dc9fbb8810
add default vhost configs OBS-URL: https://build.opensuse.org/request/show/102748 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=355
3688 lines
166 KiB
Plaintext
-------------------------------------------------------------------
Sat Jan 21 13:54:01 CET 2012 - draht@suse.de

- enable mod_reqtimeout by default via APACHE_MODULES in
  /etc/sysconfig/apache2, configuration
  /etc/apache2/mod_reqtimeout.conf .
  Of course, the existing configuration remains unchanged.

-------------------------------------------------------------------
Fri Dec 16 20:53:39 UTC 2011 - chris@computersalat.de

- add default vhost configs
  * default-vhost.conf, default-vhost-ssl.conf, README.default-vhost

-------------------------------------------------------------------
Sat Dec 10 10:34:26 CET 2011 - meissner@suse.de

- openldap2 is not necessary, just openldap2-devel as buildrequires

-------------------------------------------------------------------
Fri Dec 2 07:18:56 UTC 2011 - coolo@suse.com

- add automake as buildrequire to avoid implicit dependency

-------------------------------------------------------------------
Fri Nov 18 15:04:12 CET 2011 - draht@suse.de

- update to /etc/init.d/apache2: handle reload with deleted
  binaries after package update more thoughtfully: If the binaries
  have been replaced, then a dlopen(3) on the apache modules is
  prone to fail. => Don't reload then, but complain and fail.
  Especially important for logrotate!

-------------------------------------------------------------------
Fri Oct 7 17:11:56 CEST 2011 - draht@suse.de

- httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff fixes mod_proxy
  reverse exposure via RewriteRule or ProxyPassMatch directives.
  This is CVE-2011-3368.

-------------------------------------------------------------------
Fri Oct 7 14:36:31 UTC 2011 - fcrozat@suse.com

- Ensure service_add_pre macro is correctly called for
  openSUSE 12.1 or later.

-------------------------------------------------------------------
Tue Sep 27 08:19:35 UTC 2011 - fcrozat@suse.com

- Fix systemd files packaging, %ghost is not a good idea.
- Use systemd rpm macros for openSUSE 12.1 and later.

-------------------------------------------------------------------
Thu Sep 15 13:33:30 CEST 2011 - draht@suse.de

- don't create $RPM_BUILD_ROOT/etc/init.d twice in %install.

-------------------------------------------------------------------
Wed Sep 14 01:11:55 CEST 2011 - draht@suse.de

- Update to 2.2.21. News therein:
  * re-worked CVE-2011-3192 (byterange_filter.c) with a regression
    fix. New config option: MaxRanges (PR 51748)
  * multi fixes in mod_filter, mod_proxy_ajp, mod_dav_fs,
    mod_alias, mod_rewrite. As always, see CHANGES file.
- added httpd-%{realver}.tar.bz2.asc to source, along with
  60C5442D.key which the tarball was signed with.

-------------------------------------------------------------------
Tue Sep 13 10:37:37 CEST 2011 - draht@suse.de

- need to add %ghost /lib/systemd to satisfy distributions that
  have no systemd yet.

-------------------------------------------------------------------
Thu Sep 1 09:43:49 UTC 2011 - fcrozat@suse.com

- Add apache2-systemd-ask-pass / apache2.service / start_apache2
  and modify apache2-ssl-global.conf for systemd support
  (bnc#697137).

-------------------------------------------------------------------
Wed Aug 31 12:52:22 UTC 2011 - crrodriguez@opensuse.org

- Update to version 2.2.20, fix CVE-2011-3192
  mod_deflate D.o.S.

-------------------------------------------------------------------
Fri Aug 5 06:02:35 UTC 2011 - crrodriguez@opensuse.org

- Fix apache PR 45076

-------------------------------------------------------------------
Sun Jul 17 19:49:55 UTC 2011 - crrodriguez@opensuse.org

- Use SSL_MODE_RELEASE_BUFFERS to reduce mod_ssl memory usage

-------------------------------------------------------------------
Wed Jun 22 16:12:10 UTC 2011 - crrodriguez@opensuse.org

- Add 2 patches from the "low hanging fruit" warnings in apache
  STATUS page.
  * mod_deflate: Stop compressing HEAD requests
    if there is no Content-Length header
  * mod_reqtimeout: Disable keep-alive after read timeout

-------------------------------------------------------------------
Fri Jun 10 00:59:53 UTC 2011 - crrodriguez@opensuse.org

- Remove -fno-strict-aliasing from CFLAGS, no longer needed.

-------------------------------------------------------------------
Wed Jun 8 19:10:41 UTC 2011 - crrodriguez@opensuse.org

- Allow KeepAliveTimeout to be expressed in milliseconds
  sometimes one second is too long, upstream r733557.

-------------------------------------------------------------------
Mon Jun 6 18:16:05 UTC 2011 - crrodriguez@opensuse.org

- When linux changes to version 3.x configure tests are gonna break.
  remove version check, assuming kernel 2.2 or later.

-------------------------------------------------------------------
Thu May 26 03:35:05 UTC 2011 - crrodriguez@opensuse.org

- Update to 2.2.19, only one bugfix.
  *) Revert ABI breakage in 2.2.18 caused by the function signature change
     of ap_unescape_url_keep2f(). This release restores the signature from
     2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
     [Eric Covener]

-------------------------------------------------------------------
Fri May 20 19:28:03 UTC 2011 - crrodriguez@opensuse.org

- Remove SSLv2 disabled patch, already in upstream.
- Update to version 2.2.18
  * mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
  * core: Treat timeout reading request as 408 error, not 400.
  * core: Only log a 408 if it is no keepalive timeout.
  * mod_rewrite: Allow to unset environment variables.
  * prefork: Update MPM state in children during a graceful restart.
  * Other fixes in mod_cache, mod_dav, mod_proxy; see NEWS for detail.

-------------------------------------------------------------------
Wed Apr 20 23:24:26 UTC 2011 - crrodriguez@opensuse.org

- Fix regular expression in vhost ssl template IE workaround
  it is obsolete see https://issues.apache.org/bugzilla/show_bug.cgi?id=49484
  You should apply this update to fix painfully slow SSL
  connections when using IE.

-------------------------------------------------------------------
Mon Apr 11 16:19:14 UTC 2011 - crrodriguez@opensuse.org

- Allow usage of an OpenSSL library compiled without SSLv2

-------------------------------------------------------------------
Fri Apr 8 13:41:48 UTC 2011 - lnussel@suse.de

- set sane default cipher string in apache2-vhost-ssl.template
- remove useless example snakeoil certs
- remove broken mkcert script

-------------------------------------------------------------------
Thu Feb 17 12:39:06 CET 2011 - werner@suse.de

- Tag boot script as interactive as systemd uses it

-------------------------------------------------------------------
Mon Feb 7 16:25:16 UTC 2011 - lnussel@suse.de

- recommend the default mpm package (bnc#670027)

-------------------------------------------------------------------
Tue Oct 19 17:16:16 UTC 2010 - poeml@cmdline.net

- update to 2.2.17:
  SECURITY: CVE-2010-1623 (cve.mitre.org)
    Fix a denial of service attack against apr_brigade_split_line().
    [Actual fix is in the libapr 1.3 line, which we don't use // poeml]
  SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
    Fix two buffer over-read flaws in the bundled copy of expat which could
    cause applications to crash while parsing specially-crafted XML documents.
    [We build with system expat library // poeml]
  prefork MPM: Run cleanups for final request when process exits gracefully
    to work around a flaw in apr-util. PR 43857
  core:
  - check symlink ownership if both FollowSymlinks and
    SymlinksIfOwnerMatch are set
  - fix origin checking in SymlinksIfOwnerMatch PR 36783
  - (re)-introduce -T commandline option to suppress documentroot
    check at startup. PR 41887
  vhost:
  - A purely-numeric Host: header should not be treated as a port. PR 44979
  rotatelogs:
  - Fix possible buffer overflow if admin configures a
    mongo log file path.
  Proxy balancer: support setting error status according to HTTP response
    code from a backend. PR 48939.
  mod_authnz_ldap:
  - If AuthLDAPCharsetConfig is set, also convert the
    password to UTF-8. PR 45318.
  mod_dir, mod_negotiation:
  - Pass the output filter information to newly created sub requests; as these
    are later on used as true requests with an internal redirect. This allows
    for mod_cache et.al. to trap the results of the redirect. PR 17629, 43939
  mod_headers:
  - Enable multi-match-and-replace edit option PR 46594
  mod_log_config:
  - Make ${cookie}C correctly match whole cookie names
    instead of substrings. PR 28037.
  mod_reqtimeout:
  - Do not wrongly enforce timeouts for mod_proxy's backend
    connections and other protocol handlers (like mod_ftp). Enforce the
    timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
    close time from 30 to 2 seconds.
  mod_ssl:
  - Do not do overlapping memcpy. PR 45444

-------------------------------------------------------------------
Tue Oct 5 18:25:39 UTC 2010 - cristian.rodriguez@opensuse.org

- Add missing libcap-devel to BuildRequires, wanted by "itk" MPM.

-------------------------------------------------------------------
Thu Jul 29 15:40:29 UTC 2010 - poeml@cmdline.net

- update to 2.2.16:
  SECURITY: CVE-2010-1452 (cve.mitre.org)
    mod_dav, mod_cache: Fix Handling of requests without a path segment.
    PR: 49246
  SECURITY: CVE-2010-2068 (cve.mitre.org)
    mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
    for platforms Windows, Netware and OS2. PR: 49417.
  core:
  - Filter init functions are now run strictly once per request
    before handler invocation. The init functions are no longer run
    for connection filters. PR 49328.
  mod_filter:
  - enable it to act on non-200 responses. PR 48377
  mod_ldap:
  - LDAP caching was suppressed (and ldap-status handler returns
    title page only) when any mod_ldap directives were used in VirtualHost
    context.
  mod_ssl:
  - Fix segfault at startup if proxy client certs are shared
    across multiple vhosts. PR 39915.
  mod_proxy_http:
  - Log the port of the remote server in various messages.
    PR 48812.
  apxs:
  - Fix -A and -a options to ignore whitespace in httpd.conf
  mod_dir:
  - add FallbackResource directive, to enable admin to specify
    an action to happen when a URL maps to no file, without resorting
    to ErrorDocument or mod_rewrite. PR 47184
  mod_rewrite:
  - Allow to set environment variables without explicitly
    giving a value.
- add Requires and BuildRequires on libapr1 >= 1.4.2. In the past, libapr1 >=
  1.0 was sufficient. But since 2.2.16, a failure to create listen sockets can
  occur, unless newer libapr1 is used. See
  https://bugzilla.redhat.com/show_bug.cgi?id=516331
- remove obsolete httpd-2.2.15-deprecated_use_of_build_in_variable.patch

-------------------------------------------------------------------
Mon May 17 14:33:47 UTC 2010 - poeml@cmdline.net

- add type and encoding for zipped SVG images (.svgz)
  Thanks to Sebastian Siebert (via Submit Request #40059)

-------------------------------------------------------------------
Tue May 11 21:42:11 UTC 2010 - lars@linux-schulserver.de

- fix deprecated usage of $[ in apxs2
  (httpd-2.2.15-deprecated_use_of_build_in_variable.patch)

-------------------------------------------------------------------
Fri May 7 12:38:10 UTC 2010 - aj@suse.de

- Do not compile in build time but use mtime of changes file instead.
  This allows build-compare to identify that no changes have happened.

-------------------------------------------------------------------
Tue Mar 30 23:49:28 UTC 2010 - poeml@cmdline.net

- add apache2-prefork to the Requires of apache2-devel, because apxs2 will
  build for prefork, if not called as apxs2-worker (which should rarely be the
  case). Also added gcc to the Requires.

-------------------------------------------------------------------
Mon Mar 8 12:34:18 UTC 2010 - poeml@cmdline.net

- update to 2.2.15:
  SECURITY: CVE-2009-3555 (cve.mitre.org)
    mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
    attack when compiled against OpenSSL version 0.9.8m or later. Introduces
    the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and
    offer unsafe legacy renegotiation with clients which do not yet support
    the new secure renegotiation protocol, RFC 5746.
  SECURITY: CVE-2009-3555 (cve.mitre.org)
    mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
    by rejecting any client-initiated renegotiations. Forcibly disable
    keepalive for the connection if there is any buffered data readable. Any
    configuration which requires renegotiation for per-directory/location
    access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
  SECURITY: CVE-2010-0408 (cve.mitre.org)
    mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
    when request headers indicate a request body is incoming; not a case of
    HTTP_INTERNAL_SERVER_ERROR.
  SECURITY: CVE-2010-0425 (cve.mitre.org)
    mod_isapi: Do not unload an isapi .dll module until the request processing
    is completed, avoiding orphaned callback pointers.
  SECURITY: CVE-2010-0434 (cve.mitre.org)
    Ensure each subrequest has a shallow copy of headers_in so that the parent
    request headers are not corrupted. Eliminates a problematic optimization
    in the case of no request body. PR 48359
  mod_reqtimeout:
  - New module to set timeouts and minimum data rates for receiving requests
    from the client.
  core:
  - Fix potential memory leaks by making sure to not destroy bucket brigades
    that have been created by earlier filters.
  - Return APR_EOF if request body is shorter than the length announced by the
    client. PR 33098
  - Preserve Port information over internal redirects PR 35999
  - Build: fix --with-module to work as documented PR 43881
  worker:
  - Don't report server has reached MaxClients until it has. Add message when
    server gets within MinSpareThreads of MaxClients. PR 46996.
  ab, mod_ssl:
  - Restore compatibility with OpenSSL < 0.9.7g.
  mod_authnz_ldap:
  - Add AuthLDAPBindAuthoritative to allow Authentication to try other
    providers in the case of an LDAP bind failure. PR 46608
  - Failures to map a username to a DN, or to check a user password now result
    in an informational level log entry instead of warning level.
  mod_cache:
  - Introduce the thundering herd lock, a mechanism to keep the flood of
    requests at bay that strike a backend webserver as a cached entity goes
    stale.
  - correctly consider s-maxage in cacheability decisions.
  mod_disk_cache, mod_mem_cache:
  - don't cache incomplete responses, per RFC 2616, 13.8. PR15866.
  mod_charset_lite:
  - Honor 'CharsetOptions NoImplicitAdd'.
  mod_filter:
  - fix FilterProvider matching where "dispatch" string doesn't exist. PR 48054
  mod_include:
  - Allow fine control over the removal of Last-Modified and ETag headers
    within the INCLUDES filter, making it possible to cache responses if
    desired. Fix the default value of the SSIAccessEnable directive.
  mod_ldap:
  - If LDAPSharedCacheSize is too small, try harder to purge some cache
    entries and log a warning. Also increase the default LDAPSharedCacheSize
    to 500000. This is a more realistic size suitable for the default values
    of 1024 for LdapCacheEntries/LdapOpCacheEntries. PR 46749.
  mod_log_config:
  - Add the R option to log the handler used within the request.
  mod_mime:
  - Make RemoveType override the info from TypesConfig. PR 38330.
  - Detect invalid use of MultiviewsMatch inside Location and LocationMatch
    sections. PR 47754.
  mod_negotiation:
  - Preserve query string over multiviews negotiation. This buglet was fixed
    for type maps in 2.2.6, but the same issue affected multiviews and was
    overlooked. PR 33112
  mod_proxy:
  - unable to connect to a backend is SERVICE_UNAVAILABLE, rather than
    BAD_GATEWAY or (especially) NOT_FOUND. PR 46971
  mod_proxy, mod_proxy_http:
  - Support remote https proxies by using HTTP CONNECT. PR 19188.
  mod_proxy_http:
  - Make sure that when an ErrorDocument is served from a reverse proxied URL,
    that the subrequest respects the status of the original request. This
    brings the behaviour of proxy_handler in line with default_handler. PR
    47106.
  mod_proxy_ajp:
  - Really regard the operation a success, when the client aborted the
    connection. In addition adjust the log message if the client aborted the
    connection.
  mod_rewrite:
  - Make sure that a hostname:port isn't fully qualified if the request is a
    CONNECT request. PR 47928
  - Add scgi scheme detection.
  mod_ssl:
  - Fix a potential I/O hang if a long list of trusted CAs is configured for
    client cert auth. PR 46952.
  - When extracting certificate subject/issuer names to the SSL_*_DN_*
    variables, handle RDNs with duplicate tags by exporting multiple
    variables with an "_n" integer suffix. PR 45875.
- obsolete patch CVE-2009-3555-2.2.patch removed

-------------------------------------------------------------------
Fri Mar 5 09:29:10 UTC 2010 - coolo@novell.com

- readd whitespace removed by autobuild

-------------------------------------------------------------------
Wed Dec 16 10:56:35 CET 2009 - jengelh@medozas.de

- package documentation as noarch

-------------------------------------------------------------------
Sat Nov 7 11:30:06 UTC 2009 - poeml@cmdline.net

- add patch for CVE-2009-3555 (cve.mitre.org)
  http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
  http://mail-archives.apache.org/mod_mbox/httpd-announce/200911.mbox/%3c20091107013220.31376.qmail@minotaur.apache.org%3e
  A partial fix for the TLS renegotiation prefix injection attack by rejecting
  any client-initiated renegotiations. Any configuration which requires
  renegotiation for per-directory/location access control is still vulnerable,
  unless using OpenSSL >= 0.9.8l.

-------------------------------------------------------------------
Mon Oct 26 12:48:11 UTC 2009 - poeml@cmdline.net

- update to 2.2.14:
  *) SECURITY: CVE-2009-2699 (cve.mitre.org)
     Fixed in APR 1.3.9. Faulty error handling in the Solaris pollset support
     (Event Port backend) which could trigger hangs in the prefork and event
     MPMs on that platform. PR 47645. [Jeff Trawick]
  *) SECURITY: CVE-2009-3095 (cve.mitre.org)
     mod_proxy_ftp: sanity check authn credentials.
     [Stefan Fritsch <sf fritsch.de>, Joe Orton]
  *) SECURITY: CVE-2009-3094 (cve.mitre.org)
     mod_proxy_ftp: NULL pointer dereference on error paths.
     [Stefan Fritsch <sf fritsch.de>, Joe Orton]
  *) mod_proxy_scgi: Backport from trunk. [André Malo]
  *) mod_ldap: Don't try to resolve file-based user ids to a DN when AuthLDAPURL
     has been defined at a very high level. PR 45946. [Eric Covener]
  *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]
  *) mod_ldap: Bring the LDAPCacheEntries and LDAPOpCacheEntries
     usage() in synch with the manual and the implementation (0 and -1
     both disable the cache). [Eric Covener]
  *) mod_ssl: The error message when SSLCertificateFile is missing should
     at least give the name or position of the problematic virtual host
     definition. [Stefan Fritsch sf sfritsch.de]
  *) htdbm: Fix possible buffer overflow if dbm database has very
     long values. PR 30586 [Dan Poirier]
  *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
  *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
     type. PR 45107. [Michael Ströder <michael stroeder.com>,
     Peter Sylvester <peter.sylvester edelweb.fr>]
  *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
     defined session identifiers encoded in the URL when caching.
     [Ruediger Pluem]
  *) mod_mem_cache: fix seg fault under load due to pool concurrency problem
     PR: 47672 [Dan Poirier <poirier pobox.com>]
  *) mod_autoindex: Correctly create an empty cell if the description
     for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]

-------------------------------------------------------------------
Mon Aug 10 03:15:09 CEST 2009 - poeml@suse.de

- update to 2.2.13:
  *) SECURITY: CVE-2009-2412 (cve.mitre.org)
     Distributed with APR 1.3.8 and APR-util 1.3.9 to fix potential overflow
     in pools and rmm, where size alignment was taking place.
  *) mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas. Report
     warnings compiling mod_ssl against OpenSSL to the httpd developers.
  *) mod_cgid: Do not add an empty argument when calling the CGI script.
     PR 46380
  *) Fix potential segfaults with use of the legacy ap_rputs() etc
     interfaces, in cases where an output filter fails. PR 36780.

