diff options
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 242 |
1 files changed, 239 insertions, 3 deletions
@@ -1,4 +1,241 @@ - -*- coding: utf-8 -*- + -*- coding: utf-8 -*- +Changes with Apache 2.2.8 + + *) core: Fix regression in 2.2.7 in chunk filtering with massively + chunked requests. [Ruediger Pluem, Nick Kew] + + *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout + to /Device/Nul as the server is starting up, mirroring unix MPM's. + PR: 43534 [Tom Donovan <Tom.Donovan acm.org>, William Rowe] + + *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform + by recreating the bucket allocator each time the trans pool is cleared. + PR: 11427 #16 (follow-on) [Tom Donovan <Tom.Donovan acm.org>] + + *) mod_dav: Fix evaluation of If-Match * and If-None-Match * conditionals. + PR 38034 [Paritosh Shah <shah.paritosh gmail.com>] + +Changes with Apache 2.2.7 (not released) + + *) SECURITY: CVE-2007-6421 (cve.mitre.org) + mod_proxy_balancer: Correctly escape the worker route and the worker + redirect string in the HTML output of the balancer manager. + Reported by SecurityReason. [Ruediger Pluem] + + *) SECURITY: CVE-2007-6422 (cve.mitre.org) + Prevent crash in balancer manager if invalid balancer name is passed + as parameter. Reported by SecurityReason. [Ruediger Pluem] + + *) SECURITY: CVE-2007-6388 (cve.mitre.org) + mod_status: Ensure refresh parameter is numeric to prevent + a possible XSS attack caused by redirecting to other URLs. + Reported by SecurityReason. [Mark Cox, Joe Orton] + + *) SECURITY: CVE-2007-5000 (cve.mitre.org) + mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. + [Joe Orton] + + *) SECURITY: CVE-2008-0005 (cve.mitre.org) + Introduce the ProxyFtpDirCharset directive, allowing the administrator + to identify a default, or specific servers or paths which list their + contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem] + + *) mod_dav: Adjust etag generation to produce identical results on 32-bit + and 64-bit platforms and avoid a regression with conditional PUT's on lock + and etag. PR 44152. + [Michael Clark <michael metaparadigm.com>, Ruediger Pluem] + + *) mod_ssl: Fix handling of the buffered request body during a per-location + renegotiation, when an internal redirect occurs. PR 43738. + [Joe Orton] + + *) mod_ldap: Try to establish a new backend LDAP connection when the + Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the + LDAP server has closed the connection due to a timeout. + PR 39095 [Eric Covener] + + *) log.c: Ensure Win32 resurrects its lost robust logger processes. + [William Rowe] + + *) mod_disk_cache: Delete temporary files if they cannot be renamed to their + final name. [Davi Arnaut <davi haxent.com.br>] + + *) Add explicit charset to the output of various modules to work around + possible cross-site scripting flaws affecting web browsers that do not + derive the response character set as required by RFC2616. One of these + reported by SecurityReason [Joe Orton] + + *) http_protocol: Escape request method in 405 error reporting. + This has no security impact since the browser cannot be tricked + into sending arbitrary method strings. [Jeff Trawick] + + *) mod_ssl: Fix SSL client certificate extensions parsing bug. PR 44073. + [yl <yl bee-ware.net>] + + *) mod_proxy_ajp: Use 64K as maximum AJP packet size. This is the maximum + length we can squeeze inside the AJP message packet. + [Mladen Turk] + + *) core: Lower memory consumption of ap_r* functions by reusing the brigade + instead of recreating it during each filter pass. + [Stefan Fritsch <sf sfritsch.de>] + + *) core: Lower memory consumption in case that flush buckets are passed thru + the chunk filter as last bucket of a brigade. PR 23567. + [Stefan Fritsch <sf sfritsch.de>] + + *) core: Fix broken chunk filtering that causes all non blocking reads to be + converted into blocking reads. PR 19954, 41056. + [Jean-Frederic Clere, Jim Jagielski] + + *) mod_rewrite: Add the novary flag to RewriteCond. + [Ruediger Pluem] + + *) core: Change etag generation to produce identical results on + 32-bit and 64-bit platforms. PR 40064. [Joe Orton] + + *) http_protocol: Escape request method in 413 error reporting. + Determined to be not generally exploitable, but a flaw in any case. + PR 44014 [Victor Stinner <victor.stinner inl.fr>] + + *) mod_filter: Don't segfault on (unsupported) chained FilterProvider usage. + PR 43956 [Nick Kew, Ruediger Pluem] + + *) core: Handle unrecognised transfer-encodings. + PR 43882 [Nick Kew, Jeff Trawick] + + *) mod_include: Add an "if" directive syntax to test whether an URL + is accessible, and if so, conditionally display content. This + allows a webmaster to hide a link to a private page when the user + has no access to that page. [Graham Leggett] + + *) Various code cleanups. PR 38699, 39518, 42005, 42006, 42007, 42008, 42009 + [Christophe Jaillet <christophe.jaillet wanadoo.fr>] + + *) mod_proxy_http: Correctly forward unexpected interim (HTTP 1xx) + responses from the backend according to RFC2616. But make it + configurable in case something breaks on it. + PR 16518 [Nick Kew] + + *) mod_substitute: Added a new output filter, which performs + inline response