K 10 svn:author V 6 ohauer K 8 svn:date V 27 2014-03-22T21:18:21.577305Z K 7 svn:log V 14993 - update to 2.4.9 - enforcing use libapr-1.so.5 (apr-1.5.0 instead apr-1.4.8) Changes with Apache 2.4.9 *) mod_ssl: Work around a bug in some older versions of OpenSSL that would cause a crash in SSL_get_certificate for servers where the certificate hadn't been sent. [Stephen Henson] *) mod_lua: Add a fixups hook that checks if the original request is intended for LuaMapHandler. This fixes a bug where FallbackResource invalidates the LuaMapHandler directive in certain cases by changing the URI before the map handler code executes [Daniel Gruno, Daniel Ferradal ]. Changes with Apache 2.4.8 *) SECURITY: CVE-2014-0098 (cve.mitre.org) Clean up cookie logging with fewer redundant string parsing passes. Log only cookies with a value assignment. Prevents segfaults when logging truncated cookies. [William Rowe, Ruediger Pluem, Jim Jagielski] *) SECURITY: CVE-2013-6438 (cve.mitre.org) mod_dav: Keep track of length of cdata properly when removing leading spaces. Eliminates a potential denial of service from specifically crafted DAV WRITE requests [Amin Tora ] *) core: Support named groups and backreferences within the LocationMatch, DirectoryMatch, FilesMatch and ProxyMatch directives. (Requires non-ancient PCRE library) [Graham Leggett] *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding TE/CL conflicts. [Yann Ylavic , Jim Jagielski] *) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping execution when a handler is already set. PR53929. [Eric Covener] *) mod_ssl: Do not perform SNI / Host header comparison in case of a forward proxy request. [Ruediger Pluem] *) mod_ssl: Remove the hardcoded algorithm-type dependency for the SSLCertificateFile and SSLCertificateKeyFile directives, to enable future algorithm agility, and deprecate the SSLCertificateChainFile directive (obsoleted by SSLCertificateFile). [Kaspar Brand] *) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore, and IgnoreInherit to allow RewriteRules to be pushed from parent scopes to child scopes without explicitly configuring each child scope. PR56153. [Edward Lu ] *) prefork: Fix long delays when doing a graceful restart. PR 54852 [Jim Jagielski, Arkadiusz Miskiewicz ] *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions 5+ instead of just for FreeBSD 5. PR 53824. [Jeff Trawick] *) mod_proxy_wstunnel: Avoid busy loop on client errors, drop message IDs 02445, 02446, and 02448 to TRACE1 from DEBUG. PR 56145. [Joffroy Christen , Eric Covener] *) mod_remoteip: Correct the trusted proxy match test. PR 54651. [Yoshinori Ehara , Eugene L ] *) mod_proxy_fcgi: Fix error message when an unexpected protocol version number is received from the application. PR 56110. [Jeff Trawick] *) mod_remoteip: Use the correct IP addresses to populate the proxy_ips field. PR 55972. [Mike Rumph] *) mod_lua: Update r:setcookie() to accept a table of options and add domain, path and httponly to the list of options available to set. PR 56128 [Edward Lu , Daniel Gruno] *) mod_lua: Fix r:setcookie() to add, rather than replace, the Set-Cookie header. PR56105 [Kevin J Walters , Edward Lu ] *) mod_lua: Allow for database results to be returned as a hash with row-name/value pairs instead of just row-number/value. [Daniel Gruno] *) mod_rewrite: Add %{CONN_REMOTE_ADDR} as the non-useragent counterpart to %{REMOTE_ADDR}. PR 56094. [Edward Lu ] *) WinNT MPM: If ap_run_pre_connection() fails or sets c->aborted, don't save the socket for reuse by the next worker as if it were an APR_SO_DISCONNECTED socket. Restores 2.2 behavior. [Eric Covener] *) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a URL that was just rewritten by mod_rewrite. PR53929. [Eric Covener] *) mod_session: When we have a session we were unable to decode, behave as if there was no session at all. [Thomas Eckert ] *) mod_session: Fix problems interpreting the SessionInclude and SessionExclude configuration. PR 56038. [Erik Pearson ] *) mod_authn_core: Allow 'es to be seen from auth stanzas under virtual hosts. PR 55622. [Eric Covener] *) mod_proxy_fcgi: Use apr_socket_timeout_get instead of hard-coded 30 seconds timeout. [Jan Kaluza] *) mod_proxy: Added support for unix domain sockets as the backend server endpoint [Jim Jagielski, Blaise Tarr ] *) build: only search for modules (config*.m4) in known subdirectories, see build/config-stubs. [Stefan Fritsch] *) mod_cache_disk: Fix potential hangs on Windows when using mod_cache_disk. PR 55833. [Eric Covener] *) mod_ssl: Add support for OpenSSL configuration commands by introducing the SSLOpenSSLConfCmd directive. [Stephen Henson, Kaspar Brand] *) mod_proxy: Remove (never documented) syntax which is equivalent to . [Christophe Jaillet] *) mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm, mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the require directives. [Graham Leggett] *) mod_proxy_http: Core dumped under high load. PR 50335. [Jan Kaluza ] *) mod_socache_shmcb.c: Remove arbitrary restriction on shared memory size previously limited to 64MB. [Jens Låås ] *) mod_lua: Use binary copy when dealing with uploads through r:parsebody() to prevent truncating files. [Daniel Gruno] Changes with Apache 2.4.7 *) APR 1.5.0 or later is now required for the event MPM. *) slotmem_shm: Error detection. [Jim Jagielski] *) event: Use skiplist data structure. [Jim Jagielski] *) event: Fail at startup with message AP02405 if the APR atomic implementation is not compatible with the MPM. [Jim Jagielski] *) mpm_unix: Add ap_mpm_podx_* implementation to avoid code duplication and align w/ trunk. [Jim Jagielski] *) Fix potential rejection of valid MaxMemFree and ThreadStackSize directives. [Mike Rumph ] *) mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars. An individual envvar with an encoded length of more than 16K will be omitted. [Jeff Trawick] *) mod_proxy_fcgi: Handle reading protocol data that is split between packets. [Jeff Trawick] *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by allowing custom parameters to be configured via SSLCertificateFile, and by adding standardized DH parameters for 1024/2048/3072/4096 bits. Unless custom parameters are configured, the standardized parameters are applied based on the certificate's RSA/DSA key size. [Kaspar Brand] *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand] *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA keys, and unconditionally disable aNULL, eNULL and EXP ciphers (not overridable via SSLCipherSuite). [Kaspar Brand] *) mod_proxy: Added support for unix domain sockets as the backend server endpoint [Jim Jagielski, Blaise Tarr ] *) Add experimental cmake-based build system for Windows. [Jeff Trawick, Tom Donovan] *) event MPM: Fix possible crashes (third party modules accessing c->sbh) or occasional missed mod_status updates for some keepalive requests under load. [Eric Covener] *) mod_authn_socache: Support optional initialization arguments for socache providers. [Chris Darroch] *) mod_session: Reset the max-age on session save. PR 47476. [Alexey Varlamov ] *) mod_session: After parsing the value of the header specified by the SessionHeader directive, remove the value from the response. PR 55279. [Graham Leggett] *) mod_headers: Allow for format specifiers in the substitution string when using Header edit. [Daniel Ruggeri] *) mod_dav: dav_resource->uri is treated as unencoded. This was an unnecessary ABI changed introduced in 2.4.6. PR 55397. *) mod_dav: Don't require lock tokens for COPY source. PR 55306. *) core: Don't truncate output when sending is interrupted by a signal, such as from an exiting CGI process. PR 55643. [Jeff Trawick] *) WinNT MPM: Exit the child if the parent process crashes or is terminated. [Oracle Corporation] *) Windows: Correct failure to discard stderr in some error log configurations. (Error message AH00093) [Jeff Trawick] *) mod_session_crypto: Allow using exec: calls to obtain session encryption key. [Daniel Ruggeri] *) core: Add missing Reason-Phrase in HTTP response headers. PR 54946. [Rainer Jung] *) mod_rewrite: Make rewrite websocket-aware to allow proxying. PR 55598. [Chris Harris ] *) mod_ldap: When looking up sub-groups, use an implicit objectClass=* instead of an explicit cn=* filter. [David Hawes ] *) ab: Add wait time, fix processing time, and output write errors only if they occured. [Christophe Jaillet] *) worker MPM: Don't forcibly kill worker threads if the child process is exiting gracefully. [Oracle Corporation] *) core: apachectl -S prints wildcard name-based virtual hosts twice. PR54948 [Eric Covener] *) mod_auth_basic: Add AuthBasicUseDigestAlgorithm directive to allow migration