-*- coding: utf-8 -*- Changes with Apache 2.2.29 *) Corrected docs/manual pages for new MergeTrailers directive and other out of date documentation. [William Rowe] Changes with Apache 2.2.28 *) SECURITY: CVE-2014-0118 (cve.mitre.org) mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of service via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener] *) SECURITY: CVE-2014-0231 (cve.mitre.org) mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. By default, the client I/O timeout (Timeout directive) now applies to communication with scripts. The CGIDScriptTimeout directive can be used to set a different timeout for communication with scripts. [Rainer Jung, Eric Covener, Yann Ylavic] *) SECURITY: CVE-2014-0226 (cve.mitre.org) Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow. [Joe Orton, Eric Covener, Jeff Trawick] *) SECURITY: CVE-2013-5704 (cve.mitre.org) core: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds "MergeTrailers" directive to restore legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener] *) core: Detect incomplete request and response bodies, log an error and forward it to the underlying filters. PR 55475. [Yann Ylavic] *) mod_deflate: Handle Zlib header and validation bytes received in multiple chunks. PR 46146. [Yann Ylavic] *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI differs. PR 55782. [Yann Ylavic] *) mod_deflate: Fix inflation of files larger than 4GB. PR 56062. [Lukas Bezdicka ] *) mod_dav: Fix improper encoding in PROPFIND responses. PR 56480. [Ben Reser] *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions resumed by TLS session resumption (RFC 5077). [Rainer Jung] *) mod_proxy_ajp: Forward local IP address as a custom request attribute like we already do for the remote port. [Rainer Jung] *) mod_deflate: Don't fail when flushing inflated data to the user-agent and that coincides with the end of stream ("Zlib error flushing inflate buffer"). PR 56196. [Christoph Fausak ] *) mod_cache, mod_disk_cache: With CacheLock enabled, responses with a Vary header might not get the benefit of the thundering herd protection due to an incorrect internal cache key. PR 50317. [Ruediger Pluem, Jan Kaluza, Yann Ylavic] *) mod_rewrite: Support session cookies with the CO= flag when later parameters are used. The doc for this implied the feature had been backported for quite some time. PR56014 [Eric Covener] *) mod_cache: Don't remove stale cache entries that cannot be conditionally revalidated. This prevents the thundering herd protection from serving stale responses during a revalidation. PR 50317. [Eric Covener, Jan Kaluza, Ruediger Pluem] *) core: Increase TCP_DEFER_ACCEPT socket option to from 1 to 30 seconds. PR 41270. [Dean Gaudet ]