-*- coding: utf-8 -*-
Changes with Apache 2.0.55 since 2.0.54 (APR 0.9.7 changes below)
*) SECURITY: CAN-2005-2700 (cve.mitre.org)
mod_ssl: Fix a security issue where "SSLVerifyClient" was not
enforced in per-location context if "SSLVerifyClient optional"
was configured in the vhost configuration. [Joe Orton]
*) worker MPM: Fix a memory leak which can occur after an aborted
connection in some limited circumstances. [Greg Ames]
*) mod_ldap: Fix PR 36563. Keep track of the number of attributes
retrieved from LDAP so that all of the values can be properly
cached even if the value is NULL.
[Brad Nicholes, Ondrej Sury <ondrej sury.org>]
*) SECURITY: CAN-2005-2491 (cve.mitre.org):
Fix integer overflows in PCRE in quantifier parsing which could
be triggered by a local user through use of a carefully-crafted
regex in an .htaccess file. [Philip Hazel]
*) SECURITY: CAN-2005-2088 (cve.mitre.org)
proxy: Correctly handle the Transfer-Encoding and Content-Length
headers. Discard the request Content-Length whenever T-E: chunked
is used, always passing one of either C-L or T-E: chunked whenever
the request includes a request body. Resolves an entire class of
proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]
*) Added TraceEnable [on|off|extended] per-server directive to alter
the behavior of the TRACE method. This addresses a flaw in proxy
conformance to RFC 2616 - previously the proxy server would accept
a TRACE request body although the RFC prohibited it. The default
remains 'TraceEnable on'. [William Rowe]
*) Add ap_log_cerror() for logging messages associated with particular
client connections. [Jeff Trawick]
*) Correct mod_cgid's argv[0] so that the full path can be delved by the
invoked cgi application, to conform to the behavior of mod_cgi.
[Pradeep Kumar S <pradeep.smani gmail.com>]
*) mod_include: Fix possible environment variable corruption when
using nested includes. PR 12655. [Joe Orton]
*) Support the suppress-error-charset setting, as with Apache 1.3.x.
PR 31274. [Jeff Trawick]
*) EBCDIC: Handle chunked input from client or, with proxy, origin
server. [Jeff Trawick]
*) Fix bad globbing comparison which could result in getting
a directory listing when a file was requested. PR 34512.
[sean <infamous41md hotmail.com>]
*) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker()
was called even if mod_auth_ldap_check_user_id() was not
(or if it didn't succeed) for non-authoritative cases.
[Jim Jagielski]
*) SECURITY: CAN-2005-2728 (cve.mitre.org)
Fix cases where the byterange filter would buffer responses
into memory. PR 29962. [Joe Orton]
*) mod_proxy: Fix over-eager handling of '%' for reverse proxies.
PR 15207. [Jim Jagielski]
*) mod_ldap: Fix various shared memory cache handling bugs.
PR 34209. [Joe Orton]
*) Fix a file descriptor leak when starting piped loggers. PR 33748.
[Joe Orton]
*) mod_ldap: Avoid segfaults when opening connections if using a version
of OpenLDAP older than 2.2.21. PR 34618. [Brad Nicholes]
*) mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe]
*) SECURITY: CAN-2005-2088 (cve.mitre.org)
core: If a request contains both Transfer-Encoding and Content-Length
headers, remove the Content-Length, mitigating some HTTP Request
Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
*) proxy HTTP: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection, mitigating some HTTP Response Splitting attacks.
[Jeff Trawick]
*) Prevent hangs of child processes when writing to piped loggers at
the time of graceful restart. PR 26467. [Jeff Trawick]
*) SECURITY: CAN-2005-1268 (cve.mitre.org)
mod_ssl: Fix off-by-one overflow whilst printing CRL information
at "LogLevel debug" which could be triggered if configured
to use a "malicious" CRL. PR 35081. [Marc Stern <mstern csc.com>]
*) mod_userdir: Fix possible memory corruption issue. PR 34588.
[David Leonard <dleonard vintela.com>]
*) worker mpm: don't take down the whole server for a transient
thread creation failure. PR 34514 [Greg Ames]
*) mod_rewrite: use buffered I/O to improve performance with large
RewriteMap txt: files. [Greg Ames]
*) proxy HTTP: Rework the handling of request bodies to handle
chunked input and input filters which modify content length, and
avoid spooling arbitrary-sized request bodies in memory.
PR 15859. [Jeff Trawick]
Changes with APR 0.9.7 since APR 0.9.6
*) Fix crash in apr_dir_make_recursive() for relative path
when the working directory has been deleted. [Joe Orton]
*) Win32: fix apr_proc_mutex_trylock() to handle WAIT_TIMEOUT,
returning APR_EBUSY. [Ronen Mizrahi <ronen@tversity.com>]
*) Fix apr_file_read() to catch write failures when flushing pending
writes for a buffered file. [Joe Orton]
*) Fix apr_file_write() infinite loop on write failure for buffered
files. [Erik Huelsmann <ehuels gmail.com>]
*) Fix error handling where apr_uid_* and apr_gid_* could segfault
or return APR_SUCCESS in failure cases. PR 34053. [Joe Orton,
Paul Querna]
*) Refactor Win32 condition variables code to address bugs 27654, 34336.
[Henry Jen <henryjen ztune.net>, E Holyat <eholyat yahoo.com>]
*) Support APR_SO_SNDBUF and APR_SO_RCVBUF on Windows. PR 32177.
[Sim <sgobbi datamanagement.it>, Jeff Trawick]
*) Fix detection of rwlocks on Mac OS X. [Aaron Bannert]
*) Fix issue with poll() followed by net I/O yielding EAGAIN on
Mac OS 10.4 (Darwin 8). [Wilfredo Sanchez]
Changes with APR-util 0.9.7 since APR-util 0.9.6
*) Fix apr_rmm_realloc() offset calculation bug. [Keith Kelleman
<keith.kelleman oracle.com>]
*) Fix handling of a premature EOF with the FILE bucket; a new bucket
is not inserted for each attempt to read past EOF. PR 34708.
[Jeff Trawick, Joe Orton]
*) Fix build failure with non-threaded APR on AIX. PR 34655.
[Ryan Murray <rmurray+apache cyberhqz.com>]
*) Backport the apr_reslist_timeout_set and apr_reslist_invalidate
functions already in APR 1.0.x. [Paul Querna]
*) Fix linking problem on cygwin. [Max Bowsher <maxb ukf.net>]
Changes with APR-iconv 0.9.7 since APR-iconv 0.9.6
*) Fixed build .rc version resource for Win32. [Will Rowe]
www.fiveanddime.net
