Changelog Apache 2.2 win32 binary
9-Oct-2008 Changes with Apache 2.2.10
*) Upgraded apr to 1.3.3, apr-util to 1.3.4 and openssl to 0.9.8i
*) SECURITY: CVE-2008-2939 (cve.mitre.org)
mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
*) Allow for smax to be 0 for balancer members so that all idle
connections are able to be dropped should they exceed ttl.
PR 43371 [Phil Endecott , Jim Jagielski]
*) mod_proxy_http: Don't trigger a retry by the client if a failure to
read the response line was the result of a timeout.
[Adam Woodworth]
*) Support chroot on Unix-family platforms
PR 43596 [Dimitar Pashev]
*) mod_ssl: implement dynamic mutex callbacks for the benefit of
OpenSSL. [Sander Temme]
*) mod_proxy_balancer: Add 'bybusyness' load balance method.
[Joel Gluth, Jim Jagielski]
*) mod_authn_alias: Detect during startup when AuthDigestProvider
is configured to use an incompatible provider via AuthnProviderAlias.
PR 45196 [Eric Covener]
*) mod_proxy: Add 'scolonpathdelim' parameter to allow for ';' to also be
used as a session path separator/delim PR 45158. [Jim Jagielski]
*) mod_charset_lite: Avoid dropping error responses by handling meta buckets
correctly. PR 45687 [Dan Poirier]
*) mod_proxy_http: Introduce environment variable proxy-initial-not-pooled to
avoid reusing pooled connections if the client connection is an initial
connection. PR 37770. [Ruediger Pluem]
*) mod_rewrite: Allow Cookie option to set secure and HttpOnly flags.
PR 44799 [Christian Wenz]
*) mod_ssl: Rewrite shmcb to avoid memory alignment issues. PR 42101.
[Geoff Thorpe]
*) mod_proxy: Add connectiontimeout parameter for proxy workers in order to
be able to set the timeout for connecting to the backend separately.
PR 45445. [Ruediger Pluem, rahul]
*) mod_dav_fs: Retrieve minimal system information about directory
entries when walking a DAV fs, resolving a performance degradation on
Windows. PR 45464. [Joe Orton, Jeff Trawick]
*) mod_cgid: Pass along empty command line arguments from an ISINDEX
query that has consecutive '+' characters in the QUERY_STRING,
matching the behavior of mod_cgi.
[Eric Covener]
*) mod_headers: Prevent Header edit from processing only the first header
of possibly multiple headers with the same name and deleting the
remaining ones. PR 45333. [Ruediger Pluem]
*) mod_proxy_balancer: Move nonce field in the balancer manager page inside
the html form where it belongs. PR 45578. [Ruediger Pluem]
*) mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to
known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
[Ruediger Pluem]
*) mod_rewrite: Preserve the query string when [proxy,noescape]. PR 45247.
[Tom Donovan]
12-Jun-2008 Changes with Apache 2.2.9
See important notes Here
*) APR updated to version 1.3.0
*) SECURITY: CVE-2008-2364 (cve.mitre.org)
mod_proxy_http: Better handling of excessive interim responses
from origin server to prevent potential denial of service and high
memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
Joe Orton, Jim Jagielski]
*) SECURITY: CVE-2007-6420 (cve.mitre.org)
mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager
interface. [Joe Orton]
*) core: Fix address-in-use startup failure on some platforms caused
by creating an IPv4 listener which overlaps with an existing IPv6
listener. [Jeff Trawick]
*) mod_proxy: Make all proxy modules nocanon aware and do not add the
query string again in this case. PR 44803.
[Jim Jagielski, Ruediger Pluem]
*) mod_unique_id: Fix timestamp value in UNIQUE_ID.
PR 37064 [Kobayashi]
*) htpasswd: Fix salt generation weakness. PR 31440
[Andreas Krennmair , Peter Watkins ,
Paul Querna]
*) core: Add the filename of the configuration file to the warning message
about the useless use of AllowOverride. PR 39992.
[Darryl Miles ]
*) scoreboard: Remove unused proxy load balancer elements from scoreboard
image (not scoreboard memory itself). [Chris Darroch]
*) mod_proxy: Support environment variable interpolation in reverse
proxying directives. [Nick Kew]
*) suexec: When group is given as a numeric gid, validate it by looking up
the actual group name such that the name can be used in log entries.
PR 7862 [Leif W ]
*) Fix garbled TRACE response on EBCDIC platforms.
[David Jones ]
*) ab: Include limits.h earlier if available since we may need
INT_MAX (defined there on Windows) for the definition of MAX_REQUESTS.
PR 45024 [Ruediger Pluem]
*) ab: Improve client performance by clearing connection pool instead
of destroying it. PR 40054 [Brad Roberts ]
*) ab: Don't stop sending a request if EAGAIN is returned, which
will only happen if both the write and subsequent wait are
returning EAGAIN, and count posted bytes correctly when the initial
write of a request is not complete. PR 10038, 38861, 39679
[Patrick McManus, Stefan Fleiter, Davanum Srinivas, Roy T. Fielding]
*) ab: Overhaul stats collection and reporting to avoid integer
truncation and time divisions within the test loop, retain
native time resolution until output, remove unused data,
consistently round milliseconds, and generally avoid losing
accuracy of calculation due to type casts. PR 44878, 44931.
[Roy T. Fielding]
*) ab: Add -r option to continue after socket receive errors.