-------------------------------------------------------------------
Mon Jul 27 22:20:11 CEST 2009 - poeml@suse.de

- update to 2.2.12:
  SECURITY: CVE-2009-1891 (cve.mitre.org)
    Fix a potential Denial-of-Service attack against mod_deflate or other
    modules, by forcing the server to consume CPU time in compressing a
    large file after a client disconnects. PR 39605.
  SECURITY: CVE-2009-1195 (cve.mitre.org)
    Prevent the "Includes" Option from being enabled in an .htaccess
    file if the AllowOverride restrictions do not permit it.
  SECURITY: CVE-2009-1890 (cve.mitre.org)
    Fix a potential Denial-of-Service attack against mod_proxy in a
    reverse proxy configuration, where a remote attacker can force a
    proxy process to consume CPU time indefinitely.
  SECURITY: CVE-2009-1191 (cve.mitre.org)
    mod_proxy_ajp: Avoid delivering content from a previous request which
    failed to send a request body. PR 46949
  SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
    The bundled copy of the APR-util library has been updated, fixing three
    different security issues which may affect particular configurations
    and third-party modules.
  core:
  - New piped log syntax: Use "||process args" to launch the given process
    without invoking the shell/command interpreter. Use "|$command line"
    (the default behavior of "|command line" in 2.2) to invoke using shell,
    consuming an additional shell process for the lifetime of the logging
    pipe program but granting additional process invocation flexibility.
  - prefork: Fix child process hang during graceful restart/stop in
    configurations with multiple listening sockets. PR 42829.
  - Translate the status line to ASCII on EBCDIC platforms in
    ap_send_interim_response() and for locally generated "100
    Continue" responses.
  - CGI: return 504 (Gateway timeout) rather than 500 when a
    script times out before returning status line/headers. PR 42190
  - prefork: Log an error instead of segfaulting when child startup fails
    due to pollset creation failures. PR 46467.
  - core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
  - Set Listen protocol to "https" if port is set to 443 and no proto is specified
    (as documented but not implemented). PR 46066
  - Output -M and -S dumps (modules and vhosts) to stdout instead of stderr.
    PR 42571 and PR 44266 (dup).
  mod_alias:
  - check sanity in Redirect arguments. PR 44729
  - Ensure Redirect emits HTTP-compliant URLs. PR 44020
  mod_authnz_ldap:
  - Reduce number of initialization debug messages and make
    information more clear. PR 46342
  mod_cache:
  - Introduce 'no-cache' per-request environment variable to
    prevent the saving of an otherwise cacheable response.
  - Correctly save Content-Encoding of cachable entity. PR 46401
  - When an explicit Expires or Cache-Control header is set, cache
    normally non-cacheable response statuses. PR 46346.
  mod_cgid:
  - fix segfault problem on solaris. PR 39332
  mod_disk_cache:
  - The module now turns off sendfile support if 'EnableSendfile
    off' is defined globally. PR 41218.
  mod_disk_cache/mod_mem_cache:
  - Fix handling of CacheIgnoreHeaders directive to correctly
    remove headers before storing them.
  mod_deflate:
  - revert changes in 2.2.8 that caused an invalid etag to be
    emitted for on-the-fly gzip content-encoding. PR 39727 will
    require larger fixes and this fix was far more harmful than
    the original code. PR 45023.
  mod_ext_filter:
  - fix error handling when the filter prog fails to start, and
    introduce an onfail configuration option to abort the request
    or to remove the broken filter and continue. PR 41120
  mod_include:
  - fix potential segfault when handling back references on an
    empty SSI variable.
  - Prevent a case of SSI timefmt-smashing with filter chains
    including multiple INCLUDES filters. PR 39369
  - support generating non-ASCII characters as entities in SSI PR
    25202
  mod_ldap:
  - Avoid a segfault when result->rc is checked in
    uldap_connection_init when result is NULL. This could happen
    if LDAP initialization failed. PR 45994.
  mod_negotiation:
  - Escape paths of filenames in 406 responses to avoid HTML
    injections and HTTP response splitting. PR 46837.
  mod_proxy:
  - Complete ProxyPassReverse to handle balancer URL's. Given;
      BalancerMember balancer://alias http://example.com/foo
      ProxyPassReverse /bash balancer://alias/bar backend url
      http://example.com/foo/bar/that is now translated /bash/that
  mod_proxy_ajp:
  - Check more strictly that the backend follows the AJP protocol.
  - Forward remote port information by default.
  mod_proxy_http:
  - fix Host: header for literal IPv6 addresses. PR 47177
  - fix case sensitivity checking transfer encoding PR 47383
  mod_rewrite:
  - Remove locking for writing to the rewritelog. PR 46942
  - Fix the error string returned by RewriteRule. RewriteRule
    returned "RewriteCond: bad flag delimiters" when the 3rd
    argument of RewriteRule was not started with "[" or not ended
    with "]". PR 45082
  - When evaluating a proxy rule in directory context, do escape
    the filename by default. PR 46428
  - Introduce DiscardPathInfo|DPI flag to stop the troublesome way
    that per-directory rewrites append the previous notion of
    PATH_INFO to each substitution before evaluating subsequent
    rules. PR38642
  - fix "B" flag breakage by reverting r589343 PR 45529
  mod_ssl:
  - Add server name indication support (RFC 4366) and better
    support for name based virtual hosts with SSL. PR 34607
  - Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
    to enable stricter checking of remote server certificates.
  - Add SSLRenegBufferSize directive to allow changing the size of
    the buffer used for the request-body where necessary during a
    per-dir renegotiation. PR 39243.
  mod_substitute:
  - Fix a memory leak. PR 44948

-------------------------------------------------------------------
Tue Jul 14 14:14:22 CEST 2009 - hvogel@suse.de

- Fix missing -Y option in gensslcert [bnc#416888]

-------------------------------------------------------------------
Tue Jun 9 17:09:35 CEST 2009 - poeml@suse.de

- merge changes from openSUSE:Factory:
  - trailing spaces removed from robots.txt
  - moved Snakeoil certificates to separate subpackage
    example-certificates [bnc#419601]
  - removed outdated ca-bundle.crt
- NOT merging the change from [bnc#301380] (setting TraceEnable
  Off), since there is no reason to deviate from upstream

-------------------------------------------------------------------
Tue Jun 9 08:52:34 CEST 2009 - poeml@suse.de

- avoid useless (and potentially irritating) messages from usermod
  called in %post when updating the package - this should probably
  only be run when updating from very old installs anyway.
- likewise, avoid similar useless messages about creation of the
  httpd user when installing on Fedora.

-------------------------------------------------------------------
Tue May 5 12:43:29 CEST 2009 - poeml@suse.de

- fix hyperref to the quickstart howto in the installed httpd.conf
  [bnc#500938] Thanks, Frank!

-------------------------------------------------------------------
Mon Apr 27 16:12:46 CEST 2009 - poeml@suse.de

- add ITK MPM (apache2.2-mpm-itk-20090414-00.patch)
  see http://mpm-itk.sesse.net/

-------------------------------------------------------------------
Mon Apr 27 11:21:43 CEST 2009 - poeml@suse.de

- buildfix (from Factory): replace "shadow" by "pwdutils" in requires

-------------------------------------------------------------------
Thu Mar 12 07:01:58 CET 2009 - crrodriguez@suse.de

- update apache2-vhost.template mod_php4 references [bnc#444205]

-------------------------------------------------------------------
Mon Mar 9 15:33:40 CET 2009 - poeml@suse.de

- fixed the ed script which turns apxs into
  apxs-{prefork,worker,event} to work on Fedora, by using - instead
  of ^ to go "up" one line. Thereby fixing Fedora build. (Package
  probably needs further tuning to fit into a Fedora environment.)

-------------------------------------------------------------------
Sat Dec 20 00:49:29 CET 2008 - poeml@suse.de

- update to 2.2.11:
  core:
  - Worker MPM: Crosscheck that idle workers are still available
    before using them and thus preventing an overflow of the
    worker queue which causes a SegFault. PR 45605
  - Add ap_timeout_parameter_parse to public API.
  - When the ap_http_header_filter processes an error bucket,
    cleanup the passed brigade before returning AP_FILTER_ERROR
    down the filter chain. This unambiguously ensures the same
    error bucket isn't revisited
  - Error responses set by filters were being coerced into 500
    errors, sometimes appended to the original error response. Log
    entry of: 'Handler for (null) returned invalid result code -3'
  - configure: Don't reject libtool 2.x PR 44817
  - Build: Correctly set SSL_LIBS during openssl detection if
    pkgconfig is not available. PR 46018
  mod_autoindex:
  - add configuration option to insert string in HTML HEAD (IndexHeadInsert).
  mod_cache:
  - Convert age of cached object to seconds before comparing it to
    age supplied by the request when checking whether to send a
    Warning header for a stale response. PR 39713.
  mod_expires:
  - Do not set negative max-age / Expires header in the past. PR 39774
  mod_info:
  - Was displaying the wrong value for the KeepAliveTimeout value.
  mod_log_config:
  - Add new LogFormat parameter, %k, which logs the number of
    keepalive requests on this connection for this request. PR 45762
  mod_proxy:
  - Add the possibility to set the worker parameters
    connectiontimeout and ping in milliseconds.
  - Prevent segmentation faults by correctly adjusting the
    lifetime of the buckets read from the proxy backend. PR 45792
  mod_proxy_ajp:
  - Do not fail if response data is sent before all request
    data is read. PR 45911
  - Fix wrongly formatted requests where client sets
    Content-Length header, but doesn't provide a body. Servlet
    container always expects that next packet is body whenever C-L
    is present in the headers. This can lead to wrong
    interpretation of the packets. In this case send the empty
    body packet, so container can deal with that.
  mod_proxy_balancer:
  - Add in forced recovery for balancer members if
    all are in error state.
  mod_rewrite:
  - Export and install the mod_rewrite.h header to ensure the optional
    rewrite_mapfunc_t and ap_register_rewrite_mapfunc functions are
    available to third party modules.

-------------------------------------------------------------------
Wed Dec 17 15:45:07 CET 2008 - poeml@suse.de

- remove mod_authn_dbm and mod_suexec from the default module list.

-------------------------------------------------------------------
Fri Nov 21 12:01:00 CET 2008 - skh@suse.de

- apache2-server-tuning.conf:
  Enclose module-specific configuration in IfModule tags [bnc#440584]

-------------------------------------------------------------------
Fri Nov 14 09:40:05 CET 2008 - poeml@suse.de

- apply Dirk's fix for [bnc#444878], making the packaging of per-mpm
  modules more deterministic. They'll reliably be put into the
  subpackage or main package now, which varied in a ping-pong way
  from build to build in the past.

-------------------------------------------------------------------
Wed Oct 29 18:38:17 CET 2008 - poeml@suse.de

- update year of copyright in rc.apache2

-------------------------------------------------------------------
Wed Oct 29 00:13:58 CET 2008 - poeml@suse.de

- update to 2.2.10:
  SECURITY: CVE-2008-2939 (cve.mitre.org)
  mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
  the FTP URL. Discovered by Marc Bevand of Rapid7.
  core:
  - Support chroot on Unix-family platforms. PR 43596
  mod_authn_alias:
  - Detect during startup when AuthDigestProvider is configured to
    use an incompatible provider via AuthnProviderAlias. PR 45196
  mod_cgid:
  - Pass along empty command line arguments from an ISINDEX query
    that has consecutive '+' characters in the QUERY_STRING,
    matching the behavior of mod_cgi.
  mod_charset_lite:
  - Avoid dropping error responses by handling meta buckets
    correctly. PR 45687
  mod_dav_fs:
  - Retrieve minimal system information about directory entries
    when walking a DAV fs, resolving a performance degradation on
    Windows. PR 45464.
  mod_headers:
  - Prevent Header edit from processing only the first header of
    possibly multiple headers with the same name and deleting the
    remaining ones. PR 45333.
  mod_proxy:
  - Allow for smax to be 0 for balancer members so that all idle
    connections are able to be dropped should they exceed ttl. PR 43371
  - Add 'scolonpathdelim' parameter to allow for ';' to also be
    used as a session path separator/delim PR 45158.
  - Add connectiontimeout parameter for proxy workers in order to
    be able to set the timeout for connecting to the backend separately.
    PR 45445.
  mod_proxy_http:
  - Don't trigger a retry by the client if a failure to
    read the response line was the result of a timeout.
  - Introduce environment variable proxy-initial-not-pooled to
    avoid reusing pooled connections if the client connection is an initial
    connection. PR 37770.
  - Do not forward requests with 'Expect: 100-continue' to
    known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
  mod_proxy_balancer:
  - Move nonce field in the balancer manager page inside
    the html form where it belongs. PR 45578.
  - Add 'bybusyness' load balance method.
  mod_rewrite:
  - Allow Cookie option to set secure and HttpOnly flags. PR 44799
  - Preserve the query string when [proxy,noescape]. PR 45247.
  mod_ssl:
  - implement dynamic mutex callbacks for the benefit of OpenSSL.
  - Rewrite shmcb to avoid memory alignment issues. PR 42101.
- drop obsolete patch httpd-2.2.x-CVE-2008-2939.patch

-------------------------------------------------------------------
Fri Oct 24 13:23:41 CEST 2008 - skh@suse.de

- apache2.firewall, apache2.ssl-firewall
  Use unique name tags "HTTP Server" and "HTTPS Server" for
  SuSEFirewall2 configuration [bnc#414962]

-------------------------------------------------------------------
Fri Sep 19 16:18:39 CEST 2008 - skh@suse.de

- add httpd-2.x.x-logresolve.patch again [bnc#210904]
- add httpd-2.2.x-CVE-2008-2939.patch [bnc#415061]:
  mod_proxy_ftp: Prevent XSS attacks when using wildcards in
  the path of the FTP URL. Discovered by Marc Bevand of Rapid7.
  [Ruediger Pluem]

-------------------------------------------------------------------
Tue Aug 26 22:59:55 CEST 2008 - poeml@suse.de

- drop rc.config handling (was removed in or after SuSE Linux 8.0)
- don't use fillup_insserv options which have been removed lately

-------------------------------------------------------------------
Fri Aug 15 11:25:47 CEST 2008 - poeml@suse.de

- fix init script LSB headers

-------------------------------------------------------------------
Wed Jun 25 14:36:06 CEST 2008 - poeml@suse.de

- add note to /etc/sysconfig/apache2 and /etc/init.d/apache2 about
  how to set ulimits when starting the server
- undocument APACHE_BUFFERED_LOGS and APACHE_TIMEOUT in the
  sysconfig template. They still work but I think it is good to
  keep this stuff out of the beginner's config, first because both
  features are sophisticated enough to not be tweaked in most
  cases, second because it only confuses people I guess, and makes
  the sysconfig file larger than necessary.

-------------------------------------------------------------------
Sun Jun 15 19:39:46 CEST 2008 - poeml@suse.de

- update to 2.2.9:
  SECURITY: CVE-2008-2364 (cve.mitre.org)
  mod_proxy_http: Better handling of excessive interim responses
  from origin server to prevent potential denial of service and
  high memory usage. Reported by Ryujiro Shibuya.
  SECURITY: CVE-2007-6420 (cve.mitre.org)
  mod_proxy_balancer: Prevent CSRF attacks against the
  balancer-manager interface.
  - htpasswd: Fix salt generation weakness. PR 31440
  worker/event MPM:
  - Fix race condition in pool recycling that leads to
    segmentation faults under load. PR 44402
  core:
  - Fix address-in-use startup failure on some platforms caused by
    creating an IPv4 listener which overlaps with an existing IPv6
    listener.
  - Add the filename of the configuration file to the warning
    message about the useless use of AllowOverride. PR 39992.
  - Do not allow Options ALL if not all options are allowed to be
    overwritten. PR 44262
  - reinstate location walk to fix config for subrequests PR 41960
  - Fix garbled TRACE response on EBCDIC platforms.
  - gen_test_char: add double-quote to the list of
    T_HTTP_TOKEN_STOP. PR 9727
  http_filters:
  - Don't return 100-continue on redirects. PR 43711
  - Don't return 100-continue on client error PR 43711
  - Don't spin if get an error when reading the next chunk. PR 44381
  - Don't add bogus duplicate Content-Language entries
  suexec:
  - When group is given as a numeric gid, validate it by looking up
    the actual group name such that the name can be used in log entries.
    PR 7862
  mod_authn_dbd:
  - Disambiguate and tidy database authentication error messages. PR 43210.
  mod_cache:
  - Handle If-Range correctly if the cached resource was stale. PR 44579
  - Revalidate cache entities which have Cache-Control: no-cache
    set in their response headers. PR 44511
  mod_cgid:
  - Explicitly set permissions of the socket (ScriptSock) shared
    by mod_cgid and request processing threads, for OS'es such as
    HPUX and AIX that do not use umask for AF_UNIX socket permissions.
  - Don't try to restart the daemon if it fails to initialize the socket.
  mod_charset_lite:
  - Add TranslateAllMimeTypes sub-option to CharsetOptions,
    allowing the administrator to skip the mimetype checking that
    precedes translation.
  mod_dav:
  - Return "method not allowed" if the destination URI of a WebDAV
    copy / move operation is no DAV resource. PR 44734
  mod_headers:
  - Add 'merge' option to avoid duplicate values within the same header.
  mod_include:
  - Correctly handle SSI directives split over multiple filter
  mod_log_config:
  - Add format options for %p so that the actual local or remote
    port can be logged. PR 43415.
  mod_logio:
  - Provide optional function to allow modules to adjust the
    bytes_in count
  mod_proxy:
  - Make all proxy modules nocanon aware and do not add the
    query string again in this case. PR 44803.
  - scoreboard: Remove unused proxy load balancer elements from scoreboard
    image (not scoreboard memory itself).
  - Support environment variable interpolation in reverse
    proxying directives.
  - Do not try a direct connection if the connection via a
    remote proxy failed before and the request has a request body.
  - ProxyPassReverse is now balancer aware.
  - Lower memory consumption for short lived connections.
    PR 44026.
  - Keep connections to the backend persistent in the HTTPS case.
  mod_proxy_ajp:
  - Do not retry request in the case that we either failed to
    send a part of the request body or if the request is not idempotent.
    PR 44334
  mod_proxy_ftp:
  - Fix base for directory listings. PR 27834
  mod_proxy_http:
  - Fix processing of chunked responses if Connection:
    Transfer-Encoding is set in the response of the proxied
    system. PR 44311
  - Return HTTP status codes instead of apr_status_t values for
    errors encountered while forwarding the request body PR 44165
  mod_rewrite:
  - Initialize hash needed by ap_register_rewrite_mapfunc early
    enough. PR 44641
  - Check all files used by DBM maps for freshness, mod_rewrite
    didn't pick up on updated sdbm maps due to this. PR41190
  - Don't canonicalise URLs with [P,NE] PR 43319
  mod_speling:
  - remove regression from 1.3/2.0 behavior and drop dependency
    between mod_speling and AcceptPathInfo.
  mod_ssl:
  - Fix a memory leak with connections that have zlib compression
    turned on. PR 44975
  mod_substitute:
  - The default is now flattening the buckets after each
    substitution. The newly added 'q' flag allows for the quicker,
    more efficient bucket-splitting if the user so
  mod_unique_id:
  - Fix timestamp value in UNIQUE_ID. PR 37064
  ab (apache benchmark):
  - Include <limits.h> earlier if available since we may need
    INT_MAX (defined there on Windows) for the definition of MAX_REQUESTS.
  - Improve client performance by clearing connection pool instead
  - Don't stop sending a request if EAGAIN is returned, which
    will only happen if both the write and subsequent wait are
    returning EAGAIN, and count posted bytes correctly when the initial
    write of a request is not complete. PR 10038, 38861, 39679
  - Overhaul stats collection and reporting to avoid integer
    truncation and time divisions within the test loop, retain
    native time resolution until output, remove unused data,
    consistently round milliseconds, and generally avoid losing
    accuracy of calculation due to type casts. PR 44878, 44931.
  - Add -r option to continue after socket receive errors.
  - Do not try to read non existing response bodies of HEAD requests.
  - Use a 64 bit unsigned int instead of a signed long to count the
  rotatelogs:
  - Log the current file size and error code/description when
    failing to write to the log file.
  - Added '-f' option to force rotatelogs to create the logfile as
    soon as started, and not wait until it reads the first entry.
  - Don't leak memory when reopening the logfile. PR 40183
  - Improve atomicity when using -l and cleanup code. PR 44004
- drop obsolete patches httpd-2.1.3alpha-autoconf-2.59.dif
  httpd-2.2.x-CVE-2008-1678.patch
- don't run autoreconf on SLES9
- remove the addition of -g to the CFLAGS, since the build service
  handles debuginfo packages now

-------------------------------------------------------------------
Mon Jun 9 17:18:03 CEST 2008 - poeml@suse.de

- build service supports the debuginfo flag in metadata now; remove
  debug_package macro from the specfile therefore.

