Apache Lounge
Home of Apache2 Webmasters and Programmers

 






Changelog Apache 2.2 win32 binary

25-July-2010 Changes with Apache 2.2.16

No changes applied to the original ASF source
  *) Build with the new Windows SDK version 7.1

  *) Upgraded OpenSSL to 0.9.8o and zlib to 1.2.5

  *) SECURITY: CVE-2010-1452 (cve.mitre.org)
     mod_dav, mod_cache: Fix handling of requests without a path segment.
     PR: 49246 [Mark Drayton, Jeff Trawick]

  *) SECURITY: CVE-2010-2068 (cve.mitre.org)
     mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
     for platforms Windows, Netware and OS2.  PR: 49417. [Rainer Jung]

  *) core: Filter init functions are now run strictly once per request
     before handler invocation.  The init functions are no longer run
     for connection filters.  PR 49328.  [Joe Orton]

  *) mod_filter: enable it to act on non-200 responses.
     PR 48377 [Nick Kew]

  *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
     title page only) when any mod_ldap directives were used in VirtualHost
     context.  [Eric Covener]

  *) mod_ssl: Fix segfault at startup if proxy client certs are shared
     across multiple vhosts.  PR 39915.  [Joe Orton]

  *) mod_proxy_http: Log the port of the remote server in various messages.
     PR 48812. [Igor Galic] 

  *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
     [Philip M. Gollucci]

  *) mod_dir: add FallbackResource directive, to enable admin to specify
     an action to happen when a URL maps to no file, without resorting
     to ErrorDocument or mod_rewrite.  PR 47184 [Nick Kew]

  *) mod_rewrite: Allow setting environment variables without explicitly
     giving a value. [Rainer Jung]


5-March-2010 Changes with Apache 2.2.15

No changes applied to the original ASF source
  *) Upgraded APR to 1.4.2 and OpenSSL to 0.9.8m

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni, Jeff Trawick]

  *) Ensure each subrequest has a shallow copy of headers_in so that the
     parent request headers are not corrupted.  Eliminates a problematic
     optimization in the case of no request body.  PR 48359
     [Jake Scott, William Rowe, Ruediger Pluem]

  *) mod_reqtimeout: New module to set timeouts and minimum data rates for
     receiving requests from the client. [Stefan Fritsch]

  *) mod_proxy_ajp: Really regard the operation a success, when the client
     aborted the connection. In addition adjust the log message if the client
     aborted the connection. [Ruediger Pluem]

  *) mod_negotiation: Preserve query string over multiviews negotiation.
     This buglet was fixed for type maps in 2.2.6, but the same issue
     affected multiviews and was overlooked.
     PR 33112 [Joergen Thomsen]

  *) mod_cache: Introduce the thundering herd lock, a mechanism to keep
     the flood of requests at bay that strike a backend webserver as
     a cached entity goes stale. [Graham Leggett]

  *) mod_proxy_http: Make sure that when an ErrorDocument is served
     from a reverse proxied URL, that the subrequest respects the status
     of the original request. This brings the behaviour of proxy_handler
     in line with default_handler. PR 47106. [Graham Leggett]

  *) mod_log_config: Add the R option to log the handler used within the
     request. [Christian Folini]

  *) mod_include: Allow fine control over the removal of Last-Modified and
     ETag headers within the INCLUDES filter, making it possible to cache
     responses if desired. Fix the default value of the SSIAccessEnable
     directive. [Graham Leggett]

  *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
     allows insecure renegotiation with clients which do not yet
     support the secure renegotiation protocol.  [Joe Orton]

  *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
     is configured for client cert auth. PR 46952.  [Joe Orton]

  *) core: Fix potential memory leaks by making sure to not destroy
     bucket brigades that have been created by earlier filters.
     [Stefan Fritsch]

  *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
     try other providers in the case of an LDAP bind failure.
     PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]

  *) mod_proxy, mod_proxy_http: Support remote https proxies
     by using HTTP CONNECT.
     PR 19188.  [Philippe Dutrueux, Rainer Jung]

  *) worker: Don't report server has reached MaxClients until it has.
     Add message when server gets within MinSpareThreads of MaxClients.
     PR 46996.  [Dan Poirier]

  *) mod_ssl: When extracting certificate subject/issuer names to the
     SSL_*_DN_* variables, handle RDNs with duplicate tags by
     exporting multiple variables with an "_n" integer suffix.
     PR 45875.  [Joe Orton, Peter Sylvester]

  *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
     password now result in an informational level log entry instead of 
     warning level.  [Eric Covener]

  *) core: Preserve Port information over internal redirects
     PR 35999 [Jonas Ringh]

  *) mod_filter: fix FilterProvider matching where "dispatch" string
     doesn't exist.
     PR 48054 []

  *) Build: fix --with-module to work as documented
     PR 43881 [Gez Saunders]

  *) mod_mime: Make RemoveType override the info from TypesConfig.
     PR 38330. [Stefan Fritsch]

  *) mod_proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
     rather than BAD_GATEWAY or (especially) NOT_FOUND.
     PR 46971 [evanc nortel.com]

  *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
     [Eric Covener]

  *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
     some cache entries and log a warning. Also increase the default
     LDAPSharedCacheSize to 500000. This is a more realistic size suitable
     for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
     PR 46749. [Stefan Fritsch]

  *) mod_disk_cache, mod_mem_cache: don't cache incomplete responses,
     per RFC 2616, 13.8.  PR15866.  [Dan Poirier]

  *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
     the request is a CONNECT request. PR 47928
     [Bill Zajac]

  *) mod_cache: correctly consider s-maxage in cacheability
     decisions.  [Dan Poirier]

  *) core: Return APR_EOF if request body is shorter than the length announced
     by the client. PR 33098 [Stefan Fritsch]

  *) mod_rewrite: Add scgi scheme detection.  [André Malo]

  *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
     LocationMatch sections.  PR 47754.  [Dan Poirier]

  *) ab, mod_ssl: Restore compatibility with OpenSSL < 0.9.7g.
     [Guenter Knauf]
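
An added example (not part of this changelog or of the ASF source): a small Python audit for the two CVE-2009-3555 entries in the 2.2.15 list above. It flags `SSLInsecureRenegotiation on`, per-directory settings that need renegotiation when httpd is built against an OpenSSL older than 0.9.8l, and builds older than 0.9.8m. The function names, finding codes and sample configuration are constructed; treating `SSLVerifyClient` and `SSLCipherSuite` inside per-directory containers as renegotiation triggers is an assumption about mod_ssl, not something this page states.

```python
import re

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
_PER_DIR = re.compile(r"^<\s*(/?)\s*(Directory|Location|Files)(Match)?\b", re.I)

# Constructed sample configuration (not from the page).
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLInsecureRenegotiation On
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

def openssl_key(version):
    """Sortable key for versions like '0.9.8l'; suffix length first so 'za' > 'z'."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), len(letters), letters)

def audit(conf_text, openssl_version):
    """Return (finding, line_number) pairs for CVE-2009-3555 exposure."""
    built = openssl_key(openssl_version)
    has_partial = built >= openssl_key("0.9.8l")  # changelog: partial fix
    has_full = built >= openssl_key("0.9.8m")     # changelog: RFC 5746 fix
    findings, depth = [], 0
    for number, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = _PER_DIR.match(line)
        if section:  # track nesting inside per-directory containers
            depth += -1 if section.group(1) else 1
            continue
        words = line.lower().split()
        if words[0] == "sslinsecurerenegotiation" and words[1:2] == ["on"]:
            findings.append(("insecure-renegotiation-enabled", number))
        # Assumption: these directives force renegotiation per directory.
        if depth and not has_partial and words[0] in ("sslverifyclient", "sslciphersuite"):
            findings.append(("per-directory-renegotiation", number))
    if not has_full:
        findings.append(("no-rfc5746-support", 0))  # 0 = build-level finding
    return findings

print(audit(SAMPLE_CONF, "0.9.8k"))
```
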


29-September-2009 Changes with Apache 2.2.14

No changes applied to the original ASF source
  *) Build with the new Windows SDK version 7.0

  *) Upgraded APR to 1.3.9

  *) SECURITY: CVE-2009-2699 (cve.mitre.org)
     Fixed in APR 1.3.9.  Faulty error handling in the Solaris pollset support
     (Event Port backend) which could trigger hangs in the prefork and event
     MPMs on that platform.  PR 47645.  [Jeff Trawick]

  *) SECURITY: CVE-2009-3095 (cve.mitre.org)
     mod_proxy_ftp: sanity check authn credentials.
     [Stefan Fritsch, Joe Orton]

  *) SECURITY: CVE-2009-3094 (cve.mitre.org)
     mod_proxy_ftp: NULL pointer dereference on error paths.
     [Stefan Fritsch, Joe Orton]

  *) mod_proxy_scgi: Backport from trunk. [André Malo]

  *) mod_ldap: Don't try to resolve file-based user ids to a DN when AuthLDAPURL
     has been defined at a very high level.  PR 45946.  [Eric Covener]

  *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]

  *) mod_ldap: Bring the LDAPCacheEntries and LDAPOpCacheEntries
     usage() in synch with the manual and the implementation (0 and -1
     both disable the cache). [Eric Covener]

  *) mod_ssl: The error message when SSLCertificateFile is missing should
     at least give the name or position of the problematic virtual host
     definition. [Stefan Fritsch sf sfritsch.de]

  *) htdbm: Fix possible buffer overflow if dbm database has very
     long values.  PR 30586 [Dan Poirier]

  *) Add support for HTTP PUT to ab. [Jeff Barnes]

  *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
     type.  PR 45107.  [Michael Ströder,
     Peter Sylvester]

  *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
     defined session identifiers encoded in the URL when caching.
     [Ruediger Pluem]

  *) mod_mem_cache: fix seg fault under load due to pool concurrency problem
     PR: 47672 [Dan Poirier]

  *) mod_autoindex: Correctly create an empty cell if the description
     for a file is missing. PR 47682 [Peter Poeml]