[Filip Hanik ]
*) core: Do not allow Options ALL if not all options are allowed to be
overwritten. PR 44262 [Michal Grzedzicki ]
*) mod_cache: Handle If-Range correctly if the cached resource was stale.
PR 44579 [Ruediger Pluem]
*) mod_proxy: Do not try a direct connection if the connection via a
remote proxy failed before and the request has a request body.
[Ruediger Pluem]
*) mod_proxy_ajp: Do not retry request in the case that we either failed to
sent a part of the request body or if the request is not idempotent.
PR 44334 [Ruediger Pluem]
*) mod_rewrite: Initialize hash needed by ap_register_rewrite_mapfunc early
enough. PR 44641 [Daniel Lescohier ]
*) mod_dav: Return "method not allowed" if the destination URI of a WebDAV
copy / move operation is no DAV resource. PR 44734 [Ruediger Pluem]
*) http_filters: Don't return 100-continue on redirects. PR 43711
[Ruediger Pluem]
*) mod_ssl: Fix a memory leak with connections that have zlib compression
turned on. PR 44975 [Joe Orton, Amund Elstad ,
Dr Stephen Henson ]
*) mod_proxy: Trigger a retry by the client in the case we fail to read the
response line from the backend by closing the connection to the client.
PR 37770 [Ruediger Pluem]
*) gen_test_char: add double-quote to the list of T_HTTP_TOKEN_STOP.
PR 9727 [Ville Skytt ]
*) core: reinstate location walk to fix config for subrequests
PR 41960 [Jose Kahan]
*) rotatelogs: Log the current file size and error code/description
when failing to write to the log file. [Jeff Trawick]
*) rotatelogs: Added '-f' option to force rotatelogs to create the
logfile as soon as started, and not wait until it reads the
first entry. [Jim Jagielski]
*) rotatelogs: Don't leak memory when reopening the logfile.
PR 40183 [Ruediger Pluem, Takashi Sato ]
*) rotatelogs: Improve atomicity when using -l and cleaup code.
PR 44004 [Rainer Jung]
*) mod_authn_dbd: Disambiguate and tidy database authentication
error messages. PR 43210. [Chris Darroch, Phil Endecott]
*) mod_headers: Add 'merge' option to avoid duplicate values within
the same header. [Chris Darroch]
*) mod_cgid: Explicitly set permissions of the socket (ScriptSock) shared by
mod_cgid and request processing threads, for OS'es such as HPUX and AIX
that do not use umask for AF_UNIX socket permissions.
[Eric Covener, Jeff Trawick]
*) mod_cgid: Don't try to restart the daemon if it fails to initialize
the socket. [Jeff Trawick]
*) mod_log_config: Add format options for %p so that the actual local
or remote port can be logged. PR 43415. [Adam Hasselbalch Hansen,
Ruediger Pluem, Jeff Trawick]
*) Added 'disablereuse' option for ProxyPass which, essentially,
disables connection pooling for the backend servers.
[Jim Jagielski]
*) mod_speling: remove regression from 1.3/2.0 behavior and
drop dependency between mod_speling and AcceptPathInfo.
PR 43562 [Jose Kahan ]
*) mod_substitute: The default is now flattening the buckets after
each substitution. The newly added 'q' flag allows for the
quicker, more efficient bucket-splitting if the user so
desires. [Jim Jagielski]
*) http_filters: Don't spin if get an error when reading the
next chunk. PR 44381 [Ruediger Pluem]
*) ab: Do not try to read non existing response bodies of HEAD requests.
PR 34275 [Takashi Sato ]
*) ab: Use a 64 bit unsigned int instead of a signed long to count the
bytes transferred to avoid integer overflows. PR 44346 [Ruediger Pluem]
*) ProxyPassReverse is now balancer aware. [Jim Jagielski]
*) mod_include: Correctly handle SSI directives split over multiple filter
passes. PR 44447 [Harald Niesche ]
*) mod_cache: Revalidate cache entities which have Cache-Control: no-cache
set in their response headers. PR 44511 [Ruediger Pluem]
*) mod_rewrite: Check all files used by DBM maps for freshness, mod_rewrite
didn't pick up on updated sdbm maps due to this.
PR41190 [Niklas Edmundsson]
*) mod_proxy: Lower memory consumption for short lived connections.
PR 44026. [Ruediger Pluem]
*) mod_proxy: Keep connections to the backend persistent in the HTTPS case.
[Ruediger Pluem]
*) Don't add bogus duplicate Content-Language entries
PR 11035 [Davi Arnaut]
*) Worker / Event MPM: Fix race condition in pool recycling that leads to
segmentation faults under load. PR 44402
[Basant Kumar Kukreja ]
*) mod_proxy_ftp: Fix base for directory listings.
PR 27834 [Nick Kew]
*) mod_logio: Provide optional function to allow modules to adjust the
bytes_in count [Eric Covener]
*) http_filters: Don't return 100-continue on client error
PR 43711 [Chetan Reddy ]
*) mod_charset_lite: Add TranslateAllMimeTypes sub-option to
CharsetOptions, allowing the administrator to skip the
mimetype checking that precedes translation.
PR 44458 [Eric Covener]
*) mod_proxy_http: Fix processing of chunked responses if
Connection: Transfer-Encoding is set in the response of the proxied
system. PR 44311 [Ruediger Pluem]
*) mod_proxy_http: Return HTTP status codes instead of apr_status_t
values for errors encountered while forwarding the request body
PR 44165 [Eric Covener]
*) mod_rewrite: Don't canonicalise URLs with [P,NE]
PR 43319 [rahul]
|
on Windows 