-------------------------------------------------------------------
Mon May 26 16:55:37 CEST 2008 - skh@suse.de

- CVE-2008-1678: modules/ssl/mod_ssl.c (ssl_cleanup_pre_config):
  Remove the call to CRYPTO_cleanup_all_ex_data here, fixing a
  per-connection memory leak which occurs if the client indicates
  support for a compression algorithm in the initial handshake, and
  mod_ssl is linked against OpenSSL >= 0.9.8f. [bnc#392096]
  httpd-2.2.x-CVE-2008-1678.patch

-------------------------------------------------------------------
Thu May 15 01:58:08 CEST 2008 - poeml@suse.de

- fix build on Mandriva 2007, by escaping commented %build macro
- make filelist of man pages independent of the compression method
  (gz, bz2, lzma)

-------------------------------------------------------------------
Fri Apr 18 11:55:14 CEST 2008 - poeml@suse.de

- fix from Factory:
  - remove dir /usr/share/omc/svcinfo.d as it is provided now
    by filesystem
- remove obsolete httpd-2.2.x.doublefree.patch file, which isn't
  used since quite some time since the issue is resolved.

-------------------------------------------------------------------
Thu Apr 17 17:58:02 CEST 2008 - poeml@suse.de

- new implementation of sysconf_addword, using sed instead of ed.
  Moving it from the -utils subpackage into the parent package,
  where it's actually needed. If sysconf_addword is already present
  in the system, it is preferred (by PATH). That's because the tool
  has been integrated into aaa_base.rpm with openSUSE 11.0.
  Removing the requires on the ed package. [bnc#377131]

-------------------------------------------------------------------
Wed Mar 12 14:29:04 CET 2008 - poeml@suse.de

- require ed package, since ed is needed by sysconf_addword, which
  in turn is used by a2enmod/a2enflag

-------------------------------------------------------------------
Fri Feb 29 14:06:52 CET 2008 - poeml@suse.de

- better documentation how to enable SSL in /etc/sysconfig/apache2
- quickstart readme: the link to the openSUSE wiki is about to move

-------------------------------------------------------------------
Tue Feb 19 13:14:45 CET 2008 - poeml@suse.de

- add "127.0.0.1" to the local access list in mod_status.conf,
  because on some systems "localhost" seems to resolve only to IPv6
  localhost

-------------------------------------------------------------------
Sat Feb 2 05:37:34 CET 2008 - crrodriguez@suse.de

- upstream 2.2.8
  SECURITY: CVE-2007-6421 (cve.mitre.org)
  mod_proxy_balancer: Correctly escape the worker route and the worker
  redirect string in the HTML output of the balancer manager.
  Reported by SecurityReason.
  SECURITY: CVE-2007-6422 (cve.mitre.org)
  Prevent crash in balancer manager if invalid balancer name is passed
  as parameter. Reported by SecurityReason.
  SECURITY: CVE-2007-6388 (cve.mitre.org)
  mod_status: Ensure refresh parameter is numeric to prevent
  a possible XSS attack caused by redirecting to other URLs.
  Reported by SecurityReason.
  SECURITY: CVE-2007-5000 (cve.mitre.org)
  mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
  SECURITY: CVE-2008-0005 (cve.mitre.org)
  Introduce the ProxyFtpDirCharset directive, allowing the administrator
  to identify a default, or specific servers or paths which list their
  contents in other-than ISO-8859-1 charset (e.g. utf-8).
  mod_autoindex:
  - Generate valid XHTML output by adding the xhtml namespace. PR 43649
  mod_charset_lite:
  - Don't crash when the request has no associated filename.
  mod_dav:
  - Fix evaluation of If-Match * and If-None-Match * conditionals. PR 38034
  - Adjust etag generation to produce identical results on 32-bit
    and 64-bit platforms and avoid a regression with conditional PUT's on lock
    and etag. PR 44152.
  mod_deflate:
  - initialise inflate-out filter correctly when the first brigade
    contains no data buckets. PR 43512
  mod_disk_cache:
  - Delete temporary files if they cannot be renamed to their final
    name.
  mod_filter:
  - Don't segfault on (unsupported) chained FilterProvider usage. PR 43956
  mod_include:
  - Add an "if" directive syntax to test whether an URL is
    accessible, and if so, conditionally display content. This
    allows a webmaster to hide a link to a private page when the
    user has no access to that page.
  mod_ldap:
  - Try to establish a new backend LDAP connection when the
    Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g.
    after the LDAP server has closed the connection due to a
    timeout. PR 39095
  - Give callers a reference to data copied into the request pool
    instead of references directly into the cache PR 43786
  - Stop passing a reference to pconf around for (limited) use
    during request processing, avoiding possible memory corruption
    and crashes.
  mod_proxy:
  - Canonicalisation improvements. Add "nocanon" keyword to
    ProxyPass, to suppress URI-canonicalisation in a reverse proxy. Also,
    don't escape/unescape forward-proxied URLs. PR 41798, 42592
  - Don't by default violate RFC2616 by setting Max-Forwards when
    the client didn't send it to us. Leave that as a
    configuration option. PR 16137
  - Fix persistent backend connections. PR 43472
  - escape error-notes correctly PR 40952
  - check ProxyBlock for all blocked addresses PR 36987
  - Don't lose bytes when a response line arrives in small chunks.
    PR 40894
  mod_proxy_ajp:
  - Use 64K as maximum AJP packet size. This is the maximum length
    we can squeeze inside the AJP message packet.
  - Ignore any ajp13 flush packets received before we send the
    response headers. See Tomcat PR 43478.
  - Differentiate within AJP between GET and HEAD requests. PR 43060
  mod_proxy_balancer:
  - Do not reset lbstatus, lbfactor and lbset when starting a new
    child. PR 39907
  mod_proxy_http:
  - Remove Warning headers with wrong date PR 16138
  - Correctly parse all Connection headers in proxy. PR 43509
  - add Via header correctly (if enabled) to response, even where
    other Via headers exist. PR 19439
  - Correctly forward unexpected interim (HTTP 1xx) responses from
    the backend according to RFC2616. But make it configurable in
    case something breaks on it. PR 16518
  - strip hop-by-hop response headers PR 43455
  - Propagate Proxy-Authorization header correctly. PR 25947
  - Don't segfault on bad line in FTP listing PR 40733
  mod_rewrite:
  - Add option to suppress URL unescaping PR 34602
  - Add the novary flag to RewriteCond.
  mod_substitute:
  - Added a new output filter, which performs inline response
    content pattern matching (including regex) and substitution.
  mod_ssl:
  - Fix handling of the buffered request body during a per-location
    renegotiation, when an internal redirect occurs. PR 43738.
  - Fix SSL client certificate extensions parsing bug. PR 44073.
  - Prevent memory corruption of version string. PR 43865, 43334
  mod_status:
  - Add SeeRequestTail directive, which determines if
    ExtendedStatus displays the 1st 63 characters of the request
    or the last 63. Useful for those requests with large string
    lengths and which only vary with the last several characters.
  event MPM:
  - Add support for running under mod_ssl, by reverting to the
    Worker MPM behaviors, when run under an input filter that buffers
    its own data.
  core:
  - Fix regression in 2.2.7 in chunk filtering with massively
    chunked requests.
  - Lower memory consumption of ap_r* functions by reusing the
    brigade instead of recreating it during each filter pass.
  - Lower memory consumption in case that flush buckets are passed
    thru the chunk filter as last bucket of a brigade. PR 23567.
  - Fix broken chunk filtering that causes all non blocking reads
    to be converted into blocking reads. PR 19954, 41056.
  - Change etag generation to produce identical results on 32-bit
    and 64-bit platforms. PR 40064.
  - Handle unrecognised transfer-encodings. PR 43882
  - Avoid some unexpected connection closes by telling the client
    that the connection is not persistent if the MPM process
    handling the request is already exiting when the response
    header is built.
  - fix possible crash at startup in case of nonexistent
    DocumentRoot. PR 39722
  - http_core: OPTIONS * no longer maps to local storage or URI
    space. Note that unlike previous versions, OPTIONS * no longer
    returns an Allow: header. PR 43519
  - scoreboard: improve error message on apr_shm_create failure PR
    40037
  - Don't send spurious "100 Continue" response lines. PR 38014
  - http_protocol:
  - Escape request method in 413 error reporting. Determined to
    be not generally exploitable, but a flaw in any case. PR
    44014
  - Add "DefaultType none" option. PR 13986 and PR 16139
  - Escape request method in 405 error reporting. This has no
    security impact since the browser cannot be tricked into
    sending arbitrary method strings.
  - Various code cleanups. PR 38699, 39518, 42005, 42006, 42007, 42008, 42009
  - Add explicit charset to the output of various modules to work
    around possible cross-site scripting flaws affecting web
    browsers that do not derive the response character set as
    required by RFC2616. One of these reported by SecurityReason
  - rotatelogs: Change command-line parsing to report more types
    of errors. Allow local timestamps to be used when rotating based
    on file size.

-------------------------------------------------------------------
Wed Sep 12 20:11:37 CEST 2007 - poeml@suse.de

- fix graceful-restart. Wait until the pidfile is gone, but don't
  wait for the parent to disappear. It stays there, after closing
  the listen ports.

-------------------------------------------------------------------
Wed Sep 12 15:49:15 CEST 2007 - poeml@suse.de

- use debug_package macro only on suse, because it breaks the build
  on Mandriva

-------------------------------------------------------------------
Wed Sep 12 13:41:16 CEST 2007 - poeml@suse.de

- don't configure in maintainer-mode. It not only enables compile
  time warnings, but also adds AP_DEBUG into the mix which causes
  enablement of debug code which is not wanted in production
  builds.

-------------------------------------------------------------------
Mon Sep 10 17:32:56 CEST 2007 - poeml@suse.de

- upstream 2.2.6
  SECURITY: CVE-2007-3847 (cve.mitre.org)
  mod_proxy: Prevent reading past the end of a buffer when parsing
  date-related headers. PR 41144.
  SECURITY: CVE-2007-1863 (cve.mitre.org)
  mod_cache: Prevent a segmentation fault if attributes are listed in a
  Cache-Control header without any value.
  SECURITY: CVE-2007-3304 (cve.mitre.org)
  prefork, worker, event MPMs: Ensure that the parent process cannot
  be forced to kill processes outside its process group.
  SECURITY: CVE-2006-5752 (cve.mitre.org)
  mod_status: Fix a possible XSS attack against a site with a public
  server-status page and ExtendedStatus enabled, for browsers which
  perform charset "detection". Reported by Stefan Esser.
  SECURITY: CVE-2007-1862 (cve.mitre.org)
  mod_mem_cache: Copy headers into longer lived storage; header names and
  values could previously point to cleaned up storage. PR 41551.
  mod_alias:
  - Accept path components (URL part) in Redirects. PR 35314.
  mod_authnz_ldap:
  - Don't return HTTP_UNAUTHORIZED during authorization when
    LDAP authentication is configured but we haven't seen any
    'Require ldap-*' directives, allowing authorization to be passed to lower
    level modules (e.g. Require valid-user) PR 43281
  mod_autoindex:
  - Add in Type and Charset options to IndexOptions
    directive. This allows the admin to explicitly set the
    content-type and charset of the generated page and is therefore
    a viable workaround for buggy browsers affected by CVE-2007-4465
  mod_cache:
  - Remove expired content from cache that cannot be revalidated.
    PR 30370.
  - Do not set Date or Expires when they are missing from the
    original response or are invalid.
  - Correctly handle HEAD requests on expired cache content. PR
    41230.
  - Let Cache-Control max-age set the expiration of the cached
    representation if Expires is not set.
  - Allow caching of requests with query arguments when
    Cache-Control max-age is explicitly specified.
  - Use the same cache key throughout the whole request processing
    to handle escaped URLs correctly. PR 41475.
  - Add CacheIgnoreQueryString directive. PR 41484.
  - While serving a cached entity ensure that filters that have
    been applied to this cached entity before saving it to the
    cache are not applied again. PR 40090.
  - Correctly cache objects whose URL query string has been
    modified by mod_rewrite. PR 40805.
  mod_cgi, mod_cgid:
  - Fix use of CGI scripts as ErrorDocuments. PR 39710.
  mod_dbd:
  - Introduce configuration groups to allow inheritance by virtual
    hosts of database configurations from the main server.
    Determine the minimal set of distinct configurations and share
    connection pools whenever possible. Allow virtual hosts to
    override inherited SQL statements. PR 41302.
  - Create memory sub-pools for each DB connection and close DB
    connections in a pool cleanup function. Ensure prepared
    statements are destroyed before DB connection is closed. When
    using reslists, prevent segfaults when child processes exit,
    and stop memory leakage of ap_dbd_t structures. Avoid use of
    global s->process->pool, which isn't destroyed by exiting
    child processes in most multi-process MPMs. PR 39985.
  - Handle error conditions in dbd_construct() properly. Simplify
    ap_dbd_open() and use correct arguments to apr_dbd_error()
    when non-threaded. Register correct cleanup data in
    non-threaded ap_dbd_acquire() and ap_dbd_cacquire(). Clean up
    configuration data and merge function. Use ap_log_error()
    wherever possible.
  - Stash DBD connections in request_config of initial request
    only, or else sub-requests and internal redirections may cause
    entire DBD pool to be stashed in a single HTTP request.
  mod_deflate:
  - don't try to process metadata buckets as data. what should
    have been a 413 error was logged as a 500 and a blank screen
    appeared at the browser.
  - fix protocol handling in deflate input filter PR 23287
  mod_disk_cache:
  - Allow Vary'd responses to be refreshed properly.
  mod_dumpio:
  - Fix for correct dumping of traffic on EBCDIC hosts. Data had
    been incorrectly converted twice, resulting in garbled log
    output.
  mod_expires:
  - don't crash on bad configuration data PR 43213
  mod_filter:
  - fix integer comparisons in dispatch rules PR 41835
  - fix merging of ! and = in FilterChain PR 42186
  mod_headers:
  - Allow % at the end of a Header value. PR 36609.
  mod_info:
  - mod_info outputs invalid XHTML 1.0 transitional. PR 42847
  mod_ldap:
  - Avoid possible crashes, hangs, and busy loops due to improper
    merging of the cache lock in vhost config PR 43164
  mod_ldap:
  - Remove the hardcoded size limit parameter for
    ldap_search_ext_s and replace it with an APR_ defined value
    that is set according to the LDAP SDK being used.
  mod_mem_cache:
  - Increase the minimum and default value for MCacheMinObjectSize
    from 0 to 1, as a MCacheMinObjectSize of 0 does not make sense
    and leads to a division by zero. PR 40576.
  mod_negotiation:
  - preserve Query String in resolving a type map PR 33112
  mod_proxy:
  - mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as
    synonymous. PR 43183
  - Ensure that at least scheme://hostname[:port] matches between
    worker and URL when searching for the best fitting worker for
    a given URL. PR 40910
  - Improve network performance by setting APR_TCP_NODELAY
    (disable Nagle algorithm) on sockets if implemented. PR 42871
  - Add a missing assignment in an error checking code path. PR 40865
  - don't URLencode tilde in path component PR 38448
  - enable Ignore Errors option on ProxyPass Status. PR 43167
  - Allow to use different values for sessionid in url encoded id
    and cookies. PR 41897.
  - Fix the 503 returned when session route does not match any of
    the balancer members.
  - Added ProxyPassMatch directive, which is similar to ProxyPass
    but takes a regex local path prefix.
  - Print the correct error message for erroneously configured
    ProxyPass directives. PR 40439.
  - Fix some proxy setting inheritance problems (eg:
    ProxyTimeout). PR 11540.
  - proxy/ajp_header.c: Fixed header token string comparisons
    Matching of header tokens failed to include the trailing NIL
    byte and could misinterpret a longer header token for a
    shorter. Additionally, a "Content-Type" comparison was made
    case insensitive.
  - proxy/ajp_header.c: Backport of an AJP protocol fix for EBCDIC
    On EBCDIC machines, the status_line string was incorrectly
    converted twice.
  mod_proxy_connect:
  - avoid segfault on DNS lookup failure. PR 40756
  mod_proxy_http:
  - HTTP proxy ProxyErrorOverride: Leave 1xx and 3xx responses
    alone. Only processing of error responses (4xx, 5xx) will be
    altered. PR 39245.
  - Don't try to read body of a HEAD request before responding. PR 41644
  - Handle request bodies larger than 2 GB by converting the
    Content-Length header of the request correctly. PR 40883.
  mod_ssl:
  - Fix spurious hostname mismatch warning for valid wildcard
    certificates. PR 37911.
  - Version reporting update; displays 'compiled against' Apache
    and build-time SSL Library versions at loglevel [info], while
    reporting the run-time SSL Library version in the server info
    tags. Helps to identify a mod_ssl built against one flavor of
    OpenSSL but running against another (also adds SSL-C version
    number reporting.)
  - initialize thread locks before initializing the hardware
    acceleration library, so the latter can make use of the
    former. PR 20951.
  core:
  - Do not replace a Date header set by a proxied backend server. PR 40232
  - log core: ensure we use a special pool for stderr logging, so that
    the stderr channel remains valid from the time plog is destroyed,
    until the time the open_logs hook is called again.
  - main core: Emit errors during the initial apr_app_initialize()
    or apr_pool_create() (when apr-based error reporting is not ready).
  - log core: fix the new piped logger case where we couldn't connect
    the replacement stderr logger's stderr to the NULL stdout stream.
    Continue in this case, since the previous alternative of no error
    logging at all (/dev/null) is far worse.
  - Correct a regression since 2.0.x in the handling of AllowOverride
    Options. PR 41829.
  - Unix MPMs: Catch SIGFPE so that exception hooks and CoreDumpDirectory
    can work after that terminating signal.
  - mod_so: Provide more helpful LoadModule feedback when an error occurs.
  misc:
  - mime.types: Many updates to sync with IANA registry and common
    unregistered types that the owners refuse to register. Admins
    are encouraged to update their installed mime.types file. PR:
    35550, 37798, 39317, 31483
  - mime.types: add Registered Javascript/ECMAScript MIME types
    (RFC4329) PR 40299
  - htdbm: Enable crypt support on platforms with crypt() but not
    <crypt.h>, such as z/OS.
  - ab.c: Correct behavior of HTTP request headers sent by ab in
    presence of -H command-line overrides. PR 31268, 26554.
  - ab.c: The apr_port_t type is unsigned, but ab was using a
    signed format code in its reports. PR 42070.
- drop obsolete patches apache2-mod_cache-CVE-2007-1863.patch
  apache2-mod_status-CVE-2006-5752.patch
  httpd-2.2.4-mod_autoindex-charset-r570962.patch
  mod_dbd.c-issue18989-autoconnect.dif
  mod_dbd.c-r571441

-------------------------------------------------------------------
Mon Sep 3 13:43:22 CEST 2007 - skh@suse.de

- get_module_list: replace loadmodule.conf atomically [bnc #214863]

-------------------------------------------------------------------
Sat Sep 1 01:49:37 CEST 2007 - poeml@suse.de

- /etc/init.d/apache2: implement restart-graceful, stop-graceful

-------------------------------------------------------------------
Fri Aug 31 14:21:27 CEST 2007 - poeml@suse.de

- update mod_dbd to trunk version (r571441)
  * apr_dbd_check_conn() just returns APR_SUCCESS or
    APR_EGENERAL, so we don't actually have a driver-specific value
    to pass to apr_dbd_error(), but that's OK because most/all
    drivers just ignore this value anyway

-------------------------------------------------------------------
Fri Aug 31 12:37:27 CEST 2007 - poeml@suse.de

- replace httpd-2.2.3-AddDirectoryIndexCharset.patch with the upstream
  solution, httpd-2.2.4-mod_autoindex-charset-r570962.patch [#153557]
  (backport from 2.2.6)
  * Merge r570532, r570535, r570558 from trunk:
    IndexOptions ContentType=text/html Charset=UTF-8 magic.
    http://svn.apache.org/viewvc?rev=570962&view=rev
    http://issues.apache.org/bugzilla/show_bug.cgi?id=42105
  This means that the AddDirectoryIndexCharset is no longer
  available. Instead, IndexOptions Charset=xyz can be used.

