitre.org) 17 Clean up cookie logging with fewer redundant string parsing passes. 18 Log only cookies with a value assignment. Prevents segfaults when 19 logging truncated cookies. 20 [William Rowe, Ruediger Pluem, Jim Jagielski] 21 22 *) SECURITY: CVE-2013-6438 (cve.mitre.org) 23 mod_dav: Keep track of length of cdata properly when removing 24 leading spaces. Eliminates a potential denial of service from 25 specifically crafted DAV WRITE requests 26 [Amin Tora <Amin.Tora neustar.biz>] 27 28 *) core: Support named groups and backreferences within the LocationMatch, 29 DirectoryMatch, FilesMatch and ProxyMatch directives. (Requires 30 non-ancient PCRE library) [Graham Leggett] 31 32 *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding 33 TE/CL conflicts. [Yann Ylavic <ylavic.dev gmail com>, Jim Jagielski] 34 35 *) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping 36 execution when a handler is already set. PR53929. [Eric Covener] 37 38 *) mod_ssl: Do not perform SNI / Host header comparison in case of a 39 forward proxy request. [Ruediger Pluem] 40 41 *) mod_ssl: Remove the hardcoded algorithm-type dependency for the 42 SSLCertificateFile and SSLCertificateKeyFile directives, to enable 43 future algorithm agility, and deprecate the SSLCertificateChainFile 44 directive (obsoleted by SSLCertificateFile). [Kaspar Brand] 45 46 *) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore, 47 and IgnoreInherit to allow RewriteRules to be pushed from parent scopes 48 to child scopes without explicitly configuring each child scope. 49 PR56153. [Edward Lu <Chaosed0 gmail com>] 50 51 *) prefork: Fix long delays when doing a graceful restart. 52 PR 54852 [Jim Jagielski, Arkadiusz Miskiewicz <arekm maven pl>] 53 54 *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions 55 5+ instead of just for FreeBSD 5. PR 53824. [Jeff Trawick] 56 57 *) mod_proxy_wstunnel: Avoid busy loop on client errors, drop message 58 IDs 02445, 02446, and 02448 to TRACE1 from DEBUG. PR 56145. 59 [Joffroy Christen <joffroy.christen solvaxis com>, Eric Covener] 60 61 *) mod_remoteip: Correct the trusted proxy match test. PR 54651. 62 [Yoshinori Ehara <yoshinori ehara gmail com>, Eugene L <eugenel amazon com>] 63 64 *) mod_proxy_fcgi: Fix error message when an unexpected protocol version 65 number is received from the application. PR 56110. [Jeff Trawick] 66 67 *) mod_remoteip: Use the correct IP addresses to populate the proxy_ips field. 68 PR 55972. [Mike Rumph] 69 70 *) mod_lua: Update r:setcookie() to accept a table of options and add domain, 71 path and httponly to the list of options available to set. 72 PR 56128 [Edward Lu <Chaosed0 gmail com>, Daniel Gruno] 73 74 *) mod_lua: Fix r:setcookie() to add, rather than replace, 75 the Set-Cookie header. PR56105 76 [Kevin J Walters <kjw ms com>, Edward Lu <Chaosed0 gmail com>] 77 78 *) mod_lua: Allow for database results to be returned as a hash with 79 row-name/value pairs instead of just row-number/value. [Daniel Gruno] 80 81 *) mod_rewrite: Add %{CONN_REMOTE_ADDR} as the non-useragent counterpart to 82 %{REMOTE_ADDR}. PR 56094. [Edward Lu <Chaosed0 gmail com>] 83 84 *) WinNT MPM: If ap_run_pre_connection() fails or sets c->aborted, don't 85 save the socket for reuse by the next worker as if it were an 86 APR_SO_DISCONNECTED socket. Restores 2.2 behavior. [Eric Covener] 87 88 *) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a URL 89 that was just rewritten by mod_rewrite. PR53929. [Eric Covener] 90 91 *) mod_session: When we have a session we were unable to decode, 92 behave as if there was no session at all. [Thomas Eckert 93 <thomas.r.w.eckert gmail com>] 94 95 *) mod_session: Fix problems interpreting the SessionInclude and 96 SessionExclude configuration. PR 56038. [Erik Pearson 97 <erik adaptations.com>] 98 99 *) mod_authn_core: Allow <AuthnProviderAlias>'es to be seen from auth 100 stanzas under virtual hosts. PR 55622. [Eric Covener] 101 102 *) mod_proxy_fcgi: Use apr_socket_timeout_get instead of hard-coded 103 30 seconds timeout. [Jan Kaluza] 104 105 *) mod_proxy: Added support for unix domain sockets as the 106 backend server endpoint [Jim Jagielski, Blaise Tarr 107 <blaise tarr gmail com>] 108 109 *) build: only search for modules (config*.m4) in known subdirectories, see 110 build/config-stubs. [Stefan Fritsch] 111 112 *) mod_cache_disk: Fix potential hangs on Windows when using mod_cache_disk. 113 PR 55833. [Eric Covener] 114 115 *) mod_ssl: Add support for OpenSSL configuration commands by introducing 116 the SSLOpenSSLConfCmd directive. [Stephen Henson, Kaspar Brand] 117 118 *) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which 119 is equivalent to <ProxyMatch wildcard-url>. [Christophe Jaillet] 120 121 *) mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm, 122 mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the 123 require directives. [Graham Leggett] 124 125 *) mod_proxy_http: Core dumped under high load. PR 50335. 126 [Jan Kaluza <jkaluza redhat.com>] 127 128 *) mod_socache_shmcb.c: Remove arbitrary restriction on shared memory size 129 previously limited to 64MB. [Jens Låås <jelaas gmail.com>] 130 131 *) mod_lua: Use binary copy when dealing with uploads through r:parsebody() 132 to prevent truncating files. [Daniel Gruno] 133 134Changes with Apache 2.4.7 135 136 *) APR 1.5.0 or later is now required for the event MPM. 137 138 *) slotmem_shm: Error detection. [Jim Jagielski] 139 140 *) event: Use skiplist data structure. [Jim Jagielski] 141 142 *) event: Fail at startup with message AP02405 if the APR atomic 143 implementation is not compatible with the MPM. [Jim Jagielski] 144 145 *) mpm_unix: Add ap_mpm_podx_* implementation to avoid code duplication 146 and align w/ trunk. [Jim Jagielski] 147 148 *) Fix potential rejection of valid MaxMemFree and ThreadStackSize 149 directives. [Mike Rumph <mike.rumph oracle.com>] 150 151 *) mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars. 152 An individual envvar with an encoded length of more than 16K will be 153 omitted. [Jeff Trawick] 154 155 *) mod_proxy_fcgi: Handle reading protocol data that is split between 156 packets. [Jeff Trawick] 157 158 *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by 159 allowing custom parameters to be configured via SSLCertificateFile, 160 and by adding standardized DH parameters for 1024/2048/3072/4096 bits. 161 Unless custom parameters are configured, the standardized parameters 162 are applied based on the certificate's RSA/DSA key size. [Kaspar Brand] 163 164 *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand] 165 166 *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA 167 keys, and unconditionally disable aNULL, eNULL and EXP ciphers 168 (not overridable via SSLCipherSuite). [Kaspar Brand] 169 170 *) mod_proxy: Added support for unix domain sockets as the 171 backend server endpoint [Jim Jagielski, Blaise Tarr 172 <blaise tarr gmail com>] 173 174 *) Add experimental cmake-based build system for Windows. [Jeff Trawick, 175 Tom Donovan] 176 177 *) event MPM: Fix possible crashes (third party modules accessing c->sbh) 178 or occasional missed mod_status updates for some keepalive requests 179 under load. [Eric Covener] 180 181 *) mod_authn_socache: Support optional initialization arguments for 182 socache providers. [Chris Darroch] 183 184 *) mod_session: Reset the max-age on session save. PR 47476. [Alexey 185 Varlamov <alexey.v.varlamov gmail com>] 186 187 *) mod_session: After parsing the value of the header specified by the 188 SessionHeader directive, remove the value from the response. PR 55279. 189 [Graham Leggett] 190 191 *) mod_headers: Allow for format specifiers in the substitution string 192 when using Header edit. [Daniel Ruggeri] 193 194 *) mod_dav: dav_resource->uri is treated as unencoded. This was an 195 unnecessary ABI changed introduced in 2.4.6. PR 55397. 196 197 *) mod_dav: Don't require lock tokens for COPY source. PR 55306. 198 199 *) core: Don't truncate output when sending is interrupted by a signal, 200 such as from an exiting CGI process. PR 55643. [Jeff Trawick] 201 202 *) WinNT MPM: Exit the child if the parent process crashes or is terminated. 203 [Oracle Corporation] 204 205 *) Windows: Correct failure to discard stderr in some error log 206 configurations. (Error message AH00093) [Jeff Trawick] 207 208 *) mod_session_crypto: Allow using exec: calls to obtain session 209 encryption key. [Daniel Ruggeri] 210 211 *) core: Add missing Reason-Phrase in HTTP response headers. 212 PR 54946. [Rainer Jung] 213 214 *) mod_rewrite: Make rewrite websocket-aware to allow proxying. 215 PR 55598. [Chris Harris <chris.harris kitware com>] 216 217 *) mod_ldap: When looking up sub-groups, use an implicit objectClass=* 218 instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>] 219 220 *) ab: Add wait time, fix processing time, and output write errors only if 221 they occured. [Christophe Jaillet] 222 223 *) worker MPM: Don't forcibly kill worker threads if the child process is 224 exiting gracefully. [Oracle Corporation] 225 226 *) core: apachectl -S prints wildcard name-based virtual hosts twice. 227 PR54948 [Eric Covener] 228 229 *) mod_auth_basic: Add AuthBasicUseDigestAlgorithm directive to 230 allow migration of passwords from digest to basic authentication. 231 [Chris Darroch] 232 233 *) ab: Add a new -l parameter in order not to check the length of the responses. 234 This can be usefull with dynamic pages. 235 PR9945, PR27888, PR42040 [<ccikrs1 cranbrook edu>] 236 237 *) Suppress formatting of startup messages written to the console when 238 ErrorLogFormat is used. [Jeff Trawick] 239 240 *) mod_auth_digest: Be more specific when the realm mismatches because the 241 realm has not been specified. [Graham Leggett] 242 243 *) mod_proxy: Add a note in the balancer manager stating whether changes 244 will or will not be persisted and whether settings are inherited. 245 [Daniel Ruggeri, Jim Jagielski] 246 247 *) mod_cache: Avoid a crash with strcmp() when the hostname is not provided. 248 [Graham Leggett] 249 250 *) core: Add util_fcgi.h and associated definitions and support 251 routines for FastCGI, based largely on mod_proxy_fcgi. 252 [Jeff Trawick] 253 254 *) mod_headers: Add 'Header note header-name note-name' for copying a response 255 headers value into a note. [Eric Covener] 256 257 *) mod_headers: Add 'setifempty' command to Header and RequestHeader. 258 [Eric Covener] 259 260 *) mod_logio: new format-specifier %S (sum) which is the sum of received 261 and sent byte counts. 262 PR54015 [Christophe Jaillet] 263 264 *) mod_deflate: Improve error detection when decompressing request bodies 265 with trailing garbage: handle case where trailing bytes are in 266 the same bucket. [Rainer Jung] 267 268 *) mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663 269 from ERROR to DEBUG, since these modules do not know what mod_authz_core 270 is doing with their AUTHZ_DENIED return value. [Eric Covener] 271 272 *) mod_ldap: add TRACE5 for LDAP retries. [Eric Covener] 273 274 *) mod_ldap: retry on an LDAP timeout during authn. [Eric Covener] 275 276 *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP 277 SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK 278 default, sans rebind authentication callback. 279 [Jan Kaluza <kaluze AT redhat.com>] 280 281 *) core: Log a message at TRACE1 when the client aborts a connection. 282 [Eric Covener] 283 284 *) WinNT MPM: Don't crash during child process initialization if the 285 Listen protocol is unrecognized. [Jeff Trawick] 286 287 *) modules: Fix some compiler warnings. [Guenter Knauf] 288 289 *) Sync 2.4 and trunk 290 - Avoid some memory allocation and work when TRACE1 is not activated 291 - fix typo in include guard 292 - indent 293 - No need to lower the string before removing the path, it is just a waste of time... 294 - Save a few cycles 295 [Christophe Jaillet <christophe.jaillet wanadoo.fr>] 296 297 *) mod_filter: Add "change=no" as a proto-flag to FilterProtocol 298 to remove a providers initial flags set at registration time. 299 [Eric Covener] 300 301 *) core, mod_ssl: Enable the ability for a module to reverse the sense of 302 a poll event from a read to a write or vice versa. This is a step on 303 the way to allow mod_ssl taking full advantage of the event MPM. 304 [Graham Leggett] 305 306 *) Makefile.win: Install proper pcre DLL file during debug build install. 307 PR 55235. [Ben Reser <ben reser org>] 308 309 *) mod_ldap: Fix a potential memory leak or corruption. PR 54936. 310 [Zhenbo Xu <zhenbo1987 gmail com>] 311 312 *) ab: Fix potential buffer overflows when processing the T and X 313 command-line options. PR 55360. 314 [Mike Rumph <mike.rumph oracle.com>] 315 316 *) fcgistarter: Specify SO_REUSEADDR to allow starting a server 317 with old connections in TIME_WAIT. [Jeff Trawick] 318 319 *) core: Add open_htaccess hook which, in conjunction with dirwalk_stat 320 and post_perdir_config (introduced in 2.4.5), allows mpm-itk to be 321 used without patches to httpd core. [Stefan Fritsch] 322 323 *) support/htdbm: fix processing of -t command line switch. Regression 324 introduced in 2.4.4 325 PR 55264 [Jo Rhett <jrhett netconsonance com>] 326 327 *) mod_lua: add websocket support via r:wsupgrade, r:wswrite, r:wsread 328 and r:wsping. [Daniel Gruno] 329 330 *) mod_lua: add support for writing/reading cookies via r:getcookie and 331 r:setcookie. [Daniel Gruno] 332 333 *) mod_lua: If the first yield() of a LuaOutputFilter returns a string, it should 334 be prefixed to the response as documented. [Eric Covener] 335 Note: Not present in 2.4.7 CHANGES 336 337 *) mod_lua: Remove ETAG, Content-Length, and Content-MD5 when a LuaOutputFilter 338 is configured without mod_filter. [Eric Covener] 339 Note: Not present in 2.4.7 CHANGES 340 341 *) mod_lua: Register LuaOutputFilter scripts as changing the content and 342 content-length by default, when run my mod_filter. Previously, 343 growing or shrinking a response that started with Content-Length set 344 would require mod_filter and FilterProtocol change=yes. [Eric Covener] 345 Note: Not present in 2.4.7 CHANGES 346 347 *) mod_lua: Return a 500 error if a LuaHook* script doesn't return a 348 numeric return code. [Eric Covener] 349 Note: Not present in 2.4.7 CHANGES 350 351Changes with Apache 2.4.6 352 353 *) Revert a broken fix for PR54948 that was applied to 2.4.5 (which was 354 not released) and found post-2.4.5 tagging. 355 356Changes with Apache 2.4.5 357 358 *) SECURITY: CVE-2013-1896 (cve.mitre.org) 359 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with 360 the source href (sent as part of the request body as XML) pointing to a 361 URI that is not configured for DAV will trigger a segfault. [Ben Reser 362 <ben reser.org>] 363 364 *) SECURITY: CVE-2013-2249 (cve.mitre.org) 365 mod_session_dbd: Make sure that dirty flag is respected when saving 366 sessions, and ensure the session ID is changed each time the session 367 changes. This changes the format of the updatesession SQL statement. 368 Existing configurations must be changed. 369 [Takashi Sato, Graham Leggett] 370 371 *) mod_auth_basic: Add a generic mechanism to fake basic authentication 372 using the ap_expr parser. AuthBasicFake allows the administrator to 373 construct their own username and password for basic authentication based 374 on their needs. [Graham Leggett] 375 376 *) mpm_event: Check that AsyncRequestWorkerFactor is not negative. PR 54254. 377 [Jackie Zhang <jackie qq zhang gmail com>] 378 379 *) mod_proxy: Ensure we don't attempt to amend a table we are iterating 380 through, ensuring that all headers listed by Connection are removed. 381 [Graham Leggett, Co-Advisor <coad measurement-factory.com>] 382 383 *) mod_proxy_http: Make the proxy-interim-response environment variable 384 effective by formally overriding origin server behaviour. [Graham 385 Leggett, Co-Advisor <coad measurement-factory.com>] 386 387 *) mod_proxy: Fix seg-faults when using the global pool on threaded 388 MPMs [Thomas Eckert <thomas.r.w.eckert gmail.com>, Graham Leggett, 389 Jim Jagielski] 390 391 *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive. 392 Gracefully step aside if the body size is zero. [Graham Leggett] 393 394 *) mod_ssl: Fix possible truncation of OCSP responses when reading from the 395 server. [Joe Orton] 396 397 *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization 398 on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun 399 <apache heilbrun.org>] 400 401 *) mod_cache_socache: Make sure the CacheSocacheMaxSize directive is merged 402 correctly. [Jens Låås <jelaas gmail.com>] 403 404 *) rotatelogs: add -n number-of-files option to rotate through a number 405 of fixed-name logfiles. [Eric Covener] 406 407 *) mod_proxy: Support web-socket tunnels via mod_proxy_wstunnel. 408 [Jim Jagielski] 409 410 *) mod_cache_socache: Use the name of the socache implementation when performing 411 a lookup rather than using the raw arguments. [Martin Ksellmann 412 <martin@ksellmann.de>] 413 414 *) core: Add dirwalk_stat hook. [Jeff Trawick] 415 416 *) core: Add post_perdir_config hook. 417 [Steinar Gunderson <sgunderson bigfoot.com>] 418 419 *) proxy_util: NULL terminate the right buffer in 'send_http_connect'. 420 [Christophe Jaillet] 421 422 *) mod_remoteip: close file in error path. [Christophe Jaillet] 423 424 *) core: make the "default" parameter of the "ErrorDocument" option case 425 insensitive. PR 54419 [Tianyin Xu <tixu cs ucsd edu>] 426 427 *) mod_proxy_html: make the "ProxyHTMLFixups" options case insensitive. 428 PR 54420 [Tianyin Xu <tixu cs ucsd edu>] 429 430 *) mod_cache: Make option "CacheDisable" in mod_cache case insensitive. 431 PR 54462 [Tianyin Xu <tixu cs ucsd edu>] 432 433 *) mod_cache: If a 304 response indicates an entity not currently cached, then 434 the cache MUST disregard the response and repeat the request without the 435 conditional. [Graham Leggett, Co-Advisor <coad measurement-factory.com>] 436 437 *) mod_cache: Ensure that we don't attempt to replace a cached response 438 with an older response as per RFC2616 13.12. [Graham Leggett, Co-Advisor 439 <coad measurement-factory.com>] 440 441 *) core, mod_cache: Ensure RFC2616 compliance in ap_meets_conditions() 442 with weak validation combined with If-Range and Range headers. Break 443 out explicit conditional header checks to be useable elsewhere in the 444 server. Ensure weak validation RFC compliance in the byteranges filter. 445 Ensure RFC validation compliance when serving cached entities. PR 16142 446 [Graham Leggett, Co-Advisor <coad measurement-factory.com>] 447 448 *) core: Add the ability to do explicit matching on weak and strong ETags 449 as per RFC2616 Section 13.3.3. [Graham Leggett, Co-Advisor 450 <coad measurement-factory.com>] 451 452 *) mod_cache: Ensure that updated responses to HEAD requests don't get 453 mistakenly paired with a previously cached body. Ensure that any existing 454 body is removed when a HEAD request is cached. [Graham Leggett, 455 Co-Advisor <coad measurement-factory.com>] 456 457 *) mod_cache: Honour Cache-Control: no-store in a request. [Graham Leggett] 458 459 *) mod_cache: Make sure that contradictory entity headers present in a 304 460 Not Modified response are caught and cause the entity to be removed. 