-*- coding: utf-8 -*-

Changes with Apache 2.3.16

*) configure: Only load the really imporant modules (i.e. those enabled by

the 'few' selection) by default. Don't handle modules enabled with

--enable-foo specially. [Stefan Fritsch]

*) end-generation hook: Fix false notification of end-of-generation for

temporary intervals with no active MPM children. [Jeff Trawick]

*) mod_ssl: Add support for RFC 5077 TLS Session tickets.

[Paul Querna]

*) mod_usertrack: Use random value instead of remote IP address.

[Stefan Fritsch]

Changes with Apache 2.3.15

*) SECURITY: CVE-2011-3348 (cve.mitre.org)

mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not

recognized. [Jean-Frederic Clere]

*) SECURITY: CVE-2011-3192 (cve.mitre.org)

core: Fix handling of byte-range requests to use less memory, to avoid

denial of service. If the sum of all ranges in a request is larger than

the original file, ignore the ranges and send the complete file.

PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,

<lowprio20 gmail.com>]

*) SECURITY: CVE-2011-3607 (cve.mitre.org)

core: Fix integer overflow in ap_pregsub. This can be triggered e.g.

with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]

*) configure: Load all modules in the generated default configuration

when using --enable-load-all-modules. [Rainer Jung]

*) mod_reqtimeout: Change the default to set some reasonable timeout

values. [Stefan Fritsch]

*) core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove

the inode. PR 49623. [Stefan Fritsch]

*) mod_lua: Expose SSL variables via r:ssl_var_lookup(). [Eric Covener]

*) mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName}

can now additionally be run as "early" or "late" relative to other modules.

[Eric Covener]

*) configure: By default, only load those modules that are either required

or explicitly selected by a configure --enable-foo argument. The

LoadModule statements for modules enabled by --enable-mods-shared=most

and friends will be commented out. [Stefan Fritsch]

*) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and

LuaHookQuickHandler) from being configured in <Directory>, <Files>,

and htaccess where the configuration would have been ignored.

[Eric Covener]

*) mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors

in LuaMapHandler scripts [Eric Covener]

*) mod_log_debug: Rename optional argument from if= to expr=, to be more

in line with other config directives. [Stefan Fritsch]

*) mod_headers: Require an expression to be specified with expr=, to be more

in line with other config directives. [Stefan Fritsch]

*) mod_substitute: To prevent overboarding memory usage, limit line length

to 1MB. [Stefan Fritsch]

*) mod_lua: Make the query string (r.args) writable. [Eric Covener]

*) mod_include: Add support for application/x-www-form-urlencoded encoding

and decoding. [Graham Leggett]

*) rotatelogs: Add -c option to force logfile creation in every rotation

interval, even if empty. [Jan Kaluža <jkaluza redhat.com>]

*) core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings.

[Stefan Fritsch]

*) mod_session_crypto: Refactor to support the new apr_crypto API.

[Graham Leggett]

*) http: Add missing Location header if local URL-path is used as

ErrorDocument for 30x. [Stefan Fritsch]

*) mod_buffer: Make sure we step down for subrequests, but not for internal

redirects triggered by mod_rewrite. [Graham Leggett]

*) mod_lua: add r:construct_url as a wrapper for ap_construct_url.

[Eric Covener]

*) mod_remote_ip: Fix configuration of internal proxies. PR 49272.

[Jim Riggs <jim riggs me>]

*) mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific

server IP endpoint and remote client IP upon connection. [William Rowe]

*) mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with

PeerExtList(). [Stefan Fritsch]

*) mpm_prefork, mpm_worker, mpm_event: If a child is created just before

graceful restart and then exits because of a missing lock file, don't

shutdown the whole server. PR 39311. [Shawn Michael

<smichael rightnow com>]

*) mpm_event: Check the return value from ap_run_create_connection.

PR: 41194. [Davi Arnaut]

*) mod_mime_magic: Add signatures for PNG and SWF to the example config.

PR: 48352. [Jeremy Wagner-Kaiser <jwagner-kaiser adknowledge com>]

*) core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items

from the parsed (or default) config. This is useful for init scripts that

need to setup temporary directories and permissions. [Stefan Fritsch]

*) core, mod_actions, mod_asis: Downgrade error log messages which accompany

a 404 request status from loglevel error to info. PR: 35768. [Stefan

Fritsch]

*) core: Fix hook sorting with Perl modules. PR: 45076. [Torsten Foertsch

<torsten foertsch gmx net>]

*) core: Enforce LimitRequestFieldSize after multiple headers with the same

name have been merged. [Stefan Fritsch]

*) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory

usage. PR 51618. [Cristian Rodríguez <crrodriguez opensuse org>,

Stefan Fritsch]

*) mod_ssl: At startup, when checking a server certificate whether it

matches the configured ServerName, also take dNSName entries in the

subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand]

*) mod_substitute: Reduce memory usage and copying of data. PR 50559.