-------------------------------------------------------------------
Fri Aug 31 11:42:58 CEST 2007 - poeml@suse.de

- remove libexpat-devel in the build service version of the package
- apply apache2-mod_cache-CVE-2007-1863.patch (patch 152) in the
  buildservice package
- don't apply mod_dbd.c-issue18989-autoconnect.dif, since it
  patches only modules/database/mod_dbd.c which is replaced with
  trunk version anyway

-------------------------------------------------------------------
Thu Aug 23 11:27:19 CEST 2007 - mskibbe@suse.de

- Bug 289996 - VUL-0: mod_status XSS in public server status page
- Bug 289997 - VUL-0: apache2: mod_cache remote denial of service

-------------------------------------------------------------------
Wed Jul 18 16:04:05 CEST 2007 - skh@suse.de

- split off apache2-utils subpackage, containing all helper tools that
  are useful for system administrators in general (b.n.c. #272292 and
  FATE #302059)

-------------------------------------------------------------------
Thu Mar 29 19:14:16 CEST 2007 - dmueller@suse.de

- add zlib-devel to BuildRequires

-------------------------------------------------------------------
Fri Mar 23 08:55:47 CET 2007 - poeml@suse.de

- add mod_dbd.c from trunk (r512038), the version we run ourselves
  http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/database/mod_dbd.c?view=log
- add mod_dbd.c-issue18989-autoconnect.dif, but disabled. It
  applies to 2.2.4 mod_dbd.c but not to the trunk version
- build mod_version
- fix documentation link in apache2-httpd.conf

-------------------------------------------------------------------
Tue Mar 20 10:47:18 CET 2007 - mskibbe@suse.de

- add firewall file for ssl (#246929)

-------------------------------------------------------------------
Mon Mar 19 12:44:22 CET 2007 - mskibbe@suse.de

- Apache - Support for FATE #300687: Ports for SuSEfirewall added
  via packages (#246929)

-------------------------------------------------------------------
Fri Jan 26 12:44:04 CET 2007 - poeml@suse.de

- the QUICKSTART Readmes have been moved to
  http://www.opensuse.org/Apache

-------------------------------------------------------------------
Mon Jan 22 11:24:32 CET 2007 - poeml@suse.de

- point out better in README.QUICKSTART.SSL that a vhost needs to
  be created
- fixes to README.QUICKSTART.WebDAV
- updated email addresses (now there is apache@suse.de)

-------------------------------------------------------------------
Sat Jan 20 17:16:20 CET 2007 - poeml@suse.de

- add httpd-2.2.x.doublefree.patch, backport of
  http://svn.apache.org/viewvc?diff_format=h&view=rev&revision=496831
  See http://issues.apache.org/bugzilla/show_bug.cgi?id=39985

-------------------------------------------------------------------
Thu Jan 18 22:00:48 CET 2007 - poeml@suse.de

- create debuginfo package in the buildservice

-------------------------------------------------------------------
Fri Jan 12 14:25:51 CET 2007 - mskibbe@suse.de

- change path to service cml document (fate #301708)

-------------------------------------------------------------------
Tue Jan 9 15:59:42 CET 2007 - poeml@suse.de

- upstream 2.2.4
  mod_authnz_ldap:
    - Add an AuthLDAPRemoteUserAttribute directive. If set,
      REMOTE_USER will be set to this attribute, rather than the
      username supplied by the user. Useful for example when you
      want users to log in using an email address, but need to
      supply a userid instead to the backend.
  mod_cache:
    - From RFC3986 (section 6.2.3.) if a URI contains an authority
      component and an empty path, the empty path is to be
      equivalent to "/". It explicitly cites the following four URIs
      as equivalents:
      http://example.com
      http://example.com/
      http://example.com:/
      http://example.com:80/
    - Eliminate a bogus error in the log when a filter returns
      AP_FILTER_ERROR.
    - Don't cache requests with an expires date in the past;
      otherwise mod_cache will always try to cache the URL. This bug
      might lead to numerous rename() errors on win32 if the URL was
      previously cached.
  mod_cgi and mod_cgid:
    - Don't use apr_status_t error return from input filters as HTTP
      return value from the handler. PR 31579.
  mod_dbd:
    - share per-request database handles across subrequests and
      internal redirects
    - key connection pools to virtual hosts correctly even when
      ServerName is unset/unavailable
  mod_deflate:
    - Rework inflate output and deflate output filter to fix several
      issues: Incorrect handling of flush buckets, potential memory
      leaks, excessive memory usage in inflate output filter for
      large compressed content. PR 39854.
  mod_disk_cache:
    - Make sure that only positive integers are accepted for the
      CacheMaxFileSize and CacheMinFileSize parameters in the config
      file. PR39380.
  mod_dumpio:
    - Allow mod_dumpio to log at other than DEBUG levels via the new
      DumpIOLogLevel directive.
  mod_echo:
    - Fix precedence problem in if statement. PR 40658.
  mod_ext_filter:
    - Handle filter names which include capital letters. PR 40323.
  mod_headers:
    - Support regexp-based editing of HTTP headers.
  mod_mime_magic:
    - Fix precedence problem in if statement. PR 40656.
  mod_mem_cache:
    - Memory leak fix: Unconditionally free the buffer.
    - Convert mod_mem_cache to use APR memory pool functions by
      creating a root pool for object persistence across requests.
      This also eliminates the need for custom serialization code.
  mod_proxy:
    - Don't try to use dead backend connection. PR 37770.
    - Add explicit flushing feature. When Servlet container sends
      AJP body message with size 0, this means that Servlet
      container has asked for an explicit flush. Create flush bucket
      in that case. This feature has been added to the recent Tomcat
      versions without breaking the AJP protocol.
  mod_proxy_ajp:
    - Close connection to backend if reading of request body fails.
      PR 40310.
    - Added cping/cpong support for the AJP protocol. A new worker
      directive ping=timeout will cause CPING packet to be sent
      expecting CPONG packet within defined timeout. In case the
      backend is too busy this will fail instead of sending the full
      header.
  mod_proxy_balancer:
    - Workers can now be defined as part of a balancer cluster "set"
      in which members of a lower-numbered set are preferred over
      higher numbered ones.
    - Workers can now be defined as "hot standby" which will only be
      used if all other workers are unusable (eg: in error or
      disabled). Also, the balancer-manager displays the election
      count and I/O counts of all workers.
    - Retry worker chosen by route / redirect worker if it is in
      error state before sending "Service Temporarily Unavailable".
      PR 38962.
    - Extract stickysession routing information contained as
      parameter in the URL correctly. PR 40400.
    - Set the new environment variable BALANCER_ROUTE_CHANGED if a
      worker with a route different from the one supplied by the
      client had been chosen or if the client supplied no routing
      information for a balancer with sticky sessions.
    - Add information about the route, the sticky session and the
      worker used during a request as environment variables. PR
      39806.
  core:
    - Fix issue which could cause piped loggers to be orphaned and
      never terminate after a graceful restart. PR 40651.
    - Fix address-in-use startup failure caused by corruption of the
      list of listen sockets in some configurations with multiple
      generic Listen directives.
    - Fix NONBLOCK status of listening sockets on restart/graceful
      PR 37680.
    - Deal with the widespread use of apr_status_t return values as
      HTTP status codes, as documented in PR#31759 (a bug shared by
      the default handler, mod_cgi, mod_cgid, mod_proxy, and
      probably others). PR31759.
    - The full server version information is now included in the
      error log at startup as well as server status reports,
      irrespective of the setting of the ServerTokens directive.
      ap_get_server_version() is now deprecated, and is replaced by
      ap_get_server_banner() and ap_get_server_description().
  misc:
    - Allow htcacheclean, httxt2dbm, and fcgistarter to link
      apr/apr-util statically like the older support programs.
    - Better detection and clean up of ldap connection that has been
      terminated by the ldap server. PR 40878.
    - rotatelogs: Improve error message for open failures. PR
      39487.

-------------------------------------------------------------------
Mon Jan 8 11:57:04 CET 2007 - mskibbe@suse.de

- Apache XML Service Description Document (fate #301708)

-------------------------------------------------------------------
Thu Dec 21 10:36:14 CET 2006 - poeml@suse.de

- add patch to add charset=utf-8 to directory listings generated by
  mod_autoindex, and add a directive to allow overriding the
  charset (testing, needs to be discussed with upstream) [#153557]
  httpd-2.2.3-AddDirectoryIndexCharset.patch

-------------------------------------------------------------------
Wed Dec 20 15:58:35 CET 2006 - poeml@suse.de

- set a proper HOME (/var/lib/apache2), otherwise the server might
  end up HOME=/root and some script might try to use that [#132769]
- add two notes to the QUICKSTART readmes
- don't install /etc/apache2/extra configuration since this is only
  serving as an example and installed with the documentation anyway

-------------------------------------------------------------------
Tue Sep 26 11:13:52 CEST 2006 - poeml@suse.de

- add rpm macro for suexec_safepath
- use _bindir/_sbindir in a few places [#202355]
- remove unused /sbin/conf.d directory from build root

-------------------------------------------------------------------
Thu Aug 31 15:26:54 CEST 2006 - poeml@suse.de

- Enable fatal exception hook for use by diagnostic modules.

-------------------------------------------------------------------
Tue Aug 29 16:33:59 CEST 2006 - poeml@suse.de

- move some binaries, where calling by users makes sense (dbmmanage
  htdbm htdigest htpasswd), from /usr/sbin to /usr/bin [#140133]

-------------------------------------------------------------------
Wed Aug 9 16:13:07 CEST 2006 - poeml@suse.de

- upstream 2.2.3
|SECURITY: CVE-2006-3747 (cve.mitre.org)
| mod_rewrite: Fix an off-by-one security problem in the ldap scheme
| handling. For some RewriteRules this could lead to a pointer being
| written out of bounds. Reported by Mark Dowd of McAfee.
| mod_authn_alias: Add a check to make sure that the base provider and the
| alias names are different and also that the alias has not been registered
| before. PR 40051.
| mod_authnz_ldap: Fix a problem with invalid auth error detection for LDAP
| client SDKs that don't support the LDAP_SECURITY_ERROR macro. PR 39529.
| mod_autoindex: Fix filename escaping with FancyIndexing disabled.
| PR 38910.
| mod_cache:
| - Make caching of reverse SSL proxies possible again. PR 39593.
| - Do not overwrite the Content-Type in the cache, for
| successfully revalidated cached objects. PR 39647.
| mod_charset_lite: Bypass translation when the source and dest charsets
| are the same.
| mod_dbd: Fix dependence on virtualhost configuration in
| defining prepared statements (possible segfault at startup
| in user modules such as mod_authn_dbd).
| mod_mem_cache: Set content type correctly when delivering data from
| cache. PR 39266.
| mod_speling: Add directive to deal with case corrections only
| and ignore other misspellings
| miscellaneous:
| - Add optional 'scheme://' prefix to ServerName directive,
| allowing correct determination of the canonical server URL
| for use behind a proxy or offload device handling SSL;
| fixing redirect generation in those cases. PR 33398.
| - Added server_scheme field to server_rec for above. Minor MMN bump.
| - Worker MPM: On graceless shutdown or restart, send signals
| to each worker thread to wake them up if they're polling on
| a Keep-Alive connection. PR 38737.
| - worker and event MPMs: fix excessive forking if fork() or
| child_init take a long time. PR 39275.
| - Respect GracefulShutdownTimeout in the worker and event MPMs.
| - configure: Add "--with-included-apr" flag to force use of
| the bundled version of APR at build time.

-------------------------------------------------------------------
Tue Jul 4 12:20:54 CEST 2006 - poeml@suse.de

- a2enmod, a2enflag: add /usr/sbin to PATH so sysconf_addword is
  found

-------------------------------------------------------------------
Fri Jun 23 09:52:17 CEST 2006 - poeml@suse.de

- fix typo in apache-20-22-upgrade script: mod_image_map ->
  mod_imagemap

-------------------------------------------------------------------
Mon Jun 12 11:28:59 CEST 2006 - poeml@suse.de

- enable logresolve processing of lines longer than 1024 characters
  by compiling with MAXLINE=4096 [#162806]

-------------------------------------------------------------------
Fri Jun 9 23:11:45 CEST 2006 - poeml@suse.de

- upstream 2.2.2
| SECURITY: CVE-2005-3357 (cve.mitre.org)
| mod_ssl: Fix a possible crash during access control checks
| if a non-SSL request is processed for an SSL vhost (such as
| the "HTTP request received on SSL port" error message when
| a 400 ErrorDocument is configured, or if using "SSLEngine
| optional"). PR 37791.
| SECURITY: CVE-2005-3352 (cve.mitre.org)
| mod_imagemap: Escape untrusted referer header before
| outputting in HTML to avoid potential cross-site scripting.
| Change also made to ap_escape_html so we escape quotes.
| Reported by JPCERT.
| mod_cache:
| - Make caching of reverse proxies possible again. PR 38017.
| mod_disk_cache:
| - Return the correct error codes from bucket read failures,
| instead of APR_EGENERAL.
| mod_dbd:
| - Update defaults, improve error reporting.
| - Create own pool and mutex to avoid problem use of process
| pool in request processing.
| mod_deflate:
| - work correctly in an internal redirect
| mod_proxy:
| - don't reuse a connection that may be to the wrong backend PR 39253
| - Do not release connections from connection pool twice. PR 38793.
| - Fix KeepAlives not being allowed and set to backend servers. PR 38602.
| - Fix incorrect usage of local and shared worker init. PR 38403.
| - If we get an error reading the upstream response, close the
| connection.
| mod_proxy_balancer:
| - Initialize members of a balancer correctly. PR 38227.
| mod_proxy_ajp:
| - Flushing of the output after each AJP chunk is now
| configurable at runtime via the 'flushpackets' and 'flushwait'
| worker params. Minor MMN bump.
| - Crosscheck the length of the body chunk with the length of the
| ajp message to prevent mod_proxy_ajp from reading beyond the
| buffer boundaries and thus revealing possibly sensitive memory
| contents to the client.
| - Support common headers of the AJP protocol in responses. PR 38340.
| mod_proxy_http:
| - Do send keep-alive header if the client sent connection:
| keep-alive and do not close backend connection if the client
| sent connection: close. PR 38524.
| mod_proxy_balancer:
| - Do not overwrite the status of initialized workers and respect
| the configured status of uninitialized workers when creating a
| new child process.
| - Fix off-by-one error in proxy_balancer. PR 37753.
| mod_speling:
| - Stop crashing with certain non-file requests.
| mod_ssl:
| - Fix possible crashes in shmcb with gcc 4 on platforms
| requiring word-aligned pointers. PR 38838.
| miscellaneous:
| - core: Prevent reading uninitialized memory while reading a line of
| protocol input. PR 39282.
| - core: Reject invalid Expect header immediately. PR 38123.
| - Default handler: Don't return output filter apr_status_t values.
| PR 31759.
| - Add APR/APR-Util Compiled and Runtime Version numbers to the
| output of 'httpd -V'.
| - http: If a connection is aborted while waiting for a chunked line,
| flag the connection as errored out.
| - Don't hang on error return from post_read_request. PR 37790.
| - Fix mis-shifted 32 bit scope, masked to 64 bits as a method.
| - Fix recursive ErrorDocument handling. PR 36090.
| - Ensure that the proper status line is written to the client, fixing
| incorrect status lines caused by filters which modify r->status without
| resetting r->status_line, such as the built-in byterange filter.
| - HTML-escape the Expect error message. Not classed as security as
| an attacker has no way to influence the Expect header a victim will
| send to a target site.
| - Chunk filter: Fix chunk filter to create correct chunks in the case that
| a flush bucket is surrounded by data buckets.
| - Avoid Server-driven negotiation when a script has emitted an
| explicit Status: header. PR 38070.
| - htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
| - htdbm: Warn the user when adding a plaintext password on a platform
| where it wouldn't work with the server (i.e., anywhere that has
| crypt()).
- adapted httpd-2.1.3alpha-autoconf-2.59.dif
- other user visible changes:
  * use a2enmod, a2enflag in apache2-README.QUICKSTART.*
  * add README.QUICKSTART link to httpd.conf
- when installing/updating, avoid irritating message in
  /var/log/messages ("group is unknown - group=wwwadmin") [#183071]
- build system changes:
  * clean up old cruft tied to suse_version macros
  * don't run buildconf, and thus don't need python.
  * don't ship uid.conf as source file, but create it dynamically
    instead, according to user/group defined via rpm macro
  * create wwwrun:www user on non-SUSE builds
  * work around missing macros insserv_prereq and fillup_prereq on non-SUSE builds
  * add openssl-devel and expat-devel to Buildrequires for non-SUSE builds
  * make sure that the rpm macro sles_version is defined
  * remove obsolete VENDOR UnitedLinux macro

-------------------------------------------------------------------
Tue Apr 25 18:10:28 CEST 2006 - poeml@suse.de

- obsolete 'apache' package on SLES10 (obsolete it on all platforms
  except SLES9 and old SL releases)

-------------------------------------------------------------------
Wed Mar 29 11:54:00 CEST 2006 - poeml@suse.de

- remove php4 from default modules [#155333]
- fix comment in /etc/init.d/apache2 [#148559]

-------------------------------------------------------------------
Mon Feb 20 13:49:07 CET 2006 - poeml@suse.de

- fixed comment in init script which indicated wrong version [#148559]

-------------------------------------------------------------------
Mon Jan 30 12:41:20 CET 2006 - poeml@suse.de

