Written by Gregg
Changes with Apache 2.4.2 April 17, 2012
- SECURITY: CVE-2012-0883 (cve.mitre.org) envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the current working directory being searched for DSOs. [Stefan Fritsch]
- mod_slotmem_shm: Honor DefaultRuntimeDir [Jim Jagielski]
- mod_ssl: Fix crash with threaded MPMs due to race condition when initializing EC temporary keys. [Stefan Fritsch]
- mod_proxy: Add the forcerecovery balancer parameter that determines if recovery for balancer workers is enforced. [Ruediger Pluem]
- Fix MPM DSO load failure on AIX. [Jeff Trawick]
- mod_proxy: Correctly set up reverse proxy worker. PR 52935. [Petter Berntsen <petterb gmail.com>]
- mod_sed: Don't define PATH_MAX to a potentially undefined value, causing compile problems on GNU hurd. [Stefan Fritsch]
- core: Add ap_runtime_dir_relative() and DefaultRuntimeDir. [Jeff Trawick]
- core: Fix breakage of Listen directives with MPMs that use a per-directory config. PR 52904. [Stefan Fritsch]
- core: Disallow directives in AllowOverrideList which are only allowed in VirtualHost or server context. These are usually not prepared to be called in .htaccess files. [Stefan Fritsch]
- core: In AllowOverrideList, do not allow 'None' together with other directives. PR 52823. [Stefan Fritsch]
- mod_slotmem_shm: Support DEFAULT_REL_RUNTIMEDIR for file-based shm. [Jim Jagielski]
- core: Fix merging of AllowOverrideList and ContentDigest. [Stefan Fritsch]
- mod_request: Fix validation of the KeptBodySize argument so it doesn't always throw a configuration error. PR 52981 [Eric Covener]
- core: Add filesystem paths to access denied / access failed messages AH00035 and AH00036. [Eric Covener]
- mod_dumpio: Properly handle errors from subsequent input filters. PR 52914. [Stefan Fritsch]
- Unix MPMs: Fix small memory leak in parent process if connect() failed when waking up children. [Joe Orton]
- "DirectoryIndex disabled" now undoes DirectoryIndex settings in the current configuration section, not just previous config sections. PR 52845. [Eric Covener]
- mod_xml2enc: Fix broken handling of EOS buckets which could lead to response headers not being sent. PR 52766. [Stefan Fritsch]
- mod_ssl: Properly free the GENERAL_NAMEs. PR 32652. [Kaspar Brand]
- core: Check during config test that directories for the access logs actually exist. PR 29941. [Stefan Fritsch]
- mod_xml2enc, mod_proxy_html: Enable per-module loglevels. [Stefan Fritsch]
- mod_filter: Fix segfault with AddOutputFilterByType. PR 52755. [Stefan Fritsch]
- mod_session: Sessions are encoded as application/x-www-form-urlencoded strings, however we do not handle the encoding of spaces properly. Fixed. [Graham Leggett]
- Configuration: Example in comment should use a path consistent with the default configuration. PR 52715. [Rich Bowen, Jens Schleusener, Rainer Jung]
- Configuration: Switch documentation links from trunk to 2.4. [Rainer Jung]
- configure: Fix out of tree build using apr and apr-util in srclib. [Rainer Jung]
Changes with Apache 2.4.1 February 17, 2012
- SECURITY: CVE-2012-0053 (cve.mitre.org) Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400. [Eric Covener]
- mod_proxy_balancer: Fix crash on Windows. PR 52402 [Mladen Turk]
- core: Check during configtest that the directories for error logs exist. PR 29941 [Stefan Fritsch]
- Core configuration: add AllowOverride option to treat syntax errors in .htaccess as non-fatal. PR 52439 [Nick Kew, Jim Jagielski]
- core: Fix memory consumption in core output filter with streaming bucket types like CGI or PIPE. [Joe Orton, Stefan Fritsch]
- configure: Disable modules at configure time if a prerequisite module is not enabled. PR 52487. [Stefan Fritsch]
- Rewrite and proxy now decline what they don't support rather than fail the request. [Joe Orton]
- Fix building against external apr plus apr-util if apr is not installed in a system default path. [Rainer Jung]
- Doxygen fixes and improvements. [Joe Orton, Igor Galic]
- core: Fix building against PCRE 8.30 by switching from the obsolete pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]
Changes with Apache 2.4.0 Not Released
- SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process to cause the parent to crash at shutdown rather than terminate cleanly. [Joe Orton]
- mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch]
- mod_log_config: Fix segfault when trying to log a nameless, valueless cookie. PR 52256. [Rainer Canavan (rainer-apache 7val com)]
- mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive. [Kaspar Brand]
- mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1 or later, to improve binary compatibility with future OpenSSL releases. [Kaspar Brand]
- mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass, but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime behave identically in both cases. PR 52342. [Graham Leggett]
Below are changes only to Unix type systems
- Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with corresponding man pages. [Graham Leggett]
- Distinguish properly between the bindir and sbindir directories when installing binaries. Previously all binaries were silently installed to sbindir, whether they were system administration commands or not. [Graham Leggett]
Last Updated on Friday, 20 April 2012 10:19