-*- coding: utf-8 -*- Changes with Apache 2.2.22 *) SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations. [Joe Orton] *) SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file. [Stefan Fritsch, Greg Ames] *) SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations. [Joe Orton] *) SECURITY: CVE-2012-0021 (cve.mitre.org) mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format string is in use and a client sends a nameless, valueless cookie, causing a denial of service. The issue existed since version 2.2.17. PR 52256. [Rainer Canavan ] *) SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process could cause the parent to crash at shutdown rather than terminate cleanly. [Joe Orton] *) SECURITY: CVE-2012-0053 (cve.mitre.org) Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400. [Eric Covener] *) mod_proxy_ajp: Try to prevent a single long request from marking a worker in error. [Jean-Frederic Clere] *) config: Update the default mod_ssl configuration: Disable SSLv2, only allow >= 128bit ciphers, add commented example for speed optimized cipher list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand] *) core: Fix segfault in ap_send_interim_response(). PR 52315. [Stefan Fritsch] *) mod_log_config: Prevent segfault. PR 50861. [Torsten F�rtsch ] *) mod_win32: Invert logic for env var UTF-8 fixing. Now we exclude a list of vars which we know for sure they dont hold UTF-8 chars; all other vars will be fixed. This has the benefit that now also all vars from 3rd-party modules will be fixed. PR 13029 / 34985. [Guenter Knauf] *) core: Fix hook sorting for Perl modules, a regression introduced in 2.2.21. PR: 45076. [Torsten Foertsch ] *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20: A range of '0-' will now return 206 instead of 200. PR 51878. [Jim Jagielski] *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead of "0"). [Rainer Jung] *) mod_substitute: Fix buffer overrun. [Ruediger Pluem, Rainer Jung]