461 [Graham Leggett] 462 463 *) mod_cache: Make sure Vary processing handles multivalued Vary headers and 464 multivalued headers referred to via Vary. [Graham Leggett] 465 466 *) mod_cache: When serving from cache, only the last header of a multivalued 467 header was taken into account. Fixed. Ensure that Warning headers are 468 correctly handled as per RFC2616. [Graham Leggett] 469 470 *) mod_cache: Ignore response headers specified by no-cache=header and 471 private=header as specified by RFC2616 14.9.1 What is Cacheable. Ensure 472 that these headers are still processed when multiple Cache-Control 473 headers are present in the response. PR 54706 [Graham Leggett, 474 Yann Ylavic <ylavic.dev gmail.com>] 475 476 *) mod_cache: Invalidate cached entities in response to RFC2616 Section 477 13.10 Invalidation After Updates or Deletions. PR 15868 [Graham 478 Leggett] 479 480 *) mod_dav: Improve error handling in dav_method_put(), add new 481 dav_join_error() function. PR 54145. [Ben Reser <ben reser.org>] 482 483 *) mod_dav: Do not fail PROPPATCH when prop namespace is not known. 484 PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>] 485 486 *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead 487 property on a resource for which there is no dead property in the same 488 namespace httpd segfaults. PR 52559 [Diego Santa Cruz 489 <diego.santaCruz spinetix.com>] 490 491 *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't 492 result in a 412 Precondition Failed for a COPY operation. PR54610 493 [Timothy Wood <tjw omnigroup.com>] 494 495 *) mod_dav: Make sure that when we prepare an If URL for Etag comparison, 496 we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>] 497 498 *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive. 499 Gracefully step aside if the body size is zero. [Graham Leggett] 500 501 *) 'AuthGroupFile' and 'AuthUserFile' do not accept anymore the optional 502 'standard' keyword . It was unused and not documented. 503 PR54463 [Tianyin Xu <tixu cs.ucsd.edu> and Christophe Jaillet] 504 505 *) core: Do not over allocate memory within 'ap_rgetline_core' for 506 the common case. [Christophe Jaillet] 507 508 *) core: speed up (for common cases) and reduce memory usage of 509 ap_escape_logitem(). This should save 70-100 bytes in the request 510 pool for a default config. [Christophe Jaillet] 511 512 *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611 513 [Timothy Wood <tjw omnigroup.com>] 514 515 *) mod_proxy: Reject invalid values for Max-Forwards. [Graham Leggett, 516 Co-Advisor <coad measurement-factory.com>] 517 518 *) mod_cache: RFC2616 14.9.3 The s-maxage directive also implies the 519 semantics of the proxy-revalidate directive. [Graham Leggett] 520 521 *) mod_ssl: add support for subjectAltName-based host name checking 522 in proxy mode (SSLProxyCheckPeerName). PR 54030. [Kaspar Brand] 523 524 *) core: Use the proper macro for HTTP/1.1. [Graham Leggett] 525 526 *) event MPM: Provide error handling for ThreadStackSize. PR 54311 527 [Tianyin Xu <tixu cs.ucsd.edu>, Christophe Jaillet] 528 529 *) mod_dav: Do not segfault on PROPFIND with a zero length DBM. 530 PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>] 531 532 *) core: Improve error message where client's request-line exceeds 533 LimitRequestLine. PR 54384 [Christophe Jaillet] 534 535 *) mod_macro: New module that provides macros within configuration files. 536 [Fabien Coelho] 537 538 *) mod_cache_socache: New cache implementation backed by mod_socache 539 that replaces mod_mem_cache known from httpd 2.2. [Graham 540 Leggett] 541 542 *) htpasswd: Add -v option to verify a password. [Stefan Fritsch] 543 544 *) mod_proxy: Add BalancerInherit and ProxyPassInherit to control 545 whether Proxy Balancers and Workers are inherited by vhosts 546 (default is On). [Jim Jagielski] 547 548 *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind 549 password. [Daniel Ruggeri] 550 551 *) Added balancer parameter failontimeout to allow server admin 552 to configure an IO timeout as an error in the balancer. 553 [Daniel Ruggeri] 554 555 *) mod_auth_digest: Fix crashes if shm initialization failed. [Stefan 556 Fritsch] 557 558 *) htpasswd, htdbm: Fix password generation. PR 54735. [Stefan Fritsch] 559 560 *) core: Add workaround for gcc bug on sparc/64bit. PR 52900. 561 [Stefan Fritsch] 562 563 *) mod_setenvif: Fix crash in case SetEnvif and SetEnvIfExpr are used 564 together. PR 54881. [Ruediger Pluem] 565 566 *) htdigest: Fix buffer overflow when reading digest password file 567 with very long lines. PR 54893. [Rainer Jung] 568 569 *) ap_expr: Add the ability to base64 encode and base64 decode 570 strings and to generate their SHA1 and MD5 hash. 571 [Graham Leggett, Stefan Fritsch] 572 573 *) mod_log_config: Fix crash when logging request end time for a failed 574 request. PR 54828 [Rainer Jung] 575 576 *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs 577 with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698. 578 [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand] 579 580 *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits 581 in the error log to debug level. [William Rowe] 582 583 *) mod_cache_disk: CacheMinFileSize and CacheMaxFileSize were always 584 using compiled in defaults of 1000000/1 respectively. [Eric Covener] 585 586 *) mod_lbmethod_heartbeat, mod_heartmonitor: Respect DefaultRuntimeDir/ 587 DEFAULT_REL_RUNTIMEDIR for the heartbeat storage file. [Jeff Trawick] 588 589 *) mod_include: Use new ap_expr for 'elif', like 'if', 590 if legacy parser is not specified. PR 54548 [Tom Donovan] 591 592 *) mod_lua: Add some new functions: r:htpassword(), r:mkdir(), r:mkrdir(), 593 r:rmdir(), r:touch(), r:get_direntries(), r.date_parse_rfc(). 594 [Guenter Knauf] 595 596 *) mod_lua: Add multipart form data handling. [Daniel Gruno] 597 598 *) mod_lua: If a LuaMapHandler doesn't return any value, log a warning 599 and treat it as apache2.OK. [Eric Covener] 600 601 *) mod_lua: Add bindings for apr_dbd/mod_dbd database access 602 [Daniel Gruno] 603 604 *) mod_lua: Add LuaInputFilter/LuaOutputFilter for creating content 605 filters in Lua [Daniel Gruno] 606 607 *) mod_lua: Allow scripts handled by the lua-script handler to return 608 a status code to the client (such as a 302 or a 500) [Daniel Gruno] 609 610 *) mod_lua: Decline handling 'lua-script' if the file doesn't exist, 611 rather than throwing an internal server error. [Daniel Gruno] 612 613 *) mod_lua: Add functions r:flush and r:sendfile as well as additional 614 request information to the request_rec structure. [Daniel Gruno] 615 616 *) mod_lua: Add a server scope for Lua states, which creates a pool of 617 states with managable minimum and maximum size. [Daniel Gruno] 618 619 *) mod_lua: Add new directive, LuaMapHandler, for dynamically mapping 620 URIs to Lua scripts and functions using regular expressions. 621 [Daniel Gruno] 622 623 *) mod_lua: Add new directive LuaCodeCache for controlling in-memory 624 caching of lua scripts. [Daniel Gruno] 625 626Changes with Apache 2.4.4 627 628 *) SECURITY: CVE-2012-3499 (cve.mitre.org) 629 Various XSS flaws due to unescaped hostnames and URIs HTML output in 630 mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. 631 [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>] 632 633 *) SECURITY: CVE-2012-4558 (cve.mitre.org) 634 XSS in mod_proxy_balancer manager interface. [Jim Jagielski, 635 Niels Heinen <heinenn google com>] 636 637 *) mod_dir: Add support for the value 'disabled' in FallbackResource. 638 [Vincent Deffontaines] 639 640 *) mod_proxy_connect: Don't keepalive the connection to the client if the 641 backend closes the connection. PR 54474. [Pavel Mateja <pavel netsafe cz>] 642 643 *) mod_lua: Add bindings for mod_dbd/apr_dbd database access. 644 [Daniel Gruno] 645 646 *) mod_proxy: Allow for persistence of local changes made via the 647 balancer-manager between graceful/normal restarts and power 648 cycles. [Jim Jagielski] 649 650 *) mod_proxy: Fix startup crash with mis-defined balancers. 651 PR 52402. [Jim Jagielski] 652 653 *) --with-module: Fix failure to integrate them into some existing 654 module directories. PR 40097. [Jeff Trawick] 655 656 *) htcacheclean: Fix potential segfault if "-p" is omitted. [Joe Orton] 657 658 *) mod_proxy_http: Honour special value 0 (unlimited) of LimitRequestBody 659 PR 54435. [Pavel Mateja <pavel netsafe.cz>] 660 661 *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416. 662 [Rainer Jung] 663 664 *) htcacheclean: Fix list options "-a" and "-A". 665 [Rainer Jung] 666 667 *) mod_slotmem_shm: Fix mistaken reset of num_free for restored shm. 668 [Jim Jagielski] 669 670 *) mod_proxy: non-existance of byrequests is not an immediate error. 671 [Jim Jagielski] 672 673 *) mod_proxy_balancer: Improve output of balancer-manager (re: Drn, 674 Dis, Ign, Stby). PR 52478 [Danijel <dt-ng rbfh de>] 675 676 *) configure: Fix processing of --disable-FEATURE for various features. 677 [Jeff Trawick] 678 679 *) mod_dialup/mod_http: Prevent a crash in mod_dialup in case of internal 680 redirect. PR 52230. 681 682 *) various modules, rotatelogs: Replace use of apr_file_write() with 683 apr_file_write_full() to prevent incomplete writes. PR 53131. 684 [Nicolas Viennot <apache viennot biz>, Stefan Fritsch] 685 686 *) ab: Support socket timeout (-s timeout). 687 [Guido Serra <zeph fsfe org>] 688 689 *) httxt2dbm: Correct length computation for the 'value' stored in the 690 DBM file. PR 47650 [jon buckybox com] 691 692 *) core: Be more correct about rejecting directives that cannot work in <If> 693 sections. [Stefan Fritsch] 694 695 *) core: Fix directives like LogLevel that need to know if they are invoked 696 at virtual host context or in Directory/Files/Location/If sections to 697 work properly in If sections that are not in a Directory/Files/Location. 698 [Stefan Fritsch] 699 700 *) mod_xml2enc: Fix problems with charset conversion altering the 701 Content-Length. [Micha Lenk <micha lenk info>] 702 703 *) ap_expr: Add req_novary function that allows HTTP header lookups 704 without adding the name to the Vary header. [Stefan Fritsch] 705 706 *) mod_slotmem_*: Add in new fgrab() function which forces a grab and 707 slot allocation on a specified slot. Allow for clearing of inuse 708 array. [Jim Jagielski] 709 710 *) mod_proxy_ftp: Fix segfaults on IPv4 requests to hosts with DNS 711 AAAA records. PR 40841. [Andrew Rucker Jones <arjones simultan 712 dyndns org>, <ast domdv de>, Jim Jagielski] 713 714 *) mod_auth_form: Make sure that get_notes_auth() sets the user as does 715 get_form_auth() and get_session_auth(). Makes sure that REMOTE_USER 716 does not vanish during mod_include driven subrequests. [Graham 717 Leggett] 718 719 *) mod_cache_disk: Resolve errors while revalidating disk-cached files on 720 Windows ("...rename tempfile to datafile failed..."). PR 38827 721 [Eric Covener] 722 723 *) mod_proxy_balancer: Bring XML output up to date. [Jim Jagielski] 724 725 *) htpasswd, htdbm: Optionally read passwords from stdin, as more 726 secure alternative to -b. PR 40243. [Adomas Paltanavicius <adomas 727 paltanavicius gmail com>, Stefan Fritsch] 728 729 *) htpasswd, htdbm: Add support for bcrypt algorithm (requires 730 apr-util 1.5 or higher). PR 49288. [Stefan Fritsch] 731 732 *) htpasswd, htdbm: Put full 48bit of entropy into salt, improve 733 error handling. Add some of htpasswd's improvements to htdbm, 734 e.g. warn if password is truncated by crypt(). [Stefan Fritsch] 735 736 *) mod_auth_form: Support the expr parser in the 737 AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and 738 AuthFormLogoutLocation directives. [Graham Leggett] 739 740 *) mod_ssl: Add support for TLS-SRP (Secure Remote Password key exchange 741 for TLS, RFC 5054). PR 51075. [Quinn Slack <sqs cs stanford edu>, 742 Christophe Renou, Peter Sylvester] 743 744 *) mod_rewrite: Stop mergeing RewriteBase down to subdirectories 745 unless new option 'RewriteOptions MergeBase' is configured. 746 PR 53963. [Eric Covener] 747 748 *) mod_header: Allow for exposure of loadavg and server load using new 749 format specifiers %l, %i, %b [Jim Jagielski] 750 751 *) core: Make ap_regcomp() return AP_REG_ESPACE if out of memory. Make 752 ap_pregcomp() abort if out of memory. This raises the minimum PCRE 753 requirement to version 6.0. [Stefan Fritsch] 754 755 *) mod_proxy: Add ability to configure the sticky session separator. 756 PR 53893. [<inu inusasha de>, Jim Jagielski] 757 758 *) mod_dumpio: Correctly log large messages 759 PR 54179 [Marek Wianecki <mieszek2 interia pl>] 760 761 *) core: Don't fail at startup with AH00554 when Include points to 762 a directory without any wildcard character. [Eric Covener] 763 764 *) core: Fail startup if the argument to ServerTokens is unrecognized. 765 [Jackie Zhang <jackie.qq.zhang gmail.com>] 766 767 *) mod_log_forensic: Don't log a spurious "-" if a request has been rejected 768 before mod_log_forensic could attach its id to it. [Stefan Fritsch] 769 770 *) rotatelogs: Omit the second argument for the first invocation of 771 a post-rotate program when -p is used, per the documentation. 772 [Joe Orton] 773 774 *) mod_session_dbd: fix a segmentation fault in the function dbd_remove. 775 PR 53452. [<rebanerebane gmail com>, Reimo Rebane] 776 777 *) core: Functions to provide server load values: ap_get_sload() and 778 ap_get_loadavg(). [Jim Jagielski, Jan Kaluza <jkaluza redhat.com>, 779 Jeff Trawick] 780 781 *) mod_ldap: Fix regression in handling "server unavailable" errors on 782 Windows. PR 54140. [Eric Covener] 783 784 *) syslog logging: Remove stray ", referer" at the end of some messages. 785 [Jeff Trawick] 786 787 *) "Iterate" directives: Report an error if no arguments are provided. 788 [Jeff Trawick] 789 790 *) mod_ssl: Change default for SSLCompression to off, as compression 791 causes security issues in most setups. (The so called "CRIME" attack). 792 [Stefan Fritsch] 793 794 *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output 795 to more accurately report the negotiated protocol. PR 53916. 796 [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand] 797 798 *) core: ErrorDocument now works for requests without a Host header. 799 PR 48357. [Jeff Trawick] 800 801 *) prefork: Avoid logging harmless errors during graceful stop. 802 [Joe Orton, Jeff Trawick] 803 804 *) mod_proxy: When concatting for PPR, avoid cases where we 805 concat ".../" and "/..." to create "...//..." [Jim Jagielski] 806 807 *) mod_cache: Wrong content type and character set when 808 mod_cache serves stale content because of a proxy error. 809 PR 53539. [Rainer Jung, Ruediger Pluem] 810 811 *) mod_proxy_ajp: Fix crash in packet dump code when logging 812 with LogLevel trace7 or trace8. PR 53730. [Rainer Jung] 813 814 *) httpd.conf: Removed the configuration directives setting a bad_DNT 815 environment introduced in 2.4.3. The actual directives are commented 816 out in the default conf file. 817 818 *) core: Apply length limit when logging Status header values. 819 [Jeff Trawick, Chris Darroch] 820 821 *) mod_proxy_balancer: The nonce is only derived from the UUID iff 822 not set via the 'nonce' balancer param. [Jim Jagielski] 823 824 *) mod_ssl: Match wildcard SSL certificate names in proxy mode. 825 PR 53006. [Joe Orton] 826 827 *) Windows: Fix output of -M, -L, and similar command-line options 828 which display information about the server configuration. 829 [Jeff Trawick] 830 831Changes with Apache 2.4.3 832 833 *) SECURITY: CVE-2012-3502 (cve.mitre.org) 834 mod_proxy_ajp, mod_proxy_http: Fix an issue in back end 835 connection closing which could lead to privacy issues due 836 to a response mixup. PR 53727. [Rainer Jung] 837 838 *) SECURITY: CVE-2012-2687 (cve.mitre.org) 839 mod_negotiation: Escape filenames in variant list to prevent a 840 possible XSS for a site where untrusted users can upload files to 841 a location with MultiViews enabled. [Niels Heinen <heinenn google.com>] 842 843 *) mod_authnz_ldap: Don't try a potentially expensive nested groups 844 search before exhausting all AuthLDAPGroupAttribute checks on the 845 current group. PR 52464 [Eric Covener] 846 847 *) mod_lua: Add new directive LuaAuthzProvider to allow implementing an 848 authorization provider in lua. [Stefan Fritsch] 849 850 *) core: Be less strict when checking whether Content-Type is set to 851 "application/x-www-form-urlencoded" when parsing POST data, 852 or we risk losing data with an appended charset. PR 53698 853 [Petter Berntsen <petterb gmail.com>] 854 855 *) httpd.conf: Added configuration directives to set a bad_DNT environment 856 variable based on User-Agent and to remove the DNT header field from 857 incoming requests when a match occurs. This currently has the effect of 858 removing DNT from requests by MSIE 10.0 because it deliberately violates 859 the current specification of DNT semantics for HTTP. [Roy T. Fielding] 860 861 *) mod_socache_shmcb: Fix bus error due to a misalignment 862 in some 32 bit builds, especially on Solaris Sparc. 863 PR 53040. [Rainer Jung] 864 865 *) mod_cache: Set content type in case we return stale content. 866 [Ruediger Pluem] 867 868 *) Windows: Fix SSL failures on windows with AcceptFilter https none. 869 PR 52476. [Jeff Trawick] 870 871 *) ab: Fix read failure when targeting SSL server. [Jeff Trawick] 872 873 *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR: 874 - mod_auth_digest: shared memory file 875 [Jeff Trawick] 876 877 *) htpasswd: Use correct file mode for checking if file is writable. 878 PR 45923. [Stefan Fritsch] 879 880 *) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T. 881 <mi apache aldan algebra com>] 882 883 *) mod_ssl: Add new directive SSLCompression to disable TLS-level 884 compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch] 885 886 *) mod_lua: Add a few missing request_rec fields. Rename remote_ip to 887 client_ip to match conn_rec. [Stefan Fritsch] 888 889 *) mod_lua: Change prototype of vm_construct, to work around gcc bug which 890 causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>] 891 892 *) mpm_event: Don't count connections in lingering close state when 893 calculating how many additional connections may be accepted. 894 [Stefan Fritsch] 895 896 *) mod_ssl: If exiting during initialization because of a fatal error, 897 log a message to the main error log pointing to the appropriate 898 virtual host error log. [Stefan Fritsch] 899 900 *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on 901 one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>] 902 903 *) mod_proxy_balancer: Restore balancing after a failed worker has 904 recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick] 905 906 *) mod_setenvif: Compile some global regex only once during startup. 907 This should save some memory, especially with .htaccess. 908 [Stefan Fritsch] 909 910 *) core: Add the port number to the vhost's name in the scoreboard. 911 [Stefan Fritsch] 912 913 *) mod_proxy: Fix ProxyPassReverse for balancer configurations. 914 PR 45434. [Joe Orton] 915 916 *) mod_lua: Add the parsebody function for parsing POST data. PR 53064. 