[Stefan Fritsch]

*) mod_ssl/proxy: enable the SNI extension for backend TLS connections

[Kaspar Brand]

*) Add wrappers for malloc, calloc, realloc that check for out of memory

situations and use them in many places. PR 51568, PR 51569, PR 51571.

[Stefan Fritsch]

*) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is

false but RLIMIT_* are defined. PR51371. [Eric Covener]

*) core: Correctly obey ServerName / ServerAlias if the Host header from the

request matches the VirtualHost address.

PR 51709. [Micha Lenk <micha lenk.info>]

*) mod_unique_id: Use random number generator to initialize counter.

PR 45110. [Stefan Fritsch]

*) core: Add convenience API for apr_random. [Stefan Fritsch]

*) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control

the number of overlapping and reversing ranges (respectively) permitted

before returning the entire resource, with a default limit of 20.

[Jim Jagielski]

*) mod_ldap: Optional function uldap_ssl_supported(r) always returned false

if called from a virtual host with mod_ldap directives in it. Did not

affect mod_authnz_ldap's usage of mod_ldap. [Eric Covener]

*) mod_filter: Instead of dropping the Accept-Ranges header when a filter

registered with AP_FILTER_PROTO_NO_BYTERANGE is present,

set the header value to "none". [Eric Covener, Ruediger Pluem]

*) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'

in the case Ranges are being ignored with MaxRanges none.

[Eric Covener]

*) mod_ssl: revamp CRL-based revocation checking when validating

certificates of clients or proxied servers. Completely delegate

CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck

directive for controlling the revocation checking mode. [Kaspar Brand]

*) core: Add MaxRanges directive to control the number of ranges permitted

before returning the entire resource, with a default limit of 200.

[Eric Covener]

*) mod_cache: Ensure that CacheDisable can correctly appear within

a LocationMatch. [Graham Leggett]

*) mod_cache: Fix the moving of the CACHE filter, which erroneously

stood down if the original filter was not added by configuration.

[Graham Leggett]

*) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]

*) mod_authz_groupfile: Increase length limit of lines in the group file to

16MB. PR 43084. [Stefan Fritsch]

*) core: Increase length limit of lines in the configuration file to 16MB.

PR 45888. PR 50824. [Stefan Fritsch]

*) core: Add API for resizable buffers. [Stefan Fritsch]

*) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have

LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such

as Tivoli Directory Server 6.3 and later. [Eric Covener]

*) mod_ldap: Change default number of retries from 10 to 3, and add

an LDAPRetries and LDAPRetryDelay directives. [Eric Covener]

*) mod_authnz_ldap: Don't retry during authentication, because this just

multiplies the ample retries already being done by mod_ldap. [Eric Covener]

*) configure: Allow to explicitly disable modules even with module selection

'reallyall'. [Stefan Fritsch]

*) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the

RewriteEngine is disabled in server context, avoiding a crash while

referencing the invalid int: map at runtime. PR 50994.

[Ben Noordhuis <info noordhuis nl>]

*) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]

*) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]

*) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.

[Kaspar Brand]

*) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the

cookie is set when modules such as mod_rewrite trigger a redirect. Also

use r->err_headers_out for the cookie, for the same reason. PR29755.

[Sami J. Mäkinen <sjm almamedia fi>, Eric Covener]

*) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and

'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch]

*) configure: Enable ldap modules in 'all' and 'most' selections if ldap

is compiled into apr-util. [Stefan Fritsch]

*) core: Add ap_check_cmd_context()-check if a command is executed in

.htaccess file. [Stefan Fritsch]

*) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.

[Torsten Foertsch <torsten foertsch gmx net>]

*) mod_authn_socache: Fix to work in .htaccess if not configured anywhere

in httpd.conf, and introduce an AuthnCacheEnable directive.

PR 51991 [Nick Kew]

*) mod_xml2enc: new (formerly third-party) module supporting

internationalisation for filters via smart charset sniffing

and conversion. [Nick Kew]

*) mod_proxy_html: new (formerly third-party) module to fix up

HTML links in a reverse proxy situation, where a backend

generates URLs that are not resolvable by Clients. [Nick Kew]

Changes with Apache 2.3.14

*) mod_proxy_ajp: Improve trace logging. [Rainer Jung]

*) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets.

[Rainer Jung]

*) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse,

e.g. to reverse proxy "Location: https://other-internal-server/login"

[Nick Kew]

*) prefork, worker, event: Make sure crashes are logged to the error log if

httpd has already detached from the console. [Stefan Fritsch]

*) prefork, worker, event: Reduce period during startup/restart where a

successive signal may be lost. PR 43696. [Arun Bhalla <arun shme net>]

*) mod_allowmethods: Correct Merging of "reset" and do not allow an

empty parameter list for the AllowMethods directive. [Rainer Jung]

*) configure: Update selection of modules for 'all' and 'most'. 'all' will

now enable all modules except for example and test modules. Make the

selection for 'most' more useful (including ssl and proxy). Both 'all'

and 'most' will now disable modules if dependencies are missing instead

of aborting. If a specific module is requested with --enable-XXX=yes,

missing dependencies will still cause configure to exit with an error.