- added Requires: libapr-util1-devel to apache2-devel package [#146496]

-------------------------------------------------------------------
Fri Jan 27 15:10:15 CET 2006 - poeml@suse.de

- add a note about NameVirtualHost statements to the vhost template
  files [#145000]

-------------------------------------------------------------------
Wed Jan 25 21:34:16 CET 2006 - mls@suse.de

- converted neededforbuild to BuildRequires

-------------------------------------------------------------------
Fri Jan 20 13:20:04 CET 2006 - poeml@suse.de

- cleanup: remove obsolete metuxmpm patch
- improve informational text in apache-20-22-upgrade

-------------------------------------------------------------------
Wed Jan 18 10:11:12 CET 2006 - poeml@suse.de

- the new DYNAMIC_MODULE_LIMIT default in 2.2 is 128, so no need to
  increase it anymore (fixes [#143536])

-------------------------------------------------------------------
Mon Dec 19 13:25:20 CET 2005 - poeml@suse.de

- update to 2.2.0
- enable all new modules
- replaced modules "auth auth_dbm access" in default configuration
  by "auth_basic authn_file authn_dbm authz_host authz_default
  authz_user"
- /usr/share/apache2/apache-20-22-upgrade will fix the module list
  on upgrade
- fix bug in sysconf_addword (used by a2enmod) to respect word
  boundaries when removing a word (but don't count slashes as word
  boundary)
- remove perchild mpm subpackage, add experimental event mpm
- remove obsolete tool apache2-reconfigure-mpm
- remove obsolete perchild config from apache2-server-tuning.conf
- remove libapr0 subpackage; add libapr1 and libapr-util1 to #neededforbuild
- build against system pcre
- build with --enable-pie
- don't modify which libraries are linked in
- adjust IndexIgnore setting to upstream default. Previously, the
  parent directory (..) was being ignored
- package the symlinks in ssl.crt

-------------------------------------------------------------------
Wed Dec 7 11:07:21 CET 2005 - poeml@suse.de

- patch apxs to use the new a2enmod tool, when called with -a
- add -l option to a2enmod, which gives a list of active modules
- adjust feedback address in the readmes
- update README.QUICKSTART.SSL (mention TinyCA)
- add more documentation in server-tuning.conf, and adjust defaults
- do not document the restart-hup action of the init script. It
  should not be used
- don't install the tool checkgid -- it is only usable during
  installation

-------------------------------------------------------------------
Fri Nov 18 13:22:21 CET 2005 - poeml@suse.de

- fix duplicated Source45 tag

-------------------------------------------------------------------
Mon Oct 24 14:17:08 CEST 2005 - poeml@suse.de

- update to 2.0.55. Relevant changes:
| SECURITY: CAN-2005-2700 (cve.mitre.org)
| mod_ssl: Fix a security issue where "SSLVerifyClient" was
| not enforced in per-location context if "SSLVerifyClient
| optional" was configured in the vhost configuration.
| SECURITY: CAN-2005-2491 (cve.mitre.org):
| Fix integer overflows in PCRE in quantifier parsing which
| could be triggered by a local user through use of a
| carefully-crafted regex in an .htaccess file.
| SECURITY: CAN-2005-2088 (cve.mitre.org)
| proxy: Correctly handle the Transfer-Encoding and
| Content-Length headers. Discard the request Content-Length
| whenever T-E: chunked is used, always passing one of either
| C-L or T-E: chunked whenever the request includes a request
| body. Resolves an entire class of proxy HTTP Request
| Splitting/Spoofing attacks.
| SECURITY: CAN-2005-2728 (cve.mitre.org)
| Fix cases where the byterange filter would buffer responses
| into memory. PR 29962.
| SECURITY: CAN-2005-2088 (cve.mitre.org)
| core: If a request contains both Transfer-Encoding and
| Content-Length headers, remove the Content-Length,
| mitigating some HTTP Request Splitting/Spoofing attacks.
| SECURITY: CAN-2005-1268 (cve.mitre.org)
| mod_ssl: Fix off-by-one overflow whilst printing CRL
| information at "LogLevel debug" which could be triggered if
| configured to use a "malicious" CRL. PR 35081.
| miscellaneous:
| - worker MPM: Fix a memory leak which can occur after an
| aborted connection in some limited circumstances.
| - worker mpm: don't take down the whole server for a transient
| thread creation failure. PR 34514
| - Added TraceEnable [on|off|extended] per-server directive to
| alter the behavior of the TRACE method. This addresses a
| flaw in proxy conformance to RFC 2616 - previously the proxy
| server would accept a TRACE request body although the RFC
| prohibited it. The default remains 'TraceEnable on'.
| - Add ap_log_cerror() for logging messages associated with
| particular client connections.
| - Support the suppress-error-charset setting, as with Apache
| 1.3.x. PR 31274.
| - Fix bad globbing comparison which could result in getting a
| directory listing when a file was requested. PR 34512.
| - Fix a file descriptor leak when starting piped loggers. PR
| 33748.
| - Prevent hangs of child processes when writing to piped
| loggers at the time of graceful restart. PR 26467.
| mod_cgid:
| - Correct mod_cgid's argv[0] so that the full path can be
| delved by the invoked cgi application, to conform to the
| behavior of mod_cgi.
| mod_include:
| - Fix possible environment variable corruption when using
| nested includes. PR 12655.
| mod_ldap:
| - Fix PR 36563. Keep track of the number of attributes
| retrieved from LDAP so that all of the values can be
| properly cached even if the value is NULL.
| - Fix core dump if mod_auth_ldap's
| mod_auth_ldap_auth_checker() was called even if
| mod_auth_ldap_check_user_id() was not (or if it didn't
| succeed) for non-authoritative cases.
| - Avoid segfaults when opening connections if using a version
| of OpenLDAP older than 2.2.21. PR 34618.
| - Fix various shared memory cache handling bugs. PR 34209.
| mod_proxy:
| - Fix over-eager handling of '%' for reverse proxies. PR
| 15207.
| - proxy HTTP: If a response contains both Transfer-Encoding
| and a Content-Length, remove the Content-Length and don't
| reuse the connection, mitigating some HTTP Response
| Splitting attacks.
| - proxy HTTP: Rework the handling of request bodies to handle
| chunked input and input filters which modify content length,
| and avoid spooling arbitrary-sized request bodies in memory.
| PR 15859.
| mod_ssl:
| - Fix build with OpenSSL 0.9.8. PR 35757.
| mod_rewrite:
| - use buffered I/O to improve performance with large
| RewriteMap txt: files.
| mod_userdir:
| - Fix possible memory corruption issue. PR 34588.
- drop obsolete patches httpd-2.0.54-openssl-0.9.8.dif
  httpd-2.0.54-CAN-2005-1268-mod_ssl-crl.dif
  apache2-bundled-pcre-5.0-CAN-2005-2491.dif
  httpd-2.0.54-SSLVerifyClient-CAN-2005-2700.diff
  httpd-2.0.54-ap_byterange-CAN-2005-2728.diff
- add httpd-2.0.55-37145_2.0.x.diff (broken mod_proxy in 2.0.55)

-------------------------------------------------------------------
Thu Oct 20 15:50:35 CEST 2005 - poeml@suse.de

- rc.apache2: when stopping the server, wait for the actual binary
  of the parent process to disappear. Waiting for the pid file to
  disappear is not sufficient, because not all cleanup might be
  finished at the time of its removal. [#96492], [#85539]

-------------------------------------------------------------------
Wed Oct 12 15:42:47 CEST 2005 - poeml@suse.de

- fix security hole by wrongly initializing LD_LIBRARY_PATH in
  /usr/sbin/envvars (used by apache2ctl only) [#118188]

-------------------------------------------------------------------
Fri Sep 30 09:47:20 CEST 2005 - poeml@suse.de

- accommodate API changes to OpenSSL 0.9.8 (r209468 from 2.0.x branch)

-------------------------------------------------------------------
Mon Sep 26 01:24:18 CEST 2005 - ro@suse.de

- define LDAP_DEPRECATED in CFLAGS

-------------------------------------------------------------------
Fri Sep 2 12:55:08 CEST 2005 - poeml@suse.de

- security fix [CAN-2005-2728 (cve.mitre.org)]:
  fix memory consumption bug in byterange handling
- security fix [CAN-2005-2700 (cve.mitre.org)]: [#114701]
  if "SSLVerifyClient optional" has been configured at the vhost
  context then "SSLVerifyClient require" is not enforced in a
  location context within that vhost; effectively allowing clients
  to bypass client-cert authentication checks. [#114701]

-------------------------------------------------------------------
Wed Aug 31 15:39:38 CEST 2005 - poeml@suse.de

- Security fix: fix integer overflows in PCRE in quantifier parsing which
  could be triggered by a local user through use of a carefully-crafted
  regex in an .htaccess file. CAN-2005-2491 [#112651] [#106209]

-------------------------------------------------------------------
|
|
Tue Aug 30 17:41:46 CEST 2005 - lmuelle@suse.de
|
|
|
|
- Escape also any forward slash while removing a word with sysconf_addword.
|
|
|
|
-------------------------------------------------------------------
Fri Aug 26 14:33:34 CEST 2005 - lmuelle@suse.de

- Escape any forward slash in the word argument of sysconf_addword.

-------------------------------------------------------------------
Sun Aug 14 00:20:26 CEST 2005 - ro@suse.de

- align suexec2 permissions with permissions.secure

-------------------------------------------------------------------
Thu Aug 11 11:09:49 CEST 2005 - poeml@suse.de

- the permissions files are now maintained centrally and packaged
  in the permissions package. Package suexec2 with mode 0750. [#66304]

-------------------------------------------------------------------
Fri Aug 5 13:10:21 CEST 2005 - poeml@suse.de

- change SSLMutex "default" so APR always picks the best on the
  platform
- fix Source42 tag which was present twice
- add a2enmod/a2enflag to add/remove modules/flags conveniently
- add charset.conv table for mod_auth_ldap
- make sure that suse_version is defined (it might be unset by e.g.
  ISPs preinstallations)

-------------------------------------------------------------------
Tue Jul 12 23:49:29 CEST 2005 - poeml@suse.de

- security fix [CAN-2005-2088 (cve.mitre.org)]: core: If a request
  contains both Transfer-Encoding and a Content-Length, remove the
  Content-Length, stopping some HTTP Request smuggling attacks.
  mod_proxy: Reject chunked requests. [#95709]
- security fix [CAN-2005-1268 (cve.mitre.org)]: mod_ssl: fix
  off-by-one overflow whilst printing CRL information at "LogLevel
  debug" which could be triggered if configured to use a
  "malicious" CRL. PR 35081. [#95709]

-------------------------------------------------------------------
Mon Jun 20 12:57:17 CEST 2005 - poeml@suse.de

- add httpd-2.0.47-pie.patch from 2.1.3-dev to compile with
  -fpie and link with -pie

-------------------------------------------------------------------
Wed May 18 16:46:22 CEST 2005 - poeml@suse.de

- update to 2.0.54. Relevant changes:
| mod_cache:
| - Add CacheIgnoreHeaders directive. PR 30399.
| mod_dav:
| - Correctly export all public functions.
| mod_ldap:
| - Added the directive LDAPConnectionTimeout to configure the
| ldap socket connection timeout value.
| mod_ssl:
| - If SSLUsername is used, set r->user earlier. PR 31418.
| miscellaneous:
| - Unix MPMs: Shut down the server more quickly when child
| processes are slow to exit.
| - worker MPM: Fix a problem which could cause httpd processes
| to remain active after shutdown.
| - Remove formatting characters from ap_log_error() calls.
| These were escaped as fallout from CAN-2003-0020.
| - core_input_filter: Move buckets to a persistent brigade
| instead of creating a new brigade. This stops a memory leak
| when proxying a Streaming Media Server. PR 33382.
| - htdigest: Fix permissions of created files. PR 33765.

-------------------------------------------------------------------
Mon Mar 14 17:13:27 CET 2005 - poeml@suse.de

- revise README

-------------------------------------------------------------------
Mon Mar 7 17:14:16 CET 2005 - poeml@suse.de

- when building the suexec binary, set the "docroot" compile time
  option to the datadir (/srv/www) instead of the htdocsdir
  (/srv/www/htdocs), so it can be used with virtual hosts placed
  e.g. in /srv/www/vhosts [#63845] Suggested by Winfried Kuiper.
- add php5 to APACHE_MODULES by default, so it can be used simply
  by installing the package. Suppress warning about not-found
  module in the php4/php5 case. [#66729]
- remove a redundant get_module_list call from the init script
- add hints about vhost setup to README.QUICKSTART
- after a change of APACHE_MPM, apache2-reconfigure-mpm is no
  longer needed since SuSEconfig.apache2 is gone. Leave it for
  compatibility, because /etc/sysconfig/apache2 is probably not
  updated and yast may still use it.
- move the 4 most important variables in sysconfig.apache2 to the
  top of the file
- add note about the old monolithic configuration file and how to
  use it
- drop patch httpd-2.0.40-openssl-version.dif (we don't even have
  openssl-0.9.6e anywhere, any longer)

-------------------------------------------------------------------
Wed Mar 2 12:38:55 CET 2005 - poeml@suse.de

- fix TLS upgrade patch: with SSLEngine set to Optional, an
  additional token in an Upgrade: header before "TLS/1.0" could
  result in an infinite loop [#67126]

-------------------------------------------------------------------
Tue Feb 22 16:23:33 CET 2005 - poeml@suse.de

- run /usr/share/apache2/get_module_list post install, which will
  also create the symlink to the httpd2 binary, which might be
  necessary during package building when apache has been installed
  but never been run.

-------------------------------------------------------------------
Mon Feb 21 16:16:16 CET 2005 - poeml@suse.de

- remove SuSEconfig.apache2

-------------------------------------------------------------------
Fri Feb 11 15:14:14 CET 2005 - poeml@suse.de

- raise DYNAMIC_MODULE_LIMIT to 80. The test suite loading all
  available modules plus 9 perl modules was beginning to fail

-------------------------------------------------------------------
Wed Feb 9 11:46:37 CET 2005 - poeml@suse.de

- update to 2.0.53. Relevant changes:
| SECURITY: CAN-2004-0942 (cve.mitre.org)
| Fix for memory consumption DoS in handling of MIME folded request
| headers.
| SECURITY: CAN-2004-0885 (cve.mitre.org)
| mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
| bypassed during an SSL renegotiation. PR 31505.
| mod_dumpio:
| - new I/O logging/dumping module, added to the
| modules/experimental subdirectory.
| mod_ssl:
| - fail quickly if SSL connection is aborted rather than making
| many doomed ap_pass_brigade calls. PR 32699.
| - Fail at startup rather than segfault at runtime if a client cert
| is configured with an encrypted private key. PR 24030.
| mod_include:
| - Fix bug which could truncate variable expansions of N*64
| characters by one byte. PR 32985.
| mod_status:
| - Start keeping track of time-taken-to-process-request again if
| ExtendedStatus is enabled.
| util_ldap:
| - Util_ldap: Implemented the util_ldap_cache_getuserdn() API so
| that ldap authorization only modules have access to the
| util_ldap user cache without having to require ldap
| authentication as well. PR 31898.
| mod_ldap:
| - Fix format strings to use %APR_PID_T_FMT instead of %d.
| - prevent the possibility of an infinite loop in the LDAP
| statistics display. PR 29216.
| - fix a bogus error message to tell the user which file is causing
| a potential problem with the LDAP shared memory cache. PR 31431
| - Fix the re-linking issue when purging elements from the LDAP
| cache PR 24801.
| mod_auth_ldap:
| - Added the directive "Requires ldap-attribute" that allows the
| module to only authorize a user if the attribute value specified
| matches the value of the user object. PR 31913
| - Handle the inconsistent way in which the MS LDAP library handles
| special characters. PR 24437.
| mod_proxy:
| - Fix ProxyRemoteMatch directive. PR 33170.
| - Respect errors reported by pre_connection hooks.
| - Handle client-aborted connections correctly. PR 32443.
| mod_cache:
| - CacheDisable will only disable the URLs it was meant to disable,
| not all caching. PR 31128.
| - Try to correctly follow RFC 2616 13.3 on validating stale cache
| responses.
| - Fix Expires handling.
| mod_disk_cache:
| - Do not store aborted content. PR 21492.
| - Correctly store cached content type. PR 30278.
| - Do not store hop-by-hop headers.
| - Fix races in saving responses.
| mod_expires:
| - Alter mod_expires to run at a different filter priority to allow
| proper Expires storage by mod_cache.
| mod_rewrite:
| - Handle per-location rules when r->filename is unset. Previously
| this would segfault or simply not match as expected, depending
| on the platform.
| - Fix 0 bytes write into random memory position. PR 31036.
| miscellaneous:
| - Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740.
| - apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". PR 31448
| - Allow for the use of --with-module=foo:bar where the ./modules/foo
| directory is local only. Assumes, of course, that the required
| files are in ./modules/foo, but makes it easier to statically
| build/log "external" modules.
| - --with-module can now take more than one module to be statically
| linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
| If the <modtype>-subdirectory doesn't exist it will be created and
| populated with a standard Makefile.in.
| - Fix handling of files >2Gb on all platforms (or builds) where
| apr_off_t is larger than apr_size_t. PR 28898.
| - Remove compiled-in upper limit on LimitRequestFieldSize.
| - Correct handling of certain bucket types in ap_save_brigade, fixing
| possible segfaults in mod_cgi with #include virtual. PR 31247.
| - conf: Remove AddDefaultCharset from the default configuration
| because setting a site-wide default does more harm than good. PR
| 23421.
| - Add charset to example CGI scripts.
- merge tls-upgrade.patch
- remove obsolete httpd-2.0.47-headtail.dif
  httpd-2.0.52-util_ldap_cache_mgr.c.dif
  httpd-2.0.52-SSLCipherSuite-bypass-CAN-2004-0885.dif
  httpd-2.0.52-ssl-incomplete-keypair.dif
  httpd-2.0.52-memory-consumption-DoS-CAN-2004-0942.dif
  httpd-2.0.52.21492.diff
  httpd-2.0.52.30278.diff
  httpd-2.0.52.30399.diff
  httpd-2.0.52.30419.diff
  httpd-2.0.52.31385.diff
- sync configuration with upstream changes
  * Remove AddDefaultCharset (see upstream changelog above)
  * LanguagePriority for error documents updated

-------------------------------------------------------------------
Sat Jan 15 20:46:53 CET 2005 - schwab@suse.de

- Use <owner>:<group> in permissions file.

-------------------------------------------------------------------
Tue Jan 11 14:08:35 CET 2005 - schwab@suse.de

- Fix /etc/init.d/apache2 to use readlink instead of linkto or file.