917 [Daniel Gruno] 918 919 *) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS. 920 [Stefan Fritsch] 921 922 *) mod_proxy: Fix memory leak or possible corruption in ProxyBlock 923 implementation. [Ruediger Pluem, Joe Orton] 924 925 *) mod_proxy: Check hostname from request URI against ProxyBlock list, 926 not forward proxy, if ProxyRemote* is configured. [Joe Orton] 927 928 *) mod_proxy_connect: Avoid DNS lookup on hostname from request URI 929 if ProxyRemote* is configured. PR 43697. [Joe Orton] 930 931 *) mpm_event, mpm_worker: Remain active amidst prevalent child process 932 resource shortages. [Jeff Trawick] 933 934 *) Add "strict" and "warnings" pragmas to Perl scripts. [Rich Bowen] 935 936 *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR: 937 - core: the scoreboard (ScoreBoardFile), pid file (PidFile), and 938 mutexes (Mutex) 939 [Jim Jagielski] 940 941 *) ab: Fix bind() errors. [Joe Orton] 942 943 *) mpm_event: Don't do a blocking write when starting a lingering close 944 from the listener thread. PR 52229. [Stefan Fritsch] 945 946 *) mod_so: If a filename without slashes is specified for LoadFile or 947 LoadModule and the file cannot be found in the server root directory, 948 try to use the standard dlopen() search path. [Stefan Fritsch] 949 950 *) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced 951 after child process resource shortages. [Jeff Trawick] 952 953 *) mpm_prefork: Reduce spawn rate after a child process exits due to 954 unexpected poll or accept failure. [Jeff Trawick] 955 956 *) core: Log value of Status header line in script responses rather 957 than the fixed header name. [Chris Darroch] 958 959 *) mpm_ssl: Fix handling of empty response from OCSP server. 960 [Jim Meyering <meyering redhat.com>, Joe Orton] 961 962 *) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch] 963 964 *) mod_authz_core: If an expression in "Require expr" returns denied and 965 references %{REMOTE_USER}, trigger authentication and retry. PR 52892. 966 [Stefan Fritsch] 967 968 *) core: Always log if LimitRequestFieldSize triggers. [Stefan Fritsch] 969 970 *) mod_deflate: Skip compression if compression is enabled at SSL level. 971 [Stefan Fritsch] 972 973 *) core: Add missing HTTP status codes registered with IANA. 974 [Julian Reschke <julian.reschke gmx.de>, Rainer Jung] 975 976 *) mod_ldap: Treat the "server unavailable" condition as a transient 977 error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>] 978 979 *) core: Fix spurious "not allowed here" error returned when the Options 980 directive is used in .htaccess and "AllowOverride Options" (with no 981 specific options restricted) is configured. PR 53444. [Eric Covener] 982 983 *) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>. 984 PR 53048. [Stefan Fritsch] 985 986 *) mod_log_config: Fix %{abc}C truncating cookie values at first "=". 987 PR 53104. [Greg Ames] 988 989 *) mod_ext_filter: Fix error_log spam when input filters are configured. 990 [Joe Orton] 991 992 *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton] 993 994 *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). 995 [Paul Wouters <pwouters redhat.com>, Joe Orton] 996 997 *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if 998 the chosen listener is configured for https. [Joe Orton] 999 1000 *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when 1001 forwarding to SSL backends. PR 53134. 1002 [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem] 1003 1004 *) mod_info: Display all registered providers. [Stefan Fritsch] 1005 1006 *) mod_ssl: Send the error message for speaking http to an https port using 1007 HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when 1008 using SNI. PR 50823. [Stefan Fritsch] 1009 1010 *) core: Fix segfault in logging if r->useragent_addr or c->client_addr is 1011 unset. PR 53265. [Stefan Fritsch] 1012 1013 *) log_server_status: Bring Perl style forward to the present, use 1014 standard modules, update for new format of server-status output. 1015 PR 45424. [Richard Bowen, Dave Brondsema, and others] 1016 1017 *) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups. 1018 [Joe Orton, André Malo] 1019 1020 *) core: Prevent "httpd -k restart" from killing server in presence of 1021 config error. [Joe Orton] 1022 1023 *) mod_proxy_fcgi: If there is an error reading the headers from the 1024 backend, send an error to the client. PR 52879. [Stefan Fritsch] 1025 1026Changes with Apache 2.4.2 1027 1028 *) SECURITY: CVE-2012-0883 (cve.mitre.org) 1029 envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the 1030 current working directory to be searched for DSOs. [Stefan Fritsch] 1031 1032 *) mod_slotmem_shm: Honor DefaultRuntimeDir [Jim Jagielski] 1033 1034 *) mod_ssl: Fix crash with threaded MPMs due to race condition when 1035 initializing EC temporary keys. [Stefan Fritsch] 1036 1037 *) mod_rewrite: Fix RewriteCond integer checks to be parsed correctly. 1038 PR 53023. [Axel Reinhold <apache freakout.de>, André Malo] 1039 1040 *) mod_proxy: Add the forcerecovery balancer parameter that determines if 1041 recovery for balancer workers is enforced. [Ruediger Pluem] 1042 1043 *) Fix MPM DSO load failure on AIX. [Jeff Trawick] 1044 1045 *) mod_proxy: Correctly set up reverse proxy worker. PR 52935. 1046 [Petter Berntsen <petterb gmail.com>] 1047 1048 *) mod_sed: Don't define PATH_MAX to a potentially undefined value, causing 1049 compile problems on GNU hurd. [Stefan Fritsch] 1050 1051 *) core: Add ap_runtime_dir_relative() and DefaultRuntimeDir. 1052 [Jeff Trawick] 1053 1054 *) core: Fix breakage of Listen directives with MPMs that use a 1055 per-directory config. PR 52904. [Stefan Fritsch] 1056 1057 *) core: Disallow directives in AllowOverrideList which are only allowed 1058 in VirtualHost or server context. These are usually not prepared to be 1059 called in .htaccess files. [Stefan Fritsch] 1060 1061 *) core: In AllowOverrideList, do not allow 'None' together with other 1062 directives. PR 52823. [Stefan Fritsch] 1063 1064 *) mod_slotmem_shm: Support DEFAULT_REL_RUNTIMEDIR for file-based shm. 1065 [Jim Jagielski] 1066 1067 *) core: Fix merging of AllowOverrideList and ContentDigest. 1068 [Stefan Fritsch] 1069 1070 *) mod_request: Fix validation of the KeptBodySize argument so it 1071 doesn't always throw a configuration error. PR 52981 [Eric Covener] 1072 1073 *) core: Add filesystem paths to access denied / access failed messages 1074 AH00035 and AH00036. [Eric Covener] 1075 1076 *) mod_dumpio: Properly handle errors from subsequent input filters. 1077 PR 52914. [Stefan Fritsch] 1078 1079 *) Unix MPMs: Fix small memory leak in parent process if connect() 1080 failed when waking up children. [Joe Orton] 1081 1082 *) "DirectoryIndex disabled" now undoes DirectoryIndex settings in 1083 the current configuration section, not just previous config sections. 1084 PR 52845. [Eric Covener] 1085 1086 *) mod_xml2enc: Fix broken handling of EOS buckets which could lead to 1087 response headers not being sent. PR 52766. [Stefan Fritsch] 1088 1089 *) mod_ssl: Properly free the GENERAL_NAMEs. PR 32652. [Kaspar Brand] 1090 1091 *) core: Check during config test that directories for the access 1092 logs actually exist. PR 29941. [Stefan Fritsch] 1093 1094 *) mod_xml2enc, mod_proxy_html: Enable per-module loglevels. 1095 [Stefan Fritsch] 1096 1097 *) mod_filter: Fix segfault with AddOutputFilterByType. PR 52755. 1098 [Stefan Fritsch] 1099 1100 *) mod_session: Sessions are encoded as application/x-www-form-urlencoded 1101 strings, however we do not handle the encoding of spaces properly. 1102 Fixed. [Graham Leggett] 1103 1104 *) Configuration: Example in comment should use a path consistent 1105 with the default configuration. PR 52715. 1106 [Rich Bowen, Jens Schleusener, Rainer Jung] 1107 1108 *) Configuration: Switch documentation links from trunk to 2.4. 1109 [Rainer Jung] 1110 1111 *) configure: Fix out of tree build using apr and apr-util in srclib. 1112 [Rainer Jung] 1113 1114Changes with Apache 2.4.1 1115 1116 *) SECURITY: CVE-2012-0053 (cve.mitre.org) 1117 Fix an issue in error responses that could expose "httpOnly" cookies 1118 when no custom ErrorDocument is specified for status code 400. 1119 [Eric Covener] 1120 1121 *) mod_proxy_balancer: Fix crash on Windows. PR 52402 [Mladen Turk] 1122 1123 *) core: Check during configtest that the directories for error logs exist. 1124 PR 29941 [Stefan Fritsch] 1125 1126 *) Core configuration: add AllowOverride option to treat syntax 1127 errors in .htaccess as non-fatal. PR 52439 [Nick Kew, Jim Jagielski] 1128 1129 *) core: Fix memory consumption in core output filter with streaming 1130 bucket types like CGI or PIPE. [Joe Orton, Stefan Fritsch] 1131 1132 *) configure: Disable modules at configure time if a prerequisite module 1133 is not enabled. PR 52487. [Stefan Fritsch] 1134 1135 *) Rewrite and proxy now decline what they don't support rather 1136 than fail the request. [Joe Orton] 1137 1138 *) Fix building against external apr plus apr-util if apr is not installed 1139 in a system default path. [Rainer Jung] 1140 1141 *) Doxygen fixes and improvements. [Joe Orton, Igor Galić] 1142 1143 *) core: Fix building against PCRE 8.30 by switching from the obsolete 1144 pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung] 1145 1146Changes with Apache 2.4.0 1147 1148 *) SECURITY: CVE-2012-0031 (cve.mitre.org) 1149 Fix scoreboard issue which could allow an unprivileged child process 1150 to cause the parent to crash at shutdown rather than terminate 1151 cleanly. [Joe Orton] 1152 1153 *) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch] 1154 1155 *) SECURITY: CVE-2012-0021 (cve.mitre.org) 1156 mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format 1157 string is in use and a client sends a nameless, valueless cookie, causing 1158 a denial of service. The issue existed since version 2.2.17 and 2.3.3. 1159 PR 52256. [Rainer Canavan <rainer-apache 7val com>] 1160 1161 *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit 1162 control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive. 1163 [Kaspar Brand] 1164 1165 *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1 1166 or later, to improve binary compatibility with future OpenSSL releases. 1167 [Kaspar Brand] 1168 1169 *) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass, 1170 but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime 1171 behave identically in both cases. PR52342. [Graham Leggett] 1172 1173 *) Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with 1174 corresponding man pages. [Graham Leggett] 1175 1176 *) Distinguish properly between the bindir and sbindir directories when 1177 installing binaries. Previously all binaries were silently installed to 1178 sbindir, whether they were system administration commands or not. 1179 [Graham Leggett] 1180 1181Changes with Apache 2.3.16 1182 1183 *) SECURITY: CVE-2011-4317 (cve.mitre.org) 1184 Resolve additional cases of URL rewriting with ProxyPassMatch or 1185 RewriteRule, where particular request-URIs could result in undesired 1186 backend network exposure in some configurations. 1187 [Joe Orton] 1188 1189 *) core: Limit line length in .htaccess to 8K like in 2.2.x, to avoid 1190 additional DoS potential. [Stefan Fritsch] 1191 1192 *) core, all modules: Add unique tag to most error log messages. [Stefan 1193 Fritsch] 1194 1195 *) mod_socache_memcache: Change provider name from "mc" to "memcache" to 1196 match module name. [Stefan Fritsch] 1197 1198 *) mod_slotmem_shm: Change provider name from "shared" to "shm" to match 1199 module name. [Stefan Fritsch] 1200 1201 *) mod_ldap: Fix segfault with Solaris LDAP when enabling ldaps. This 1202 requires an apr-util fix in which is available in apr-util >= 1.4.0. 1203 PR 42682. [Stefan Fritsch] 1204 1205 *) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible 1206 for RewriteRules to be placed in .htaccess files that match the directory 1207 with no trailing slash. PR 48304. 1208 [Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>] 1209 1210 *) mod_session_crypto: Add a SessionCryptoPassphraseFile directive so that 1211 the administrator can hide the keys from the configuration. [Graham 1212 Leggett] 1213 1214 *) Introduce a per request version of the remote IP address, which can be 1215 optionally modified by a module when the effective IP of the client 1216 is not the same as the real IP of the client (such as a load balancer). 1217 Introduce a per connection "peer_ip" and a per request "client_ip" to 1218 distinguish between the raw IP address of the connection and the effective 1219 IP address of the request. [Graham Leggett] 1220 1221 *) ap_pass_brigade_fchk() function added. [Jim Jagielski] 1222 1223 *) core: Pass ap_errorlog_info struct to error log hook. [Stefan Fritsch] 1224 1225 *) mod_cache_disk: Make sure we check return codes on all writes and 1226 attempts to close, and clean up after ourselves in these cases. 1227 PR43589. [Graham Leggett] 1228 1229 *) mod_cache_disk: Remove the unnecessary intermediate brigade while 1230 writing to disk. Fixes a problem where mod_disk_cache was leaving 1231 buckets in the intermediate brigade and not passing them to out on 1232 exit. [Florian S. <f_los_ch yahoo.com>, Graham Leggett] 1233 1234 *) mod_ssl: use a shorter setting for SSLCipherSuite in the default 1235 default configuration file, and add some more information about 1236 configuring a speed-optimized alternative. 1237 [Kaspar Brand] 1238 1239 *) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand] 1240 1241 *) mod_lua: Stop losing track of all but the most specific LuaHook* directives 1242 when multiple per-directory config sections are used. Adds LuaInherit 1243 directive to control how parent sections are merged. [Eric Covener] 1244 1245 *) Server directive display (-L): Include directives of DSOs. 1246 [Jeff Trawick] 1247 1248 *) mod_cache: Make sure we merge headers correctly when we handle a 1249 non cacheable conditional response. PR52120. [Graham Leggett] 1250 1251 *) Pre GA removal of components that will not be included: 1252 - mod_noloris was superseded by mod_reqtimeout 1253 - mod_serf 1254 - mpm_simple 1255 [Rainer Jung] 1256 1257 *) core: Set MaxMemFree 2048 by default. [Stefan Fritsch] 1258 1259 *) mpm_event: Fix assertion failure during very high load. [Stefan Fritsch] 1260 1261 *) configure: Additional modules loaded by default: mod_headers. 1262 Modules moved from module set "few" to "most" and no longer loaded 1263 by default: mod_actions, mod_allowmethods, mod_auth_form, mod_buffer, 1264 mod_cgi(d), mod_include, mod_negotiation, mod_ratelimit, mod_request, 1265 mod_userdir. [Rainer Jung] 1266 1267 *) mod_lua: Use the right lua scope when used as a hook. [Rainer Jung] 1268 1269 *) configure: Only load the really imporant modules (i.e. those enabled by 1270 the 'few' selection) by default. Don't handle modules enabled with 1271 --enable-foo specially. [Stefan Fritsch] 1272 1273 *) end-generation hook: Fix false notification of end-of-generation for 1274 temporary intervals with no active MPM children. [Jeff Trawick] 1275 1276 *) mod_ssl: Add support for configuring persistent TLS session ticket 1277 encryption/decryption keys (useful for clustered environments). 1278 [Paul Querna, Kaspar Brand] 1279 1280 *) mod_usertrack: Use random value instead of remote IP address. 1281 [Stefan Fritsch] 1282 1283Changes with Apache 2.3.15 1284 1285 *) SECURITY: CVE-2011-3348 (cve.mitre.org) 1286 mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not 1287 recognized. [Jean-Frederic Clere] 1288 1289 *) SECURITY: CVE-2011-3192 (cve.mitre.org) 1290 core: Fix handling of byte-range requests to use less memory, to avoid 1291 denial of service. If the sum of all ranges in a request is larger than 1292 the original file, ignore the ranges and send the complete file. 1293 PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener, 1294 <lowprio20 gmail.com>] 1295 1296 *) SECURITY: CVE-2011-3607 (cve.mitre.org) 1297 core: Fix integer overflow in ap_pregsub. This can be triggered e.g. 1298 with mod_setenvif via a malicious .htaccess. [Stefan Fritsch] 1299 1300 *) SECURITY: CVE-2011-3368 (cve.mitre.org) 1301 Reject requests where the request-URI does not match the HTTP 1302 specification, preventing unexpected expansion of target URLs in 1303 some reverse proxy configurations. [Joe Orton] 1304 1305 *) configure: Load all modules in the generated default configuration 1306 when using --enable-load-all-modules. [Rainer Jung] 1307 1308 *) mod_reqtimeout: Change the default to set some reasonable timeout 1309 values. [Stefan Fritsch] 1310 1311 *) core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove 1312 the inode. PR 49623. [Stefan Fritsch] 1313 1314 *) mod_lua: Expose SSL variables via r:ssl_var_lookup(). [Eric Covener] 1315 1316 *) mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName} 1317 can now additionally be run as "early" or "late" relative to other modules. 1318 [Eric Covener] 1319 1320 *) configure: By default, only load those modules that are either required 1321 or explicitly selected by a configure --enable-foo argument. The 1322 LoadModule statements for modules enabled by --enable-mods-shared=most 1323 and friends will be commented out. [Stefan Fritsch] 1324 1325 *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and 1326 LuaHookQuickHandler) from being configured in <Directory>, <Files>, 1327 and htaccess where the configuration would have been ignored. 1328 [Eric Covener] 1329 1330 *) mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors 1331 in LuaMapHandler scripts [Eric Covener] 1332 1333 *) mod_log_debug: Rename optional argument from if= to expr=, to be more 1334 in line with other config directives. [Stefan Fritsch] 1335 1336 *) mod_headers: Require an expression to be specified with expr=, to be more 1337 in line with other config directives. [Stefan Fritsch] 1338 1339 *) mod_substitute: To prevent overboarding memory usage, limit line length 1340 to 1MB. [Stefan Fritsch] 1341 1342 *) mod_lua: Make the query string (r.args) writable. [Eric Covener] 1343 1344 *) mod_include: Add support for application/x-www-form-urlencoded encoding 1345 and decoding. [Graham Leggett] 1346 1347 *) rotatelogs: Add -c option to force logfile creation in every rotation 1348 interval, even if empty. [Jan Kaluža <jkaluza redhat.com>] 1349 1350 *) core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings. 1351 [Stefan Fritsch] 1352 1353 *) mod_session_crypto: Refactor to support the new apr_crypto API. 1354 [Graham Leggett] 1355 1356 *) http: Add missing Location header if local URL-path is used as 1357 ErrorDocument for 30x. [Stefan Fritsch] 1358 1359 *) mod_buffer: Make sure we step down for subrequests, but not for internal 1360 redirects triggered by mod_rewrite. [Graham Leggett] 1361 1362 *) mod_lua: add r:construct_url as a wrapper for ap_construct_url. 1363 [Eric Covener] 1364 1365 *) mod_remote_ip: Fix configuration of internal proxies. PR 49272. 1366 [Jim Riggs <jim riggs me>] 1367 1368 *) mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific 1369 server IP endpoint and remote client IP upon connection. [William Rowe] 1370 1371 *) mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with 1372 PeerExtList(). [Stefan Fritsch] 1373 1374 *) mpm_prefork, mpm_worker, mpm_event: If a child is created just before 1375 graceful restart and then exits because of a missing lock file, don't 1376 shutdown the whole server. PR 39311. [Shawn Michael 1377 <smichael rightnow com>] 1378 1379 *) mpm_event: Check the return value from ap_run_create_connection. 1380 PR: 41194. [Davi Arnaut] 1381 1382 *) mod_mime_magic: Add signatures for PNG and SWF to the example config. 