[Stefan Fritsch]

*) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done

in 2.3.13. [Stefan Fritsch]

*) core: For '*' or '_default_' vhosts, use a wildcard address of any

address family, rather than IPv4 only. [Joe Orton]

*) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable

include [ ] for literal IPv6 addresses, as mandated by RFC 3875.

PR 26005. [Stefan Fritsch]

*) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203.

[Nagae Hidetake <nagae eagan jp>]

*) core: Add more logging to ap_scan_script_header_err* functions. Add

ap_scan_script_header_err*_ex functions that take a module index for

logging.

mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the

new functions in order to make logging configurable per-module.

[Stefan Fritsch]

*) mod_dir: Add DirectoryIndexRedirect to send an external redirect to

the proper index. [Eric Covener]

*) mod_deflate: Don't try to compress requests with a zero sized body.

PR 51350. [Stefan Fritsch]

*) core: Fix startup on IPv6-only systems. PR 50592. [Joe Orton,

<root linkage white-void net>]

*) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX,

REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the

whitelist in suexec. PR 51499. [Graham Laverty <graham reg ca>,

Stefan Fritsch]

*) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch]

*) mod_log_debug: New module that allows to log custom messages at various

phases in the request processing. [Stefan Fritsch]

*) mod_ssl: Add some debug logging when loading server certificates.

PR 37912. [Nick Burch <nick burch alfresco com>]

*) configure: Support reallyall option also for --enable-mods-static.

[Rainer Jung]

*) mod_socache_dc: add --with-distcache to configure for choosing

the distcache installation directory. [Rainer Jung]

*) mod_socache_dc: use correct build variable MOD_SOCACHE_DC_LDADD

instead of MOD_SOCACHE_LDADD in build macro. [Rainer Jung]

*) mod_lua, mod_deflate: respect platform specific runpath linker

flag. [Rainer Jung]

*) configure: Only link the httpd binary against PCRE. No other support

binary needs PCRE. [Rainer Jung]

*) configure: tolerate dependency checking failures for modules if

they have been enabled implicitely. [Rainer Jung]

*) configure: Allow to specify module specific custom linker flags via

the MOD_XXX_LDADD variables. [Rainer Jung]

Changes with Apache 2.3.13

*) ab: Support specifying the local address to use. PR 48930.

[Peter Schuller <scode spotify com>]

*) core: Add support to ErrorLogFormat for logging the system unique

thread id under Linux. [Stefan Fritsch]

*) event: New AsyncRequestWorkerFactor directive to influence how many

connections will be accepted per process. [Stefan Fritsch]

*) prefork, worker, event: Rename MaxClients to MaxRequestWorkers which

describes more accurately what it does. [Stefan Fritsch]

*) rotatelogs: Add -p argument to specify custom program to invoke

after a log rotation. PR 51285. [Sven Ulland <sveniu ifi.uio.no>,

Joe Orton]

*) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand]

*) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0.

PR 48215. [Kaspar Brand]

*) mod_status: Display information about asynchronous connections in the

server-status. PR 44377. [Stefan Fritsch]

*) mpm_event: If the number of connections of a process is very high, or if

all workers are busy, don't accept new connections in that process.

[Stefan Fritsch]

*) mpm_event: Process lingering close asynchronously instead of tying up

worker threads. [Jeff Trawick, Stefan Fritsch]

*) mpm_event: If MaxMemFree is set, limit the number of pools that is kept

around. [Stefan Fritsch]

*) mpm_event: Fix graceful restart aborting connections. PR 43359.

[Takashi Sato <takashi lans-tv com>]

*) mod_ssl: Disable AECDH ciphers in example config. PR 51363.

[Rob Stradling <rob comodo com>]

*) core: Introduce new function ap_get_conn_socket() to access the socket of

a connection. [Stefan Fritsch]

*) mod_data: Introduce a filter to support RFC2397 data URLs. [Graham

Leggett]

*) mod_userdir/mod_alias/mod_vhost_alias: Correctly set DOCUMENT_ROOT,

CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX. PR 26052. PR 46198.

[Stefan Fritsch]

*) core: Allow to override document_root on a per-request basis. Introduce

new context_document_root and context_prefix which provide information

about non-global URI-to-directory mappings (from e.g. mod_userdir or

mod_alias) to scripts. PR 49705. [Stefan Fritsch]

*) core: Add <ElseIf> and <Else> to complement <If> sections.

[Stefan Fritsch]

*) mod_ext_filter: Remove DebugLevel option in favor of per-module loglevel.