of passwords from digest to basic authentication. [Chris Darroch] *) ab: Add a new -l parameter in order not to check the length of the responses. This can be usefull with dynamic pages. PR9945, PR27888, PR42040 [] *) Suppress formatting of startup messages written to the console when ErrorLogFormat is used. [Jeff Trawick] *) mod_auth_digest: Be more specific when the realm mismatches because the realm has not been specified. [Graham Leggett] *) mod_proxy: Add a note in the balancer manager stating whether changes will or will not be persisted and whether settings are inherited. [Daniel Ruggeri, Jim Jagielski] *) mod_cache: Avoid a crash with strcmp() when the hostname is not provided. [Graham Leggett] *) core: Add util_fcgi.h and associated definitions and support routines for FastCGI, based largely on mod_proxy_fcgi. [Jeff Trawick] *) mod_headers: Add 'Header note header-name note-name' for copying a response headers value into a note. [Eric Covener] *) mod_headers: Add 'setifempty' command to Header and RequestHeader. [Eric Covener] *) mod_logio: new format-specifier %S (sum) which is the sum of received and sent byte counts. PR54015 [Christophe Jaillet] *) mod_deflate: Improve error detection when decompressing request bodies with trailing garbage: handle case where trailing bytes are in the same bucket. [Rainer Jung] *) mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663 from ERROR to DEBUG, since these modules do not know what mod_authz_core is doing with their AUTHZ_DENIED return value. [Eric Covener] *) mod_ldap: add TRACE5 for LDAP retries. [Eric Covener] *) mod_ldap: retry on an LDAP timeout during authn. [Eric Covener] *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK default, sans rebind authentication callback. [Jan Kaluza ] *) core: Log a message at TRACE1 when the client aborts a connection. [Eric Covener] *) WinNT MPM: Don't crash during child process initialization if the Listen protocol is unrecognized. [Jeff Trawick] *) modules: Fix some compiler warnings. [Guenter Knauf] *) Sync 2.4 and trunk - Avoid some memory allocation and work when TRACE1 is not activated - fix typo in include guard - indent - No need to lower the string before removing the path, it is just a waste of time... - Save a few cycles [Christophe Jaillet ] *) mod_filter: Add "change=no" as a proto-flag to FilterProtocol to remove a providers initial flags set at registration time. [Eric Covener] *) core, mod_ssl: Enable the ability for a module to reverse the sense of a poll event from a read to a write or vice versa. This is a step on the way to allow mod_ssl taking full advantage of the event MPM. [Graham Leggett] *) Makefile.win: Install proper pcre DLL file during debug build install. PR 55235. [Ben Reser ] *) mod_ldap: Fix a potential memory leak or corruption. PR 54936. [Zhenbo Xu ] *) ab: Fix potential buffer overflows when processing the T and X command-line options. PR 55360. [Mike Rumph ] *) fcgistarter: Specify SO_REUSEADDR to allow starting a server with old connections in TIME_WAIT. [Jeff Trawick] *) core: Add open_htaccess hook which, in conjunction with dirwalk_stat and post_perdir_config (introduced in 2.4.5), allows mpm-itk to be used without patches to httpd core. [Stefan Fritsch] *) support/htdbm: fix processing of -t command line switch. Regression introduced in 2.4.4 PR 55264 [Jo Rhett ] *) mod_lua: add websocket support via r:wsupgrade, r:wswrite, r:wsread and r:wsping. [Daniel Gruno] *) mod_lua: add support for writing/reading cookies via r:getcookie and r:setcookie. [Daniel Gruno] *) mod_lua: If the first yield() of a LuaOutputFilter returns a string, it should be prefixed to the response as documented. [Eric Covener] Note: Not present in 2.4.7 CHANGES *) mod_lua: Remove ETAG, Content-Length, and Content-MD5 when a LuaOutputFilter is configured without mod_filter. [Eric Covener] Note: Not present in 2.4.7 CHANGES *) mod_lua: Register LuaOutputFilter scripts as changing the content and content-length by default, when run my mod_filter. Previously, growing or shrinking a response that started with Content-Length set would require mod_filter and FilterProtocol change=yes. [Eric Covener] Note: Not present in 2.4.7 CHANGES *) mod_lua: Return a 500 error if a LuaHook* script doesn't return a numeric return code. [Eric Covener] Note: Not present in 2.4.7 CHANGES END