1383 PR: 48352. [Jeremy Wagner-Kaiser <jwagner-kaiser adknowledge com>] 1384 1385 *) core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items 1386 from the parsed (or default) config. This is useful for init scripts that 1387 need to setup temporary directories and permissions. [Stefan Fritsch] 1388 1389 *) core, mod_actions, mod_asis: Downgrade error log messages which accompany 1390 a 404 request status from loglevel error to info. PR: 35768. [Stefan 1391 Fritsch] 1392 1393 *) core: Fix hook sorting with Perl modules. PR: 45076. [Torsten Foertsch 1394 <torsten foertsch gmx net>] 1395 1396 *) core: Enforce LimitRequestFieldSize after multiple headers with the same 1397 name have been merged. [Stefan Fritsch] 1398 1399 *) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory 1400 usage. PR 51618. [Cristian Rodríguez <crrodriguez opensuse org>, 1401 Stefan Fritsch] 1402 1403 *) mod_ssl: At startup, when checking a server certificate whether it 1404 matches the configured ServerName, also take dNSName entries in the 1405 subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand] 1406 1407 *) mod_substitute: Reduce memory usage and copying of data. PR 50559. 1408 [Stefan Fritsch] 1409 1410 *) mod_ssl/proxy: enable the SNI extension for backend TLS connections 1411 [Kaspar Brand] 1412 1413 *) Add wrappers for malloc, calloc, realloc that check for out of memory 1414 situations and use them in many places. PR 51568, PR 51569, PR 51571. 1415 [Stefan Fritsch] 1416 1417 *) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is 1418 false but RLIMIT_* are defined. PR51371. [Eric Covener] 1419 1420 *) core: Correctly obey ServerName / ServerAlias if the Host header from the 1421 request matches the VirtualHost address. 1422 PR 51709. [Micha Lenk <micha lenk.info>] 1423 1424 *) mod_unique_id: Use random number generator to initialize counter. 1425 PR 45110. [Stefan Fritsch] 1426 1427 *) core: Add convenience API for apr_random. [Stefan Fritsch] 1428 1429 *) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control 1430 the number of overlapping and reversing ranges (respectively) permitted 1431 before returning the entire resource, with a default limit of 20. 1432 [Jim Jagielski] 1433 1434 *) mod_ldap: Optional function uldap_ssl_supported(r) always returned false 1435 if called from a virtual host with mod_ldap directives in it. Did not 1436 affect mod_authnz_ldap's usage of mod_ldap. [Eric Covener] 1437 1438 *) mod_filter: Instead of dropping the Accept-Ranges header when a filter 1439 registered with AP_FILTER_PROTO_NO_BYTERANGE is present, 1440 set the header value to "none". [Eric Covener, Ruediger Pluem] 1441 1442 *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none' 1443 in the case Ranges are being ignored with MaxRanges none. 1444 [Eric Covener] 1445 1446 *) mod_ssl: revamp CRL-based revocation checking when validating 1447 certificates of clients or proxied servers. Completely delegate 1448 CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck 1449 directive for controlling the revocation checking mode. [Kaspar Brand] 1450 1451 *) core: Add MaxRanges directive to control the number of ranges permitted 1452 before returning the entire resource, with a default limit of 200. 1453 [Eric Covener] 1454 1455 *) mod_cache: Ensure that CacheDisable can correctly appear within 1456 a LocationMatch. [Graham Leggett] 1457 1458 *) mod_cache: Fix the moving of the CACHE filter, which erroneously 1459 stood down if the original filter was not added by configuration. 1460 [Graham Leggett] 1461 1462 *) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand] 1463 1464 *) mod_authz_groupfile: Increase length limit of lines in the group file to 1465 16MB. PR 43084. [Stefan Fritsch] 1466 1467 *) core: Increase length limit of lines in the configuration file to 16MB. 1468 PR 45888. PR 50824. [Stefan Fritsch] 1469 1470 *) core: Add API for resizable buffers. [Stefan Fritsch] 1471 1472 *) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have 1473 LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such 1474 as Tivoli Directory Server 6.3 and later. [Eric Covener] 1475 1476 *) mod_ldap: Change default number of retries from 10 to 3, and add 1477 an LDAPRetries and LDAPRetryDelay directives. [Eric Covener] 1478 1479 *) mod_authnz_ldap: Don't retry during authentication, because this just 1480 multiplies the ample retries already being done by mod_ldap. [Eric Covener] 1481 1482 *) configure: Allow to explicitly disable modules even with module selection 1483 'reallyall'. [Stefan Fritsch] 1484 1485 *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the 1486 RewriteEngine is disabled in server context, avoiding a crash while 1487 referencing the invalid int: map at runtime. PR 50994. 1488 [Ben Noordhuis <info noordhuis nl>] 1489 1490 *) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand] 1491 1492 *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand] 1493 1494 *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit. 1495 [Kaspar Brand] 1496 1497 *) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the 1498 cookie is set when modules such as mod_rewrite trigger a redirect. Also 1499 use r->err_headers_out for the cookie, for the same reason. PR29755. 1500 [Sami J. Mäkinen <sjm almamedia fi>, Eric Covener] 1501 1502 *) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and 1503 'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch] 1504 1505 *) configure: Enable ldap modules in 'all' and 'most' selections if ldap 1506 is compiled into apr-util. [Stefan Fritsch] 1507 1508 *) core: Add ap_check_cmd_context()-check if a command is executed in 1509 .htaccess file. [Stefan Fritsch] 1510 1511 *) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590. 1512 [Torsten Foertsch <torsten foertsch gmx net>] 1513 1514 *) mod_authn_socache: Fix to work in .htaccess if not configured anywhere 1515 in httpd.conf, and introduce an AuthnCacheEnable directive. 1516 PR 51991 [Nick Kew] 1517 1518 *) mod_xml2enc: new (formerly third-party) module supporting 1519 internationalisation for filters via smart charset sniffing 1520 and conversion. [Nick Kew] 1521 1522 *) mod_proxy_html: new (formerly third-party) module to fix up 1523 HTML links in a reverse proxy situation, where a backend 1524 generates URLs that are not resolvable by Clients. [Nick Kew] 1525 1526Changes with Apache 2.3.14 1527 1528 *) mod_proxy_ajp: Improve trace logging. [Rainer Jung] 1529 1530 *) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets. 1531 [Rainer Jung] 1532 1533 *) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse, 1534 e.g. to reverse proxy "Location: https://other-internal-server/login" 1535 [Nick Kew] 1536 1537 *) prefork, worker, event: Make sure crashes are logged to the error log if 1538 httpd has already detached from the console. [Stefan Fritsch] 1539 1540 *) prefork, worker, event: Reduce period during startup/restart where a 1541 successive signal may be lost. PR 43696. [Arun Bhalla <arun shme net>] 1542 1543 *) mod_allowmethods: Correct Merging of "reset" and do not allow an 1544 empty parameter list for the AllowMethods directive. [Rainer Jung] 1545 1546 *) configure: Update selection of modules for 'all' and 'most'. 'all' will 1547 now enable all modules except for example and test modules. Make the 1548 selection for 'most' more useful (including ssl and proxy). Both 'all' 1549 and 'most' will now disable modules if dependencies are missing instead 1550 of aborting. If a specific module is requested with --enable-XXX=yes, 1551 missing dependencies will still cause configure to exit with an error. 1552 [Stefan Fritsch] 1553 1554 *) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done 1555 in 2.3.13. [Stefan Fritsch] 1556 1557 *) core: For '*' or '_default_' vhosts, use a wildcard address of any 1558 address family, rather than IPv4 only. [Joe Orton] 1559 1560 *) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable 1561 include [ ] for literal IPv6 addresses, as mandated by RFC 3875. 1562 PR 26005. [Stefan Fritsch] 1563 1564 *) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203. 1565 [Nagae Hidetake <nagae eagan jp>] 1566 1567 *) core: Add more logging to ap_scan_script_header_err* functions. Add 1568 ap_scan_script_header_err*_ex functions that take a module index for 1569 logging. 1570 mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the 1571 new functions in order to make logging configurable per-module. 1572 [Stefan Fritsch] 1573 1574 *) mod_dir: Add DirectoryIndexRedirect to send an external redirect to 1575 the proper index. [Eric Covener] 1576 1577 *) mod_deflate: Don't try to compress requests with a zero sized body. 1578 PR 51350. [Stefan Fritsch] 1579 1580 *) core: Fix startup on IPv6-only systems. PR 50592. [Joe Orton, 1581 <root linkage white-void net>] 1582 1583 *) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX, 1584 REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the 1585 whitelist in suexec. PR 51499. [Graham Laverty <graham reg ca>, 1586 Stefan Fritsch] 1587 1588 *) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch] 1589 1590 *) mod_log_debug: New module that allows to log custom messages at various 1591 phases in the request processing. [Stefan Fritsch] 1592 1593 *) mod_ssl: Add some debug logging when loading server certificates. 1594 PR 37912. [Nick Burch <nick burch alfresco com>] 1595 1596 *) configure: Support reallyall option also for --enable-mods-static. 1597 [Rainer Jung] 1598 1599 *) mod_socache_dc: add --with-distcache to configure for choosing 1600 the distcache installation directory. [Rainer Jung] 1601 1602 *) mod_socache_dc: use correct build variable MOD_SOCACHE_DC_LDADD 1603 instead of MOD_SOCACHE_LDADD in build macro. [Rainer Jung] 1604 1605 *) mod_lua, mod_deflate: respect platform specific runpath linker 1606 flag. [Rainer Jung] 1607 1608 *) configure: Only link the httpd binary against PCRE. No other support 1609 binary needs PCRE. [Rainer Jung] 1610 1611 *) configure: tolerate dependency checking failures for modules if 1612 they have been enabled implicitely. [Rainer Jung] 1613 1614 *) configure: Allow to specify module specific custom linker flags via 1615 the MOD_XXX_LDADD variables. [Rainer Jung] 1616 1617Changes with Apache 2.3.13 1618 1619 *) ab: Support specifying the local address to use. PR 48930. 1620 [Peter Schuller <scode spotify com>] 1621 1622 *) core: Add support to ErrorLogFormat for logging the system unique 1623 thread id under Linux. [Stefan Fritsch] 1624 1625 *) event: New AsyncRequestWorkerFactor directive to influence how many 1626 connections will be accepted per process. [Stefan Fritsch] 1627 1628 *) prefork, worker, event: Rename MaxClients to MaxRequestWorkers which 1629 describes more accurately what it does. [Stefan Fritsch] 1630 1631 *) rotatelogs: Add -p argument to specify custom program to invoke 1632 after a log rotation. PR 51285. [Sven Ulland <sveniu ifi.uio.no>, 1633 Joe Orton] 1634 1635 *) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand] 1636 1637 *) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0. 1638 PR 48215. [Kaspar Brand] 1639 1640 *) mod_status: Display information about asynchronous connections in the 1641 server-status. PR 44377. [Stefan Fritsch] 1642 1643 *) mpm_event: If the number of connections of a process is very high, or if 1644 all workers are busy, don't accept new connections in that process. 1645 [Stefan Fritsch] 1646 1647 *) mpm_event: Process lingering close asynchronously instead of tying up 1648 worker threads. [Jeff Trawick, Stefan Fritsch] 1649 1650 *) mpm_event: If MaxMemFree is set, limit the number of pools that is kept 1651 around. [Stefan Fritsch] 1652 1653 *) mpm_event: Fix graceful restart aborting connections. PR 43359. 1654 [Takashi Sato <takashi lans-tv com>] 1655 1656 *) mod_ssl: Disable AECDH ciphers in example config. PR 51363. 1657 [Rob Stradling <rob comodo com>] 1658 1659 *) core: Introduce new function ap_get_conn_socket() to access the socket of 1660 a connection. [Stefan Fritsch] 1661 1662 *) mod_data: Introduce a filter to support RFC2397 data URLs. [Graham 1663 Leggett] 1664 1665 *) mod_userdir/mod_alias/mod_vhost_alias: Correctly set DOCUMENT_ROOT, 1666 CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX. PR 26052. PR 46198. 1667 [Stefan Fritsch] 1668 1669 *) core: Allow to override document_root on a per-request basis. Introduce 1670 new context_document_root and context_prefix which provide information 1671 about non-global URI-to-directory mappings (from e.g. mod_userdir or 1672 mod_alias) to scripts. PR 49705. [Stefan Fritsch] 1673 1674 *) core: Add <ElseIf> and <Else> to complement <If> sections. 1675 [Stefan Fritsch] 1676 1677 *) mod_ext_filter: Remove DebugLevel option in favor of per-module loglevel. 1678 [Stefan Fritsch] 1679 1680 *) mod_include: Make the "#if expr" element use the new "ap_expr" expression 1681 parser. The old parser can still be used by setting the new directive 1682 SSILegacyExprParser. [Stefan Fritsch] 1683 1684 *) core: Add some features to ap_expr for use by mod_include: a restricted 1685 mode that does not allow to bypass request access restrictions; new 1686 variables DOCUMENT_URI (alias for REQUEST_URI), LAST_MODIFIED; -A as an 1687 alias for -U; an additional data entry in ap_expr_eval_ctx_t for use by 1688 the consumer; an extensible ap_expr_exec_ctx() API that allows to use that 1689 data entry. [Stefan Fritsch] 1690 1691 *) mod_include: Merge directory configs instead of one SSI* config directive 1692 causing all other per-directory SSI* config directives to be reset. 1693 [Stefan Fritsch] 1694 1695 *) mod_charset_lite: Remove DebugLevel option in favour of per-module 1696 loglevel. [Stefan Fritsch] 1697 1698 *) core: Add ap_regexec_len() function that works with non-null-terminated 1699 strings. PR 51231. [Yehezkel Horowitz <horowity checkpoint com>] 1700 1701 *) mod_authnz_ldap: If the LDAP server returns constraint violation, 1702 don't treat this as an error but as "auth denied". [Stefan Fritsch] 1703 1704 *) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO 1705 for SCGI/FCGI. PR 50880, 50851. [Mark Montague <mark catseye.org>, 1706 Jim Jagielski] 1707 1708 *) mod_cache: When content is served stale, and there is no means to 1709 revalidate the content using ETag or Last-Modified, and we have 1710 mandated no stale-on-error behaviour, stand down and don't cache. 1711 Saves a cache write that will never be read. 1712 [Graham Leggett] 1713 1714 *) mod_reqtimeout: Fix a timed out connection going into the keep-alive 1715 state after a timeout when discarding a request body. PR 51103. 1716 [Stefan Fritsch] 1717 1718 *) core: Add various file existance test operators to ap_expr. 1719 [Stefan Fritsch] 1720 1721 *) mod_proxy_express: New mass reverse-proxy switch extension for 1722 mod_proxy. [Jim Jagielski] 1723 1724 *) configure: Fix script error when configuring module set "reallyall". 1725 [Rainer Jung] 1726 1727Changes with Apache 2.3.12 1728 1729 *) configure, core: Provide easier support for APR's hook probe 1730 capability. [Jim Jagielski, Jeff Trawick] 1731 1732 *) Silence autoconf 2.68 warnings. [Rainer Jung] 1733 1734 *) mod_authnz_ldap: Resolve crash when LDAP is used for authorization only 1735 [Scott Hill <shill genscape.com>] 1736 1737 *) support: Make sure check_forensic works with mod_unique_id loaded 1738 [Joe Schaefer] 1739 1740 *) Add child_status hook for tracking creation/termination of MPM child 1741 processes. Add end_generation hook for notification when the last 1742 MPM child of a generation exits. [Jeff Trawick] 1743 1744 *) mod_ldap: Make LDAPSharedCacheSize 0 create a non-shared-memory cache per 1745 process as opposed to disabling caching completely. This allows to use 1746 the non-shared-memory cache as a workaround for the shared memory cache 1747 not being available during graceful restarts. PR 48958. [Stefan Fritsch] 1748 1749 *) Add new ap_reserve_module_slots/ap_reserve_module_slots_directive API, 1750 necessary if a module (like mod_perl) registers additional modules late 1751 in the startup phase. [Stefan Fritsch] 1752 1753 *) core: Prevent segfault if DYNAMIC_MODULE_LIMIT is reached. PR 51072. 1754 [Torsten Förtsch <torsten foertsch gmx net>] 1755 1756 *) WinNT MPM: Improve robustness under heavy load. [Jeff Trawick] 1757 1758 *) MinGW build improvements. PR 49535. [John Vandenberg 1759 <jayvdb gmail.com>, Jeff Trawick] 1760 1761 *) core: Support module names with colons in loglevel configuration. 1762 [Torsten Förtsch <torsten foertsch gmx net>] 1763 1764 *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support. 1765 [Stefan Fritsch] 1766 1767 *) core: Abort if the MPM is changed across restart. [Jeff Trawick] 1768 1769 *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945. 1770 [Peter Pramberger <peter pramberger.at>, Jim Jagielski] 1771 1772 *) mod_proxy_fcgi: Add support for 'ProxyErrorOverride on'. PR 50913. 1773 [Mark Montague <mark catseye.org>, Jim Jagielski] 1774 1775 *) core: Change the APIs of ap_cfg_getline() and ap_cfg_getc() to return an 1776 error code. Abort with a nice error message if a config line is too long. 1777 Partial fix for PR 50824. [Stefan Fritsch] 1778 1779 *) mod_info: Dump config to stdout during startup if -DDUMP_CONFIG is 1780 specified. PR 31956. [Stefan Fritsch] 1781 1782 *) Restore visibility of DEFAULT_PIDLOG to core and modules. MPM 1783 helper function ap_remove_pid() added. [Jeff Trawick] 1784 1785 *) Enable DEFAULT_REL_RUNTIMEDIR on Windows and NetWare. [various] 1786 1787 *) Correct C++ incompatibility with http_log.h. [Stefan Fritsch, Jeff 1788 Trawick] 1789 1790 *) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch 1791 <torsten.foertsch gmx.net>] 1792 1793 *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes 1794 in request URL path info but not decode them. Change behavior of option 1795 "On" to decode the encoded slashes as 2.0 and 2.2 do. PR 35256, 1796 PR 46830. [Dan Poirier] 1797 1798 *) mod_ssl: Check SNI hostname against Host header case-insensitively. 1799 PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>] 1800 1801 *) mod_ldap: Add LDAPConnectionPoolTTL to give control over lifetime 1802 of bound backend LDAP connections. PR47634 [Eric Covener] 1803 1804 *) mod_cache: Make CacheEnable and CacheDisable configurable per 1805 directory in addition to per server, making them work from within 1806 a LocationMatch. [Graham Leggett] 1807 1808 *) worker, event, prefork: Correct several issues when built as 1809 DSOs; most notably, the scoreboard was reinitialized during graceful 1810 restart, such that processes of the previous generation were not 1811 observable. [Jeff Trawick] 1812 1813Changes with Apache 2.3.11 1814 1815 *) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI. 1816 Win32's cscript interpreter can only use a single quote as comment char. 1817 [Guenter Knauf] 1818 1819 *) mod_proxy: balancer-manager now uses POST instead of GET. 1820 [Jim Jagielski] 1821 1822 *) core: new util function: ap_parse_form_data(). Previously, 1823 this capability was tucked away in mod_request. [Jim Jagielski] 1824 1825 *) core: new hook: ap_run_pre_read_request. [Jim Jagielski] 1826 1827 *) modules: Fix many modules that were not correctly initializing if they 1828 were not active during server startup but got enabled later during a 1829 graceful restart. [Stefan Fritsch] 1830 1831 *) core: Create new ap_state_query function that allows modules to determine 1832 if the current configuration run is the initial one at server startup, 1833 and if the server is started for testing/config dumping only. 1834 [Stefan Fritsch] 1835 1836 *) mod_proxy: Runtime configuration of many parameters for existing 1837 balancers via the balancer-manager. [Jim Jagielski] 1838 1839 *) mod_proxy: Runtime addition of new workers (BalancerMember) for existing 1840 balancers via the balancer-manager. [Jim Jagielski] 1841 1842 *) mod_cache: When a bad Expires date is present, we need to behave as if 1843 the Expires is in the past, not as if the Expires is missing. PR 16521. 