[Stefan Fritsch]

*) mod_include: Make the "#if expr" element use the new "ap_expr" expression

parser. The old parser can still be used by setting the new directive

SSILegacyExprParser. [Stefan Fritsch]

*) core: Add some features to ap_expr for use by mod_include: a restricted

mode that does not allow to bypass request access restrictions; new

variables DOCUMENT_URI (alias for REQUEST_URI), LAST_MODIFIED; -A as an

alias for -U; an additional data entry in ap_expr_eval_ctx_t for use by

the consumer; an extensible ap_expr_exec_ctx() API that allows to use that

data entry. [Stefan Fritsch]

*) mod_include: Merge directory configs instead of one SSI* config directive

causing all other per-directory SSI* config directives to be reset.

[Stefan Fritsch]

*) mod_charset_lite: Remove DebugLevel option in favour of per-module

loglevel. [Stefan Fritsch]

*) core: Add ap_regexec_len() function that works with non-null-terminated

strings. PR 51231. [Yehezkel Horowitz <horowity checkpoint com>]

*) mod_authnz_ldap: If the LDAP server returns constraint violation,

don't treat this as an error but as "auth denied". [Stefan Fritsch]

*) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO

for SCGI/FCGI. PR 50880, 50851. [Mark Montague <mark catseye.org>,

Jim Jagielski]

*) mod_cache: When content is served stale, and there is no means to

revalidate the content using ETag or Last-Modified, and we have

mandated no stale-on-error behaviour, stand down and don't cache.

Saves a cache write that will never be read.

[Graham Leggett]

*) mod_reqtimeout: Fix a timed out connection going into the keep-alive

state after a timeout when discarding a request body. PR 51103.

[Stefan Fritsch]

*) core: Add various file existance test operators to ap_expr.

[Stefan Fritsch]

*) mod_proxy_express: New mass reverse-proxy switch extension for

mod_proxy. [Jim Jagielski]

*) configure: Fix script error when configuring module set "reallyall".

[Rainer Jung]

Changes with Apache 2.3.12

*) configure, core: Provide easier support for APR's hook probe

capability. [Jim Jagielski, Jeff Trawick]

*) Silence autoconf 2.68 warnings. [Rainer Jung]

*) mod_authnz_ldap: Resolve crash when LDAP is used for authorization only

[Scott Hill <shill genscape.com>]

*) support: Make sure check_forensic works with mod_unique_id loaded

[Joe Schaefer]

*) Add child_status hook for tracking creation/termination of MPM child

processes. Add end_generation hook for notification when the last

MPM child of a generation exits. [Jeff Trawick]

*) mod_ldap: Make LDAPSharedCacheSize 0 create a non-shared-memory cache per

process as opposed to disabling caching completely. This allows to use

the non-shared-memory cache as a workaround for the shared memory cache

not being available during graceful restarts. PR 48958. [Stefan Fritsch]

*) Add new ap_reserve_module_slots/ap_reserve_module_slots_directive API,

necessary if a module (like mod_perl) registers additional modules late

in the startup phase. [Stefan Fritsch]

*) core: Prevent segfault if DYNAMIC_MODULE_LIMIT is reached. PR 51072.

[Torsten Förtsch <torsten foertsch gmx net>]

*) WinNT MPM: Improve robustness under heavy load. [Jeff Trawick]

*) MinGW build improvements. PR 49535. [John Vandenberg

<jayvdb gmail.com>, Jeff Trawick]

*) core: Support module names with colons in loglevel configuration.

[Torsten Förtsch <torsten foertsch gmx net>]

*) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.

[Stefan Fritsch]

*) core: Abort if the MPM is changed across restart. [Jeff Trawick]

*) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.

[Peter Pramberger <peter pramberger.at>, Jim Jagielski]

*) mod_proxy_fcgi: Add support for 'ProxyErrorOverride on'. PR 50913.

[Mark Montague <mark catseye.org>, Jim Jagielski]

*) core: Change the APIs of ap_cfg_getline() and ap_cfg_getc() to return an

error code. Abort with a nice error message if a config line is too long.

Partial fix for PR 50824. [Stefan Fritsch]

*) mod_info: Dump config to stdout during startup if -DDUMP_CONFIG is

specified. PR 31956. [Stefan Fritsch]

*) Restore visibility of DEFAULT_PIDLOG to core and modules. MPM

helper function ap_remove_pid() added. [Jeff Trawick]

*) Enable DEFAULT_REL_RUNTIMEDIR on Windows and NetWare. [various]

*) Correct C++ incompatibility with http_log.h. [Stefan Fritsch, Jeff

Trawick]

*) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch

<torsten.foertsch gmx.net>]

*) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes

in request URL path info but not decode them. Change behavior of option

"On" to decode the encoded slashes as 2.0 and 2.2 do. PR 35256,

PR 46830. [Dan Poirier]

*) mod_ssl: Check SNI hostname against Host header case-insensitively.

PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>]

*) mod_ldap: Add LDAPConnectionPoolTTL to give control over lifetime

of bound backend LDAP connections. PR47634 [Eric Covener]

*) mod_cache: Make CacheEnable and CacheDisable configurable per

directory in addition to per server, making them work from within

a LocationMatch. [Graham Leggett]

*) worker, event, prefork: Correct several issues when built as

DSOs; most notably, the scoreboard was reinitialized during graceful

restart, such that processes of the previous generation were not

observable. [Jeff Trawick]

Changes with Apache 2.3.11

*) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.

