* Fix security problems.
* Build three Multi-Processing Model shared libraries,
and select default model with option
* Retire mod_cgi.so module, use mod_cgid.so; Add MESSAGE
Changelog:
Changes with Apache 2.4.3
*) SECURITY: CVE-2012-3502 (cve.mitre.org)
mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
connection closing which could lead to privacy issues due
to a response mixup. PR 53727. [Rainer Jung]
*) SECURITY: CVE-2012-2687 (cve.mitre.org)
mod_negotiation: Escape filenames in variant list to prevent an
possible XSS for a site where untrusted users can upload files to
a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
*) mod_authnz_ldap: Don't try a potentially expensive nested groups
search before exhausting all AuthLDAPGroupAttribute checks on the
current group. PR 52464 [Eric Covener]
*) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
authorization provider in lua. [Stefan Fritsch]
*) core: Be less strict when checking whether Content-Type is set to
"application/x-www-form-urlencoded" when parsing POST data,
or we risk losing data with an appended charset. PR 53698
[Petter Berntsen <petterb gmail.com>]
*) httpd.conf: Added configuration directives to set a bad_DNT environment
variable based on User-Agent and to remove the DNT header field from
incoming requests when a match occurs. This currently has the effect of
removing DNT from requests by MSIE 10.0 because it deliberately violates
the current specification of DNT semantics for HTTP. [Roy T. Fielding]
*) mod_socache_shmcb: Fix bus error due to a misalignment
in some 32 bit builds, especially on Solaris Sparc.
PR 53040. [Rainer Jung]
*) mod_cache: Set content type in case we return stale content.
[Ruediger Pluem]
*) Windows: Fix SSL failures on windows with AcceptFilter https none.
PR 52476. [Jeff Trawick]
*) ab: Fix read failure when targeting SSL server. [Jeff Trawick]
*) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
- mod_auth_digest: shared memory file
[Jeff Trawick]
*) htpasswd: Use correct file mode for checking if file is writable.
PR 45923. [Stefan Fritsch]
*) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T.
<mi apache aldan algebra com>]
*) mod_ssl: Add new directive SSLCompression to disable TLS-level
compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
*) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
client_ip to match conn_rec. [Stefan Fritsch]
*) mod_lua: Change prototype of vm_construct, to work around gcc bug which
causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>]
*) mpm_event: Don't count connections in lingering close state when
calculating how many additional connections may be accepted.
[Stefan Fritsch]
*) mod_ssl: If exiting during initialization because of a fatal error,
log a message to the main error log pointing to the appropriate
virtual host error log. [Stefan Fritsch]
*) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]
*) mod_proxy_balancer: Restore balancing after a failed worker has
recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick]
*) mod_setenvif: Compile some global regex only once during startup.
This should save some memory, especially with .htaccess.
[Stefan Fritsch]
*) core: Add the port number to the vhost's name in the scoreboard.
[Stefan Fritsch]
*) mod_proxy: Fix ProxyPassReverse for balancer configurations.
PR 45434. [Joe Orton]
*) mod_lua: Add the parsebody function for parsing POST data. PR 53064.
[Daniel Gruno]
*) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS.
[Stefan Fritsch]
*) mod_proxy: Fix memory leak or possible corruption in ProxyBlock
implementation. [Ruediger Pluem, Joe Orton]
*) mod_proxy: Check hostname from request URI against ProxyBlock list,
not forward proxy, if ProxyRemote* is configured. [Joe Orton]
*) mod_proxy_connect: Avoid DNS lookup on hostname from request URI
if ProxyRemote* is configured. PR 43697. [Joe Orton]
*) mpm_event, mpm_worker: Remain active amidst prevalent child process
resource shortages. [Jeff Trawick]
*) Add "strict" and "warnings" pragmas to Perl scripts. [Rich Bowen]
*) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
- core: the scoreboard (ScoreBoardFile), pid file (PidFile), and
mutexes (Mutex)
[Jim Jagielski]
*) ab: Fix bind() errors. [Joe Orton]
*) mpm_event: Don't do a blocking write when starting a lingering close
from the listener thread. PR 52229. [Stefan Fritsch]
*) mod_so: If a filename without slashes is specified for LoadFile or
LoadModule and the file cannot be found in the server root directory,
try to use the standard dlopen() search path. [Stefan Fritsch]
*) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced
after child process resource shortages. [Jeff Trawick]
*) mpm_prefork: Reduce spawn rate after a child process exits due to
unexpected poll or accept failure. [Jeff Trawick]
*) core: Log value of Status header line in script responses rather
than the fixed header name. [Chris Darroch]
*) mpm_ssl: Fix handling of empty response from OCSP server.
[Jim Meyering <meyering redhat.com>, Joe Orton]
*) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch]
*) mod_authz_core: If an expression in "Require expr" returns denied and
references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
[Stefan Fritsch]
*) core: Always log if LimitRequestFieldSize triggers. [Stefan Fritsch]
*) mod_deflate: Skip compression if compression is enabled at SSL level.
[Stefan Fritsch]
*) core: Add missing HTTP status codes registered with IANA.
[Julian Reschke <julian.reschke gmx.de>, Rainer Jung]
*) mod_ldap: Treat the "server unavailable" condition as a transient
error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]
*) core: Fix spurious "not allowed here" error returned when the Options
directive is used in .htaccess and "AllowOverride Options" (with no
specific options restricted) is configured. PR 53444. [Eric Covener]
*) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
PR 53048. [Stefan Fritsch]
*) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
PR 53104. [Greg Ames]
*) mod_ext_filter: Fix error_log spam when input filters are configured.
[Joe Orton]
*) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
*) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
[Paul Wouters <pwouters redhat.com>, Joe Orton]
*) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
the chosen listener is configured for https. [Joe Orton]
*) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. PR 53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
*) mod_info: Display all registered providers. [Stefan Fritsch]
*) mod_ssl: Send the error message for speaking http to an https port using
HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
using SNI. PR 50823. [Stefan Fritsch]
*) core: Fix segfault in logging if r->useragent_addr or c->client_addr is
unset. PR 53265. [Stefan Fritsch]
*) log_server_status: Bring Perl style forward to the present, use
standard modules, update for new format of server-status output.
PR 45424. [Richard Bowen, Dave Brondsema, and others]
*) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups.
[Joe Orton, André Malo]
*) core: Prevent "httpd -k restart" from killing server in presence of
config error. [Joe Orton]
*) mod_proxy_fcgi: If there is an error reading the headers from the
backend, send an error to the client. PR 52879. [Stefan Fritsch]
74726659a0