1844 [Co-Advisor <coad measurement-factory.com>] 1845 1846 *) mod_cache: We must ignore quoted-string values that appear in a 1847 Cache-Control header. PR 50199. [Graham Leggett] 1848 1849 *) mod_dav: Revert change to send 501 error if unknown Content-* header is 1850 received for a PUT request. PR 42978. [Stefan Fritsch] 1851 1852 *) mod_cache: Respect s-maxage as described by RFC2616 14.9.3, which must 1853 take precedence if present. PR 35247. [Graham Leggett] 1854 1855 *) mod_ssl: Fix a possible startup failure if multiple SSL vhosts 1856 are configured with the same ServerName and private key file. 1857 [Masahiro Matsuya <mmatsuya redhat.com>, Joe Orton] 1858 1859 *) mod_socache_dc: Make module compile by fixing some typos. 1860 PR 50735 [Mark Montague <mark catseye.org>] 1861 1862 *) prefork: Update MPM state in children during a graceful stop or 1863 restart. PR 41743. [Andrew Punch <andrew.punch 247realmedia.com>] 1864 1865 *) mod_mime: Ignore leading dots when looking for mime extensions. 1866 PR 50434 [Stefan Fritsch] 1867 1868 *) core: Add support to set variables with the 'Define' directive. The 1869 variables that can then be used in the config using the ${VAR} syntax 1870 known from envvar interpolation. [Stefan Fritsch] 1871 1872 *) mod_proxy_http: make adding of X-Forwarded-* headers configurable. 1873 ProxyAddHeaders defaults to On. [Vincent Deffontaines] 1874 1875 *) mod_slotmem_shm: Increase memory alignment for slotmem data. 1876 [Rainer Jung] 1877 1878 *) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout, 1879 SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew. 1880 [Kaspar Brand <httpd-dev.2011 velox.ch>] 1881 1882 *) mod_ssl: Revamp output buffering to reduce network overhead for 1883 output fragmented into many buckets, such as chunked HTTP responses. 1884 [Joe Orton] 1885 1886 *) core: Apply <If> sections to all requests, not only to file base requests. 1887 Allow to use <If> inside <Directory>, <Location>, and <Files> sections. 1888 The merging of <If> sections now happens after the merging of <Location> 1889 sections, even if an <If> section is embedded inside a <Directory> or 1890 <Files> section. [Stefan Fritsch] 1891 1892 *) mod_proxy: Refactor usage of shared data by dropping the scoreboard 1893 and using slotmem. Create foundation for dynamic growth/changes of 1894 members within a balancer. Remove BalancerNonce in favor of a 1895 per-balancer 'nonce' parameter. [Jim Jagielski] 1896 1897 *) mod_status: Don't show slots which are disabled by MaxClients as open. 1898 PR: 47022 [Jordi Prats <jordi prats gmail com>, Stefan Fritsch] 1899 1900 *) mpm_prefork: Fix ap_mpm_query results for AP_MPMQ_MAX_DAEMONS and 1901 AP_MPMQ_MAX_THREADS. 1902 1903 *) mod_authz_core: Fix bug in merging logic if user-based and non-user-based 1904 authorization directives were mixed. [Stefan Fritsch] 1905 1906 *) mod_authn_socache: change directive name from AuthnCacheProvider 1907 to AuthnCacheProvideFor. The term "provider" is overloaded in 1908 this module, and we should avoid confusion between the provider 1909 of a backend (AuthnCacheSOCache) and the authn provider(s) for 1910 which this module provides cacheing (AuthnCacheProvideFor). 1911 [Nick Kew] 1912 1913 *) mod_proxy_http: Allocate the fake backend request from a child pool 1914 of the backend connection, instead of misusing the pool of the frontend 1915 request. Fixes a thread safety issue where buckets set aside in the 1916 backend connection leak into other threads, and then disappear when 1917 the frontend request is cleaned up, in turn causing corrupted buckets 1918 to make other threads spin. [Graham Leggett] 1919 1920 *) mod_ssl: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables 1921 to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and 1922 escape other special characters with backslashes. The old format can 1923 still be used with the LegacyDNStringFormat argument to SSLOptions. 1924 1925 *) core, mod_rewrite: Make the REQUEST_SCHEME variable available to 1926 scripts and mod_rewrite. [Stefan Fritsch] 1927 1928 *) mod_rewrite: Allow to use arbitrary boolean expressions (ap_expr) in 1929 RewriteCond. [Stefan Fritsch] 1930 1931 *) mod_rewrite: Allow to unset environment variables using E=!VAR. 1932 PR 49512. [Mark Drayton <mark markdrayton info>, Stefan Fritsch] 1933 1934 *) mod_headers: Restore the 2.3.8 and earlier default for the first 1935 argument of the Header directive ("onsuccess"). [Eric Covener] 1936 1937 *) core: Disallow the mixing of relative and absolute Options PR 33708. 1938 [Sönke Tesch <st kino-fahrplan.de>] 1939 1940 *) core: When exporting request headers to HTTP_* environment variables, 1941 drop variables whose names contain invalid characters. Describe in the 1942 docs how to restore the old behaviour. [Malte S. Stretz <mss apache org>] 1943 1944 *) core: When selecting an IP-based virtual host, favor an exact match for 1945 the port over a wildcard (or omitted) port instead of favoring the one 1946 that came first in the configuration file. [Eric Covener] 1947 1948 *) core: Overlapping virtual host address/port combinations now implicitly 1949 enable name-based virtual hosting for that address. The NameVirtualHost 1950 directive has no effect, and _default_ is interpreted the same as "*". 1951 [Eric Covener] 1952 1953 *) core: In the absence of any Options directives, the default is now 1954 "FollowSymlinks" instead of "All". [Igor Galić] 1955 1956 *) rotatelogs: Add -e option to write logs through to stdout for optional 1957 further processing. [Graham Leggett] 1958 1959 *) mod_ssl: Correctly read full lines in input filter when the line is 1960 incomplete during first read. PR 50481. [Ruediger Pluem] 1961 1962 *) mod_authz_core: Add AuthzSendForbiddenOnFailure directive to allow 1963 sending '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if authorization 1964 fails for an authenticated user. PR 40721. [Stefan Fritsch] 1965 1966Changes with Apache 2.3.10 1967 1968 *) mod_rewrite: Don't implicitly URL-escape the original query string 1969 when no substitution has changed it. PR 50447. [Eric Covener] 1970 1971 *) core: Honor 'AcceptPathInfo OFF' during internal redirects, 1972 such as per-directory mod_rewrite substitutions. PR 50349. 1973 [Eric Covener] 1974 1975 *) mod_rewrite: Add 'RewriteOptions InheritBefore' to put the base 1976 rules/conditions before the overridden rules/conditions. PR 39313. 1977 [Jérôme Grandjanny <jerome.grandjanny cea.fr>] 1978 1979 *) mod_autoindex: add IndexIgnoreReset to reset the list of IndexIgnored 1980 filenames in higher precedence configuration sections. PR 24243. 1981 [Eric Covener] 1982 1983 *) mod_cgid: RLimit* directive support for mod_cgid. PR 42135 1984 [Eric Covener] 1985 1986 *) core: Fail startup when the argument to ServerName looks like a glob 1987 or a regular expression instead of a hostname (*?[]). PR 39863 1988 [Rahul Nair <rahul.g.nair gmail.com>] 1989 1990 *) mod_userdir: Add merging of enable, disable, and filename arguments 1991 to UserDir directive, leaving enable/disable of userlists unmerged. 1992 PR 44076 [Eric Covener] 1993 1994 *) httpd: When no -k option is provided on the httpd command line, the server 1995 was starting without checking for an existing pidfile. PR 50350 1996 [Eric Covener] 1997 1998 *) mod_proxy: Put the worker in error state if the SSL handshake with the 1999 backend fails. PR 50332. 2000 [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem] 2001 2002 *) mod_cache_disk: Fix Windows build which was broken after renaming 2003 the module. [Gregg L. Smith] 2004 2005Changes with Apache 2.3.9 2006 2007 *) SECURITY: CVE-2010-1623 (cve.mitre.org) 2008 Fix a denial of service attack against mod_reqtimeout. 2009 [Stefan Fritsch] 2010 2011 *) mod_headers: Change default first argument of Header directive 2012 from "onsuccess" to "always". [Eric Covener] 2013 2014 *) mod_include: Add the onerror attribute to the include element, 2015 allowing an URL to be specified to include on error. [Graham 2016 Leggett] 2017 2018 *) mod_cache_disk: mod_disk_cache renamed to mod_cache_disk, to be 2019 consistent with the naming of other modules. [Graham Leggett] 2020 2021 *) mod_setenvif: Add SetEnvIfExpr directive to set env var depending on 2022 expression. [Stefan Fritsch] 2023 2024 *) mod_proxy: Fix ProxyPassInterpolateEnv directive. PR 50292. 2025 [Stefan Fritsch] 2026 2027 *) suEXEC: Add Suexec directive to disable suEXEC without renaming the 2028 binary (Suexec Off), or force startup failure if suEXEC is required 2029 but not supported (Suexec On). Change SuexecUserGroup to fail 2030 startup instead of just printing a warning if suEXEC is disabled. 2031 [Jeff Trawick] 2032 2033 *) core: Add Error directive for aborting startup or htaccess processing 2034 with a specified error message. [Jeff Trawick] 2035 2036 *) mod_rewrite: Fix the RewriteEngine directive to work within a 2037 location. Previously, once RewriteEngine was switched on globally, 2038 it was impossible to switch off. [Graham Leggett] 2039 2040 *) core, mod_include, mod_ssl: Move the expression parser derived from 2041 mod_include back into mod_include. Replace ap_expr with a parser 2042 derived from mod_ssl's parser. Make mod_ssl use the new parser. Rework 2043 ap_expr's public interface and provide hooks for modules to add variables 2044 and functions. [Stefan Fritsch] 2045 2046 *) core: Do the hook sorting earlier so that the hooks are properly sorted 2047 for the pre_config hook and during parsing the config. [Stefan Fritsch] 2048 2049 *) core: In the absence of any AllowOverride directives, the default is now 2050 "None" instead of "All". PR49823 [Eric Covener] 2051 2052 *) mod_proxy: Don't allow ProxyPass or ProxyPassReverse in 2053 <Directory> or <Files>. PR47765 [Eric Covener] 2054 2055 *) prefork/worker/event MPMS: default value (when no directive is present) 2056 of MaxConnectionsPerChild/MaxRequestsPerChild is changed to 0 from 10000 2057 to match default configuration and manual. PR47782 [Eric Covener] 2058 2059 *) proxy_connect: Don't give up in the middle of a CONNECT tunnel 2060 when the child process is starting to exit. PR50220. [Eric Covener] 2061 2062 *) mod_autoindex: Fix inheritance of mod_autoindex directives into 2063 contexts that don't have any mod_autoindex directives. PR47766. 2064 [Eric Covener] 2065 2066 *) mod_rewrite: Add END flag for RewriteRule to prevent further rounds 2067 of rewrite processing when a per-directory substitution occurs. 2068 [Eric Covener] 2069 2070 *) mod_ssl: Make sure to always log an error if loading of CA certificates 2071 fails. PR 40312. [Paul Tiemann <issues apache org ourdetour com>] 2072 2073 *) mod_dav: Send 501 error if unknown Content-* header is received for a PUT 2074 request (RFC 2616 9.6). PR 42978. [Stefan Fritsch] 2075 2076 *) mod_dav: Send 400 error if malformed Content-Range header is received for 2077 a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch] 2078 2079 *) mod_proxy: Release the backend connection as soon as EOS is detected, 2080 so the backend isn't forced to wait for the client to eventually 2081 acknowledge the data. [Graham Leggett] 2082 2083 *) mod_proxy: Optimise ProxyPass within a Location so that it is stored 2084 per-directory, and chosen during the location walk. Make ProxyPass 2085 work correctly from within a LocationMatch. [Graham Leggett] 2086 2087 *) core: Fix segfault if per-module LogLevel is on virtual host 2088 scope. PR 50117. [Stefan Fritsch] 2089 2090 *) mod_proxy: Move the ProxyErrorOverride directive to have per 2091 directory scope. [Graham Leggett] 2092 2093 *) mod_allowmethods: New module to deny certain HTTP methods without 2094 interfering with authentication/authorization. [Paul Querna, 2095 Igor Galić, Stefan Fritsch] 2096 2097 *) mod_ssl: Log certificate information and improve error message if client 2098 cert verification fails. PR 50093, PR 50094. [Lassi Tuura <lat cern ch>, 2099 Stefan Fritsch] 2100 2101 *) htcacheclean: Teach htcacheclean to limit cache size by number of 2102 inodes in addition to size of files. Prevents a cache disk from 2103 running out of space when many small files are cached. 2104 [Graham Leggett] 2105 2106 *) core: Rename MaxRequestsPerChild to MaxConnectionsPerChild, which 2107 describes more accurately what the directive does. The old name 2108 still works but logs a warning. [Stefan Fritsch] 2109 2110 *) mod_cache: Optionally serve stale data when a revalidation returns a 2111 5xx response, controlled by the CacheStaleOnError directive. 2112 [Graham Leggett] 2113 2114 *) htcacheclean: Allow the listing of valid URLs within the cache, with 2115 the option to list entry metadata such as sizes and times. [Graham 2116 Leggett] 2117 2118 *) mod_cache: correctly parse quoted strings in cache headers. 2119 PR 50199 [Nick Kew] 2120 2121 *) mod_cache: Allow control over the base URL of reverse proxied requests 2122 using the CacheKeyBaseURL directive, so that the cache key can be 2123 calculated from the endpoint URL instead of the server URL. [Graham 2124 Leggett] 2125 2126 *) mod_cache: CacheLastModifiedFactor, CacheStoreNoStore, CacheStorePrivate, 2127 CacheStoreExpired, CacheIgnoreNoLastMod, CacheDefaultExpire, 2128 CacheMinExpire and CacheMaxExpire can be set per directory/location. 2129 [Graham Leggett] 2130 2131 *) mod_disk_cache: CacheMaxFileSize, CacheMinFileSize, CacheReadSize and 2132 CacheReadTime can be set per directory/location. [Graham Leggett] 2133 2134 *) core: Speed up config parsing if using a very large number of config 2135 files. PR 50002 [andrew cloudaccess net] 2136 2137 *) mod_cache: Support the caching of HEAD requests. [Graham Leggett] 2138 2139 *) htcacheclean: Allow the option to round up file sizes to a given 2140 block size, improving the accuracy of disk usage. [Graham Leggett] 2141 2142 *) mod_ssl: Add authz providers for use with mod_authz_core and its 2143 RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL), 2144 'ssl-verify-client' (for use with 'SSLVerifyClient optional'), and 2145 'ssl-require' (expressions with same syntax as SSLRequire). 2146 [Stefan Fritsch] 2147 2148 *) mod_ssl: Make the ssl expression parser thread-safe. It now requires 2149 bison instead of yacc. [Stefan Fritsch] 2150 2151 *) mod_disk_cache: Change on-disk header file format to support the 2152 link of the device/inode of the data file to the matching header 2153 file, and to support the option of not writing a data file when 2154 the data file is empty. [Graham Leggett] 2155 2156 *) core/mod_unique_id: Add generate_log_id hook to allow to use 2157 the ID generated by mod_unique_id as error log ID for requests. 2158 [Stefan Fritsch] 2159 2160 *) mod_cache: Make sure that we never allow a 304 Not Modified response 2161 that we asked for to leak to the client should the 304 response be 2162 uncacheable. PR45341 [Graham Leggett] 2163 2164 *) mod_cache: Add the cache_status hook to register the final cache 2165 decision hit/miss/revalidate. Add optional support for an X-Cache 2166 and/or an X-Cache-Detail header to add the cache status to the 2167 response. PR48241 [Graham Leggett] 2168 2169 *) mod_authz_host: Add 'local' provider that matches connections originating 2170 on the local host. PR 19938. [Stefan Fritsch] 2171 2172 *) Event MPM: Fix crash accessing pollset on worker thread when child 2173 process is exiting. [Jeff Trawick] 2174 2175 *) core: For process invocation (cgi, fcgid, piped loggers and so forth) 2176 pass the system library path (LD_LIBRARY_PATH or platform-specific 2177 variables) along with the system PATH, by default. Both should be 2178 overridden together as desired using PassEnv etc; see mod_env. 2179 [William Rowe] 2180 2181 *) mod_cache: Introduce CacheStoreExpired, to allow administrators to 2182 capture a stale backend response, perform If-Modified-Since requests 2183 against the backend, and serving from the cache all 304 responses. 2184 This restores pre-2.2.4 cache behavior. [William Rowe] 2185 2186 *) mod_rewrite: Introduce <=, >= string comparison operators, and integer 2187 comparators -lt, -le, -eq, -ge, and -gt. To help bash users and drop 2188 the ambiguity of the symlink test "-ltest", introduce -h or -L as 2189 symlink test operators. [William Rowe] 2190 2191 *) mod_cache: Give the cache provider the opportunity to choose to cache 2192 or not cache based on the buckets present in the brigade, such as the 2193 presence of a FILE bucket. 2194 [Graham Leggett] 2195 2196 *) mod_authz_core: Allow authz providers to check args while reading the 2197 config and allow to cache parsed args. Move 'all' and 'env' authz 2198 providers from mod_authz_host to mod_authz_core. Add 'method' authz 2199 provider depending on the HTTP method. [Stefan Fritsch] 2200 2201 *) mod_include: Move the request_rec within mod_include to be 2202 exposed within include_ctx_t. [Graham Leggett] 2203 2204 *) mod_include: Reinstate support for UTF-8 character sets by allowing a 2205 variable being echoed or set to be decoded and then encoded as separate 2206 steps. PR47686 [Graham Leggett] 2207 2208 *) mod_cache: Add a discrete commit_entity() provider function within the 2209 mod_cache provider interface which is called to indicate to the 2210 provider that caching is complete, giving the provider the opportunity 2211 to commit temporary files permanently to the cache in an atomic 2212 fashion. Replace the inconsistent use of error cleanups with a formal 2213 set of pool cleanups attached to a subpool, which is destroyed on error. 2214 [Graham Leggett] 2215 2216 *) mod_cache: Change the signature of the store_body() provider function 2217 within the mod_cache provider interface to support an "in" brigade 2218 and an "out" brigade instead of just a single input brigade. This 2219 gives a cache provider the option to consume only part of the brigade 2220 passed to it, rather than the whole brigade as was required before. 2221 This fixes an out of memory and a request timeout condition that would 2222 occur when the original document was a large file. Introduce 2223 CacheReadSize and CacheReadTime directives to mod_disk_cache to control 2224 the amount of data to attempt to cache at a time. [Graham Leggett] 2225 2226 *) core: Add ErrorLogFormat to allow configuring error log format, including 2227 additional information that is logged once per connection or request. Add 2228 error log IDs for connections and request to allow correlating error log 2229 lines and the corresponding access log entry. [Stefan Fritsch] 2230 2231 *) core: Disable sendfile by default. [Stefan Fritsch] 2232 2233 *) mod_cache: Check the request to determine whether we are allowed 2234 to return cached content at all, and respect a "Cache-Control: 2235 no-cache" header from a client. Previously, "no-cache" would 2236 behave like "max-age=0". [Graham Leggett] 2237 2238 *) mod_cache: Use a proper filter context to hold filter data instead 2239 of misusing the per-request configuration. Fixes a segfault on trunk 2240 when the normal handler is used. [Graham Leggett] 2241 2242 *) mod_cgid: Log a warning if the ScriptSock path is truncated because 2243 it is too long. PR 49388. [Stefan Fritsch] 2244 2245 *) vhosts: Do not allow _default_ in NameVirtualHost, or mixing * 2246 and non-* ports on NameVirtualHost, or multiple NameVirtualHost 2247 directives for the same address:port, or NameVirtualHost 2248 directives with no matching VirtualHosts, or multiple ip-based 2249 VirtualHost sections for the same address:port. These were 2250 previously accepted with a warning, but the behavior was 2251 undefined. [Dan Poirier] 2252 2253 *) mod_remoteip: Fix a segfault when using mod_remoteip in conjunction with 2254 Allow/Deny. PR 49838. [Andrew Skalski <voltara gmail.com>] 2255 2256 *) core: DirectoryMatch can now match on the end of line character ($), 2257 and sub-directories of matched directories are no longer implicitly 2258 matched. PR49809 [Eric Covener] 2259 2260 *) Regexps: introduce new higher-level regexp utility including parsing 2261 and executing perl-style regexp ops (e.g s/foo/bar/i) and regexp memory 2262 [Nick Kew] 2263 2264 *) Proxy: support setting source address. PR 29404 2265 [Multiple contributors iterating through bugzilla, 2266 Aron Ujvari <xanco nikhok.hu>, Aleksey Midenkov <asm uezku.kemsu.ru>, 2267 <dan listening-station.net; trunk version Nick Kew] 2268 2269 *) HTTP protocol: return 400 not 503 if we have to abort due to malformed 2270 chunked encoding. [Nick Kew] 2271 2272Changes with Apache 2.3.8 2273 2274 *) suexec: Support large log files. PR 45856. [Stefan Fritsch] 2275 2276 *) core: Abort with sensible error message if no or more than one MPM is 2277 loaded. [Stefan Fritsch] 2278 2279 *) mod_proxy: Rename erroronstatus to failonstatus. 