Win32's cscript interpreter can only use a single quote as comment char.

[Guenter Knauf]

*) mod_proxy: balancer-manager now uses POST instead of GET.

[Jim Jagielski]

*) core: new util function: ap_parse_form_data(). Previously,

this capability was tucked away in mod_request. [Jim Jagielski]

*) core: new hook: ap_run_pre_read_request. [Jim Jagielski]

*) mod_cache: When a request other than GET or HEAD arrives, we must

invalidate existing cache entities as per RFC2616 13.10. PR 15868.

[Graham Leggett]

*) modules: Fix many modules that were not correctly initializing if they

were not active during server startup but got enabled later during a

graceful restart. [Stefan Fritsch]

*) core: Create new ap_state_query function that allows modules to determine

if the current configuration run is the initial one at server startup,

and if the server is started for testing/config dumping only.

[Stefan Fritsch]

*) mod_proxy: Runtime configuration of many parameters for existing

balancers via the balancer-manager. [Jim Jagielski]

*) mod_proxy: Runtime addition of new workers (BalancerMember) for existing

balancers via the balancer-manager. [Jim Jagielski]

*) mod_cache: When a bad Expires date is present, we need to behave as if

the Expires is in the past, not as if the Expires is missing. PR 16521.

[Co-Advisor <coad@measurement-factory.com>]

*) mod_cache: We must ignore quoted-string values that appear in a

Cache-Control header. PR 50199. [Graham Leggett]

*) mod_dav: Revert change to send 501 error if unknown Content-* header is

received for a PUT request. PR 42978. [Stefan Fritsch]

*) mod_cache: Respect s-maxage as described by RFC2616 14.9.3, which must

take precedence if present. PR 35247. [Graham Leggett]

*) mod_ssl: Fix a possible startup failure if multiple SSL vhosts

are configured with the same ServerName and private key file.

[Masahiro Matsuya <mmatsuya redhat.com>, Joe Orton]

*) mod_socache_dc: Make module compile by fixing some typos.

PR 50735 [Mark Montague <mark catseye.org>]

*) prefork: Update MPM state in children during a graceful stop or

restart. PR 41743. [Andrew Punch <andrew.punch 247realmedia.com>]

*) mod_mime: Ignore leading dots when looking for mime extensions.

PR 50434 [Stefan Fritsch]

*) core: Add support to set variables with the 'Define' directive. The

variables that can then be used in the config using the ${VAR} syntax

known from envvar interpolation. [Stefan Fritsch]

*) mod_proxy_http: make adding of X-Forwarded-* headers configurable.

ProxyAddHeaders defaults to On. [Vincent Deffontaines]

*) mod_slotmem_shm: Increase memory alignment for slotmem data.

[Rainer Jung]

*) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout,

SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew.

[Kaspar Brand <httpd-dev.2011 velox.ch>]

*) mod_ssl: Revamp output buffering to reduce network overhead for

output fragmented into many buckets, such as chunked HTTP responses.

[Joe Orton]

*) core: Apply <If> sections to all requests, not only to file base requests.

Allow to use <If> inside <Directory>, <Location>, and <Files> sections.

The merging of <If> sections now happens after the merging of <Location>

sections, even if an <If> section is embedded inside a <Directory> or

<Files> section. [Stefan Fritsch]

*) mod_proxy: Refactor usage of shared data by dropping the scoreboard

and using slotmem. Create foundation for dynamic growth/changes of

members within a balancer. Remove BalancerNonce in favor of a

per-balancer 'nonce' parameter. [Jim Jagielski]

*) mod_status: Don't show slots which are disabled by MaxClients as open.

PR: 47022 [Jordi Prats <jordi prats gmail com>, Stefan Fritsch]

*) mpm_prefork: Fix ap_mpm_query results for AP_MPMQ_MAX_DAEMONS and

AP_MPMQ_MAX_THREADS.

*) mod_authz_core: Fix bug in merging logic if user-based and non-user-based

authorization directives were mixed. [Stefan Fritsch]

*) mod_authn_socache: change directive name from AuthnCacheProvider

to AuthnCacheProvideFor. The term "provider" is overloaded in

this module, and we should avoid confusion between the provider

of a backend (AuthnCacheSOCache) and the authn provider(s) for

which this module provides cacheing (AuthnCacheProvideFor).

[Nick Kew]

*) mod_proxy_http: Allocate the fake backend request from a child pool

of the backend connection, instead of misusing the pool of the frontend

request. Fixes a thread safety issue where buckets set aside in the

backend connection leak into other threads, and then disappear when

the frontend request is cleaned up, in turn causing corrupted buckets

to make other threads spin. [Graham Leggett]

*) mod_ssl: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables

to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and

escape other special characters with backslashes. The old format can

still be used with the LegacyDNStringFormat argument to SSLOptions.