-------------------------------------------------------------------
Mon Nov 29 14:42:40 CET 2004 - hvogel@suse.de

- fix permission handling

-------------------------------------------------------------------
Thu Nov 11 13:06:22 CET 2004 - poeml@suse.de

- fix /etc/init.d/apache2 to correctly handle the start of multiple
  instances of the same binary (using startproc -f plus prior check
  for running instance) [#48153]
- fix helper scripts to allow overriding of $sysconfig_file and
  other useful values
- remove unused 'rundir' variable from /etc/init.d/apache2
- removed backward compatibility code for pre-8.0
- add documentation to the vhost template files and
  README.QUICKSTART

-------------------------------------------------------------------
Mon Nov 8 16:14:23 CET 2004 - poeml@suse.de

- security fix [CAN-2004-0942 (cve.mitre.org)]: Fix for memory
  consumption DoS [#47967]

-------------------------------------------------------------------
Thu Nov 4 16:47:59 CET 2004 - poeml@suse.de

- remove heimdal-devel from #neededforbuild, it is not needed

-------------------------------------------------------------------
Fri Oct 15 07:44:20 CEST 2004 - poeml@suse.de

- fix SSLCipherSuite bypass CAN-2004-0885 (cve.mitre.org) [#47117]
- update the TLS upgrade patch [#47207]
- mod_ssl returned invalid method on TLS upgraded connections
- additional checks for httpd_method and default_port hooks
- fixed typo in upgrade header
- add patches from Ruediger Pluem for the experimental modules
  mod_disk_cache, mod_cache
  PR 21492: mod_disk_cache: Do not store aborted content.
  PR 30278: mod_disk_cache: Correctly store cached content type.
  PR 30399: make storing of Set-Cookie headers optional
  PR 30419: weird caching behaviour of mod_cache and old Cookies
  PR 31385: skipping start of file if recaching already cached file
- patch from 2.0.53: Fail to configure when an SSL proxy is
  configured with incomplete client cert keypair, rather than
  segfaulting at runtime. PR 24030
  http://cvs.apache.org/viewcvs/httpd-2.0/modules/ssl/ssl_engine_init.c.diff?r1=1.118&r2=1.119

-------------------------------------------------------------------
Mon Oct 11 14:31:42 CEST 2004 - poeml@suse.de

- add patch fixing re-linking issue when purging elements from the
  LDAP cache. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24801
  http://www.apache.org/dist/httpd/patches/apply_to_2.0.52/util_ldap_cache_mgr.c.patch

-------------------------------------------------------------------
Mon Oct 11 14:07:33 CEST 2004 - poeml@suse.de

- sync update configuration with upstream changes (2.0.52)
  (mostly comments; configuration for spanish manual added)
- add mime type for shortcut icons (favicon.ico)

-------------------------------------------------------------------
Fri Oct 8 18:36:21 CEST 2004 - poeml@suse.de

- update to 2.0.52. Relevant changes:
| SECURITY: CAN-2004-0811 (cve.mitre.org)
| Fix merging of the Satisfy directive, which was applied to
| the surrounding context and could allow access despite configured
| authentication. PR 31315.
| util_ldap:
| Fix a segfault in the LDAP cache when it is configured switched off.
| mod_mem_cache:
| Fixed race condition causing segfault because of memory being
| freed twice, or reused after being freed.
| mod_log_config:
| Fix a bug which prevented request completion time from being
| logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
| processing. PR 29696.
| miscellaneous:
| - Use HTML 2.0 <hr> for error pages. PR 30732
| - Fix the handling of URIs containing %2F when
| AllowEncodedSlashes is enabled. Previously, such urls would
| still be rejected.
| - Fix the global mutex crash when the global mutex is never
| allocated due to disabled/empty caches.
| - Add -l option to rotatelogs to let it use local time rather
| than UTC. PR 24417.
- changes from 2.0.51:
| SECURITY: CAN-2004-0786 (cve.mitre.org)
| Fix an input validation issue in apr-util which could be
| triggered by malformed IPv6 literal addresses.
| SECURITY: CAN-2004-0747 (cve.mitre.org)
| Fix buffer overflow in expansion of environment variables in
| configuration file parsing.
| SECURITY: CAN-2004-0809 (cve.mitre.org)
| mod_dav_fs: Fix a segfault in the handling of an indirect lock
| refresh. PR 31183.
| SECURITY: CAN-2004-0751 (cve.mitre.org)
| mod_ssl: Fix a segfault in the SSL input filter which could be
| triggered if using "speculative" mode, for instance by a proxy
| request to an SSL server. PR 30134.
| SECURITY: CAN-2004-0748 (cve.mitre.org)
| mod_ssl: Fix a potential infinite loop. PR 29964.
| mod_include:
| no longer checks for recursion, because that's done in the core.
| This allows for careful usage of recursive SSI.
| mod_rewrite:
| - Fix memory leak in the cache handling of mod_rewrite. PR 27862.
| - Add %{SSL:...} and %{HTTPS} variable lookups. PR 30464.
| - mod_rewrite now officially supports RewriteRules in <Proxy>
| sections. PR 27985.
| - no longer confuse the RewriteMap caches if different maps
| defined in different virtual hosts use the same map name. PR 26462.
| mod_ssl:
| - Add new 'ssl_is_https' optional function.
| - Add "SSLUserName" directive to set r->user based on a chosen SSL
| environment variable. PR 20957.
| - Avoid startup failure after unclean shutdown if using shmcb. PR 18989.
| mod_autoindex:
| - Don't truncate the directory listing if a stat() call fails (for
| instance on a >2Gb file). PR 17357.
| mod_cache, mod_disk_cache, mod_mem_cache:
| - Refactor cache modules, and switch to the provider API instead
| of hooks.
| mod_disk_cache:
| - Implement binary format for on-disk header files.
| - Optimize network performance of disk cache subsystem by allowing
| zero-copy (sendfile) writes and other miscellaneous fixes.
| mod_userdir:
| - Ensure that the userdir identity is used for suexec userdir
| access in a virtual host which has suexec configured. PR 18156.
| mod_setenvif:
| - Remove "support" for Remote_User variable which never worked at
| all. PR 25725.
| - Extend the SetEnvIf directive to capture subexpressions of the
| matched value.
| mod_headers:
| - Backport from 2.1 / Regression from 1.3: mod_headers now knows
| again the functionality of the ErrorHeader directive. But
| instead of using this misnomer additional flags to the Header
| directive were introduced ("always" and "onsuccess", defaulting
| to the latter). PR 28657.
| mod_usertrack:
| - Escape the cookie name before pasting into the regexp.
| mod_dir:
| - the trailing-slash behaviour is now configurable using the
| DirectorySlash directive.
| util_ldap:
| - Switched the lock types on the shared memory cache from thread
| reader/writer locks to global mutexes in order to provide cross
| process cache protection.
| - Reworked the cache locking scheme to eliminate duplicate cache
| entries in the credentials cache due to race conditions.
| - Enhanced the util_ldap cache-info display to show more detail
| about the contents and current state of the cache.
| mod_ldap:
| - Enable the option to support anonymous shared memory in
| mod_ldap. This makes the cache work on Linux again.
| miscellaneous:
| - Include directives no longer refuse to process symlinks on
| directories. Instead there's now a maximum nesting level of
| included directories (128 as distributed). This is configurable
| at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch. PR
| 28492, PR 28370.
| - Prevent CGI script output which includes a Content-Range header
| from being passed through the byterange filter.
| - Satisfy directives now can be influenced by a surrounding
| <Limit> container. PR 14726.
| - Makefile fix: httpd is linked against LIBS given to the 'make'
| invocation. PR 7882.
| - suexec: Pass the SERVER_SIGNATURE envvar through to CGIs.
| - apachectl: Fix a problem finding envvars if sbindir != bindir.
| PR 30723.
| - Use the higher performing 'httpready' Accept Filter on all
| platforms except FreeBSD < 4.1.1.
| - Allow proxying of resources that are invoked via DirectoryIndex.
| PR 14648, 15112, 29961.
| - Small fix to allow reverse proxying to an ftp server. Previously
| an attempt to do this would try and connect to 0.0.0.0,
| regardless of the server specified. PR 24922
| - Enable special ErrorDocument value 'default' which restores the
| canned server response for the scope of the directive.
| - work around MSIE Digest auth bug - if
| AuthDigestEnableQueryStringHack is set in r->subprocess_env
| allow mismatched query strings to pass. PR 27758.
| - Accept URLs for the ServerAdmin directive. If the supplied
| argument is not recognized as an URL, assume it's a mail
| address. PR 28174.
| - initialize server arrays prior to calling
| ap_setup_prelinked_modules so that static modules can push
| Defines values when registering hooks just like DSO modules can
- drop obsolete security fixes
  httpd-2.0.50-CAN-2004-0751-mod_ssl-proxied-request-segfault.dif
  httpd-2.0.50-CAN-2004-0748-mod_ssl-input-filter-infinite-loop.dif
  httpd-2.0.50-CAN-2004-0747-ENVVAR.dif
  httpd-2.0.50-CAN-2004-0786-apr_uri_parse-IPv6-address-validation.dif
  httpd-2.0.50-CAN-2004-0809-mod_dav-crash.dif
- httpd-2.0.45-anon-mmap.dif included upstream

-------------------------------------------------------------------
Tue Sep 14 12:11:58 CEST 2004 - poeml@suse.de

- security fix [CAN-2004-0809 (cve.mitre.org)]: fix possible DoS in
  mod_dav by remotely triggerable null-pointer dereference
  http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183 [#45231]
- fix hint about vhost checking in the SSL readme

-------------------------------------------------------------------
Wed Sep 8 14:24:19 CEST 2004 - poeml@suse.de

- security fix [CAN-2004-0786 (cve.mitre.org)]: fix a vulnerability
  in the apr-util library (lacking input validation on IPv6 literal
  addresses in the apr_uri_parse function) [#44736]
- security fix [CAN-2004-0747 (cve.mitre.org)]: fix a buffer
  overflow that can occur when expanding ${ENVVAR} constructs in
  .htaccess or httpd.conf files. [#44736]

-------------------------------------------------------------------
Mon Sep 6 12:48:21 CEST 2004 - poeml@suse.de

- rename check_forensic script to avoid clash with apache 1.3.x
  package

-------------------------------------------------------------------
Fri Aug 27 16:18:41 CEST 2004 - poeml@suse.de

- implement action "startssl" in the init script. [#42365]
- add /usr/bin/check_forensic script to evaluate mod_log_forensic logs.
- disable building of leader and metuxmpm MPMs.

-------------------------------------------------------------------
Wed Aug 25 12:58:20 CEST 2004 - poeml@suse.de

- security fix [CAN-2004-0748 (cve.mitre.org)]: fix a potential
  infinite loop in the SSL input filter which can be triggered by
  an aborted connection
  http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964 [#44103]
- security fix [CAN-2004-0751 (cve.mitre.org)]: fix a potential
  segfault in the SSL input filter which can be triggered by the
  response to a request which is proxied to a remote SSL server
  http://nagoya.apache.org/bugzilla/show_bug.cgi?id=30134 [#44103]
- remove the obsolete notify message on package update

-------------------------------------------------------------------
Thu Jul 8 14:17:13 CEST 2004 - poeml@suse.de

- update to 2.0.50. Relevant changes:
| SECURITY: CAN-2004-0493 (cve.mitre.org)
| Close a denial of service vulnerability identified by Georgi
| Guninski which could lead to memory exhaustion with certain
| input data.
| SECURITY: CAN-2004-0488 (cve.mitre.org)
| mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for
| a (trusted) client certificate subject DN which exceeds 6K in
| length.
| mod_alias:
| now emits a warning if it detects overlapping *Alias* directives.
| mod_cgi: Handle output on stderr during script execution on Unix
| platforms; preventing deadlock when stderr output fills pipe
| buffer. Also fixes case where stderr from nph- scripts could be
| lost. PR 22030, 18348.
| mod_dav:
| - Fix a problem that could cause crashes when manipulating locks
| on some platforms.
| mod_dav_fs:
| - Fix MKCOL response for missing parent collections, which caused
| issues for the Eclipse WebDAV extension. PR 29034.
| mod_deflate:
| - Fix memory consumption (which was proportional to the response
| size). PR 29318.
| mod_expires:
| - Fix segfault which occurred under certain circumstances. PR 28047.
| mod_headers:
| - no longer crashes if an empty header value should be added.
| mod_log_forensic:
| - new module.
| mod_logio:
| - no longer removes the EOS bucket. PR 27928.
| mod_proxy:
| - Fix handling of IPv6 numeric strings.
| mod_rewrite:
| no longer turns forward proxy requests into reverse proxy
| requests. PR 28125
| mod_ssl:
| - Log the errors returned on failure to load or initialize a
| crypto accelerator engine.
| - Fix a potential segfault in the 'shmcb' session cache for small
| cache sizes. PR 27751.
| - Fix memory leak in session cache handling. PR 26562
| - Fix potential segfaults when performing SSL shutdown from a pool
| cleanup. PR 27945.
| mod_auth_ldap/util_ldap:
| - allow relative paths for LDAPTrustedCA to be resolved against
| ServerRoot PR#26602
| - Throw an error message if an attempt is made to use the
| LDAPTrustedCA or LDAPTrustedCAType directives in a VirtualHost.
| PR 26390
| - Fix a potential segfault if the bind password in the LDAP cache
| is NULL. PR 28250.
| - Overhaul handling of LDAP error conditions, so that the
| util_ldap_* functions leave the connections in a sane state
| after errors have occurred. PR 27748, 17274, 17599, 18661,
| 21787, 24595, 24683, 27134, 27271
| - mod_ldap calls ldap_simple_bind_s() to validate the user
| credentials. If the bind fails, the connection is left in an
| unbound state. Make sure that the ldap connection record is
| updated to show that the connection is no longer bound.
| - Update the bind credentials for the cached LDAP connection to
| reflect the last bind. This prevents util_ldap from creating
| unnecessary connections rather than reusing cached connections.
| - Quotes cannot be used around require group and require dn
| directives, update the documentation to reflect this. Also add
| quotes around the dn and group within debug messages, to make it
| more obvious why authentication is failing if quotes are used in
| error. PR 19304.
| miscellaneous:
| - Allow RequestHeader directives to be conditional. PR 27951.
| - Allow LimitRequestBody to be reset to unlimited. PR 29106
| - <VirtualHost myhost> now applies to all IP addresses for myhost
| instead of just the first one reported by the resolver. This
| corrects a regression since 1.3.
| - Fix a bunch of cases where the return code of the regex compiler
| was not checked properly. This affects: mod_setenvif,
| mod_usertrack, mod_proxy, mod_proxy_ftp and core. PR 28218.
| - Remove 2Gb log file size restriction on some 32-bit platforms.
| PR 13511.
| - htpasswd no longer refuses to process files that contain empty
| lines.
| - Regression from 1.3: At startup, suexec now will be checked for
| availability, the setuid bit and user root. This works only if
| httpd is compiled with the shipped APR version (0.9.5). PR
| 28287.
| - Unix MPMs: Stop dropping connections when the file descriptor is
| at least FD_SETSIZE.
| - Fix a segfault when a request for shared memory fails and returns
| NULL. Fix a segfault caused by a lack of bounds checking on the
| cache. PR 24801.
| - Ensure that lines in the request which are too long are properly
| terminated before logging.
| - htpasswd: use apr_temp_dir_get() and general cleanup
| - logresolve: Allow size of log line buffer to be overridden at
| build time (MAXLINE). PR 27793.
| - Fix the comment delimiter in htdbm so that it correctly parses
| the username comment. Also add a terminate function to allow
| NetWare to pause the output before the screen is destroyed.
| - Fix crash when Apache was started with no Listen directives.
| - core_output_filter: Fix bug that could result in sending garbage
| over the network when module handlers construct bucket brigades
| containing multiple file buckets all referencing the same open
| file descriptor.
| - Fix memory corruption problem with ap_custom_response()
| function. The core per-dir config would later point to request
| pool data that would be reused for different purposes on
| different requests.
- drop obsolete patches
- change vendor string SuSE -> SUSE

-------------------------------------------------------------------
Tue Jun 29 11:35:24 CEST 2004 - poeml@suse.de

- security fix [CAN-2004-0493 (cve.mitre.org)]: fix Denial of
  Service vulnerability which could lead to memory exhaustion with
  certain input data. [#42566]

-------------------------------------------------------------------
Fri Jun 18 11:39:53 CEST 2004 - poeml@suse.de

- package forgotten CHANGES file
- package apr and apr-util documentation files
- fix log_server_status2 to use perl's Socket module

-------------------------------------------------------------------
Wed May 19 13:38:41 CEST 2004 - poeml@suse.de

- security fix for mod_ssl: fix buffer overflow in
  ssl_util_uuencode() [#40791]

-------------------------------------------------------------------
Wed Apr 28 14:04:34 CEST 2004 - poeml@suse.de

- add TLS upgrade patch [#39449]
- add patch to allow writing log files larger than 2 GB [#39453]
- obsolete apache and mod_ssl versions only when older than what is
  shipped with 9.1
- don't provide mod_ssl

-------------------------------------------------------------------
Fri Apr 2 15:56:30 CEST 2004 - cschum@suse.de

- Add "suse_help_viewer" provides [#37932]

-------------------------------------------------------------------
Mon Mar 29 17:57:46 CEST 2004 - poeml@suse.de

- provide and obsolete packages apache, mod_ssl, apache-doc and
  apache-example-pages [#37084]

-------------------------------------------------------------------
Mon Mar 22 18:37:27 CET 2004 - poeml@suse.de

- disable large file support by not building with _FILE_OFFSET_BITS=64,
  in favour of retaining a binary compatible module API.
  Therefore, do not change the module magic number. LFS can be
  enabled by building via rpmbuild --define 'build_with_LFS 1'

-------------------------------------------------------------------
Thu Mar 18 20:35:06 CET 2004 - poeml@suse.de

- update to proposed 2.0.49 tarball
- mod_cgid: Fix storage corruption caused by use of incorrect pool.
- docs update
- remove APACHE_DOCUMENT_ROOT from sysconfig.apache2 [#32635]
- fix a comment in default-server.conf
- remove obsolete ssl_scache_cleanup support script and ftok helper

-------------------------------------------------------------------
Tue Mar 16 00:41:07 CET 2004 - poeml@suse.de

- change mmn in header file as well, for modules that include it
  from there

-------------------------------------------------------------------
|
|
Mon Mar 15 17:36:07 CET 2004 - poeml@suse.de