2280 [Daniel Ruggeri <DRuggeri primary.net>] 2281 2282 *) mod_dav_fs: Fix broken "creationdate" property. 2283 Regression in version 2.3.7. [Rainer Jung] 2284 2285Changes with Apache 2.3.7 2286 2287 *) SECURITY: CVE-2010-1452 (cve.mitre.org) 2288 mod_dav, mod_cache, mod_session: Fix Handling of requests without a path 2289 segment. PR: 49246 [Mark Drayton, Jeff Trawick] 2290 2291 *) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076. 2292 [Stefan Fritsch] 2293 2294 *) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639. 2295 [Stefan Fritsch] 2296 2297 *) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers 2298 via leveraging 100-Continue as the initial "request". 2299 [Jim Jagielski] 2300 2301 *) core/mod_authz_core: Introduce new access_checker_ex hook that enables 2302 mod_authz_core to bypass authentication if access should be allowed by 2303 IP address/env var/... [Stefan Fritsch] 2304 2305 *) core: Introduce note_auth_failure hook to allow modules to add support 2306 for additional auth types. This makes ap_note_auth_failure() work with 2307 mod_auth_digest again. PR 48807. [Stefan Fritsch] 2308 2309 *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew] 2310 2311 *) mod_authn_socache: new module [Nick Kew] 2312 2313 *) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch] 2314 2315 *) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>] 2316 2317 *) mod_rewrite: Allow to set environment variables without explicitly 2318 giving a value. [Rainer Jung] 2319 2320 *) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung] 2321 2322 *) mod_include: recognise "text/html; parameters" as text/html 2323 PR 49616 [Andrey Chernov <ache nagual.pp.ru>] 2324 2325 *) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH 2326 PR 43906 [Nick Kew] 2327 2328 *) Core: Extra robustness: don't try authz and segfault if authn 2329 fails to set r->user. Log bug and return 500 instead. 2330 PR 42995 [Nick Kew] 2331 2332 *) HTTP protocol filter: fix handling of longer chunk extensions 2333 PR 49474 [<tee.bee gmx.de>] 2334 2335 *) Update SSL cipher suite and add example for SSLHonorCipherOrder. 2336 [Lars Eilebrecht, Rainer Jung] 2337 2338 *) move AddOutputFilterByType from core to mod_filter. This should 2339 fix nasty side-effects that happen when content_type is set 2340 more than once in processing a request, and make it fully 2341 compatible with dynamic and proxied contents. [Nick Kew] 2342 2343 *) mod_log_config: Implement logging for sub second timestamps and 2344 request end time. [Rainer Jung] 2345 2346Changes with Apache 2.3.6 2347 2348 *) SECURITY: CVE-2009-3555 (cve.mitre.org) 2349 mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection 2350 attack when compiled against OpenSSL version 0.9.8m or later. Introduces 2351 the 'SSLInsecureRenegotiation' directive to reopen this vulnerability 2352 and offer unsafe legacy renegotiation with clients which do not yet 2353 support the new secure renegotiation protocol, RFC 5746. 2354 [Joe Orton, and with thanks to the OpenSSL Team] 2355 2356 *) SECURITY: CVE-2009-3555 (cve.mitre.org) 2357 mod_ssl: A partial fix for the TLS renegotiation prefix injection attack 2358 by rejecting any client-initiated renegotiations. Forcibly disable 2359 keepalive for the connection if there is any buffered data readable. Any 2360 configuration which requires renegotiation for per-directory/location 2361 access control is still vulnerable, unless using OpenSSL >= 0.9.8l. 2362 [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>] 2363 2364 *) SECURITY: CVE-2010-0408 (cve.mitre.org) 2365 mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent 2366 when request headers indicate a request body is incoming; not a case of 2367 HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>] 2368 2369 *) SECURITY: CVE-2010-0425 (cve.mitre.org) 2370 mod_isapi: Do not unload an isapi .dll module until the request 2371 processing is completed, avoiding orphaned callback pointers. 2372 [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick] 2373 2374 *) core: Filter init functions are now run strictly once per request 2375 before handler invocation. The init functions are no longer run 2376 for connection filters. PR 49328. [Joe Orton] 2377 2378 *) core: Adjust the output filter chain correctly in an internal 2379 redirect from a subrequest, preserving filters from the main 2380 request as necessary. PR 17629. [Joe Orton] 2381 2382 *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial 2383 Response if they so choose to do so. Previously an attempt to cache a 206 2384 was arbitrarily allowed if the response contained an Expires or 2385 Cache-Control header, and arbitrarily denied if both headers were missing. 2386 [Graham Leggett] 2387 2388 *) core: Add microsecond timestamp fractions, process id and thread id 2389 to the error log. [Rainer Jung] 2390 2391 *) configure: The "most" module set gets build by default. [Rainer Jung] 2392 2393 *) configure: Building dynamic modules (DSO) by default. [Rainer Jung] 2394 2395 *) configure: Fix broken VPATH build when using included APR. 2396 [Rainer Jung] 2397 2398 *) mod_session_crypto: Fix configure problem when building 2399 with APR 2 and for VPATH builds with included APR. 2400 [Rainer Jung] 2401 2402 *) mod_session_crypto: API compatibility with APR 2 crypto and 2403 APR Util 1.x crypto. [Rainer Jung] 2404 2405 *) ab: Fix memory leak with -v2 and SSL. PR 49383. 2406 [Pavel Kankovsky <peak argo troja mff cuni cz>] 2407 2408 *) core: Add per-module and per-directory loglevel configuration. 2409 Add some more trace logging. 2410 mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels. 2411 mod_ssl: Replace LogLevelDebugDump with trace log levels. 2412 mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info 2413 and debug. 2414 mod_dumpio: Replace DumpIOLogLevel with trace log levels. 2415 [Stefan Fritsch] 2416 2417 *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns 2418 title page only) when any mod_ldap directives were used in VirtualHost 2419 context. [Eric Covener] 2420 2421 *) mod_disk_cache: Decline the opportunity to cache if the response is 2422 a 206 Partial Content. This stops a reverse proxied partial response 2423 from becoming cached, and then being served in subsequent responses. 2424 [Graham Leggett] 2425 2426 *) mod_deflate: avoid the risk of forwarding data before headers are set. 2427 PR 49369 [Matthew Steele <mdsteele google.com>] 2428 2429 *) mod_authnz_ldap: Ensure nested groups are checked when the 2430 top-level group doesn't have any direct non-group members 2431 of attributes in AuthLDAPGroupAttribute. [Eric Covener] 2432 2433 *) mod_authnz_ldap: Search or Comparison during authorization phase 2434 can use the credentials from the authentication phase 2435 (AuthLDAPSearchAsUSer,AuthLDAPCompareAsUser). 2436 PR 48340 [Domenico Rotiroti, Eric Covener] 2437 2438 *) mod_authnz_ldap: Allow the initial DN search during authentication 2439 to use the HTTP username/pass instead of an anonymous or hard-coded 2440 LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern). 2441 [Eric Covener] 2442 2443 *) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix 2444 when this module is used for authorization. See AuthLDAPAuthorizePrefix. 2445 PR 45584 [Eric Covener] 2446 2447 *) apxs -q: Stop filtering out ':' characters from the reported values. 2448 PR 45343. [Bill Cole] 2449 2450 *) prefork MPM: Work around possible crashes on child exit in APR reslist 2451 cleanup code. PR 43857. [Tom Donovan] 2452 2453 *) ab: fix number of requests sent by ab when keepalive is enabled. PR 48497. 2454 [Bryn Dole <dole blekko.com>] 2455 2456 *) Log an error for failures to read a chunk-size, and return 408 instead of 2457 413 when this is due to a read timeout. This change also fixes some cases 2458 of two error documents being sent in the response for the same scenario. 2459 [Eric Covener] PR49167 2460 2461 *) mod_proxy_balancer: Add new directive BalancerNonce to allow admin 2462 to control/set the nonce used in the balancer-manager application. 2463 [Jim Jagielski] 2464 2465 *) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673. 2466 [Stefan Fritsch] 2467 2468 *) Proxy balancer: support setting error status according to HTTP response 2469 code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>] 2470 2471 *) htcacheclean: Introduce the ability to clean specific URLs from the 2472 cache, if provided as an optional parameter on the command line. 2473 [Graham Leggett] 2474 2475 *) core: Introduce the IncludeStrict directive, which explicitly fails 2476 server startup if no files or directories match a wildcard path. 2477 [Graham Leggett] 2478 2479 *) htcacheclean: Report additional statistics about entries deleted. 2480 PR 48944. [Mark Drayton mark markdrayton.info] 2481 2482 *) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all 2483 builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper 2484 build of openssl is required for 'SSLFIPS on'. PR 46270. 2485 [Dr Stephen Henson <steve openssl.org>, William Rowe] 2486 2487 *) mod_proxy_http: Log the port of the remote server in various messages. 2488 PR 48812. [Igor Galić <i galic brainsware org>] 2489 2490 *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend 2491 connections and other protocol handlers (like mod_ftp). [Stefan Fritsch] 2492 2493 *) mod_proxy_ajp: Really regard the operation a success, when the client 2494 aborted the connection. In addition adjust the log message if the client 2495 aborted the connection. [Ruediger Pluem] 2496 2497 *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which 2498 allows insecure renegotiation with clients which do not yet 2499 support the secure renegotiation protocol. [Joe Orton] 2500 2501 *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs 2502 is configured for client cert auth. PR 46952. [Joe Orton] 2503 2504 *) core: Only log a 408 if it is no keepalive timeout. PR 39785 2505 [Ruediger Pluem, Mark Montague <markmont umich.edu>] 2506 2507 *) support/rotatelogs: Add -L option to create a link to the current 2508 log file. PR 48761 [<lyndon orthanc.ca>, Dan Poirier] 2509 2510 *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory 2511 setting only, matching most of the documentation and examples. 2512 PR 46541 [Paul Reder, Eric Covener] 2513 2514 *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument 2515 types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener] 2516 2517 *) mod_negotiation: Preserve query string over multiviews negotiation. 2518 This buglet was fixed for type maps in 2.2.6, but the same issue 2519 affected multiviews and was overlooked. 2520 PR 33112 [Joergen Thomsen <apache jth.net>] 2521 2522 *) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert 2523 when some are not password-protected. [Eric Covener] 2524 2525 *) Fix startup segfault when the Mutex directive is used but no loaded 2526 modules use httpd mutexes. PR 48787. [Jeff Trawick] 2527 2528 *) Proxy: get the headers right in a HEAD request with 2529 ProxyErrorOverride, by checking for an overridden error 2530 before not after going into a catch-all code path. 2531 PR 41646. [Nick Kew, Stuart Children] 2532 2533 *) support/rotatelogs: Support the simplest log rotation case, log 2534 truncation. Useful when the log is being processed in real time 2535 using a command like tail. [Graham Leggett] 2536 2537 *) support/htcacheclean: Teach it how to write a pid file (modelled on 2538 httpd's writing of a pid file) so that it becomes possible to run 2539 more than one instance of htcacheclean on the same machine. 2540 [Graham Leggett] 2541 2542 *) Log command line on startup, so there's a record of command line 2543 arguments like -f. PR 48752. [Dan Poirier] 2544 2545 *) Introduce mod_reflector, a handler capable of reflecting POSTed 2546 request bodies back within the response through the output filter 2547 stack. Can be used to turn an output filter into a web service. 2548 [Graham Leggett] 2549 2550 *) mod_proxy_http: Make sure that when an ErrorDocument is served 2551 from a reverse proxied URL, that the subrequest respects the status 2552 of the original request. This brings the behaviour of proxy_handler 2553 in line with default_handler. PR 47106. [Graham Leggett] 2554 2555 *) Support wildcards in both the directory and file components of 2556 the path specified by the Include directive. [Graham Leggett] 2557 2558 *) mod_proxy, mod_proxy_http: Support remote https proxies 2559 by using HTTP CONNECT. PR 19188. 2560 [Philippe Dutrueux <lilas evidian.com>, Rainer Jung] 2561 2562 *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf 2563 [Philip M. Gollucci] 2564 2565 *) worker: Don't report server has reached MaxClients until it has. 2566 Add message when server gets within MinSpareThreads of MaxClients. 2567 PR 46996. [Dan Poirier] 2568 2569 *) mod_session: Session expiry was being initialised, but not updated 2570 on each session save, resulting in timed out sessions when there 2571 should not have been. Fixed. [Graham Leggett] 2572 2573 *) mod_log_config: Add the R option to log the handler used within the 2574 request. [Christian Folini <christian.folini netnea com>] 2575 2576 *) mod_include: Allow fine control over the removal of Last-Modified and 2577 ETag headers within the INCLUDES filter, making it possible to cache 2578 responses if desired. Fix the default value of the SSIAccessEnable 2579 directive. [Graham Leggett] 2580 2581 *) Add new UnDefine directive to undefine a variable. PR 35350. 2582 [Stefan Fritsch] 2583 2584 *) Make ap_pregsub(), used by AliasMatch and friends, use the same syntax 2585 for regex backreferences as mod_rewrite and mod_include: Remove the use 2586 of '&' as an alias for '$0' and allow to escape any character with a 2587 backslash. PR 48351. [Stefan Fritsch] 2588 2589 *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the 2590 password to UTF-8. PR 45318. 2591 [Johannes Müller <joh_m gmx.de>, Stefan Fritsch] 2592 2593 *) ab: Fix calculation of requests per second in HTML output. PR 48594. 2594 [Stefan Fritsch] 2595 2596 *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user 2597 password now result in an informational level log entry instead of 2598 warning level. [Eric Covener] 2599 2600Changes with Apache 2.3.5 2601 2602 *) SECURITY: CVE-2010-0434 (cve.mitre.org) 2603 Ensure each subrequest has a shallow copy of headers_in so that the 2604 parent request headers are not corrupted. Eliminates a problematic 2605 optimization in the case of no request body. PR 48359 2606 [Jake Scott, William Rowe, Ruediger Pluem] 2607 2608 *) Turn static function get_server_name_for_url() into public 2609 ap_get_server_name_for_url() and use it where appropriate. This 2610 fixes mod_rewrite generating invalid URLs for redirects to IPv6 2611 literal addresses. [Stefan Fritsch] 2612 2613 *) mod_ldap: Introduce new config option LDAPTimeout to set the timeout 2614 for LDAP operations like bind and search. [Stefan Fritsch] 2615 2616 *) mod_proxy, mod_proxy_ftp: Move ProxyFtpDirCharset from mod_proxy to 2617 mod_proxy_ftp. [Takashi Sato] 2618 2619 *) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to 2620 mod_proxy_connect. [Takashi Sato] 2621 2622 *) mod_cache: Do an exact match of the keys defined by 2623 CacheIgnoreURLSessionIdentifiers against the querystring instead of 2624 a partial match. PR 48401. 2625 [Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem] 2626 2627 *) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung] 2628 2629 *) Core HTTP: disable keepalive when the Client has sent 2630 Expect: 100-continue 2631 but we respond directly with a non-100 response. 2632 Keepalive here led to data from clients continuing being treated as 2633 a new request. 2634 PR 47087 [Nick Kew] 2635 2636 *) Core: reject NULLs in request line or request headers. 2637 PR 43039 [Nick Kew] 2638 2639 *) Core: (re)-introduce -T commandline option to suppress documentroot 2640 check at startup. 2641 PR 41887 [Jan van den Berg <janvdberg gmail.com>] 2642 2643 *) mod_autoindex: support XHTML as equivalent to HTML in IndexOptions, 2644 ScanHTMLTitles, ReadmeName, HeaderName 2645 PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew] 2646 2647 *) Proxy: Fix ProxyPassReverse with relative URL 2648 Derived (slightly erroneously) from PR 38864 [Nick Kew] 2649 2650 *) mod_headers: align Header Edit with Header Set when used on Content-Type 2651 PR 48422 [Cyril Bonté <cyril.bonte free.fr>, Nick Kew>] 2652 2653 *) mod_headers: Enable multi-match-and-replace edit option 2654 PR 46594 [Nick Kew] 2655 2656 *) mod_filter: enable it to act on non-200 responses. 2657 PR 48377 [Nick Kew] 2658 2659Changes with Apache 2.3.4 2660 2661 *) Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex, 2662 and WatchdogMutexPath with a single Mutex directive. Add APIs to 2663 simplify setup and user customization of APR proc and global mutexes. 2664 (See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer 2665 respected; set DEFAULT_REL_RUNTIMEDIR instead. [Jeff Trawick] 2666 2667 *) http_core: KeepAlive no longer accepts other than On|Off. 2668 [Takashi Sato] 2669 2670 *) mod_dav: Remove errno from dav_error interface. Calls to dav_new_error() 2671 and dav_new_error_tag() must be adjusted to add an apr_status_t parameter. 2672 [Jeff Trawick] 2673 2674 *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to 2675 try other providers in the case of an LDAP bind failure. 2676 PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson] 2677 2678 *) Build: fix --with-module to work as documented 2679 PR 43881 [Gez Saunders <gez.saunders virgin.net>] 2680 2681Changes with Apache 2.3.3 2682 2683 *) SECURITY: CVE-2009-3095 (cve.mitre.org) 2684 mod_proxy_ftp: sanity check authn credentials. 2685 [Stefan Fritsch <sf fritsch.de>, Joe Orton] 2686 2687 *) SECURITY: CVE-2009-3094 (cve.mitre.org) 2688 mod_proxy_ftp: NULL pointer dereference on error paths. 2689 [Stefan Fritsch <sf fritsch.de>, Joe Orton] 2690 2691 *) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against 2692 OpenSSL 1.0.0b3. [Vipul Gupta <vipul.gupta sun.com>, Sander Temme] 2693 2694 *) mod_dav: Include uri when logging a PUT error due to connection abort. 