*) core, mod_rewrite: Make the REQUEST_SCHEME variable available to

scripts and mod_rewrite. [Stefan Fritsch]

*) mod_rewrite: Allow to use arbitrary boolean expressions (ap_expr) in

RewriteCond. [Stefan Fritsch]

*) mod_rewrite: Allow to unset environment variables using E=!VAR.

PR 49512. [Mark Drayton <mark markdrayton info>, Stefan Fritsch]

*) mod_headers: Restore the 2.3.8 and earlier default for the first

argument of the Header directive ("onsuccess"). [Eric Covener]

*) core: Disallow the mixing of relative and absolute Options PR 33708.

[Sönke Tesch <st kino-fahrplan.de>]

*) core: When exporting request headers to HTTP_* environment variables,

drop variables whose names contain invalid characters. Describe in the

docs how to restore the old behaviour. [Malte S. Stretz <mss apache org>]

*) core: When selecting an IP-based virtual host, favor an exact match for

the port over a wildcard (or omitted) port instead of favoring the one

that came first in the configuration file. [Eric Covener]

*) core: Overlapping virtual host address/port combinations now implicitly

enable name-based virtual hosting for that address. The NameVirtualHost

directive has no effect, and _default_ is interpreted the same as "*".

[Eric Covener]

*) core: In the absence of any Options directives, the default is now

"FollowSymlinks" instead of "All". [Igor Galić]

*) rotatelogs: Add -e option to write logs through to stdout for optional

further processing. [Graham Leggett]

*) mod_ssl: Correctly read full lines in input filter when the line is

incomplete during first read. PR 50481. [Ruediger Pluem]

*) mod_authz_core: Add AuthzSendForbiddenOnFailure directive to allow

sending '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if authorization

fails for an authenticated user. PR 40721. [Stefan Fritsch]

Changes with Apache 2.3.10

*) mod_rewrite: Don't implicitly URL-escape the original query string

when no substitution has changed it. PR 50447. [Eric Covener]

*) core: Honor 'AcceptPathInfo OFF' during internal redirects,

such as per-directory mod_rewrite substitutions. PR 50349.

[Eric Covener]

*) mod_rewrite: Add 'RewriteOptions InheritBefore' to put the base

rules/conditions before the overridden rules/conditions. PR 39313.

[Jérôme Grandjanny <jerome.grandjanny cea.fr>]

*) mod_autoindex: add IndexIgnoreReset to reset the list of IndexIgnored

filenames in higher precedence configuration sections. PR 24243.

[Eric Covener]

*) mod_cgid: RLimit* directive support for mod_cgid. PR 42135

[Eric Covener]

*) core: Fail startup when the argument to ServerName looks like a glob

or a regular expression instead of a hostname (*?[]). PR 39863

[Rahul Nair <rahul.g.nair gmail.com>]

*) mod_userdir: Add merging of enable, disable, and filename arguments

to UserDir directive, leaving enable/disable of userlists unmerged.

PR 44076 [Eric Covener]

*) httpd: When no -k option is provided on the httpd command line, the server

was starting without checking for an existing pidfile. PR 50350

[Eric Covener]

*) mod_proxy: Put the worker in error state if the SSL handshake with the

backend fails. PR 50332.

[Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]

*) mod_cache_disk: Fix Windows build which was broken after renaming

the module. [Gregg L. Smith]

Changes with Apache 2.3.9

*) SECURITY: CVE-2010-1623 (cve.mitre.org)

Fix a denial of service attack against mod_reqtimeout.

[Stefan Fritsch]

*) mod_headers: Change default first argument of Header directive

from "onsuccess" to "always". [Eric Covener]

*) mod_include: Add the onerror attribute to the include element,

allowing an URL to be specified to include on error. [Graham

Leggett]

*) mod_cache_disk: mod_disk_cache renamed to mod_cache_disk, to be

consistent with the naming of other modules. [Graham Leggett]

*) mod_setenvif: Add SetEnvIfExpr directive to set env var depending on

expression. [Stefan Fritsch]

*) mod_proxy: Fix ProxyPassInterpolateEnv directive. PR 50292.

[Stefan Fritsch]

*) suEXEC: Add Suexec directive to disable suEXEC without renaming the

binary (Suexec Off), or force startup failure if suEXEC is required

but not supported (Suexec On). Change SuexecUserGroup to fail

startup instead of just printing a warning if suEXEC is disabled.

