path: root/CHANGES
author: Arno Töll <arno@debian.org> 2012-10-20 02:58:14 +0200
committer: Arno Töll <arno@debian.org> 2012-10-20 02:58:14 +0200
commit: 5c4fba3ffbe778bdffe10a93d04821579601a020
tree: 91be9a7f99d3988ba48b0a619479aa46a3234191 /CHANGES
parent: 8f9c15530d0bc387af114619b3ff3f930eb23d3c
download: apache2-5c4fba3ffbe778bdffe10a93d04821579601a020.tar.gz

Imported Upstream version 2.4.3 (tag: upstream/2.4.3)
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 200
1 files changed, 199 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index acc08b70..33c6b732 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,200 @@
-*- coding: utf-8 -*-
+Changes with Apache 2.4.3
+
+ *) SECURITY: CVE-2012-3502 (cve.mitre.org)
+ mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
+ connection closing which could lead to privacy issues due
+ to a response mixup. PR 53727. [Rainer Jung]
+
+ *) SECURITY: CVE-2012-2687 (cve.mitre.org)
+ mod_negotiation: Escape filenames in variant list to prevent an
+ possible XSS for a site where untrusted users can upload files to
+ a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
+
+ *) mod_authnz_ldap: Don't try a potentially expensive nested groups
+ search before exhausting all AuthLDAPGroupAttribute checks on the
+ current group. PR 52464 [Eric Covener]
+
+ *) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
+ authorization provider in lua. [Stefan Fritsch]
+
+ *) core: Be less strict when checking whether Content-Type is set to
+ "application/x-www-form-urlencoded" when parsing POST data,
+ or we risk losing data with an appended charset. PR 53698
+ [Petter Berntsen <petterb gmail.com>]
+
+ *) httpd.conf: Added configuration directives to set a bad_DNT environment
+ variable based on User-Agent and to remove the DNT header field from
+ incoming requests when a match occurs. This currently has the effect of
+ removing DNT from requests by MSIE 10.0 because it deliberately violates
+ the current specification of DNT semantics for HTTP. [Roy T. Fielding]
+
+ *) mod_socache_shmcb: Fix bus error due to a misalignment
+ in some 32 bit builds, especially on Solaris Sparc.
+ PR 53040. [Rainer Jung]
+
+ *) mod_cache: Set content type in case we return stale content.
+ [Ruediger Pluem]
+
+ *) Windows: Fix SSL failures on windows with AcceptFilter https none.
+ PR 52476. [Jeff Trawick]
+
+ *) ab: Fix read failure when targeting SSL server. [Jeff Trawick]
+
+ *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
+ - mod_auth_digest: shared memory file
+ [Jeff Trawick]
+
+ *) htpasswd: Use correct file mode for checking if file is writable.
+ PR 45923. [Stefan Fritsch]
+
+ *) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T.
+ <mi apache aldan algebra com>]
+
+ *) mod_ssl: Add new directive SSLCompression to disable TLS-level
+ compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
+
+ *) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
+ client_ip to match conn_rec. [Stefan Fritsch]
+
+ *) mod_lua: Change prototype of vm_construct, to work around gcc bug which
+ causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>]
+
+ *) mpm_event: Don't count connections in lingering close state when
+ calculating how many additional connections may be accepted.
+ [Stefan Fritsch]
+
+ *) mod_ssl: If exiting during initialization because of a fatal error,
+ log a message to the main error log pointing to the appropriate
+ virtual host error log. [Stefan Fritsch]
+
+ *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
+ one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]
+
+ *) mod_proxy_balancer: Restore balancing after a failed worker has
+ recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick]
+
+ *) mod_setenvif: Compile some global regex only once during startup.
+ This should save some memory, especially with .htaccess.
+ [Stefan Fritsch]
+
+ *) core: Add the port number to the vhost's name in the scoreboard.
+ [Stefan Fritsch]
+
+ *) mod_proxy: Fix ProxyPassReverse for balancer configurations.
+ PR 45434. [Joe Orton]
+
+ *) mod_lua: Add the parsebody function for parsing POST data. PR 53064.
+ [Daniel Gruno]
+
+ *) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS.
+ [Stefan Fritsch]
+
+ *) mod_proxy: Fix memory leak or possible corruption in ProxyBlock
+ implementation. [Ruediger Pluem, Joe Orton]
+
+ *) mod_proxy: Check hostname from request URI against ProxyBlock list,
+ not forward proxy, if ProxyRemote* is configured. [Joe Orton]
+
+ *) mod_proxy_connect: Avoid DNS lookup on hostname from request URI
+ if ProxyRemote* is configured. PR 43697. [Joe Orton]
+
+ *) mpm_event, mpm_worker: Remain active amidst prevalent child process
+ resource shortages. [Jeff Trawick]
+
+ *) Add "strict" and "warnings" pragmas to Perl scripts. [Rich Bowen]
+
+ *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
+ - core: the scoreboard (ScoreBoardFile), pid file (PidFile), and
+ mutexes (Mutex)
+ [Jim Jagielski]
+
+ *) ab: Fix bind() errors. [Joe Orton]
+
+ *) mpm_event: Don't do a blocking write when starting a lingering close
+ from the listener thread. PR 52229. [Stefan Fritsch]
+
+ *) mod_so: If a filename without slashes is specified for LoadFile or
+ LoadModule and the file cannot be found in the server root directory,
+ try to use the standard dlopen() search path. [Stefan Fritsch]
+
+ *) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced
+ after child process resource shortages. [Jeff Trawick]
+
+ *) mpm_prefork: Reduce spawn rate after a child process exits due to
+ unexpected poll or accept failure. [Jeff Trawick]
+
+ *) core: Log value of Status header line in script responses rather
+ than the fixed header name. [Chris Darroch]
+
+ *) mpm_ssl: Fix handling of empty response from OCSP server.
+ [Jim Meyering <meyering redhat.com>, Joe Orton]
+
+ *) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch]
+
+ *) mod_authz_core: If an expression in "Require expr" returns denied and
+ references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
+ [Stefan Fritsch]
+
+ *) core: Always log if LimitRequestFieldSize triggers. [Stefan Fritsch]
+
+ *) mod_deflate: Skip compression if compression is enabled at SSL level.
+ [Stefan Fritsch]
+
+ *) core: Add missing HTTP status codes registered with IANA.
+ [Julian Reschke <julian.reschke gmx.de>, Rainer Jung]
+
+ *) mod_ldap: Treat the "server unavailable" condition as a transient
+ error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]
+
+ *) core: Fix spurious "not allowed here" error returned when the Options
+ directive is used in .htaccess and "AllowOverride Options" (with no
+ specific options restricted) is configured. PR 53444. [Eric Covener]
+
+ *) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
+ PR 53048. [Stefan Fritsch]
+
+ *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
+ PR 53104. [Greg Ames]
+
+ *) mod_ext_filter: Fix error_log spam when input filters are configured.
+ [Joe Orton]
+
+ *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
+
+ *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
+ [Paul Wouters <pwouters redhat.com>, Joe Orton]
+
+ *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
+ the chosen listener is configured for https. [Joe Orton]
+
+ *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
+ forwarding to SSL backends. PR 53134.
+ [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
+
+ *) mod_info: Display all registered providers. [Stefan Fritsch]
+
+ *) mod_ssl: Send the error message for speaking http to an https port using
+ HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
+ using SNI. PR 50823. [Stefan Fritsch]
+
+ *) core: Fix segfault in logging if r->useragent_addr or c->client_addr is
+ unset. PR 53265. [Stefan Fritsch]
+
+ *) log_server_status: Bring Perl style forward to the present, use
+ standard modules, update for new format of server-status output.
+ PR 45424. [Richard Bowen, Dave Brondsema, and others]
+
+ *) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups.
+ [Joe Orton, André Malo]
+
+ *) core: Prevent "httpd -k restart" from killing server in presence of
+ config error. [Joe Orton]
+
+ *) mod_proxy_fcgi: If there is an error reading the headers from the
+ backend, send an error to the client. PR 52879. [Stefan Fritsch]
+
Changes with Apache 2.4.2
*) SECURITY: CVE-2012-0883 (cve.mitre.org)
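Review bot: the OCSP entry reads "mpm_ssl: Fix handling of empty response from OCSP server", but nothing else in this hunk refers to an mpm_ssl module and OCSP handling is a mod_ssl feature, so "mpm_ssl" looks like a typo for "mod_ssl". Two smaller wording slips in the same hunk: "prevent an possible XSS" under CVE-2012-2687 should read "a possible XSS", and the mod_proxy SNI entry has "Use the the same hostname". Since this commit imports the upstream CHANGES file verbatim, these are best reported upstream rather than patched in the Debian import.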
@@ -11,6 +206,9 @@ Changes with Apache 2.4.2
*) mod_ssl: Fix crash with threaded MPMs due to race condition when
initializing EC temporary keys. [Stefan Fritsch]
+ *) mod_rewrite: Fix RewriteCond integer checks to be parsed correctly.
+ PR 53023. [Axel Reinhold <apache freakout.de>, André Malo]
+
*) mod_proxy: Add the forcerecovery balancer parameter that determines if
recovery for balancer workers is enforced. [Ruediger Pluem]
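Review bot: the added mod_rewrite entry (RewriteCond integer checks, PR 53023) lands under the "Changes with Apache 2.4.2" heading rather than in the new 2.4.3 section above. Worth confirming this is a backfill of an entry omitted when 2.4.2 shipped and not a 2.4.3 change filed under the wrong release, since readers use these headings to decide which version carries a given fix.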
@@ -109,7 +307,7 @@ Changes with Apache 2.4.1
*) Rewrite and proxy now decline what they don't support rather
than fail the request. [Joe Orton]
- *) Fix building against external apr plus ap-util if apr is not installed
+ *) Fix building against external apr plus apr-util if apr is not installed
in a system default path. [Rainer Jung]
*) Doxygen fixes and improvements. [Joe Orton, Igor Galić]
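Review bot: one-word correction ("ap-util" to "apr-util") in the already-released 2.4.1 section; apr-util is the actual library name, and the change alters nothing about what 2.4.1 contained, so it is fine to take as part of the import.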