2695 PR 38149. [Stefan Fritsch] 2696 2697 *) mod_dav: Return 409 instead of 500 for a LOCK request if the parent 2698 resource does not exist or is not a collection. PR 43465. [Stefan Fritsch] 2699 2700 *) mod_dav_fs: Return 409 instead of 500 for Litmus test case copy_nodestcoll 2701 (a COPY request where the parent of the destination resource does not 2702 exist). PR 39299. [Stefan Fritsch] 2703 2704 *) mod_dav_fs: Don't delete the whole file if a PUT with content-range failed. 2705 PR 42896. [Stefan Fritsch] 2706 2707 *) mod_dav_fs: Make PUT create files atomically and no longer destroy the 2708 old file if the transfer aborted. PR 39815. [Paul Querna, Stefan Fritsch] 2709 2710 *) mod_dav_fs: Remove inode keyed locking as this conflicts with atomically 2711 creating files. On systems with inode numbers, this is a format change of 2712 the DavLockDB. The old DavLockDB must be deleted on upgrade. 2713 [Stefan Fritsch] 2714 2715 *) mod_log_config: Make ${cookie}C correctly match whole cookie names 2716 instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>, 2717 Stefan Fritsch] 2718 2719 *) vhost: A purely-numeric Host: header should not be treated as a port. 2720 PR 44979 [Nick Kew] 2721 2722 *) mod_ldap: Avoid 500 errors with "Unable to set LDAP_OPT_REFHOPLIMIT option to 5" 2723 when built against openldap by using SDK LDAP_OPT_REFHOPLIMIT defaults unless 2724 LDAPReferralHopLimit is explicitly configured. 2725 [Eric Covener] 2726 2727 *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'. 2728 [Eric Covener] 2729 2730 *) mod_ssl: Add support for OCSP Stapling. PR 43822. 2731 [Dr Stephen Henson <shenson oss-institute.org>] 2732 2733 *) mod_socache_shmcb: Allow parens in file name if cache size is given. 2734 Fixes SSLSessionCache directive mis-parsing parens in pathname. 2735 PR 47945. [Stefan Fritsch] 2736 2737 *) htpasswd: Improve out of disk space handling. PR 30877. [Stefan Fritsch] 2738 2739 *) htpasswd: Use MD5 hash by default on all platforms. [Stefan Fritsch] 2740 2741 *) mod_sed: Reduce memory consumption when processing very long lines. 2742 PR 48024 [Basant Kumar Kukreja <basant.kukreja sun.com>] 2743 2744 *) ab: Fix segfault in case the argument for -n is a very large number. 2745 PR 47178. [Philipp Hagemeister <oss phihag.de>] 2746 2747 *) Allow ProxyPreserveHost to work in <Proxy> sections. PR 34901. 2748 [Stefan Fritsch] 2749 2750 *) configure: Fix THREADED_MPMS so that mod_cgid is enabled again 2751 for worker MPM. [Takashi Sato] 2752 2753 *) mod_dav: Provide a mechanism to obtain the request_rec and pathname 2754 from the dav_resource. [Jari Urpalainen <jari.urpalainen nokia.com>, 2755 Brian France <brian brianfrance.com>] 2756 2757 *) Build: Use install instead of cp if available on installing 2758 modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com] 2759 2760 *) mod_cache: correctly consider s-maxage in cacheability 2761 decisions. [Dan Poirier] 2762 2763 *) mod_logio/core: Report more accurate byte counts in mod_status if 2764 mod_logio is loaded. PR 25656. [Stefan Fritsch] 2765 2766 *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge 2767 some cache entries and log a warning. Also increase the default 2768 LDAPSharedCacheSize to 500000. This is a more realistic size suitable 2769 for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries. 2770 PR 46749. [Stefan Fritsch] 2771 2772 *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if 2773 the request is a CONNECT request. [Bill Zajac <billz consultla.com>] 2774 2775 *) mod_cache: Teach CacheEnable and CacheDisable to work from within a 2776 Location section, in line with how ProxyPass works. [Graham Leggett] 2777 2778 *) mod_reqtimeout: New module to set timeouts and minimum data rates for 2779 receiving requests from the client. [Stefan Fritsch] 2780 2781 *) core: Fix potential memory leaks by making sure to not destroy 2782 bucket brigades that have been created by earlier filters. 2783 [Stefan Fritsch] 2784 2785 *) core, mod_deflate, mod_sed: Reduce memory usage by reusing bucket 2786 brigades in several places. [Stefan Fritsch] 2787 2788 *) mod_cache: Fix uri_meets_conditions() so that CacheEnable will 2789 match by scheme, or by a wildcarded hostname. PR 40169 2790 [Peter Grandi <pg_asf asf.for.sabi.co.uk>, Graham Leggett] 2791 2792 *) suxec: Allow to log an error if exec fails by setting FD_CLOEXEC 2793 on the log file instead of closing it. PR 10744. [Nicolas Rachinsky] 2794 2795 *) mod_mime: Make RemoveType override the info from TypesConfig. 2796 PR 38330. [Stefan Fritsch] 2797 2798 *) mod_cache: Introduce the option to run the cache from within the 2799 normal request handler, and to allow fine grained control over 2800 where in the filter chain content is cached. Adds CacheQuickHandler 2801 directive. [Graham Leggett] 2802 2803 *) core: Treat timeout reading request as 408 error, not 400. 2804 Log 408 errors in access log as was done in Apache 1.3.x. 2805 PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, 2806 Stefan Fritsch <sf fritsch.de>, Dan Poirier] 2807 2808 *) mod_ssl: Reintroduce SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_SERVER_S_DN, 2809 SSL_SERVER_I_DN back to the environment variables to be set by mod_ssl. 2810 [Peter Sylvester <peter.sylvester edelweb.fr>] 2811 2812 *) mod_disk_cache: don't cache incomplete responses, per RFC 2616, 13.8. 2813 PR15866. [Dan Poirier] 2814 2815 *) ab: ab segfaults in verbose mode on https sites 2816 PR46393. [Ryan Niebur] 2817 2818 *) mod_dav: Allow other modules to become providers and add resource types 2819 to the DAV response. [Jari Urpalainen <jari.urpalainen nokia.com>, 2820 Brian France <brian brianfrance.com>] 2821 2822 *) mod_dav: Allow other modules to add things to the DAV or Allow headers 2823 of an OPTIONS request. [Jari Urpalainen <jari.urpalainen nokia.com>, 2824 Brian France <brian brianfrance.com>] 2825 2826 *) core: Lower memory usage of core output filter. 2827 [Stefan Fritsch <sf sfritsch.de>] 2828 2829 *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and 2830 LocationMatch sections. PR47754. [Dan Poirier] 2831 2832 *) mod_request: Make sure the KeptBodySize directive rejects values 2833 that aren't valid numbers. [Graham Leggett] 2834 2835 *) mod_session_crypto: Sanity check should the potentially encrypted 2836 session cookie be too short. [Graham Leggett] 2837 2838 *) mod_session.c: Prevent a segfault when session is added but not 2839 configured. [Graham Leggett] 2840 2841 *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett] 2842 2843 *) mod_auth_digest: Fail server start when nonce count checking 2844 is configured without shared memory, or md5-sess algorithm is 2845 configured. [Dan Poirier] 2846 2847 *) mod_proxy_connect: The connect method doesn't work if the client is 2848 connecting to the apache proxy through an ssl socket. Fixed. 2849 PR29744. [Brad Boyer, Mark Cave-Ayland, Julian Gilbey, Fabrice Durand, 2850 David Gence, Tim Dodge, Per Gunnar Hans, Emmanuel Elango, 2851 Kevin Croft, Rudolf Cardinal] 2852 2853 *) mod_ssl: The error message when SSLCertificateFile is missing should 2854 at least give the name or position of the problematic virtual host 2855 definition. [Stefan Fritsch sf sfritsch.de] 2856 2857 *) mod_auth_digest: Fix null pointer when qop=none. [Dan Poirier] 2858 2859 *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>] 2860 2861 *) mod_headers: generalise the envclause to support expression 2862 evaluation with ap_expr parser [Nick Kew] 2863 2864 *) mod_cache: Introduce the thundering herd lock, a mechanism to keep 2865 the flood of requests at bay that strike a backend webserver as 2866 a cached entity goes stale. [Graham Leggett] 2867 2868 *) mod_auth_digest: Fix usage of shared memory and re-enable it. 2869 PR 16057 [Dan Poirier] 2870 2871 *) Preserve Port information over internal redirects 2872 PR 35999 [Jonas Ringh <jonas.ringh cixit.se>] 2873 2874 *) Proxy: unable to connect to a backend is SERVICE_UNAVAILABLE, 2875 rather than BAD_GATEWAY or (especially) NOT_FOUND. 2876 PR 46971 [evanc nortel.com] 2877 2878 *) Various modules: Do better checking of pollset operations in order to 2879 avoid segmentation faults if they fail. PR 46467 2880 [Stefan Fritsch <sf sfritsch.de>] 2881 2882 *) mod_autoindex: Correctly create an empty cell if the description 2883 for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>] 2884 2885 *) ab: Fix broken error messages after resolver or connect() failures. 2886 [Jeff Trawick] 2887 2888 *) SECURITY: CVE-2009-1890 (cve.mitre.org) 2889 Fix a potential Denial-of-Service attack against mod_proxy in a 2890 reverse proxy configuration, where a remote attacker can force a 2891 proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton] 2892 2893 *) SECURITY: CVE-2009-1191 (cve.mitre.org) 2894 mod_proxy_ajp: Avoid delivering content from a previous request which 2895 failed to send a request body. PR 46949 [Ruediger Pluem] 2896 2897 *) htdbm: Fix possible buffer overflow if dbm database has very 2898 long values. PR 30586 [Dan Poirier] 2899 2900 *) core: Return APR_EOF if request body is shorter than the length announced 2901 by the client. PR 33098 [ Stefan Fritsch <sf sfritsch.de>] 2902 2903 *) mod_suexec: correctly set suexec_enabled when httpd is run by a 2904 non-root user and may have insufficient permissions. 2905 PR 42175 [Jim Radford <radford blackbean.org>] 2906 2907 *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute 2908 type. PR 45107. [Michael Ströder <michael stroeder.com>, 2909 Peter Sylvester <peter.sylvester edelweb.fr>] 2910 2911 *) mod_proxy_http: fix case sensitivity checking transfer encoding 2912 PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>] 2913 2914 *) mod_alias: ensure Redirect issues a valid URL. 2915 PR 44020 [Håkon Stordahl <hakon stordahl.org>] 2916 2917 *) mod_dir: add FallbackResource directive, to enable admin to specify 2918 an action to happen when a URL maps to no file, without resorting 2919 to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew] 2920 2921 *) mod_cgid: Do not leak the listening Unix socket file descriptor to the 2922 CGI process. PR 47335 [Kornél Pál <kornelpal gmail.com>] 2923 2924 *) mod_rewrite: Remove locking for writing to the rewritelog. 2925 PR 46942 [Dan Poirier <poirier pobox.com>] 2926 2927 *) mod_alias: check sanity in Redirect arguments. 2928 PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski] 2929 2930 *) mod_proxy_http: fix Host: header for literal IPv6 addresses. 2931 PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>] 2932 2933 *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore 2934 defined session identifiers encoded in the URL when caching. 2935 [Ruediger Pluem] 2936 2937 *) mod_rewrite: Fix the error string returned by RewriteRule. 2938 RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd 2939 argument of RewriteRule was not started with "[" or not ended with "]". 2940 PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>] 2941 2942 *) Windows: Fix usage message. 2943 [Rainer Jung] 2944 2945 *) apachectl: When passing through arguments to httpd in 2946 non-SysV mode, use the "$@" syntax to preserve arguments. 2947 [Eric Covener] 2948 2949 *) mod_dbd: add DBDInitSQL directive to enable SQL statements to 2950 be run when a connection is opened. PR 46827 2951 [Marko Kevac <mkevac gmail.com>] 2952 2953 *) mod_cgid: Improve handling of long AF_UNIX socket names (ScriptSock). 2954 PR 47037. [Jeff Trawick] 2955 2956 *) mod_proxy_ajp: Check more strictly that the backend follows the AJP 2957 protocol. [Mladen Turk] 2958 2959 *) mod_proxy_ajp: Forward remote port information by default. 2960 [Rainer Jung] 2961 2962 *) Allow MPMs to be loaded dynamically, as with most other modules. Use 2963 --enable-mpms-shared={list|"all"} to enable. This required changes to 2964 the MPM interfaces. Removed: mpm.h, mpm_default.h (as an installed 2965 header), APACHE_MPM_DIR, MPM_NAME, ap_threads_per_child, 2966 ap_max_daemons_limit, ap_my_generation, etc. ap_mpm_query() can't be 2967 called until after the register-hooks phase. [Jeff Trawick] 2968 2969 *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives 2970 to enable stricter checking of remote server certificates. 2971 [Ruediger Pluem] 2972 2973 *) ab: Fix a 100% CPU loop on platforms where a failed non-blocking connect 2974 returns EINPROGRESS and a subsequent poll() returns only POLLERR. 2975 Observed on HP-UX. [Eric Covener] 2976 2977 *) Remove broken support for BeOS, TPF, and even older platforms such 2978 as A/UX, Next, and Tandem. [Jeff Trawick] 2979 2980 *) mod_proxy_ftp: Add ProxyFtpListOnWildcard directive to allow files with 2981 globbing characters to be retrieved instead of converted into a 2982 directory listing. PR 46789 [Dan Poirier <poirier pobox.com>] 2983 2984 *) Provide ap_retained_data_create()/ap_retained_data_get() for preservation 2985 of module state across unload/load. [Jeff Trawick] 2986 2987 *) mod_substitute: Fix a memory leak. PR 44948 2988 [Dan Poirier <poirier pobox.com>] 2989 2990Changes with Apache 2.3.2 2991 2992 *) mod_mime_magic: Fix detection of compressed content. [Rainer Jung] 2993 2994 *) mod_negotiation: Escape pathes of filenames in 406 responses to avoid 2995 HTML injections and HTTP response splitting. PR 46837. 2996 [Geoff Keating <geoffk apple.com>] 2997 2998 *) mod_ssl: add support for type-safe STACK constructs in OpenSSL 2999 development HEAD. PR 45521. [Kaspar Brand, Sander Temme] 3000 3001 *) ab: Fix maintenance of the pollset to resolve EALREADY errors 3002 with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris). 3003 PR 44584. Use APR_POLLSET_NOCOPY for better performance with some 3004 pollset implementations. [Jeff Trawick] 3005 3006 *) mod_disk_cache: The module now turns off sendfile support if 3007 'EnableSendfile off' is defined globally. [Lars Eilebrecht] 3008 3009 *) mod_deflate: Adjust content metadata before bailing out on 304 3010 responses so that the metadata does not differ from 200 response. 3011 [Roy T. Fielding] 3012 3013 *) mod_deflate: Fix creation of invalid Etag headers. We now make sure 3014 that the Etag value is properly quoted when adding the gzip marker. 3015 PR 39727, 45023. [Lars Eilebrecht, Roy T. Fielding] 3016 3017 *) Added 20x22 icons for ODF, SVG, and XML documents. PR 37185. 3018 [Peter Harlow] 3019 3020 *) Disabled DefaultType directive and removed ap_default_type() 3021 from core. We now exclude Content-Type from responses for which 3022 a media type has not been configured via mime.types, AddType, 3023 ForceType, or some other mechanism. PR 13986. [Roy T. Fielding] 3024 3025 *) mod_rewrite: Add IPV6 variable to RewriteCond 3026 [Ryan Phillips <ryan-apache trolocsis.com>] 3027 3028 *) core: Enhance KeepAliveTimeout to support a value in milliseconds. 3029 PR 46275. [Takashi Sato] 3030 3031 *) rotatelogs: Allow size units B, K, M, G and combination of 3032 time and size based rotation. [Rainer Jung] 3033 3034 *) rotatelogs: Add flag for verbose (debug) output. [Rainer Jung] 3035 3036 *) mod_ssl: Fix merging of SSLRenegBufferSize directive. PR 46508 3037 [<tlhackque yahoo.com>] 3038 3039 *) core: Translate the the status line to ASCII on EBCDIC platforms in 3040 ap_send_interim_response() and for locally generated "100 Continue" 3041 responses. [Eric Covener] 3042 3043 *) prefork: Fix child process hang during graceful restart/stop in 3044 configurations with multiple listening sockets. PR 42829. [Joe Orton, 3045 Jeff Trawick] 3046 3047 *) mod_session_crypto: Ensure that SessionCryptoDriver can only be 3048 set in the global scope. [Graham Leggett] 3049 3050 *) mod_ext_filter: We need to detect failure to startup the filter 3051 program (a mangled response is not acceptable). Fix to detect 3052 failure, and offer configuration option either to abort or 3053 to remove the filter and continue. 3054 PR 41120 [Nick Kew] 3055 3056 *) mod_session_crypto: Rewrite the session_crypto module against the 3057 apr_crypto API. [Graham Leggett] 3058 3059 *) mod_auth_form: Fix a pool lifetime issue, don't remove the subrequest 3060 until the main request is cleaned up. [Graham Leggett] 3061 3062Changes with Apache 2.3.1 3063 3064 *) ap_slotmem: Add in new slot-based memory access API impl., including 3065 2 providers (mod_sharedmem and mod_plainmem) [Jim Jagielski, 3066 Jean-Frederic Clere, Brian Akins <brian.akins turner.com>] 3067 3068 *) mod_include: support generating non-ASCII characters as entities in SSI 3069 PR 25202 [Nick Kew] 3070 3071 *) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars 3072 PR 25202 [Nick Kew] 3073 3074 *) mod_rewrite: fix "B" flag breakage by reverting r5589343 3075 PR 45529 [Bob Ionescu <bobsiegen googlemail.com>] 3076 3077 *) CGI: return 504 (Gateway timeout) rather than 500 when a script 3078 times out before returning status line/headers. 3079 PR 42190 [Nick Kew] 3080 3081 *) mod_cgid: fix segfault problem on solaris. 3082 PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>] 3083 3084 *) mod_proxy_scgi: Added. [André Malo] 3085 3086 *) mod_cache: Introduce 'no-cache' per-request environment variable 3087 to prevent the saving of an otherwise cacheable response. 3088 [Eric Covener] 3089 3090 *) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome 3091 way that per-directory rewrites append the previous notion of PATH_INFO 3092 to each substitution before evaluating subsequent rules. 3093 PR 38642 [Eric Covener] 3094 3095 *) mod_cgid: Do not add an empty argument when calling the CGI script. 3096 PR 46380 [Ruediger Pluem] 3097 3098 *) scoreboard: Remove unused sb_type from process_score. 3099 [Torsten Foertsch <torsten.foertsch gmx.net>, Chris Darroch] 3100 3101 *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the 3102 size of the buffer used for the request-body where necessary 3103 during a per-dir renegotiation. PR 39243. [Joe Orton] 3104 3105 *) mod_proxy_fdpass: New module to pass a client connection over to a separate 3106 process that is reading from a unix daemon socket. 3107 3108 *) mod_ssl: Improve environment variable extraction to be more 3109 efficient and to correctly handle DNs with duplicate tags. 3110 PR 45975. [Joe Orton] 3111 3112 *) Remove the obsolete serial attribute from the RPM spec file. Compile 3113 against the external pcre. Add missing binaries fcgistarter, and 3114 mod_socache* and mod_session*. [Graham Leggett] 3115 3116Changes with Apache 2.3.0 3117 3118 *) mod_ratelimit: New module to do bandwidth rate limiting. [Paul Querna] 3119 3120 *) Remove X-Pad header which was added as a work around to a bug in 3121 Netscape 2.x to 4.0b2. [Takashi Sato <takashi lans-tv.com>] 3122 3123 *) Add DTrace Statically Defined Tracing (SDT) probes. 