Changes with Apache 2.0.65
*) SECURITY: CVE-2013-1862 (cve.mitre.org)
mod_rewrite: Ensure that client data written to the RewriteLog is
escaped to prevent terminal escape sequences from entering the
log file. [Eric Covener, Jeff Trawick, Joe Orton]
*) SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]
*) SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which could allow an unprivileged child process
to cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]
*) SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations. [Joe Orton]
*) SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Fix handling of byte-range requests to use less memory, to avoid
denial of service. If the sum of all ranges in a request is larger than
the original file, ignore the ranges and send the complete file.
bug#51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem,
Eric Covener, <lowprio20 gmail.com>]
*) SECURITY: CVE-2011-3607 (cve.mitre.org)
Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
is enabled, could allow local users to gain privileges via a .htaccess
file. [Stefan Fritsch, Greg Ames]
NOTE: it remains possible to exhaust all memory using a carefully
crafted .htaccess rule, which will not be addressed in 2.0; enabling
processing of .htaccess files authored by untrusted users is the root
of such security risks. Upgrade to httpd 2.2.25 or later to limit
this specific risk.
*) core: Add MaxRanges directive to control the number of ranges permitted
before returning the entire resource, with a default limit of 200.
[Eric Covener, Rainer Jung]
*) Set 'Accept-Ranges: none' in the case Ranges are being ignored with
MaxRanges none. [Eric Covener, Rainer Jung]
*) mod_rewrite: Allow merging RewriteBase down to subdirectories
if new option 'RewriteOptions MergeBase' is configured.
[Eric Covener]
*) mod_rewrite: Fix the RewriteEngine directive to work within a
location. Previously, once RewriteEngine was switched on globally,
it was impossible to switch off. [Graham Leggett]
*) mod_rewrite: Add "AllowAnyURI" option. bug#52774. [Joe Orton]
*) htdigest: Fix buffer overflow when reading digest password file
with very long lines. bug#54893. [Rainer Jung]
*) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
OpenSSL 0.9.7 flag which uses the server's cipher order rather
than the client's. bug#28665.
[Jim Schneider <jschneid netilla.com>]
*) mod_include: Prevent a case of SSI timefmt-smashing with filter chains
including multiple INCLUDES filters. bug#39369 [Joe Orton]
*) mod_rewrite: When evaluating a proxy rule in directory context, do
escape the filename by default. bug#46428 [Joe Orton]
*) Improve platform detection for bundled PCRE by updating config.guess
and config.sub. [Rainer Jung]
*) ssl-std.conf: Disable AECDH ciphers in example config. bug#51363.
[Rob Stradling <rob comodo com>]
*) ssl-std.conf: Change the SSLCipherSuite default to a shorter,
whitelist oriented definition. [Rainer Jung, Kaspar Brand]
*) ssl-std.conf: Only select old MSIE browsers for the downgrade
in http/https behavior. [Greg Stein, Stefan Fritsch]
261de71c06