bcb9c720c6
*) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers. Changes with Apache 2.2.30 (not released) *) SECURITY: CVE-2015-3183 (cve.mitre.org) core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. *) http: Fix LimitRequestBody checks when there is no more bytes to read. *) core: Allow spaces after chunk-size for compatibility with implementations using a pre-filled buffer. *) mod_ssl: bring SNI behavior into better conformance with RFC 6066: no longer send warning-level unrecognized_name(112) alerts. *) http: Make ap_die() robust against any HTTP error code and not modify response status (finally logged) when nothing is to be done. *) core, modules: Avoid error response/document handling by the core if some handler or input filter already did it while reading the request (causing a double response body). *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions 5+ instead of just for FreeBSD 5. *) mod_proxy: use the original (non absolute) form of the request-line's URI for requests embedded in CONNECT payloads used to connect SSL backends via a ProxyRemote forward-proxy. *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for internationalization. *) mod_log_config: Implement logging for sub second timestamps and request end time. *) mod_log_config: Ensure that time data is consistent if multiple duration patterns are used in combination, e.g. %D and %{ms}T. *) mod_log_config: Add "%{UNIT}T" format to output request duration in seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us"). *) In alignment with RFC 7525, the default recommended SSLCipherSuite and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the default recommended SSLProtocol and SSLProxyProtocol directives now exclude SSLv3. Existing configurations must be adjusted by the administrator. *) core: Avoid potential use of uninitialized (NULL) request data in request line error path. *) mod_proxy_http: Use the "Connection: close" header for requests to backends not recycling connections (disablereuse), including the default reverse and forward proxies. *) mod_proxy: Add ap_connection_reusable() for checking if a connection is reusable as of this point in processing. *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across graceful restarts, even if new workers are added, old ones removed, or the order changes. *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context. *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by allowing custom parameters to be configured via SSLCertificateFile, and by adding standardized DH parameters for 1024/2048/3072/4096 bits. Unless custom parameters are configured, the standardized parameters are applied based on the certificate's RSA/DSA key size. *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA keys, and unconditionally disable aNULL, eNULL and EXP ciphers (not overridable via SSLCipherSuite). *) mod_ssl: Add support for configuring persistent TLS session ticket encryption/decryption keys (useful for clustered environments). *) SSLProtocol and SSLCipherSuite recommendations in the example/default conf/extra/httpd-ssl.conf file are now global in scope, affecting all VirtualHosts (matching 2.4 default configuration). *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the selected DB engine. *) Turn static function get_server_name_for_url() into public ap_get_server_name_for_url() and use it where appropriate. This fixes mod_rewrite generating invalid URLs for redirects to IPv6 literal addresses. *) dav_validate_request: avoid validating locks and ETags when there are no If headers providing them on a resource we aren't modifying. *) mod_ssl: New directive SSLSessionTickets (On|Off). The directive controls the use of TLS session tickets (RFC 5077), default value is "On" (unchanged behavior). Session ticket creation uses a random key created during web server startup and recreated during restarts. No other key recreation mechanism is available currently. Therefore using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to compile against APR-1.2.x (minimum required version). *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts computed for subsequent requests. |
||
---|---|---|
.. | ||
files | ||
patches | ||
buildlink3.mk | ||
DESCR | ||
distinfo | ||
Makefile | ||
options.mk | ||
PLIST |