[Jeff Trawick]

*) core: Add Error directive for aborting startup or htaccess processing

with a specified error message. [Jeff Trawick]

*) mod_rewrite: Fix the RewriteEngine directive to work within a

location. Previously, once RewriteEngine was switched on globally,

it was impossible to switch off. [Graham Leggett]

*) core, mod_include, mod_ssl: Move the expression parser derived from

mod_include back into mod_include. Replace ap_expr with a parser

derived from mod_ssl's parser. Make mod_ssl use the new parser. Rework

ap_expr's public interface and provide hooks for modules to add variables

and functions. [Stefan Fritsch]

*) core: Do the hook sorting earlier so that the hooks are properly sorted

for the pre_config hook and during parsing the config. [Stefan Fritsch]

*) core: In the absence of any AllowOverride directives, the default is now

"None" instead of "All". PR49823 [Eric Covener]

*) mod_proxy: Don't allow ProxyPass or ProxyPassReverse in

<Directory> or <Files>. PR47765 [Eric Covener]

*) prefork/worker/event MPMS: default value (when no directive is present)

of MaxConnectionsPerChild/MaxRequestsPerChild is changed to 0 from 10000

to match default configuration and manual. PR47782 [Eric Covener]

*) proxy_connect: Don't give up in the middle of a CONNECT tunnel

when the child process is starting to exit. PR50220. [Eric Covener]

*) mod_autoindex: Fix inheritance of mod_autoindex directives into

contexts that don't have any mod_autoindex directives. PR47766.

[Eric Covener]

*) mod_rewrite: Add END flag for RewriteRule to prevent further rounds

of rewrite processing when a per-directory substitution occurs.

[Eric Covener]

*) mod_ssl: Make sure to always log an error if loading of CA certificates

fails. PR 40312. [Paul Tiemann <issues apache org ourdetour com>]

*) mod_dav: Send 501 error if unknown Content-* header is received for a PUT

request (RFC 2616 9.6). PR 42978. [Stefan Fritsch]

*) mod_dav: Send 400 error if malformed Content-Range header is received for

a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]

*) mod_proxy: Release the backend connection as soon as EOS is detected,

so the backend isn't forced to wait for the client to eventually

acknowledge the data. [Graham Leggett]

*) mod_proxy: Optimise ProxyPass within a Location so that it is stored

per-directory, and chosen during the location walk. Make ProxyPass

work correctly from within a LocationMatch. [Graham Leggett]

*) core: Fix segfault if per-module LogLevel is on virtual host

scope. PR 50117. [Stefan Fritsch]

*) mod_proxy: Move the ProxyErrorOverride directive to have per

directory scope. [Graham Leggett]

*) mod_allowmethods: New module to deny certain HTTP methods without

interfering with authentication/authorization. [Paul Querna,

Igor Galić, Stefan Fritsch]

*) mod_ssl: Log certificate information and improve error message if client

cert verification fails. PR 50093, PR 50094. [Lassi Tuura <lat cern ch>,

Stefan Fritsch]

*) htcacheclean: Teach htcacheclean to limit cache size by number of

inodes in addition to size of files. Prevents a cache disk from

running out of space when many small files are cached.

[Graham Leggett]

*) core: Rename MaxRequestsPerChild to MaxConnectionsPerChild, which

describes more accurately what the directive does. The old name

still works but logs a warning. [Stefan Fritsch]

*) mod_cache: Optionally serve stale data when a revalidation returns a

5xx response, controlled by the CacheStaleOnError directive.

[Graham Leggett]

*) htcacheclean: Allow the listing of valid URLs within the cache, with

the option to list entry metadata such as sizes and times. [Graham

Leggett]

*) mod_cache: correctly parse quoted strings in cache headers.

PR 50199 [Nick Kew]

*) mod_cache: Allow control over the base URL of reverse proxied requests

using the CacheKeyBaseURL directive, so that the cache key can be

calculated from the endpoint URL instead of the server URL. [Graham

Leggett]

*) mod_cache: CacheLastModifiedFactor, CacheStoreNoStore, CacheStorePrivate,

CacheStoreExpired, CacheIgnoreNoLastMod, CacheDefaultExpire,

CacheMinExpire and CacheMaxExpire can be set per directory/location.

[Graham Leggett]

*) mod_disk_cache: CacheMaxFileSize, CacheMinFileSize, CacheReadSize and

CacheReadTime can be set per directory/location. [Graham Leggett]

*) core: Speed up config parsing if using a very large number of config

files. PR 50002 [andrew cloudaccess net]

*) mod_cache: Support the caching of HEAD requests. [Graham Leggett]

*) htcacheclean: Allow the option to round up file sizes to a given

block size, improving the accuracy of disk usage. [Graham Leggett]

*) mod_ssl: Add authz providers for use with mod_authz_core and its

RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL),

'ssl-verify-client' (for use with 'SSLVerifyClient optional'), and

'ssl-require' (expressions with same syntax as SSLRequire).

[Stefan Fritsch]

*) mod_ssl: Make the ssl expression parser thread-safe. It now requires

bison instead of yacc. [Stefan Fritsch]

*) mod_disk_cache: Change on-disk header file format to support the

link of the device/inode of the data file to the matching header

file, and to support the option of not writing a data file when

the data file is empty. [Graham Leggett]

*) core/mod_unique_id: Add generate_log_id hook to allow to use

the ID generated by mod_unique_id as error log ID for requests.