- update to 2.0.49-rc2. Relevant changes:
| The whole codebase was relicensed and is now available under the
| Apache License, Version 2.0 (http://www.apache.org/licenses).
| [Apache Software Foundation]
| Security [CAN-2004-0113 (cve.mitre.org)]: mod_ssl: Fix a memory
| leak in plain-HTTP-on-SSL-port handling. PR 27106.
| Security [CAN-2003-0020 (cve.mitre.org)]: Escape arbitrary data
| before writing into the errorlog. Unescaped errorlogs are still
| possible using the compile time switch
| "-DAP_UNSAFE_ERROR_LOG_UNESCAPED".
| mod_ssl:
| - Send the Close Alert message to the peer before closing the
| SSL session. PR 27428.
| - Fix bug in passphrase handling which could cause spurious
| failures in SSL functions later. PR 21160.
| - Fix potential segfault on lookup of SSL_SESSION_ID. PR 15057.
| - Fix streaming output from an nph- CGI script. PR 21944
| - Advertise SSL library version as determined at run-time rather
| than at compile-time. PR 23956.
| - Fix segfault on a non-SSL request if the 'c' log format code
| is used. PR 22741.
| - Fix segfaults at startup if other modules which use OpenSSL
| are also loaded.
| - Use human-readable OpenSSL error strings in logs; use
| thread-safe interface for retrieving error strings.
| mod_cache:
| - Fixed cache-removal order in mod_mem_cache.
| - Fix segfault in mod_mem_cache cache_insert() due to cache size
| becoming negative. PR: 21285, 21287
| - Modified the cache code to be header-location agnostic. Also
| fixed a number of other cache code bugs related to PR 15852.
| Includes a patch submitted by Sushma Rai <rsushma novell.com>.
| This fixes mod_mem_cache but not mod_disk_cache yet so I'm not
| closing the PR since that is what they are using.
| mod_dav:
| - Reject requests which include an unescaped fragment in the
| Request-URI. PR 21779.
| - Use bucket brigades when reading PUT data. This avoids
| problems if the data stream is modified by an input filter. PR
| 22104.
| - Return a WWW-auth header for MOVE/COPY requests where the
| destination resource gives a 401. PR 15571.
| - Fix a problem with namespace mappings being dropped in
| mod_dav_fs; if any property values were set which defined
| namespaces these came out mangled in the PROPFIND response.
| PR 11637.
| mod_expires:
| - Initialize ExpiresDefault to NULL instead of "" to avoid
| reporting an Internal Server error if it is used without
| having been set in the httpd.conf file. PR: 23748, 24459
| - Add support for IMT minor-type wildcards (e.g., text/*) to
| ExpiresByType. PR#7991
| mod_log_config / logging:
| - Fix some piped log problems: bogus "piped log program '(null)'
| failed" messages during restart and problem with the logger
| respawning again after Apache is stopped. PR 21648, PR 24805.
| - mod_log_config: Fix corruption of buffered logs with threaded
| MPMs. PR 25520.
| - mod_log_config: Log the minutes component of the timezone correctly.
| PR 23642.
| mod_proxy*:
| - proxy_http fix: mod_proxy hangs when both KeepAlive and
| ProxyErrorOverride are enabled, and a non-200 response without a
| body is generated by the backend server. (e.g.: a client makes a
| request containing the "If-Modified-Since" and "If-None-Match"
| headers, to which the backend server respond with status 304.)
| - Fix memory leak in handling of request bodies during reverse
| proxy operations. PR 24991.
| - mod_proxy: Fix cases where an invalid status-line could be sent
| to the client. PR 23998.
| mod_rewrite:
| - Catch an edge case, where strange subsequent RewriteRules
| could lead to a 400 (Bad Request) response.
| - Make REMOTE_PORT variable available in mod_rewrite. PR 25772.
| - In external rewrite maps lookup keys containing
| a newline now cause a lookup failure. PR 14453.
| - Fix RewriteBase directive to not add double slashes.
| mod_usertrack:
| - Fix bug in mod_usertrack when no CookieName is set.
| - mod_usertrack no longer inspects the Cookie2 header for
| the cookie name. PR 11475.
| - mod_usertrack no longer overwrites other cookies.
| PR 26002.
| mod_include, filters:
| - Backport major overhaul of mod_include's filter parser from 2.1.
| The new parser code is expected to be more robust and should
| catch all of the edge cases that were not handled by the previous one.
| The 2.1 external API changes were hidden by a wrapper which is
| expected to keep the API backwards compatible.
| - Add a hook (insert_error_filter) to allow filters to re-insert
| themselves during processing of error responses. Enable mod_expires
| to use the new hook to include Expires headers in valid error
| responses. This addresses an RFC violation. It fixes PRs 19794,
| 24884, and 25123.
| - complain via error_log when mod_include's INCLUDES filter is
| enabled, but the relevant Options flag allowing the filter to run
| for the specific resource wasn't set, so that the filter won't
| silently get skipped. next remove itself, so the warning will be
| logged only once
| - Fix mod_include's expression parser to recognize strings correctly
| even if they start with an escaped token.
| - Fix a problem with the display of empty variables ("SetEnv foo") in
| mod_include. PR 24734
| - mod_include no longer allows an ETag header on 304 responses.
| PR 19355.
| mod_autoindex:
| - Don't omit the <tr> start tag if the SuppressIcon option is
| set. PR 21668.
| - Restore the ability to add a description for directories that
| don't contain an index file. (Broken in 2.0.48)
| - mod_autoindex / core: Don't fail to show filenames containing
| special characters like '%'. PR 13598.
| - Add 'XHTML' option in order to allow switching between HTML
| 3.2 and XHTML 1.0 output. PR 23747.
| mod_status:
| - Add mod_status hook to allow modules to add to the mod_status
| report.
| - Report total CPU time accurately when using a threaded MPM.
| PR 23795.
| mod_info:
| - Fix mod_info to use the real config file name, not the default
| config file name.
| - HTML escape configuration information so it displays
| correctly. PR 24232.
| mod_auth_digest:
| - Allow mod_auth_digest to work with sub-requests with different
| methods than the original request. PR 25040.
| mod_auth_ldap:
| - Fix some segfaults in the cache logic. PR 18756.
| mod_cgid:
| - Restart the cgid daemon if it crashes. PR 19849
| mod_setenvif:
| - Fix the regex optimizer, which under circumstances
| treated the supplied regex as literal string. PR 24219.
| miscellaneous:
| - core.c: If large file support is enabled, allow any file that is
| greater than AP_MAX_SENDFILE to be split into multiple buckets.
| This allows Apache to send files that are greater than 2gig.
| Otherwise we run into 32/64 bit type mismatches in the file size.
| - Fixed file extensions for real media files and removed rpm extension
| from mime.types. PR 26079.
| - Remove compile-time length limit on request strings. Length is
| now enforced solely with the LimitRequestLine config directive.
| - Set the scoreboard state to indicate logging prior to running
| logging hooks so that server-status will show 'L' for hung loggers
| instead of 'W'.
| - Fix the inability to log errors like exec failure in
| mod_ext_filter/mod_cgi script children. This was broken after
| such children stopped inheriting the error log handle.
| - fix "Expected </Foo>> but saw </Foo>" errors in nested,
| argumentless containers.
| - ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
| instead of mmn.
| - Add Polish translation of error messages. PR 25101.
| - Add AP_MPMQ_MPM_STATE function code for ap_mpm_query.
| - Fix htdbm to generate comment fields in DBM files correctly.
| - Correct UseCanonicalName Off to properly check incoming port number.
| - Fix slow graceful restarts with prefork MPM.
| - Keep focus of ITERATE and ITERATE2 on the current module when
| the module chooses to return DECLINE_CMD for the directive.
| PR 22299.
| - Build array of allowed methods with proper dimensions, fixing
| possible memory corruption.
| - worker MPM: fix stack overlay bug that could cause the parent
| process to crash.
| - Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
| - Fix build with parallel make. PR 24643.
| - Add fatal exception hook for use by diagnostic modules. The hook
| is only available if the --enable-exception-hook configure parm
| is used and the EnableExceptionHook directive has been set to
| "on".
| - Improve 'configure --help' output for some modules.
- drop two hunks from httpd-2.0.47-headtail.dif (buildcheck.sh is
fixed)
- disable automatic restarts, because they do not work properly
[#35408]
- change MMN to prevent loading of incompatible modules (modules
that are not built with `apxs -q CFLAGS` and therefore miss
_FILE_OFFSET_BITS=64). Provide our old apache_mmn_20020903 in
addition.
- use CPPFLAGS for passing preprocessor flags because they are
removed from CFLAGS
- Stop dropping connections when the file descriptor
is at least FD_SETSIZE. This isn't a problem on Linux because
poll() is used instead of select() by APR. Assert HAVE_POLL.
[#34178]
- add modifications to the code to the NOTICE file as required by
the new license

-------------------------------------------------------------------
Fri Feb 27 17:42:24 CET 2004 - poeml@suse.de

- compile with -DSSL_EXPERIMENTAL_ENGINE to allow usage of hardware
crypto accelerators
- compile with -DMAX_SERVER_LIMIT=200000
- if an SSL passphrase is not entered within the timeout, fall back
to start apache without SSL (with -D NOSSL). This could/should be
made configurable.
- clean up output of SuSEconfig.apache2
- add pre-defined LogFormat "vhost_combined"
- configure /var/lib/apache2 for WebDAV locks
- add a readme about configuring WebDAV with digest authentication
- add default configuration for mod_usertrack (this is the current
workaround for the problem in the 1.3.29/2.0.48 release that
occurs if no CookieName is configured)
- in vhost.template, enclose all virtual host configuration in the
VirtualHost container
- update metuxmpm patch to r7
- fix test run as non-root

-------------------------------------------------------------------
Tue Jan 13 16:38:05 CET 2004 - schwab@suse.de

- Fix quoting in autoconf macros.

-------------------------------------------------------------------
Sat Dec 13 17:28:48 CET 2003 - poeml@suse.de

- add changes to gensslcert from Volker Kuhlmann [#31803]
- revert default character set from UTF-8 to ISO-8859-1, and revert
the misleading comment that talked about filenames while it is
all about content of the files

-------------------------------------------------------------------
Tue Nov 18 14:14:39 CET 2003 - poeml@suse.de

- add a ServerLimit directive to server-tuning.conf, so it's
already in the right place if someone needs to tweak it [#32852]

-------------------------------------------------------------------
Fri Nov 7 13:00:07 CET 2003 - poeml@suse.de

- mark apache2-manual.conf in %files doc as %config
- wrap directives specific to the mod_negotiation module into an
<IfModule> block [#32848]

-------------------------------------------------------------------
Thu Oct 30 11:41:19 CET 2003 - poeml@suse.de

- update to 2.0.48. Relevant / user visible changes are:
Security [CAN-2003-0789]: Resolve some mishandling of the AF_UNIX
socket used to communicate with the cgid daemon and the CGI
script.
Security [CAN-2003-0542]: Fix buffer overflows in mod_alias and
mod_rewrite which occurred if one configured a regular
expression with more than 9 captures.
mod_rewrite:
- Don't die silently when failing to open RewriteLogs. PR 23416
- Fix support of the [P] option to send rewritten request using
"proxy:". The code was adding multiple "proxy:" fields in the
rewritten URI. PR: 13946.
- Ignore RewriteRules in .htaccess files if the directory
containing the .htaccess file is requested without a trailing
slash. PR 20195.
mod_include:
- Fix a trio of bugs that would cause various unusual sequences
of parsed bytes to omit portions of the output stream. PR 21095
- fix segfault which occurred if the filename was not set, for
example, when processing some error conditions.
mod_cgid: fix a hash table corruption problem which could
result in the wrong script being cleaned up at the end of a
request.
mod_ssl: Fix segfaults after renegotiation failure. PR 21370
- Fix a problem setting variables that represent the client
certificate chain. PR 21371
- Fix FakeBasicAuth for subrequest. Log an error when an
identity spoof is encountered.
- Assure that we block properly when reading input bodies with
SSL. PR 19242.
mod_autoindex: If a directory contains a file listed in the
DirectoryIndex directive, the folder icon is no longer replaced
by the icon of that file. PR 9587.
mod_usertrack: do not get false positive matches on the
user-tracking cookie's name. PR 16661.
mod_cache:
- Fix the cache code so that responses can be cached if they
have an Expires header but no Etag or Last-Modified headers.
PR 23130. cache_util: Fix ap_check_cache_freshness to check
max_age, smax_age, and expires as directed in RFC 2616.
mod_deflate:
- fix to not call deflate() without checking first whether it
has something to deflate. (Currently this causes deflate to
generate a fatal error according to the zlib spec.) PR 22259.
- Don't attempt to hold all of the response until we're done.
- Fix a bug, where mod_deflate sometimes unconditionally
compressed the content if the Accept-Encoding header
contained only other tokens than "gzip" (such as "deflate").
PR 21523.
mod_proxy: Don't respect the Server header field as set by
modules and CGIs. As with 1.3, for proxy requests any such
field is from the origin server; otherwise it will have our
server info as controlled by the ServerTokens directive.
mod_log_config: Fix %b log format to write really "-" when 0
bytes were sent (e.g. with 304 or 204 response codes).
mod_ext_filter: Set additional environment variables for use by
the external filter. PR 20944.
core:
- allow <Foo>..</Foo> containers (no arguments in the opening
tag), as in 1.3. Needed by mod_perl <Perl> sections
- Fix a misleading message from some of the threaded MPMs
when MaxClients has to be lowered due to the setting of
ServerLimit.
- Avoid an infinite recursion, which occurred if the name of an
included config file or directory contained a wildcard
character. PR 22194.
- MPMs: The bucket brigades subsystem now honors the MaxMemFree
setting.
- Lower the severity of the "listener thread didn't exit"
message to debug, as it is of interest only to developers.
miscellaneous:
- Update the header token parsing code to allow LWS between the
token word and the ':' separator. [PR 16520]
- Remember an authenticated user during internal redirects if
the redirection target is not access protected and pass it to
scripts using the REDIRECT_REMOTE_USER environment variable.
PR 10678, 11602.
- Update mime.types to include latest IANA and W3C types.
- Modify ap_get_client_block() to note if it has seen EOS.
ab:
- Overlong credentials given via command line no longer clobber
the buffer.
- Work over non-loopback on Unix again. PR 21495.
- Fix NULL-pointer issue in ab when parsing an incomplete or
non-HTTP response. PR 21085.
- add another example to apache2-listen.conf
- update apache2-mod_mime-defaults.conf according to 2.0.48 changes
(be clearer in describing the connection between AddType and
AddEncoding for defining the meaning of compressed file
extensions.)
- use a better example domain name in apache2-vhost-ssl.template
- the "define version_perl" was nowhere needed

-------------------------------------------------------------------
Mon Sep 22 17:49:40 CEST 2003 - mls@suse.de

- don't provide httpddoc in apache2-doc

-------------------------------------------------------------------
Thu Sep 18 18:48:33 CEST 2003 - poeml@suse.de

- add mod_php4 to the default list of APACHE_MODULES, and change
get_module_list to ignore non-existent modules (warnings will
be issued when it is run from SuSEconfig, but not from the init
script). How to enable the PHP4 module has been the most
frequently asked question in user feedback [cf to #29735].
This bug is tracked in [#31306]
- include conf.d/*.conf by default, as it was the case until
recently. User feedback showed that for many people the
separation of configuration includes into individual virtual
hosts is overkill, and it complicates the setup too much. More
fine-grained control can be achieved by commenting out the
respective line in the default server config. [#30866], [#29735]
- remove the FIXME at the end of httpd.conf (obsoleted by the above
change), and place a strategical comment there about .local files
- add <IfDefine SSL> container around configuration in ssl template

-------------------------------------------------------------------
Tue Sep 9 12:50:47 CEST 2003 - poeml@suse.de

- change comment in sysconfig template to work around a fillup bug
[#30279]

-------------------------------------------------------------------
Mon Sep 8 18:28:12 CEST 2003 - poeml@suse.de

- fix wrong variable name in a comment of the sysconfig template
- update README.QUICKSTART
- add README.QUICKSTART.SSL

-------------------------------------------------------------------
Mon Sep 8 10:09:53 CEST 2003 - poeml@suse.de

- remove unused ENABLE_SUSECONFIG_APACHE from sysconfig template

-------------------------------------------------------------------
Fri Sep 5 16:44:07 CEST 2003 - poeml@suse.de

- disallow UserDir for user root
- cope with "no" or "yes" as values for APACHE_SERVERSIGNATURE, as
they were set on SuSE Linux 8.1
- add more documentation to README.QUICKSTART, also mentioning what
might be too obvious: the document root [#29674]
- in %post, diff to httpd.conf.default only when .rpmnew is present
- improve message sent on update

-------------------------------------------------------------------
Fri Aug 29 23:22:31 CEST 2003 - poeml@suse.de

- improve documentation on configuration
- compile with -Wall
- do not obsolete httpddoc, which is provided by apache-doc package
from apache1
- add conflict apache2-example-pages <-> apache-example-pages
- fix building on older distros

-------------------------------------------------------------------
Tue Aug 19 02:19:18 CEST 2003 - poeml@suse.de

- use httpd-2.0.47-metuxmpm-r6.diff, previous one was broken by me
- don't force setting of a DocumentRoot, because the configuration
of the default vhost already contains it
- when testing on SL 8.0, the www group has to be created as well
- when testing on even older systems, don't add buildroot to
DocumentRoot in default-server.conf

-------------------------------------------------------------------
Fri Aug 15 21:40:46 CEST 2003 - poeml@suse.de

- revamped configuration
- add some CustomLog formats
- AddDefaultCharset UTF-8 [#22427]
- add activation metadata to sysconfig template [#28834]
- default APACHE_MODULES: add mod_ssl, remove mod_status
- new sysconfig variables: APACHE_USE_CANONICAL_NAME,
APACHE_DOCUMENT_ROOT
- get rid of the "suse_" prefix in generated config snippets, and
place them below /etc/apache2/sysconfig.d/. On update, convert
the Include statements in httpd.conf for the new locations
- add /etc/apache2/vhosts.d and virtual host templates
- the configuration for the manual is now separate and installed
together with apache2-doc (conf.d/apache2-manual.conf)
- add distilled wisdom in form of README.QUICKSTART
- change group of wwwrun user: nogroup -> www [#21782]
- proxycachedir and localstatedir should not be world readable
- set DEFAULT_PIDLOG to /var/run/httpd2.pid, so we don't need to
configure the PidFile directive
- add -fno-strict-aliasing, due to warnings about code where
dereferencing type-punned pointers will break strict aliasing
- clean the RPM_BUILD_ROOT, but not in the build system
- new macros for stop/restart of services on rpm update/removal,
and improved try-restart section in rc.apache2
- get rid of "modules" subdir, and remove dead code from
SuSEconfig.apache2
- add some tools: get_includes, find_httpd2_includes,
apache2-reconfigure-mpm
- rename README.SuSE to README.{SuSE,UnitedLinux}
- include directories in filelists of MPM subpackages
- enclose package descriptions of MPMs in %ifdef
- add a dependency of the MPM subpackages on the version of the
main package
- build a new MPM: metuxmpm (httpd-2.0.47-metuxmpm.diff)

-------------------------------------------------------------------
Mon Jul 28 18:23:28 CEST 2003 - poeml@suse.de

- add new sysconfig variables: APACHE_LOGLEVEL, APACHE_ACCESS_LOG,
and remove the respective directives from httpd.conf.dist
- merge the ssl.conf.dif and httpd.conf.dif into one patch

-------------------------------------------------------------------
Sun Jul 27 12:22:29 CEST 2003 - poeml@suse.de

- build with -D_FILE_OFFSET_BITS=64 when presumably the kernel
supports sendfile64 [#22191, #22018]. Define APR_HAS_LARGE_FILES
(which is unconditionally off, otherwise). Keep
-D_LARGEFILE_SOURCE since some modules might need it.
- make sure the package can be built as ordinary user
- special case mod_auth_mysql since its module_id is reversed
- don't increase DYNAMIC_MODULE_LIMIT (64 should be copious)
- don't explicitly strip binaries since RPM handles it, and may
keep the stripped information somewhere
- reformat the header of the spec file
- allow to pass a number-of-jobs parameter into spec file via rpm
--define 'jobs N'

-------------------------------------------------------------------
Thu Jul 10 16:49:50 CEST 2003 - poeml@suse.de

- update to 2.0.47. relevant / user visible changes:
Security [CAN-2003-0192]: Fixed a bug whereby certain sequences
of per-directory renegotiations and the SSLCipherSuite
directive being used to upgrade from a weak ciphersuite to a
strong one could result in the weak ciphersuite being used in
place of the strong one.
Security [CAN-2003-0253]: Fixed a bug in prefork MPM causing
temporary denial of service when accept() on a rarely accessed
port returns certain errors.
Security [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
of service when target host is IPv6 but proxy server can't
create IPv6 socket. Fixed by the reporter.
Security [VU#379828]: Prevent the server from crashing when entering
infinite loops. The new LimitInternalRecursion directive
configures limits of subsequent internal redirects and nested
subrequests, after which the request will be aborted. PR 19753+
core:
core_output_filter: don't split the brigade after a FLUSH
bucket if it's the last bucket. This prevents creating
unnecessary empty brigades which may not be destroyed until
the end of a keepalive connection.
mod_cgid:
Eliminate a double-close of a socket. This resolves various
operational problems in a threaded MPM, since on the second
attempt to close the socket, the same descriptor was often
already in use by another thread for another purpose.
mod_negotiation:
Introduce "prefer-language" environment variable, which allows
to influence the negotiation process on request basis to prefer
a certain language.
mod_expires:
Make ExpiresByType directive work properly, including for
dynamically-generated documents.
- apr bugfixes
- more fixes of deprecated head/tail -1 calls

