Changes with Apache 2.2.22
- SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations. [Joe Orton]
- SECURITY: CVE-2011-3607 (cve.mitre.org)
Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
is enabled, could allow local users to gain privileges via a .htaccess
file. [Stefan Fritsch, Greg Ames]
- SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
[Joe Orton]
- SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17. PR 52256.
[Rainer Canavan (rainer-apache 7val com)]
- SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix a scoreboard issue which could allow an unprivileged child process
to cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]
- SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]
- mod_proxy_ajp: Try to prevent a single long request from marking a worker
in error. [Jean-Frederic Clere]
- config: Update the default mod_ssl configuration: Disable SSLv2, only
allow >= 128bit ciphers, add commented example for speed optimized cipher
list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]
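As an illustration of the default-configuration change described in this entry (added here; it is not a copy of the shipped ssl.conf, and the exact directive values are my own reading of the entry), the earlier weak settings beside the tightened ones:

```apacheconf
# --- Before: representative of the earlier default ssl.conf ---
# SSLv2 still negotiable; cipher list admits LOW, export and eNULL-capable suites
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Legacy workaround applied to every MSIE version
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

# --- After: the hardened defaults this entry describes ---
# Disable SSLv2 outright
SSLProtocol all -SSLv2
# Only HIGH (> 128-bit) and MEDIUM (128-bit) suites; no anonymous DH, no MD5 MACs
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Speed-optimized list, shipped commented out: cheaper suites first, server order wins
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
# Apply the legacy workaround only to MSIE 2 through 5
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
```

To confirm the cipher string admits nothing below 128 bits on your OpenSSL build, run `openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!MD5'` and inspect the key-size column.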
- core: Fix segfault in ap_send_interim_response(). PR 52315.
[Stefan Fritsch]
- mod_log_config: Prevent segfault. PR 50861. [Torsten Foertsch (torsten.foertsch gmx.net)]
- mod_win32: Invert logic for env var UTF-8 fixing.
Now we exclude a list of vars which we know for sure don't hold UTF-8
chars; all other vars will be fixed. This has the benefit that now also
all vars from 3rd-party modules will be fixed. PR 13029 / 34985.
[Guenter Knauf]
- core: Fix hook sorting for Perl modules, a regression introduced in
2.2.21. PR 45076. [Torsten Foertsch (torsten foertsch gmx net)]
- Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
A range of '0-' will now return 206 instead of 200. PR 51878.
[Jim Jagielski]
- Example configuration: Fix entry for MaxRanges (use "unlimited" instead
of "0"). [Rainer Jung]
- mod_substitute: Fix buffer overrun. [Ruediger Pluem, Rainer Jung]
Changes with Apache 2.2.21
- SECURITY: CVE-2011-3348 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized. [Jean-Frederic Clere]
- Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20. PR 51748. [<lowprio20 gmail.com>]
- mod_filter: Instead of dropping the Accept-Ranges header when a filter registered with AP_FILTER_PROTO_NO_BYTERANGE is present, set the header value to "none". [Eric Covener, Ruediger Pluem]
- mod_proxy_ajp: Ignore flushing if headers have not been sent. PR 51608 [Ruediger Pluem]
- mod_dav_fs: Fix segfault if apr DBM driver cannot be loaded. PR 51751. [Stefan Fritsch]
- mod_alias: Adjust log severity of "incomplete redirection target" message. PR 44020.
- mod_rewrite: Check validity of each internal (int:) RewriteMap even if the RewriteEngine is disabled in server context, avoiding a crash while referencing the invalid int: map at runtime. PR 50994. [Ben Noordhuis <info noordhuis nl>]
- core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none' in the case Ranges are being ignored with MaxRanges none. [Eric Covener]
- mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets. [Rainer Jung]
Changes with Apache 2.2.20
- SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file. PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
- mod_authnz_ldap: If the LDAP server returns constraint violation, don't treat this as an error but as "auth denied". [Stefan Fritsch]
- mod_filter: Fix FilterProvider conditions of type "resp=" (response headers) for CGI. [Joe Orton, Rainer Jung]
- mod_reqtimeout: Fix a timed out connection going into the keep-alive state after a timeout when discarding a request body. PR 51103. [Stefan Fritsch]
- core: Do the hook sorting earlier so that the hooks are properly sorted for the pre_config hook and during parsing the config. [Stefan Fritsch]
Changes with Apache 2.2.19
- Revert ABI breakage in 2.2.18 caused by the function signature change of ap_unescape_url_keep2f(). This release restores the signature from 2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex(). [Eric Covener]
Changes with Apache 2.2.18 May 11, 2011
- Log an error for failures to read a chunk-size, and return 408 instead of 413 when this is due to a read timeout. This change also fixes some cases of two error documents being sent in the response for the same scenario.
PR 49167. [Eric Covener]
- core: Only log a 408 if it is not a keepalive timeout.
PR 39785 [Ruediger Pluem, Mark Montague]
- core: Treat timeout reading request as 408 error, not 400. Log 408 errors in access log as was done in Apache 1.3.x.
PR 39785 [Nobutaka Mantani, Stefan Fritsch, Dan Poirier]
- Core HTTP: disable keepalive when the Client has sent Expect: 100-continue but we respond directly with a non-100 response. Keepalive here led to data from clients continuing being treated as a new request.
PR 47087. [Nick Kew]
- htpasswd: Change the default algorithm for htpasswd to MD5 on all platforms. Crypt with its 8 character limit is not useful anymore; improve out of disk space handling (PR 30877); print a warning if a password is truncated by crypt.
[Stefan Fritsch]
- mod_win32: Added shebang check for '! so that .vbs scripts work as CGI. Win32's cscript interpreter can only use a single quote as comment char.
[Guenter Knauf]
- configure: Fix htpasswd/htdbm libcrypt link errors with some newer linkers.
[Stefan Fritsch]
- MinGW build improvements.
PR 49535. [John Vandenberg, Jeff Trawick]
- mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
[Stefan Fritsch]
- core: AllowEncodedSlashes new option NoDecode to allow encoded slashes in request URL path info but not decode them.
PR 35256, PR 46830. [Dan Poirier]
- mod_rewrite: Allow unsetting environment variables.
PR 50746. [Rainer Jung]
- suEXEC: Add Suexec directive to disable suEXEC without renaming the binary (Suexec Off), or force startup failure if suEXEC is required but not supported (Suexec On).
[Jeff Trawick]
- mod_proxy: Put the worker in error state if the SSL handshake with the backend fails.
PR 50332. [Daniel Ruggeri, Ruediger Pluem]
- prefork: Update MPM state in children during a graceful restart. Allow the HTTP connection handling loop to terminate early during a graceful restart.
PR 41743. [Andrew Punch]
- mod_ssl: Correctly read full lines in input filter when the line is incomplete during first read.
PR 50481. [Ruediger Pluem]
- mod_autoindex: Merge IndexOptions from server to directory context when the directory has no mod_autoindex directives.
PR 47766. [Eric Covener]
- mod_cache: Make sure that we never allow a 304 Not Modified response that we asked for to leak to the client should the 304 response be uncacheable.
PR 45341 [Graham Leggett]
- mod_dav: Send 400 error if a malformed Content-Range header is received for a PUT request (RFC 2616 14.16).
PR 49825. [Stefan Fritsch]
- mod_userdir: Add merging of enable, disable, and filename arguments to UserDir directive, leaving enable/disable of userlists unmerged.
PR 44076 [Eric Covener]
- core: Honor 'AcceptPathInfo OFF' during internal redirects, such as per-directory mod_rewrite substitutions.
PR 50349. [Eric Covener]
- mod_cache: Check the request to determine whether we are allowed to return cached content at all, and respect a "Cache-Control: no-cache" header from a client. Previously, "no-cache" would behave like "max-age=0".
[Graham Leggett]
- mod_mem_cache: Add a debug msg when a streaming response exceeds MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary 'memory allocation failed' debug message.
PR 49604. [Eric Covener]
- proxy_connect: Don't give up in the middle of a CONNECT tunnel when the child process is starting to exit.
PR 50220. [Eric Covener]
Changes with Apache 2.2.17 October 18, 2010
- SECURITY: CVE-2010-1623 (cve.mitre.org) [apr-util 1.3.10]
Fix a denial of service attack against apr_brigade_split_line(). [Stefan Fritsch]
- SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org) [apr-util 1.3.10]
Fix two buffer over-read flaws in the bundled copy of expat which could cause applications to crash while parsing specially-crafted XML documents. [Joe Orton]
- prefork MPM: Run cleanups for final request when process exits gracefully to work around a flaw in apr-util. PR 43857. [Tom Donovan]
- mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend connections and other protocol handlers (like mod_ftp). Enforce the timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering close time from 30 to 2 seconds. [Stefan Fritsch]
- Proxy balancer: support setting error status according to HTTP response code from a backend. PR 48939. [Daniel Ruggeri]
- mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the password to UTF-8. PR 45318. [Johannes Müller, Stefan Fritsch]
- core: check symlink ownership if both FollowSymlinks and SymlinksIfOwnerMatch are set [Nick Kew]
- core: fix origin checking in SymlinksIfOwnerMatch. PR 36783 [Robert L Mathews]
- mod_headers: Enable multi-match-and-replace edit option. PR 46594 [Nick Kew]
- mod_log_config: Make ${cookie}C correctly match whole cookie names instead of substrings. PR 28037. [Dan Franklin, Stefan Fritsch]
- mod_dir, mod_negotiation: Pass the output filter information to newly created sub requests, as these are later on used as true requests with an internal redirect. This allows mod_cache et al. to trap the results of the redirect.
PR 17629, 43939 [Dirk-Willem van Gulik, Jim Jagielski, Joe Orton, Ruediger Pluem]
- rotatelogs: Fix possible buffer overflow if the admin configures an extremely long log file path. [Jeff Trawick]
- mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]
- vhost: A purely-numeric Host: header should not be treated as a port. PR 44979 [Nick Kew]
- core: (re)-introduce -T commandline option to suppress documentroot check at startup.
PR 41887 [Jan van den Berg]
Changes with Apache 2.2.16 July 25, 2010
- SECURITY: CVE-2010-1452 (cve.mitre.org) mod_dav, mod_cache: Fix handling of requests without a path segment. PR 49246 [Mark Drayton, Jeff Trawick]
- SECURITY: CVE-2010-2068 (cve.mitre.org) mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection for platforms Windows, Netware and OS2. PR 49417. [Rainer Jung]
- core: Filter init functions are now run strictly once per request before handler invocation. The init functions are no longer run for connection filters. PR 49328. [Joe Orton]
- mod_filter: enable it to act on non-200 responses. PR 48377 [Nick Kew]
- mod_ldap: LDAP caching was suppressed (and ldap-status handler returns title page only) when any mod_ldap directives were used in VirtualHost context. [Eric Covener]
- mod_ssl: Fix segfault at startup if proxy client certs are shared across multiple vhosts. PR 39915. [Joe Orton]
- mod_proxy_http: Log the port of the remote server in various messages. PR 48812. [Igor Galić]
- apxs: Fix -A and -a options to ignore whitespace in httpd.conf [Philip M. Gollucci]
- mod_dir: add FallbackResource directive, to enable admin to specify an action to happen when a URL maps to no file, without resorting to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew]
- mod_rewrite: Allow setting environment variables without explicitly giving a value. [Rainer Jung]
Changes with Apache 2.2.15 March 5, 2010
- SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746. [Joe Orton, and with thanks to the OpenSSL Team]
- SECURITY: CVE-2010-0408 (cve.mitre.org) mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent when request headers indicate a request body is incoming; not a case of HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola]
- SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [Brett Gervasoni, Jeff Trawick]
- Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Eliminates a problematic optimization in the case of no request body. PR 48359 [Jake Scott, William Rowe, Ruediger Pluem]
- mod_reqtimeout: New module to set timeouts and minimum data rates for receiving requests from the client. [Stefan Fritsch]
- mod_proxy_ajp: Really regard the operation a success, when the client aborted the connection. In addition adjust the log message if the client aborted the connection. [Ruediger Pluem]
- mod_negotiation: Preserve query string over multiviews negotiation. This buglet was fixed for type maps in 2.2.6, but the same issue affected multiviews and was overlooked. PR 33112 [Joergen Thomsen]
- mod_cache: Introduce the thundering herd lock, a mechanism to keep the flood of requests at bay that strike a backend webserver as a cached entity goes stale. [Graham Leggett]
- mod_proxy_http: Make sure that when an ErrorDocument is served from a reverse proxied URL, that the subrequest respects the status of the original request. This brings the behaviour of proxy_handler in line with default_handler. PR 47106. [Graham Leggett]
- mod_log_config: Add the R option to log the handler used within the request. [Christian Folini]
- mod_include: Allow fine control over the removal of Last-Modified and ETag headers within the INCLUDES filter, making it possible to cache responses if desired. Fix the default value of the SSIAccessEnable directive. [Graham Leggett]
- mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which allows insecure renegotiation with clients which do not yet support the secure renegotiation protocol. [Joe Orton]
- mod_ssl: Fix a potential I/O hang if a long list of trusted CAs is configured for client cert auth. PR 46952. [Joe Orton]
- core: Fix potential memory leaks by making sure to not destroy bucket brigades that have been created by earlier filters. [Stefan Fritsch]
- mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to try other providers in the case of an LDAP bind failure. PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]
- mod_proxy, mod_proxy_http: Support remote https proxies by using HTTP CONNECT. PR 19188. [Philippe Dutrueux, Rainer Jung]
- worker: Don't report server has reached MaxClients until it has. Add message when server gets within MinSpareThreads of MaxClients. PR 46996. [Dan Poirier]
- mod_ssl: When extracting certificate subject/issuer names to the SSL_*_DN_* variables, handle RDNs with duplicate tags by exporting multiple variables with an "_n" integer suffix. PR 45875. [Joe Orton, Peter Sylvester]
- mod_authnz_ldap: Failures to map a username to a DN, or to check a user password now result in an informational level log entry instead of warning level. [Eric Covener]
- core: Preserve Port information over internal redirects. PR 35999 [Jonas Ringh]
- mod_filter: fix FilterProvider matching where "dispatch" string doesn't exist. PR 48054 []
- Build: fix --with-module to work as documented. PR 43881 [Gez Saunders]
- mod_mime: Make RemoveType override the info from TypesConfig. PR 38330. [Stefan Fritsch]
- mod_proxy: Failure to connect to a backend now yields SERVICE_UNAVAILABLE, rather than BAD_GATEWAY or (especially) NOT_FOUND. PR 46971 [evanc nortel.com]
- mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'. [Eric Covener]
- mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge some cache entries and log a warning. Also increase the default LDAPSharedCacheSize to 500000. This is a more realistic size suitable for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries. PR 46749. [Stefan Fritsch]
- mod_disk_cache, mod_mem_cache: don't cache incomplete responses, per RFC 2616, 13.8. PR 15866. [Dan Poirier]
- mod_rewrite: Make sure that a hostname:port isn't fully qualified if the request is a CONNECT request. PR 47928 [Bill Zajac]
- mod_cache: correctly consider s-maxage in cacheability decisions. [Dan Poirier]
- core: Return APR_EOF if request body is shorter than the length announced by the client. PR 33098 [Stefan Fritsch]
- mod_rewrite: Add scgi scheme detection. [André Malo]
- mod_mime: Detect invalid use of MultiviewsMatch inside Location and LocationMatch sections. PR 47754. [Dan Poirier]
- ab, mod_ssl: Restore compatibility with OpenSSL < 0.9.7g. [Guenter Knauf]
Changes with Apache 2.2.14 3 October, 2009
- SECURITY: CVE-2009-2699 (cve.mitre.org) Fixed in APR 1.3.9. Faulty error handling in the Solaris pollset support (Event Port backend) which could trigger hangs in the prefork and event MPMs on that platform. PR 47645. [Jeff Trawick]
- SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials. [Stefan Fritsch, Joe Orton]
- SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch, Joe Orton]
- mod_proxy_scgi: Backport from trunk. [André Malo]
- mod_ldap: Don't try to resolve file-based user ids to a DN when AuthLDAPURL has been defined at a very high level. PR 45946. [Eric Covener]
- htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]
- mod_ldap: Bring the LDAPCacheEntries and LDAPOpCacheEntries usage() in sync with the manual and the implementation (0 and -1 both disable the cache). [Eric Covener]
- mod_ssl: The error message when SSLCertificateFile is missing should at least give the name or position of the problematic virtual host definition. [Stefan Fritsch sf sfritsch.de]
- htdbm: Fix possible buffer overflow if dbm database has very long values. PR 30586 [Dan Poirier]
- Add support for HTTP PUT to ab. [Jeff Barnes]
- mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute type. PR 45107. [Michael Ströder, Peter Sylvester]
- mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore defined session identifiers encoded in the URL when caching. [Ruediger Pluem]
- mod_mem_cache: fix segfault under load due to pool concurrency problem. PR 47672 [Dan Poirier]
- mod_autoindex: Correctly create an empty cell if the description for a file is missing. PR 47682 [Peter Poeml]
Changes with Apache 2.2.13 8 August, 2009
- SECURITY: CVE-2009-2412 (cve.mitre.org) Distributed with APR 1.3.8 and APR-util 1.3.9 to fix potential overflow in pools and rmm, where size alignment was taking place. [Matt Lewis, Sander Striker]
- mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas. Report warnings compiling mod_ssl against OpenSSL to the httpd developers. [Guenter Knauf]
- mod_cgid: Do not add an empty argument when calling the CGI script. PR 46380 [Ruediger Pluem]
- Fix potential segfaults with use of the legacy ap_rputs() etc interfaces, in cases where an output filter fails. PR 36780. [Joe Orton]
Changes with Apache 2.2.12 27 July, 2009
- SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. PR 39605. [Joe Orton, Ruediger Pluem]
- SECURITY: CVE-2009-1195 (cve.mitre.org) Prevent the "Includes" Option from being enabled in an .htaccess file if the AllowOverride restrictions do not permit it. [Jonathan Peatfield, Joe Orton, Ruediger Pluem, Jeff Trawick]
- SECURITY: CVE-2009-1890 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_proxy in a reverse proxy configuration, where a remote attacker can force a proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
- SECURITY: CVE-2009-1191 (cve.mitre.org) mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body. PR 46949 [Ruediger Pluem]
- SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org) The bundled copy of the APR-util library has been updated, fixing three different security issues which may affect particular configurations and third-party modules.
- mod_include: fix potential segfault when handling back references on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
- mod_alias: check sanity in Redirect arguments. PR 44729 [Sönke Tesch, Jim Jagielski]
- mod_proxy_http: fix Host: header for literal IPv6 addresses. PR 47177 [Carlos Garcia Braschi]
- mod_rewrite: Remove locking for writing to the rewritelog. PR 46942
- mod_alias: Ensure Redirect emits HTTP-compliant URLs. PR 44020
- mod_proxy_http: fix case sensitivity checking transfer encoding. PR 47383 [Ryuzo Yamamoto]
- mod_rewrite: Fix the error string returned by RewriteRule. RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd argument of RewriteRule was not started with "[" or not ended with "]". PR 45082 [Vitaly Polonetsky]
- mod_proxy: Complete ProxyPassReverse to handle balancer URLs. Given:
BalancerMember balancer://alias http://example.com/foo
ProxyPassReverse /bash balancer://alias/bar
the backend URL http://example.com/foo/bar/that is now translated to /bash/that. [William Rowe]
- New piped log syntax: Use "||process args" to launch the given process without invoking the shell/command interpreter. Use "|$command line" (the default behavior of "|command line" in 2.2) to invoke using shell, consuming an additional shell process for the lifetime of the logging pipe program but granting additional process invocation flexibility. [William Rowe]
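The two spawn modes side by side, as an added example (not from the page or the httpd distribution; the rotatelogs paths and log directory are constructed placeholders):

```apacheconf
# Constructed example paths; adjust to your installation.

# "||": httpd executes rotatelogs directly. No /bin/sh sits between httpd and
# the log program, the argument string is split by httpd rather than parsed by
# a shell, and no shell process stays alive for the life of the log pipe.
CustomLog "||/usr/local/apache2/bin/rotatelogs /var/log/httpd/access_log.%Y%m%d 86400" combined

# "|$": explicitly request the shell (what plain "|" already does in 2.2).
# Needed only when the command line itself relies on shell features such as
# the stderr redirection below, at the cost of an extra shell process per pipe.
CustomLog "|$/usr/local/apache2/bin/rotatelogs /var/log/httpd/access_log.%Y%m%d 86400 2>>/var/log/httpd/rotatelogs.err" combined
```

After a restart, the process tree (for example `ps -ef --forest`) shows rotatelogs as a direct child of httpd for the "||" form and a shell in between for the "|$" form.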
- mod_ssl: Add server name indication support (RFC 4366) and better support for name based virtual hosts with SSL. PR 34607 [Peter Sylvester, Kaspar Brand, Guenter Knauf, Joe Orton, Ruediger Pluem]
- mod_negotiation: Escape paths of filenames in 406 responses to avoid HTML injections and HTTP response splitting. PR 46837. [Geoff Keating]
- mod_include: Prevent a case of SSI timefmt-smashing with filter chains including multiple INCLUDES filters. PR 39369 [Joe Orton]
- mod_rewrite: When evaluating a proxy rule in directory context, do escape the filename by default. PR 46428 [Joe Orton]
- mod_proxy_ajp: Check more strictly that the backend follows the AJP protocol. [Mladen Turk]
- mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable stricter checking of remote server certificates. [Ruediger Pluem]
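A reverse proxy that turns on the stricter backend certificate checks these directives provide, as an added illustration (not from the page or the httpd distribution; the backend hostname and CA bundle path are placeholders):

```apacheconf
# Constructed example; backend.example.internal and the CA path are placeholders.
SSLProxyEngine on

# Require a certificate from the backend that chains to a CA we trust;
# without "require", a backend presenting any (or no) certificate is accepted.
SSLProxyVerify require
SSLProxyCACertificateFile /etc/httpd/ssl/backend-ca.crt

# Refuse the backend if its certificate has expired or is not yet valid.
SSLProxyCheckPeerExpire on

# Refuse the backend if the certificate CN does not match the proxied hostname,
# so a valid certificate for some other host cannot stand in for the backend.
SSLProxyCheckPeerCN on

ProxyPass        /app/ https://backend.example.internal/app/
ProxyPassReverse /app/ https://backend.example.internal/app/
```

A backend failing either check is logged in the error log at startup of the connection and the client receives a 502/503 rather than content from an unverified peer.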
- mod_substitute: Fix a memory leak. PR 44948 [Dan Poirier]
- mod_proxy_ajp: Forward remote port information by default. [Rainer Jung]
- mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders directive to correctly remove headers before storing them. [Lars Eilebrecht]
- mod_deflate: revert changes in 2.2.8 that caused an invalid etag to be emitted for on-the-fly gzip content-encoding. PR 39727 will require larger fixes and this fix was far more harmful than the original code. PR 45023. [Roy T. Fielding]
- mod_disk_cache: The module now turns off sendfile support if 'EnableSendfile off' is defined globally. PR 41218. [Lars Eilebrecht, Issac Goldstand]
- prefork: Fix child process hang during graceful restart/stop in configurations with multiple listening sockets. PR 42829. [Joe Orton, Jeff Trawick]
- mod_ssl: Add SSLRenegBufferSize directive to allow changing the size of the buffer used for the request-body where necessary during a per-dir renegotiation. PR 39243. [Joe Orton]
- mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome way that per-directory rewrites append the previous notion of PATH_INFO to each substitution before evaluating subsequent rules. PR 38642 [Eric Covener]
- mod_authnz_ldap: Reduce number of initialization debug messages and make information more clear. PR 46342 [Dan Poirier]
- mod_cache: Introduce 'no-cache' per-request environment variable to prevent the saving of an otherwise cacheable response. [Eric Covener]
- core: Translate the status line to ASCII on EBCDIC platforms in ap_send_interim_response() and for locally generated "100 Continue" responses. [Eric Covener]
- CGI: return 504 (Gateway timeout) rather than 500 when a script times out before returning status line/headers. PR 42190 [Nick Kew]
- prefork: Log an error instead of segfaulting when child startup fails due to pollset creation failures. PR 46467. [Jeff Trawick]
- mod_ext_filter: fix error handling when the filter prog fails to start, and introduce an onfail configuration option to abort the request or to remove the broken filter and continue. PR 41120 [Nick Kew]
- mod_include: support generating non-ASCII characters as entities in SSI PR 25202 [Nick Kew]
- core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars [Nick Kew]
- mod_rewrite: fix "B" flag breakage by reverting r589343. PR 45529 [Bob Ionescu]
- mod_cgid: fix segfault problem on Solaris. PR 39332 [Masaoki Kobayashi, Jeff Trawick]
- mod_ldap: Avoid a segfault when result->rc is checked in uldap_connection_init when result is NULL. This could happen if LDAP initialization failed. PR 45994. [Dan Poirier]
- Set Listen protocol to "https" if port is set to 443 and no proto is specified (as documented but not implemented). PR 46066 [Dan Poirier]
- mod_cache: Correctly save Content-Encoding of cachable entity. PR 46401 [Dan Poirier]
- Output -M and -S dumps (modules and vhosts) to stdout instead of stderr. PR 42571 and PR 44266 (dup). [Dan Poirier]
- mod_cache: When an explicit Expires or Cache-Control header is set, cache normally non-cacheable response statuses. PR 46346. [Alex Polvi]
Changes with Apache 2.2.11
- core: When the ap_http_header_filter processes an error bucket, clean up the passed brigade before returning AP_FILTER_ERROR down the filter chain. This unambiguously ensures the same error bucket isn't revisited. [Ruediger Pluem]
- core: Error responses set by filters were being coerced into 500 errors, sometimes appended to the original error response. Log entry of: 'Handler for (null) returned invalid result code -3' [Eric Covener]
- configure: Don't reject libtool 2.x. PR 44817 [Arfrever Frehtes Taifersar Arahesis]
- mod_autoindex: add configuration option to insert string in HTML HEAD (IndexHeadInsert). [Nick Kew]
- Add new LogFormat parameter, %k, which logs the number of keepalive requests on this connection for this request. PR 45762 [Dan Poirier, Jim Jagielski]
- Export and install the mod_rewrite.h header to ensure the optional rewrite_mapfunc_t and ap_register_rewrite_mapfunc functions are available to third party modules. [Graham Leggett]
- mod_cache: Convert age of cached object to seconds before comparing it to age supplied by the request when checking whether to send a Warning header for a stale response. PR 39713. [Owen Taylor]
- Build: Correctly set SSL_LIBS during openssl detection if pkgconfig is not available. PR 46018 [Ruediger Pluem]
- mod_proxy_ajp: Do not fail if response data is sent before all request data is read. PR 45911 [Ruediger Pluem]
- mod_proxy_balancer: Add in forced recovery for balancer members if all are in error state. [Mladen Turk]
- mod_proxy: Prevent segmentation faults by correctly adjusting the lifetime of the buckets read from the proxy backend. PR 45792 [Ruediger Pluem]
- mod_expires: Do not set a negative max-age or an Expires header in the past. PR 39774 [Jim Jagielski]
- mod_info: Was displaying the wrong value for the KeepAliveTimeout value. [Jim Jagielski]
- mod_proxy_ajp: Fix wrongly formatted requests where the client sets a Content-Length header but doesn't provide a body. The servlet container always expects that the next packet is a body whenever C-L is present in the headers, which can lead to wrong interpretation of the packets. In this case send an empty body packet, so the container can deal with it. [Mladen Turk]
- core: Add ap_timeout_parameter_parse to public API. [Ruediger Pluem]
- mod_proxy: Add the possibility to set the worker parameters connectiontimeout and ping in milliseconds. [Ruediger Pluem]
- Worker MPM: Cross-check that idle workers are still available before using them, thus preventing an overflow of the worker queue which causes a segfault. PR 45605 [Denis Ustimenko]
- Windows: Always build the odbc dbd driver on windows, to be consistent with the apr-util default. [Tom Donovan]