[Stefan Fritsch]

*) mod_cache: Make sure that we never allow a 304 Not Modified response

that we asked for to leak to the client should the 304 response be

uncacheable. PR45341 [Graham Leggett]

*) mod_cache: Add the cache_status hook to register the final cache

decision hit/miss/revalidate. Add optional support for an X-Cache

and/or an X-Cache-Detail header to add the cache status to the

response. PR48241 [Graham Leggett]

*) mod_authz_host: Add 'local' provider that matches connections originating

on the local host. PR 19938. [Stefan Fritsch]

*) Event MPM: Fix crash accessing pollset on worker thread when child

process is exiting. [Jeff Trawick]

*) core: For process invocation (cgi, fcgid, piped loggers and so forth)

pass the system library path (LD_LIBRARY_PATH or platform-specific

variables) along with the system PATH, by default. Both should be

overridden together as desired using PassEnv etc; see mod_env.

[William Rowe]

*) mod_cache: Introduce CacheStoreExpired, to allow administrators to

capture a stale backend response, perform If-Modified-Since requests

against the backend, and serving from the cache all 304 responses.

This restores pre-2.2.4 cache behavior. [William Rowe]

*) mod_rewrite: Introduce <=, >= string comparison operators, and integer

comparators -lt, -le, -eq, -ge, and -gt. To help bash users and drop

the ambiguity of the symlink test "-ltest", introduce -h or -L as

symlink test operators. [William Rowe]

*) mod_cache: Give the cache provider the opportunity to choose to cache

or not cache based on the buckets present in the brigade, such as the

presence of a FILE bucket.

[Graham Leggett]

*) mod_authz_core: Allow authz providers to check args while reading the

config and allow to cache parsed args. Move 'all' and 'env' authz

providers from mod_authz_host to mod_authz_core. Add 'method' authz

provider depending on the HTTP method. [Stefan Fritsch]

*) mod_include: Move the request_rec within mod_include to be

exposed within include_ctx_t. [Graham Leggett]

*) mod_include: Reinstate support for UTF-8 character sets by allowing a

variable being echoed or set to be decoded and then encoded as separate

steps. PR47686 [Graham Leggett]

*) mod_cache: Add a discrete commit_entity() provider function within the

mod_cache provider interface which is called to indicate to the

provider that caching is complete, giving the provider the opportunity

to commit temporary files permanently to the cache in an atomic

fashion. Replace the inconsistent use of error cleanups with a formal

set of pool cleanups attached to a subpool, which is destroyed on error.

[Graham Leggett]

*) mod_cache: Change the signature of the store_body() provider function

within the mod_cache provider interface to support an "in" brigade

and an "out" brigade instead of just a single input brigade. This

gives a cache provider the option to consume only part of the brigade

passed to it, rather than the whole brigade as was required before.

This fixes an out of memory and a request timeout condition that would

occur when the original document was a large file. Introduce

CacheReadSize and CacheReadTime directives to mod_disk_cache to control

the amount of data to attempt to cache at a time. [Graham Leggett]

*) core: Add ErrorLogFormat to allow configuring error log format, including

additional information that is logged once per connection or request. Add

error log IDs for connections and request to allow correlating error log

lines and the corresponding access log entry. [Stefan Fritsch]

*) core: Disable sendfile by default. [Stefan Fritsch]

*) mod_cache: Check the request to determine whether we are allowed

to return cached content at all, and respect a "Cache-Control:

no-cache" header from a client. Previously, "no-cache" would

behave like "max-age=0". [Graham Leggett]

*) mod_cache: Use a proper filter context to hold filter data instead

of misusing the per-request configuration. Fixes a segfault on trunk

when the normal handler is used. [Graham Leggett]

*) mod_cgid: Log a warning if the ScriptSock path is truncated because

it is too long. PR 49388. [Stefan Fritsch]

*) vhosts: Do not allow _default_ in NameVirtualHost, or mixing *

and non-* ports on NameVirtualHost, or multiple NameVirtualHost

directives for the same address:port, or NameVirtualHost

directives with no matching VirtualHosts, or multiple ip-based

VirtualHost sections for the same address:port. These were

previously accepted with a warning, but the behavior was

undefined. [Dan Poirier]

*) mod_remoteip: Fix a segfault when using mod_remoteip in conjunction with

Allow/Deny. PR 49838. [Andrew Skalski <voltara gmail.com>]

*) core: DirectoryMatch can now match on the end of line character ($),

and sub-directories of matched directories are no longer implicitly

matched. PR49809 [Eric Covener]

*) Regexps: introduce new higher-level regexp utility including parsing

and executing perl-style regexp ops (e.g s/foo/bar/i) and regexp memory

[Nick Kew]

*) Proxy: support setting source address. PR 29404

[Multiple contributors iterating through bugzilla,

Aron Ujvari <xanco nikhok.hu>, Aleksey Midenkov <asm uezku.kemsu.ru>,

<dan listening-station.net; trunk version Nick Kew]