3124 [Theo Schlossnagle <jesus omniti.com>, Paul Querna] 3125 3126 *) mod_proxy_balancer: Move all load balancing implementations 3127 as individual, self-contained mod_proxy submodules under 3128 modules/proxy/balancers [Jim Jagielski] 3129 3130 *) Rename APIs to include ap_ prefix: 3131 find_child_by_pid -> ap_find_child_by_pid 3132 suck_in_APR -> ap_suck_in_APR 3133 sys_privileges_handlers -> ap_sys_privileges_handlers 3134 unixd_accept -> ap_unixd_accept 3135 unixd_config -> ap_unixd_config 3136 unixd_killpg -> ap_unixd_killpg 3137 unixd_set_global_mutex_perms -> ap_unixd_set_global_mutex_perms 3138 unixd_set_proc_mutex_perms -> ap_unixd_set_proc_mutex_perms 3139 unixd_set_rlimit -> ap_unixd_set_rlimit 3140 [Paul Querna] 3141 3142 *) mod_lbmethod_heartbeat: New module to load balance mod_proxy workers 3143 based on heartbeats. [Paul Querna] 3144 3145 *) mod_heartmonitor: New module to collect heartbeats, and write out a file 3146 so that other modules can load balance traffic as needed. [Paul Querna] 3147 3148 *) mod_heartbeat: New module to generate multicast heartbeats to know if a 3149 server is online. [Paul Querna] 3150 3151 *) mod_buffer: Honour the flush bucket and flush the buffer in the 3152 input filter. Make sure that metadata buckets are written to 3153 the buffer, not to the final brigade. [Graham Leggett] 3154 3155 *) mod_buffer: Optimise the buffering of heap buckets when the heap 3156 buckets stay exactly APR_BUCKET_BUFF_SIZE long. [Graham Leggett, 3157 Ruediger Pluem] 3158 3159 *) mod_buffer: Optional support for buffering of the input and output 3160 filter stacks. Can collapse many small buckets into fewer larger 3161 buckets, and prevents excessively small chunks being sent over 3162 the wire. [Graham Leggett] 3163 3164 *) mod_privileges: new module to make httpd on Solaris privileges-aware 3165 and to enable different virtualhosts to run with different 3166 privileges and Unix user/group IDs [Nick Kew] 3167 3168 *) mod_mem_cache: this module has been removed. [William Rowe] 3169 3170 *) authn/z: Remove mod_authn_default and mod_authz_default. 3171 [Chris Darroch] 3172 3173 *) authz: Fix handling of authz configurations, make default authz 3174 logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject, 3175 and AuthzMergeRules directives with Match, <Match*>, and AuthzMerge 3176 directives. [Chris Darroch] 3177 3178 *) mod_authn_core: Prevent crash when provider alias created to 3179 provider which is not yet registered. [Chris Darroch] 3180 3181 *) mod_authn_core: Add AuthType of None to support disabling 3182 authentication. [Chris Darroch] 3183 3184 *) core: Allow <Limit> and <LimitExcept> directives to nest, and 3185 constrain their use to conform with that of other access control 3186 and authorization directives. [Chris Darroch] 3187 3188 *) unixd: turn existing code into a module, and turn the set user/group 3189 and chroot into a child_init function. [Nick Kew] 3190 3191 *) mod_dir: Support "DirectoryIndex disabled" 3192 Suggested By André Warnier <aw ice-sa.com> [Eric Covener] 3193 3194 *) mod_ssl: Send Content-Type application/ocsp-request for POST requests to 3195 OSCP responders. PR 46014 [Dr Stephen Henson <steve openssl.org>] 3196 3197 *) mod_authnz_ldap: don't return NULL-valued environment variables to 3198 other modules. PR 39045 [Francois Pesce <francois.pesce gmail.com>] 3199 3200 *) Don't adjust case in pathname components that are not of interest 3201 to mod_mime. Fixes mod_negotiation's use of such components. 3202 PR 43250 [Basant Kumar Kukreja <basant.kukreja sun.com>] 3203 3204 *) Be tolerant in what you accept - accept slightly broken 3205 status lines from a backend provided they include a valid status code. 3206 PR 44995 [Rainer Jung <rainer.jung kippdata.de>] 3207 3208 *) New module mod_sed: filter Request/Response bodies through sed 3209 [Basant Kumar Kukreja <basant.kukreja sun.com>] 3210 3211 *) mod_auth_form: Make sure that basic authentication is correctly 3212 faked directly after login. [Graham Leggett] 3213 3214 *) mod_session_cookie, mod_session_dbd: Make sure cookies are set both 3215 within the output headers and error output headers, so that the 3216 session is maintained across redirects. [Graham Leggett] 3217 3218 *) mod_auth_form: Make sure the logged in user is populated correctly 3219 after a form login. Fixes a missing REMOTE_USER variable directly 3220 following a login. [Graham Leggett] 3221 3222 *) mod_session_cookie: Make sure that cookie attributes are correctly 3223 included in the blank cookie when cookies are removed. This fixes an 3224 inability to log out when using mod_auth_form. [Graham Leggett] 3225 3226 *) mod_session: Prevent a segfault when a CGI script sets a cookie with a 3227 null value. [David Shane Holden <dpejesh apache.org>] 3228 3229 *) core, authn/z: Determine registered authn/z providers directly in 3230 ap_setup_auth_internal(), which allows optional functions that just 3231 wrapped ap_list_provider_names() to be removed from authn/z modules. 3232 [Chris Darroch] 3233 3234 *) authn/z: Convert common provider version strings to macros. 3235 [Chris Darroch] 3236 3237 *) core: When testing for slash-terminated configuration paths in 3238 ap_location_walk(), don't look past the start of an empty string 3239 such as that created by a <Location ""> directive. 3240 [Chris Darroch] 3241 3242 *) core, mod_proxy: If a kept_body is present, it becomes safe for 3243 subrequests to support message bodies. Make sure that safety 3244 checks within the core and within the proxy are not triggered 3245 when kept_body is present. This makes it possible to embed 3246 proxied POST requests within mod_include. [Graham Leggett] 3247 3248 *) mod_auth_form: Make sure the input filter stack is properly set 3249 up before reading the login form. Make sure the kept body filter 3250 is correctly inserted to ensure the body can be read a second 3251 time safely should the authn be successful. [Graham Leggett, 3252 Ruediger Pluem] 3253 3254 *) mod_request: Insert the KEPT_BODY filter via the insert_filter 3255 hook instead of during fixups. Add a safety check to ensure the 3256 filters cannot be inserted more than once. [Graham Leggett, 3257 Ruediger Pluem] 3258 3259 *) ap_cache_cacheable_headers_out() will (now) always 3260 merge an error headers _before_ clearing them and _before_ 3261 merging in the actual entity headers and doing normal 3262 hop-by-hop cleansing. [Dirk-Willem van Gulik]. 3263 3264 *) cache: retire ap_cache_cacheable_hdrs_out() which was used 3265 for both in- and out-put headers; and replace it by a single 3266 ap_cache_cacheable_headers() wrapped in a in- and out-put 3267 specific ap_cache_cacheable_headers_in()/out(). The latter 3268 which will also merge error and ensure content-type. To keep 3269 cache modules consistent with ease. This API change bumps 3270 up the minor MM by one [Dirk-Willem van Gulik]. 3271 3272 *) Move the KeptBodySize directive, kept_body filters and the 3273 ap_parse_request_body function out of the http module and into a 3274 new module called mod_request, reducing the size of the core. 3275 [Graham Leggett] 3276 3277 *) mod_dbd: Handle integer configuration directive parameters with a 3278 dedicated function. 3279 3280 *) Change the directives within the mod_session* modules to be valid 3281 both inside and outside the location/directory sections, as 3282 suggested by wrowe. [Graham Leggett] 3283 3284 *) mod_auth_form: Add a module capable of allowing end users to log 3285 in using an HTML form, storing the credentials within mod_session. 3286 [Graham Leggett] 3287 3288 *) Add a function to the http filters that is able to parse an HTML 3289 form request with the type of application/x-www-form-urlencoded. 3290 [Graham Leggett] 3291 3292 *) mod_session_crypto: Initialise SSL in the post config hook. 3293 [Ruediger Pluem, Graham Leggett] 3294 3295 *) mod_session_dbd: Add a session implementation capable of storing 3296 session information in a SQL database via the dbd interface. Useful 3297 for sites where session privacy is important. [Graham Leggett] 3298 3299 *) mod_session_crypto: Add a session encoding implementation capable 3300 of encrypting and decrypting sessions wherever they may be stored. 3301 Introduces a level of privacy when sessions are stored on the 3302 browser. [Graham Leggett] 3303 3304 *) mod_session_cookie: Add a session implementation capable of storing 3305 session information within cookies on the browser. Useful for high 3306 volume sites where server bound sessions are too resource intensive. 3307 [Graham Leggett] 3308 3309 *) mod_session: Add a generic session interface to unify the different 3310 attempts at saving persistent sessions across requests. 3311 [Graham Leggett] 3312 3313 *) core, authn/z: Avoid calling access control hooks for internal requests 3314 with configurations which match those of initial request. Revert to 3315 original behaviour (call access control hooks for internal requests 3316 with URIs different from initial request) if any access control hooks or 3317 providers are not registered as permitting this optimization. 3318 Introduce wrappers for access control hook and provider registration 3319 which can accept additional mode and flag data. [Chris Darroch] 3320 3321 *) Introduced ap_expr API for expression evaluation. 3322 This is adapted from mod_include, which is the first module 3323 to use the new API. 3324 [Nick Kew] 3325 3326 *) mod_authz_dbd: When redirecting after successful login/logout per 3327 AuthzDBDRedirectQuery, do not report authorization failure, and use 3328 first row returned by database query instead of last row. 3329 [Chris Darroch] 3330 3331 *) mod_ldap: Correctly return all requested attribute values 3332 when some attributes have a null value. 3333 PR 44560 [Anders Kaseorg <anders kaseorg.com>] 3334 3335 *) core: check symlink ownership if both FollowSymlinks and 3336 SymlinksIfOwnerMatch are set [Nick Kew] 3337 3338 *) core: fix origin checking in SymlinksIfOwnerMatch 3339 PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>] 3340 3341 *) Activate mod_cache, mod_file_cache and mod_disk_cache as part of the 3342 'most' set for '--enable-modules' and '--enable-shared-mods'. Include 3343 mod_mem_cache in 'all' as well. [Dirk-Willem van Gulik] 3344 3345 *) Also install mod_so.h, mod_rewrite.h and mod_cache.h; as these 3346 contain public function declarations which are useful for 3347 third party module authors. PR 42431 [Dirk-Willem van Gulik]. 3348 3349 *) mod_dir, mod_negotiation: pass the output filter information 3350 to newly created sub requests; as these are later on used 3351 as true requests with an internal redirect. This allows for 3352 mod_cache et.al. to trap the results of the redirect. 3353 [Dirk-Willem van Gulik, Ruediger Pluem] 3354 3355 *) mod_ldap: Add support (taking advantage of the new APR capability) 3356 for ldap rebind callback while chasing referrals. This allows direct 3357 searches on LDAP servers (in particular MS Active Directory 2003+) 3358 using referrals without the use of the global catalog. 3359 PRs 26538, 40268, and 42557 [Paul J. Reder] 3360 3361 *) ApacheMonitor.exe: Introduce --kill argument for use by the 3362 installer. This will permit the installation tool to remove 3363 all running instances before attempting to remove the .exe. 3364 [William Rowe] 3365 3366 *) mod_ssl: Add support for OCSP validation of client certificates. 3367 PR 41123. [Marc Stern <marc.stern approach.be>, Joe Orton] 3368 3369 *) mod_serf: New module for Reverse Proxying. [Paul Querna] 3370 3371 *) core: Add the option to keep aside a request body up to a certain 3372 size that would otherwise be discarded, to be consumed by filters 3373 such as mod_include. When enabled for a directory, POST requests 3374 to shtml files can be passed through to embedded scripts as POST 3375 requests, rather being downgraded to GET requests. [Graham Leggett] 3376 3377 *) mod_ssl: Fix TLS upgrade (RFC 2817) support. PR 41231. [Joe Orton] 3378 3379 *) scoreboard: Correctly declare ap_time_process_request. 3380 PR 43789 [Tom Donovan <Tom.Donovan acm.org>] 3381 3382 *) core; scoreboard: ap_get_scoreboard_worker(sbh) now takes the sbh member 3383 from the connection rec, ap_get_scoreboard_worker(proc, thread) will now 3384 provide the unusual legacy lookup. [William Rowe] 3385 3386 *) mpm winnt: fix null pointer dereference 3387 PR 42572 [Davi Arnaut] 3388 3389 *) mod_authnz_ldap, mod_authn_dbd: Tidy up the code to expose authn 3390 parameters to the environment. Improve portability to 3391 EBCDIC machines by using apr_toupper(). [Martin Kraemer] 3392 3393 *) mod_ldap, mod_authnz_ldap: Add support for nested groups (i.e. the ability 3394 to authorize an authenticated user via a "require ldap-group X" directive 3395 where the user is not in group X, but is in a subgroup contained in X. 3396 PR 42891 [Paul J. Reder] 3397 3398 *) mod_ssl: Add support for caching SSL Sessions in memcached. [Paul Querna] 3399 3400 *) apxs: Enhance -q flag to print all known variables and their values 3401 when invoked without variable name(s). 3402 [William Rowe, Sander Temme] 3403 3404 *) apxs: Eliminate run-time check for mod_so. PR 40653. 3405 [David M. Lee <dmlee crossroads.com>] 3406 3407 *) beos MPM: Create pmain pool and run modules' child_init hooks when 3408 entering ap_mpm_run(), then destroy pmain when exiting ap_mpm_run(). 3409 [Chris Darroch] 3410 3411 *) netware MPM: Destroy pmain pool when exiting ap_mpm_run() so that 3412 cleanups registered in modules' child_init hooks are performed. 3413 [Chris Darroch] 3414 3415 *) Fix issue which could cause error messages to be written to access logs 3416 on Win32. PR 40476. [Tom Donovan <Tom.Donovan acm.org>] 3417 3418 *) The LockFile directive, which specifies the location of 3419 the accept() mutex lockfile, is deprecated. Instead, the 3420 AcceptMutex directive now takes an optional lockfile 3421 location parameter, ala SSLMutex. [Jim Jagielski] 3422 3423 *) mod_authn_dbd: Export any additional columns queried in the SQL select 3424 into the environment with the name AUTHENTICATE_<COLUMN>. This brings 3425 mod_authn_dbd behaviour in line with mod_authnz_ldap. [Graham Leggett] 3426 3427 *) mod_dbd: Key the storage of prepared statements on the hex string 3428 value of server_rec, rather than the server name, as the server name 3429 may change (eg when the server name is set) at any time, causing 3430 weird behaviour in modules dependent on mod_dbd. [Graham Leggett] 3431 3432 *) mod_proxy_fcgi: Added win32 build. [Mladen Turk] 3433 3434 *) sendfile_nonblocking() takes the _brigade_ as an argument, gets 3435 the first bucket from the brigade, finds it not to be a FILE 3436 bucket and barfs. The fix is to pass a bucket rather than a brigade. 3437 [Niklas Edmundsson <nikke acc.umu.se>] 3438 3439 *) mod_rewrite: support rewritemap by SQL query [Nick Kew] 3440 3441 *) ap_get_server_version() has been removed. Third-party modules must 3442 now use ap_get_server_banner() or ap_get_server_description(). 3443 [Jeff Trawick] 3444 3445 *) All MPMs: Introduce a check_config phase between pre_config and 3446 open_logs, to allow modules to review interdependent configuration 3447 directive values and adjust them while messages can still be logged 3448 to the console. Handle relevant MPM directives during this phase 3449 and format messages for both the console and the error log, as 3450 appropriate. [Chris Darroch] 3451 3452 *) core: Do not allow internal redirects like the DirectoryIndex of mod_dir 3453 to circumvent the symbolic link checks imposed by FollowSymLinks and 3454 SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem, William Rowe] 3455 3456 *) New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ] 3457 configures the I/O Dump of SSL traffic, when LogLevel is set to Debug. 3458 The default is none as this is far greater debugging resolution than 3459 the typical administrator is prepared to untangle. [William Rowe] 3460 3461 *) mod_disk_cache: If possible, check if the size of an object to cache is 3462 within the configured boundaries before actually saving data. 3463 [Niklas Edmundsson <nikke acc.umu.se>] 3464 3465 *) Worker and event MPMs: Remove improper scoreboard updates which were 3466 performed in the event of a fork() failure. [Chris Darroch] 3467 3468 *) Add support for fcgi:// proxies to mod_rewrite. 3469 [Markus Schiegl <ms schiegl.com>] 3470 3471 *) Remove incorrect comments from scoreboard.h regarding conditional 3472 loading of worker_score structure with mod_status, and remove unused 3473 definitions relating to old life_status field. 3474 [Chris Darroch <chrisd pearsoncmg.com>] 3475 3476 *) Remove allocation of memory for unused array of lb_score pointers 3477 in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>] 3478 3479 *) Add mod_proxy_fcgi, a FastCGI back end for mod_proxy. 3480 [Garrett Rooney, Jim Jagielski, Paul Querna] 3481 3482 *) Event MPM: Fill in the scoreboard's tid field. PR 38736. 3483 [Chris Darroch <chrisd pearsoncmg.com>] 3484 3485 *) mod_charset_lite: Remove Content-Length when output filter can 3486 invalidate it. Warn when input filter can invalidate it. 3487 [Jeff Trawick] 3488 3489 *) Authz: Add the new module mod_authn_core that will provide common 3490 authn directives such as 'AuthType', 'AuthName'. Move the directives 3491 'AuthType' and 'AuthName' out of the core module and merge mod_authz_alias 3492 into mod_authn_core. [Brad Nicholes] 3493 3494 *) Authz: Move the directives 'Order', 'Allow', 'Deny' and 'Satisfy' 3495 into the new module mod_access_compat which can be loaded to provide 3496 support for these directives. 3497 [Brad Nicholes] 3498 3499 *) Authz: Move the 'Require' directive from the core module as well as 3500 add the directives '<SatisfyAll>', '<SatisfyOne>', '<RequireAlias>' 3501 and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR' 3502 logic into the authorization processing. [Brad Nicholes] 3503 3504 *) Authz: Add the new module mod_authz_core which acts as the 3505 authorization provider vector and contains common authz 3506 directives. [Brad Nicholes] 3507 3508 *) Authz: Renamed mod_authz_dbm authz providers from 'group' and 3509 'file-group' to 'dbm-group' and 'dbm-file-group'. [Brad Nicholes] 3510 3511 *) Authz: Added the new authz providers 'env', 'ip', 'host', 'all' to handle 3512 host-based access control provided by mod_authz_host and invoked 3513 through the 'Require' directive. [Brad Nicholes] 3514 3515 *) Authz: Convert all of the authz modules from hook based to 3516 provider based. [Brad Nicholes] 3517 3518 *) mod_cache: Add CacheMinExpire directive to set the minimum time in 3519 seconds to cache a document. 3520 [Brian Akins <brian.akins turner.com>, Ruediger Pluem] 3521 3522 *) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew] 3523 3524 *) Fix typo in ProxyStatus syntax error message. 3525 [Christophe Jaillet <christophe.jaillet wanadoo.fr>] 3526 3527 *) Asynchronous write completion for the Event MPM. [Brian Pane] 3528 3529 *) Added an End-Of-Request bucket type. The logging of a request and 3530 the freeing of its pool are now done when the EOR bucket is destroyed. 3531 This has the effect of delaying the logging until right after the last 3532 of the response is sent; ap_core_output_filter() calls the access logger 3533 indirectly when it destroys the EOR bucket. [Brian Pane] 3534 3535 *) Rewrite of logresolve support utility: IPv6 addresses are now supported 3536 and the format of statistical output has changed. [Colm MacCarthaigh] 3537 3538 *) Rewrite of ap_coreoutput_filter to do nonblocking writes [Brian Pane] 3539 3540 *) Added new connection states for handler and write completion 3541 [Brian Pane] 3542 3543 *) mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264. 3544 [Justin Erenkrantz] 3545 3546 *) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive, 3547 allowing string-valued client certificate attributes to be used for 3548 access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1") 3549 [Martin Kraemer, David Reid] 3550 3551 [Apache 2.3.0-dev includes those bug fixes and changes with the 3552 Apache 2.2.xx tree as documented, and except as noted, below.] 3553 3554Changes with Apache 2.2.x and later: 3555 3556 *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup 3557 3558Changes with Apache 2.0.x and later: 3559 3560 *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup 3561 3562