-*- coding: utf-8 -*- Changes with Apache 2.0.55 since 2.0.54 (APR 0.9.7 changes below) *) SECURITY: CAN-2005-2700 (cve.mitre.org) mod_ssl: Fix a security issue where "SSLVerifyClient" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the vhost configuration. [Joe Orton] *) worker MPM: Fix a memory leak which can occur after an aborted connection in some limited circumstances. [Greg Ames] *) mod_ldap: Fix PR 36563. Keep track of the number of attributes retrieved from LDAP so that all of the values can be properly cached even if the value is NULL. [Brad Nicholes, Ondrej Sury ] *) SECURITY: CAN-2005-2491 (cve.mitre.org): Fix integer overflows in PCRE in quantifier parsing which could be triggered by a local user through use of a carefully-crafted regex in an .htaccess file. [Philip Hazel] *) SECURITY: CAN-2005-2088 (cve.mitre.org) proxy: Correctly handle the Transfer-Encoding and Content-Length headers. Discard the request Content-Length whenever T-E: chunked is used, always passing one of either C-L or T-E: chunked whenever the request includes a request body. Resolves an entire class of proxy HTTP Request Splitting/Spoofing attacks. [William Rowe] *) Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method. This addresses a flaw in proxy conformance to RFC 2616 - previously the proxy server would accept a TRACE request body although the RFC prohibited it. The default remains 'TraceEnable on'. [William Rowe] *) Add ap_log_cerror() for logging messages associated with particular client connections. [Jeff Trawick] *) Correct mod_cgid's argv[0] so that the full path can be delved by the invoked cgi application, to conform to the behavior of mod_cgi. [Pradeep Kumar S ] *) mod_include: Fix possible environment variable corruption when using nested includes. PR 12655. [Joe Orton] *) Support the suppress-error-charset setting, as with Apache 1.3.x. PR 31274. [Jeff Trawick] *) EBCDIC: Handle chunked input from client or, with proxy, origin server. [Jeff Trawick] *) Fix bad globbing comparison which could result in getting a directory listing when a file was requested. PR 34512. [sean ] *) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker() was called even if mod_auth_ldap_check_user_id() was not (or if it didn't succeed) for non-authoritative cases. [Jim Jagielski] *) SECURITY: CAN-2005-2728 (cve.mitre.org) Fix cases where the byterange filter would buffer responses into memory. PR 29962. [Joe Orton] *) mod_proxy: Fix over-eager handling of '%' for reverse proxies. PR 15207. [Jim Jagielski] *) mod_ldap: Fix various shared memory cache handling bugs. PR 34209. [Joe Orton] *) Fix a file descriptor leak when starting piped loggers. PR 33748. [Joe Orton] *) mod_ldap: Avoid segfaults when opening connections if using a version of OpenLDAP older than 2.2.21. PR 34618. [Brad Nicholes] *) mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe] *) SECURITY: CAN-2005-2088 (cve.mitre.org) core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. [Paul Querna, Joe Orton] *) proxy HTTP: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection, mitigating some HTTP Response Splitting attacks. [Jeff Trawick] *) Prevent hangs of child processes when writing to piped loggers at the time of graceful restart. PR 26467. [Jeff Trawick] *) SECURITY: CAN-2005-1268 (cve.mitre.org) mod_ssl: Fix off-by-one overflow whilst printing CRL information at "LogLevel debug" which could be triggered if configured to use a "malicious" CRL. PR 35081. [Marc Stern ] *) mod_userdir: Fix possible memory corruption issue. PR 34588. [David Leonard ] *) worker mpm: don't take down the whole server for a transient thread creation failure. PR 34514 [Greg Ames] *) mod_rewrite: use buffered I/O to improve performance with large RewriteMap txt: files. [Greg Ames] *) proxy HTTP: Rework the handling of request bodies to handle chunked input and input filters which modify content length, and avoid spooling arbitrary-sized request bodies in memory. PR 15859. [Jeff Trawick] Changes with APR 0.9.7 since APR 0.9.6 *) Fix crash in apr_dir_make_recursive() for relative path when the working directory has been deleted. [Joe Orton] *) Win32: fix apr_proc_mutex_trylock() to handle WAIT_TIMEOUT, returning APR_EBUSY. [Ronen Mizrahi ] *) Fix apr_file_read() to catch write failures when flushing pending writes for a buffered file. [Joe Orton] *) Fix apr_file_write() infinite loop on write failure for buffered files. [Erik Huelsmann ] *) Fix error handling where apr_uid_* and apr_gid_* could segfault or return APR_SUCCESS in failure cases. PR 34053. [Joe Orton, Paul Querna] *) Refactor Win32 condition variables code to address bugs 27654, 34336. [Henry Jen , E Holyat ] *) Support APR_SO_SNDBUF and APR_SO_RCVBUF on Windows. PR 32177. [Sim , Jeff Trawick] *) Fix detection of rwlocks on Mac OS X. [Aaron Bannert] *) Fix issue with poll() followed by net I/O yielding EAGAIN on Mac OS 10.4 (Darwin 8). [Wilfredo Sanchez] Changes with APR-util 0.9.7 since APR-util 0.9.6 *) Fix apr_rmm_realloc() offset calculation bug. [Keith Kelleman ] *) Fix handling of a premature EOF with the FILE bucket; a new bucket is not inserted for each attempt to read past EOF. PR 34708. [Jeff Trawick, Joe Orton] *) Fix build failure with non-threaded APR on AIX. PR 34655. [Ryan Murray ] *) Backport the apr_reslist_timeout_set and apr_reslist_invalidate functions already in APR 1.0.x. [Paul Querna] *) Fix linking problem on cygwin. [Max Bowsher ] Changes with APR-iconv 0.9.7 since APR-iconv 0.9.6 *) Fixed build .rc version resource for Win32. [Will Rowe]