content pattern matching (including regex) + and substitution. [Jim Jagielski, Ruediger Pluem] + + *) rotatelogs: Change command-line parsing to report more types + of errors. Allow local timestamps to be used when rotating based + on file size. [Jeff Trawick] + + *) mod_proxy: Canonicalisation improvements. Add "nocanon" keyword to + ProxyPass, to suppress URI-canonicalisation in a reverse proxy. Also, + don't escape/unescape forward-proxied URLs. + PR 41798, 42592 [Nick Kew, Ruediger Pluem, Roy Fielding, Jim Jagielski] + + *) mod_status: Add SeeRequestTail directive, which determines if + ExtendedStatus displays the 1st 63 characters of the request + or the last 63. Useful for those requests with large string + lengths and which only vary with the last several characters. + [Jim Jagielski] + + *) mod_ssl: Prevent memory corruption of version string. + PR 43865, 43334 [William Rowe, Joe Orton] + + *) core: Avoid some unexpected connection closes by telling the client + that the connection is not persistent if the MPM process handling + the request is already exiting when the response header is built. + [Jeff Trawick] + + *) mod_autoindex: Generate valid XHTML output by adding the xhtml + namespace. PR 43649 [Jose Kahan <jose w3.org>] + + *) mod_ldap: Give callers a reference to data copied into the request + pool instead of references directly into the cache + PR 43786 [Eric Covener] + + *) mod_ldap: Stop passing a reference to pconf around for + (limited) use during request processing, avoiding possible + memory corruption and crashes. [Eric Covener] + + *) Event MPM: Add support for running under mod_ssl, by reverting to the + Worker MPM behaviors, when run under an input filter that buffers + its own data. [Paul Querna] + + *) mod_charset_lite: Don't crash when the request has no associated + filename. [Jeff Trawick] + + *) Core: fix possible crash at startup in case of nonexistent DocumentRoot. + PR 39722 [Adrian Buckley <adrian.buckley ntlworld.com>] + + *) HTTP protocol: Add "DefaultType none" option. + PR 13986 and PR 16139 [Nick Kew] + + *) mod_rewrite: Add option to suppress URL unescaping + PR 34602 [Guenther Gsenger <guenther.gsenger gmail.com>] + + *) mpm_winnt: Eliminate wait_for_many_objects. Allows the clean + shutdown of the server when the MaxClients is higher then 257, + in a more responsive manner [Mladen Turk, William Rowe] + + *) mod_proxy_http: Remove Warning headers with wrong date + PR 16138 [Nick Kew] + + *) mod_proxy_http: Correctly parse all Connection headers in proxy. + PR 43509 [Nick Kew] + + *) mod_proxy_http: add Via header correctly (if enabled) to + response, even where other Via headers exist. + PR 19439 [Nick Kew] + + *) http_core: OPTIONS * no longer maps to local storage or URI + space. Note that unlike previous versions, OPTIONS * no + longer returns an Allow: header. PR 43519 [Jim Jagielski] + + *) mod_proxy_http: strip hop-by-hop response headers + PR 43455 [Nick Kew] + + *) mod_proxy: Don't by default violate RFC2616 by setting + Max-Forwards when the client didn't send it to us. + Leave that as a configuration option. + PR 16137 [Nick Kew] + + *) scoreboard: improve error message on apr_shm_create failure + PR 40037 [Nick Kew] + + *) proxy: Fix persistent backend connections. + PR 43472 [Ruediger Pluem] + + *) mod_deflate: initialise inflate-out filter correctly when the + first brigade contains no data buckets. + PR 43512 [Nick Kew] + + *) mod_proxy_ajp: Ignore any ajp13 flush packets received before + we send the response headers. See Tomcat PR 43478. + [Jim Jagielski] + + *) mod_proxy_balancer: Do not reset lbstatus, lbfactor and lbset when + starting a new child. + PR 39907 [Vinicius Petrucci <vpetrucci gmail.com>, Ruediger Pluem] + + *) mod_proxy_http: Propagate Proxy-Authorization header correctly. + PR 25947 [Nick Kew] + + *) mod_proxy_ajp: Differentiate within AJP between GET and HEAD + requests. PR 43060 [Jim Jagielski] + + *) Don't send spurious "100 Continue" response lines. + PR 38014 [Basant Kumar Kukreja <basant.kukreja sun.com>] + + *) mod_proxy_ftp: Don't segfault on bad line in FTP listing + PR 40733 [Ulf Harnhammar <metaur telia.com>] + + *) mod_proxy: escape error-notes correctly + PR 40952 [Thijs Kinkhorst <thijs debian.org>] + + *) mod_proxy: check ProxyBlock for all blocked addresses + PR 36987 [Timo Viipuri <timo.viipuri f-secure.com>] + + *) mod_proxy: Don't lose bytes when a response line arrives in small chunks. + PR 40894 [Andrew Rucker Jones <arjones simultan.dyndns.org>] + Changes with Apache 2.2.6 *) SECURITY: CVE-2007-3847 (cve.mitre.org) @@ -323,7 +560,7 @@ Changes with Apache 2.2.4 *) mod_cgi and mod_cgid: Don't use apr_status_t error return from input filters as HTTP return value from the handler. - PR 31579. [Nick Kew] + PR 31759. [Nick Kew] *) mod_cache: Eliminate a bogus error in the log when a filter returns AP_FILTER_ERROR. [Niklas Edmundsson <nikke acc.umu.se>] @@ -1579,7 +1816,6 @@ Changes with Apache 2.1.1 *) Rewrite of aaa modules to an authn/authz model. [Dirk-Willem van Gulik, Justin Erenkrantz] - [Apache 2.1.0-dev includes those bug fixes and changes with the Apache 2.0.xx tree as documented, and except as noted, below.] |