-------------------------------------------------------------------
Wed May 28 20:40:24 CEST 2003 - poeml@suse.de

- update to 2.0.46. relevant / user visible changes:
Security [CAN-2003-0245]: Fixed a bug that could be triggered
remotely through mod_dav
Security [CAN-2003-0189]: Fixed a denial-of-service
vulnerability affecting basic authentication
Security: forward port of buffer overflow fixes for htdigest.
mod_ssl:
- SSL session caching(shmht) : Fix a SEGV problem with SHMHT
session caching.
mod_deflate:
- Add another check for already compressed content
- Check also err_headers_out for an already set
Content-Encoding: gzip header. This prevents gzip compressed
content from a CGI script from being compressed once more.
mod_mime_magic:
- If mod_mime_magic does not know the content-type, do not
attempt to guess.
mod_rewrite:
- Fix handling of absolute URIs.
mod_log_config:
- Add the ability to log the id of the thread processing the
request via new %P formats.
mod_auth_ldap:
- Use generic whitespace character class when parsing "require"
directives, instead of literal spaces only.
mod_proxy:
- Fixed a segfault when multiple ProxyBlock directives were used.
- Added AllowEncodedSlashes directive to permit control of
whether the server will accept encoded slashes ('%2f') in the
URI path. Default condition is off (the historical behaviour).
- If Apache is started as root and you code CoreDumpDirectory,
coredumps are enabled via the prctl() syscall.
- htpasswd: Check the processed file on validity; add a delete flag.
- httpd-2.0.45-libtool-1.5.dif is obsolete
- mark suse_include.conf as %ghost
- note the rebirth of the httpd and apachectl man pages (thanks to
RPMv4 :)
- let the module RPM packages only depend on the _major_ module
magic number, not on the minor
- fix some paths in config_vars.mk, which facilitates building of
certain modules

-------------------------------------------------------------------
Wed May 14 14:12:56 CEST 2003 - poeml@suse.de

- use mmap() via MAP_ANON as shared memory allocation method, to
prevent restart problems with stale (or in use) files that are
associated with shared memory
- package forgotten files, and remove hack in %clean
- remove files from the build root that are not packaged
- remove suse_include.conf from filelist

-------------------------------------------------------------------
Fri May 9 14:47:54 CEST 2003 - poeml@suse.de

- update to 2.0.45. relevant / user visible changes:
Security: Eliminated leaks of several file descriptors to
child processes, such as CGI scripts. This fix depends on the
latest APR library release 0.9.2, which is distributed with the
httpd source tarball for Apache 2.0.45. PR 17206
Security [CAN-2003-0132]: Close a Denial of Service
vulnerability identified by David Endler <DEndler@iDefense.com>
on all platforms.
General:
- Fix segfault which occurred when a section in an included
configuration file was not closed. PR 17093.
- Fix a nasty segfault in mmap_bucket_setaside() caused by
passing an incompatible pointer type to mmap_bucket_destroy(void*).
- prevent filters (such as mod_deflate) from adding garbage to
the response. PR 14451.
- Simpler, faster code path for request header scanning
- Try to log an error if a piped log program fails. Try to
restart a piped log program in more failure situations.
- Fix bug where 'Satisfy Any' without an AuthType lost all MIME
information (and more). Related to PR 9076.
- Fix If header parsing when a non-mod_dav lock token is passed to it.
- Fix apxs to insert LoadModule directives only outside of
sections.
- apxs: Include any special APR ld flags when linking the DSO.
suexec: Be more pedantic when cleaning environment. Clean it
immediately after startup. PR 2790, 10449. Use saner default
config values for suexec. PR 15713.
mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot
be started on Unix because of such problems as bad permissions,
bad shebang line, etc. Fix possible segfaults under obscure
error conditions within the cgid daemon.
mod_deflate:
- you can now specify the compression level.
- Extend the DeflateFilterNote directive to allow accurate
logging of the filter's in- and outstream.
- Fix potential memory leaks in mod_deflate on malformed data. PR 16046.
mod_ssl:
Allow SSLMutex to select/use the full range of APR locking
mechanisms available to it. Also, fix the bug that SSLMutex
uses APR_LOCK_DEFAULT no matter what. PR 8122
mod_autoindex no longer forgets output format and enabled version
sort in linked column headers.
mod_rewrite:
- Prevent endless loops of internal redirects in mod_rewrite by
aborting after exceeding a limit of internal redirects. The
limit defaults to 10 and can be changed using the
RewriteOptions directive. PR 17462.
- Allow "RewriteEngine Off" even if no "Options FollowSymlinks"
(or SymlinksIfOwnermatch) is set. PR 12395.
mod_ldap:
- Updated mod_ldap and mod_auth_ldap to support the Novell LDAP
SDK SSL and standardized the LDAP SSL support across the
various LDAP SDKs. Isolated the SSL functionality to
mod_ldap rather than spreading it across mod_auth_ldap and
mod_ldap. Also added LDAPTrustedCA and LDAPTrustedCAType
directives to mod_ldap to allow for a more common method of
specifying the SSL certificate.
- fix fault when caching was disabled, and some memory leaks
- Fix mod_ldap to open an existing shared memory file should
one already exist. PR 12757.
- Added character set support to mod_auth_LDAP to allow it to
convert extended characters used in the user ID to UTF-8
before authenticating against the LDAP directory. The new
directive AuthLDAPCharsetConfig is used to specify the config
file that contains the character set conversion table.
mod_ssl:
- Fixed mod_ssl's SSLCertificateChain initialization to no
longer skip the first cert of the chain by default. This
misbehavior was introduced in 2.0.34. PR 14560
- Fix 64-bit problem in mod_ssl input logic.
mod_proxy:
- Hook mod_proxy's fixup before mod_rewrite's fixup, so that by
mod_rewrite proxied URLs will not be escaped accidentally by
mod_proxy's fixup. PR 16368
- Don't remove the Content-Length from responses in mod_proxy PR: 8677
mod_auth_digest no longer tries to guess AuthDigestDomain, if it's
not specified. Now it assumes "/" as already documented. PR 16937.
mod_file_cache: fix segfaults
- improve the start/restart section of the init script, and add a
|
|
ssl_scache_cleanup script
|
|
- understand a syntax like -DSTATUS, as described in the sysconfig
|
|
file help text (bug noted in #25404]
|
|
- don't package the *.exp files, as they are needed only on AIX
|
|
- fix filelist for usage of %dir for files
|
|
- fix the cosmetical but irritating "Inappropriate ioctl for
|
|
device" error message, when rcapache2 is called from within YaST
|
|
- remove the unused /etc/apache2/modules directory from the package
|
|
- remove the now unused --enable-experimental-libtool
|
|
- fix to build with libtool-1.5
|
|
|
|
-------------------------------------------------------------------
Wed Apr 9 02:00:20 CEST 2003 - ro@suse.de

- fix deprecated head/tail call syntax "-1"

-------------------------------------------------------------------
Mon Mar 17 11:59:36 CET 2003 - kukuk@suse.de

- Remove suse_help_viewer from provides [Bug #25436]

-------------------------------------------------------------------
Thu Mar 13 12:54:59 CET 2003 - poeml@suse.de

- security fix: do not write the startup log file to a world
  writable directory, reversing the change of Jan 23 (wasn't in any
  released package) [#25239]

-------------------------------------------------------------------
Mon Mar 10 17:36:00 CET 2003 - poeml@suse.de

- change permissions of /var/log/apache2 from wwwrun:root mode 770
  to root:root mode 750 [#24951]
- fix wrong list() in sysconfig.apache2 [#24719], and add a missing
  default value

-------------------------------------------------------------------
Mon Mar 3 17:41:56 CET 2003 - kukuk@suse.de

- Remove ghost entry for pid file [Bug #24566]

-------------------------------------------------------------------
Thu Feb 27 14:43:01 CET 2003 - poeml@suse.de

- use the official MIME types, which are more complete [#23988]

-------------------------------------------------------------------
Mon Feb 24 18:17:02 CET 2003 - poeml@suse.de

- don't include log files into the package, and don't touch them in
  %post; it's not needed
- fix comment in httpd.conf talking about SuSEconfig
- adjust some variable types in the sysconfig template

-------------------------------------------------------------------
Tue Feb 18 11:39:18 CET 2003 - poeml@suse.de

- apache2 Makefiles do support DESTDIR now, so let's use that
  instead of the explicit paths (fixes a wrong path in
  config_vars.mk [#23699]). Some files (*.exp, libapr*) are
  automatically installed in the right location now.

-------------------------------------------------------------------
Fri Feb 14 16:39:40 CET 2003 - poeml@suse.de

- fix configuration script to find apache modules on 64 bit archs
- mark ssl.conf (noreplace)

-------------------------------------------------------------------
Mon Feb 10 18:35:15 CET 2003 - poeml@suse.de

- add mod_ldap, mod_auth_ldap, but link only them against the LDAP
  libs. Likewise, do not link everything against ssl libs. This way
  we can avoid RPM package (and build) requirements on a lot of
  libs for subversion and other packages that build on apache.
- move more code from SuSEconfig into rcapache2 (actually into
  support scripts below /usr/share/apache2/, so apache2 can be
  configured without starting it)
- improve full-server-status once again
- remove suse_loadmodule.conf from filelist
- remove obsolete README.modules
- rename LOADMODULES -> APACHE_MODULES
- add APACHE_BUFFERED_LOGS
- update README.SuSE

-------------------------------------------------------------------
Tue Jan 28 13:32:04 CET 2003 - poeml@suse.de

- rc.apache2
- add extreme-configtest (trying to run server as nobody, which
  detects _all_ config errors)
- evaluate LOADMODULES from sysconfig.apache2 on-the-fly from
  rcapache2 instead of SuSEconfig
- when restarting, do something useful instead of 'sleep 3': wait
  just as long until the server has terminated all children

-------------------------------------------------------------------
Sun Jan 26 21:27:31 CET 2003 - poeml@suse.de

- build mod_logio, mod_case_filter, mod_case_filter_in
- rename apr subpackage to libapr0 (the library is called libapr-0
  meanwhile). add compatibility links named (libapr{,util}.so.0)
- configure SSL session caching with shm circular buffer
    SSLSessionCache shm:/var/lib/httpd/ssl_scache
    SSLSessionCacheTimeout 600
    SSLMutex sem
- SuSEconfig.apache2: prefer prefork MPM over worker, if guessing
- strip objects
- rename gensslcert2 to gensslcert
- show a list of all available modules in /etc/sysconfig/apache2
- nicer output of apache2ctl
- reorder Requires

-------------------------------------------------------------------
Thu Jan 23 12:05:59 CET 2003 - poeml@suse.de

- update to 2.0.44
- obsoletes patch httpd-2.0.43-mod_ssl-memory-leak.dif
- the apachectl and httpd man pages have been dropped upstream
- add robots.txt to the example-pages subpackage that blocks spiders
- disable the perchild MPM
- disable httpd-2.0.36-64bit.dif
- rename apachectl2 to apache2ctl
- write the startup log to /var/tmp instead of /var/log/apache2

-------------------------------------------------------------------
Sun Jan 12 22:52:50 CET 2003 - poeml@suse.de

- fix last fix (rpm macro before hash wasn't expanded)

-------------------------------------------------------------------
Fri Jan 10 02:35:58 CET 2003 - poeml@suse.de

- fix lib64 path in SuSEconfig

-------------------------------------------------------------------
Fri Jan 3 23:01:14 CET 2003 - poeml@suse.de

- fix typo in spec file, preventing replacement of @userdir@ in
  httpd.conf-std.in

-------------------------------------------------------------------
Wed Dec 18 15:11:53 CET 2002 - poeml@suse.de

- sysconfig.apache2:
- add APACHE_SERVER_FLAGS variable
- change default: APACHE_SERVERSIGNATURE=on to match apache deflt
- add APACHE_CONF_INCLUDE_DIRS
- drop bogus APACHE_ACCESS_SERVERINFO variable
- adapt to our new sysconfig template
- SuSEconfig.apache2:
- understand LOADMODULES also if it is not an array [#21816]
- be very flexible with regard to LOADMODULE input (e.g., say
  mod_php4 and it will find libphp4.so with ID php4_module)
- also ignore *,v files
- include APACHE_CONF_INCLUDE_DIRS
- dump some files: suse_define.conf (not needed) & suse_text.conf
  (too much overhead)
- rc.apache2:
- implement most of apachectl's commands (graceful, configtest)
- use server_flags from sysconfig.apache2
- pass server flags like -DSTATUS from the command line through
  to httpd2
- add commands to show the server status
- don't quit silently when no apache MPM is installed
- handle ServerSignature and other stuff on the command line
  (save modifications to httpd.conf)
- fix the /manual Alias that points to the documentation
- configure /cgi-bin for cgi execution
- configure /home/*/public_html for mod_userdir -- if it is loaded
- configure internationalized error responses
- fix apachectl2
- add /etc/apache2/{,modules} to the filelist
- add /etc/apache2/conf.d as drop-in directory for packages
- hard code some more default paths into the executable
- finally, run a test!

-------------------------------------------------------------------
Thu Dec 5 13:55:06 CET 2002 - poeml@suse.de

- move ap{r,u}-config* into the apr package, as well
- add generic ap{r,u}-config
- add %includedir to filelist

-------------------------------------------------------------------
Thu Dec 5 00:26:22 CET 2002 - poeml@suse.de

- more checks and warnings to SuSEconfig.apache2
- shift APR files into the apr package
- try 1.136 revision of perchild.c

-------------------------------------------------------------------
Tue Dec 3 16:27:35 CET 2002 - poeml@suse.de

- add forgotten ssl.conf to the filelist (thanks, Robert)
- add httpd-2.0.43-mod_ssl-memory-leak.dif

-------------------------------------------------------------------
Mon Oct 14 19:34:38 CEST 2002 - poeml@suse.de

- update to 2.0.43, that fixes a Cross-Site Scripting bug (CVE:
  CAN-2002-0840)

-------------------------------------------------------------------
Mon Oct 7 09:39:45 CEST 2002 - poeml@suse.de

- do not append a '2' suffix to the scripts included with the
  documentation
- move error, icons and manual dir to /usr/share/apache2
- fix nested array in SuSEconfig.apache2
- let SuSEconfig pick one MPM that is installed. Do not default to
  "worker". [#20724]

-------------------------------------------------------------------
Thu Oct 3 14:50:20 CEST 2002 - poeml@suse.de

- update to 2.0.42 (primarily a bug-fix release, including updates
  to the experimental caching module, the removal of several memory
  leaks, and fixes for several segfaults, one of which could have
  been used as a denial-of-service against mod_dav (VU#406121).)
- increase flexibility of the spec file: build any set of MPMs,
  depending on RPM %defines. Improve the mechanism that merges the
  modules so it works with any number of MPMs.
- use a "Server:" header that fits the product apache is built for
- add an RPM dependency on the module magic number to the MPM
  subpackages
- build the "leader/follower" MPM. On i686, enable nonportable but
  faster atomics for it.
- use filelists for more flexibility. APRVARS ceased to exist.
  Don't add README* twice.
- perchild: use AcceptMutex fcntl to prevent permission conflict as
  suggested in Apache Bugzilla #7921
- remove mod_rewrite and mod_proxy from the default modules
- build the mod_auth_digest module

-------------------------------------------------------------------
Mon Sep 9 15:30:34 CEST 2002 - poeml@suse.de

- add patch that changes PLATFORM (as seen in the HTTP Server
  header) from "Unix" to "SuSE/Linux" [#18543]
- add README.SuSE, explaining how to build modules with apxs2
- fixed some paths in README.modules, put it into docdir and mark
  it as %doc

-------------------------------------------------------------------
Wed Aug 28 16:39:59 CEST 2002 - poeml@suse.de

- new package, now building all three MPMs and putting all specific
  modules in specific directories. Branch a subpackage for each
  MPM, containing the server and MPM-specific modules.
- branch apr package off, so apache2 doesn't need to be installed
  to have the libs. (apr is not released yet, that's why we build
  it here)
- allow coexistence of apache1 by using directories named apache2
  or suffixed with "2"
- allow building modules via apxs2 (for all server MPMs) --- or via
  apxs2-{worker,perchild,prefork} for a specific server MPM
- add permissions.apache2 setting /usr/sbin/suexec2 to 4755
- rewrite SuSEconfig.apache2 for apache 2.
- add httpd-2.0.40-cache_util.c.diff that prevents a segfault in
  mod_proxy when given an invalid URL
- branch apache2-example-pages off (docroot contents)

-------------------------------------------------------------------
Mon Aug 19 16:43:37 CEST 2002 - poeml@suse.de

- actually use the new SuSE81 layout, and add SuSE81_64 layout
- cleaned up httpd-2.0.36-conf.dif
- fixed comment in SuSEconfig.apache
- drop SuSEconfig subpackage
- split main package and -devel package in three packages, one for
  each MPM...
    apache2 -> apache2-{worker,perchild,prefork}
    apache2-devel -> apache2-{worker,perchild,prefork}-devel

-------------------------------------------------------------------
Mon Aug 12 17:47:08 CEST 2002 - poeml@suse.de

- bugfix update to 2.0.40
- fix Requires of -devel subpackage
- add variable to sysconfig.apache to switch off SuSEconfig.apache
- add new layout SUSE81 to config.layout due to the moved server
  root (so the old SuSE6.1 can be kept for building on older
  distributions)
- one of the lib64 path fixes could be removed, now included
  upstream

-------------------------------------------------------------------
Wed Aug 7 18:47:33 CEST 2002 - poeml@suse.de

- put PreReq in an if-statement to allow building on older distris
- relax the Requires
- the apache_mmn macro had to be moved down in the spec file to be
  evaluated
- libmm is not needed for building (and it is not threadsafe)
- fix config.layout for the moved server root

-------------------------------------------------------------------
Fri Aug 2 23:44:31 CEST 2002 - poeml@suse.de

- fix libdir in config.layout for lib64

-------------------------------------------------------------------
Fri Aug 2 12:22:33 CEST 2002 - poeml@suse.de

- fix RPM Requires

-------------------------------------------------------------------
Thu Aug 1 17:50:53 CEST 2002 - poeml@suse.de

- move datadir (i.e., ServerRoot) from /usr/local/httpd to /srv/www
- drop obsolete README.SuSE

-------------------------------------------------------------------
Thu Aug 1 01:01:32 CEST 2002 - poeml@suse.de

- spec file: use PreReq
- don't delete SuSEconfig's md5 files in %post, that's no good
- add apache.logrotate
- provide the magic module number as executable script
  (/usr/lib/apache/MMN) and as RPM Provides, indicating API changes
- mark httpd.conf noreplace
- fix installbuilddir in config.layout, needed for apxs

-------------------------------------------------------------------
Sun Jul 14 15:27:24 CEST 2002 - poeml@suse.de

- update to 2.0.39
- drop obsolete moduledir and apxs patches
- rc.apache INIT section: use X-UnitedLinux-Should-Start

-------------------------------------------------------------------
Wed Jul 3 01:53:35 CEST 2002 - ro@suse.de

- rename to "apache2" again

-------------------------------------------------------------------
Tue Jun 11 17:02:47 CEST 2002 - ro@suse.de

- get apxs to work:
  include needed files in devel package
  adapt some paths in apxs

-------------------------------------------------------------------
Wed May 29 18:16:00 CEST 2002 - poeml@suse.de

- update to 2.0.36
- drop mod_ssl subpackage; mod_ssl is part of the apache base
  distribution now
- RPM can be built as user now
- SuSEconfig.apache: understand relative and absolute pathnames
- disable experimental auth_digest_module