From Fedora Project Wiki

Revision as of 13:31, 7 September 2012 by B00blik

httpd

httpd was updated to 2.4.3-1. The new version includes many fixes and improvements, among them two security fixes:

  • SECURITY: CVE-2012-3502 (cve.mitre.org) mod_proxy_ajp, mod_proxy_http: Fix an issue in back end connection closing which could lead to privacy issues due to a response mixup.
  • SECURITY: CVE-2012-2687 (cve.mitre.org) mod_negotiation: Escape filenames in variant list to prevent a possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled.
  • mod_authnz_ldap: Don't try a potentially expensive nested groups search before exhausting all AuthLDAPGroupAttribute checks on the current group.
  • mod_lua: Add new directive LuaAuthzProvider to allow implementing an authorization provider in lua.
  • core: Be less strict when checking whether Content-Type is set to "application/x-www-form-urlencoded" when parsing POST data, or we risk losing data with an appended charset.
  • httpd.conf: Added configuration directives to set a bad_DNT environment variable based on User-Agent and to remove the DNT header field from incoming requests when a match occurs. This currently has the effect of removing DNT from requests by MSIE 10.0 because it deliberately violates the current specification of DNT semantics for HTTP.
  • mod_cache: Set content type in case we return stale content.
  • ab: Fix read failure when targeting SSL server.
  • htpasswd: Use correct file mode for checking if file is writable.
  • mod_rewrite: Fix crash with dbd RewriteMaps.
  • mod_ssl: Add new directive SSLCompression to disable TLS-level compression.
  • mod_lua: Add a few missing request_rec fields. Rename remote_ip to client_ip to match conn_rec.
  • mod_lua: Change prototype of vm_construct, to work around gcc bug which causes a segfault.
  • mpm_event: Don't count connections in lingering close state when calculating how many additional connections may be accepted.
  • mod_ssl: If exiting during initialization because of a fatal error, log a message to the main error log pointing to the appropriate virtual host error log.
  • mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on one connection.
  • mod_proxy_balancer: Restore balancing after a failed worker has recovered when using lbmethod_bybusyness.
  • mod_setenvif: Compile some global regex only once during startup. This should save some memory, especially with .htaccess.
  • core: Add the port number to the vhost's name in the scoreboard.
  • mod_proxy: Fix ProxyPassReverse for balancer configurations.
  • mod_lua: Add the parsebody function for parsing POST data.
  • apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS.
  • mod_proxy: Fix memory leak or possible corruption in ProxyBlock implementation.
  • mod_proxy: Check hostname from request URI against ProxyBlock list, not forward proxy, if ProxyRemote* is configured.
  • mod_proxy_connect: Avoid DNS lookup on hostname from request URI if ProxyRemote* is configured.
  • mpm_event, mpm_worker: Remain active amidst prevalent child process resource shortages.
  • Add "strict" and "warnings" pragmas to Perl scripts.
  • ab: Fix bind() errors.
  • mpm_event: Don't do a blocking write when starting a lingering close from the listener thread.
  • mod_so: If a filename without slashes is specified for LoadFile or LoadModule and the file cannot be found in the server root directory, try to use the standard dlopen() search path.
  • mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced after child process resource shortages.
  • mpm_prefork: Reduce spawn rate after a child process exits due to unexpected poll or accept failure.
  • core: Log value of Status header line in script responses rather than the fixed header name.
  • mod_ssl: Fix handling of empty response from OCSP server.
  • mpm_event: Fix handling of MaxConnectionsPerChild.
  • mod_authz_core: If an expression in "Require expr" returns denied and references %{REMOTE_USER}, trigger authentication and retry.
  • core: Always log if LimitRequestFieldSize triggers.
  • mod_deflate: Skip compression if compression is enabled at SSL level.
  • core: Add missing HTTP status codes registered with IANA.
  • mod_ldap: Treat the "server unavailable" condition as a transient error with all LDAP SDKs.
  • core: Fix spurious "not allowed here" error returned when the Options directive is used in .htaccess and "AllowOverride Options" (with no specific options restricted) is configured.
  • mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
  • mod_log_config: Fix %{abc}C truncating cookie values at first "=".
  • mod_ext_filter: Fix error_log spam when input filters are configured.
  • mod_rewrite: Add "AllowAnyURI" option.
  • htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
  • core: Use a TLS 1.0 close_notify alert for internal dummy connection if the chosen listener is configured for https.
  • mod_proxy: Use the same hostname for SNI as for the HTTP request when forwarding to SSL backends.
  • mod_info: Display all registered providers.
  • mod_ssl: Send the error message for speaking http to an https port using HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when using SNI.
  • core: Fix segfault in logging if r->useragent_addr or c->client_addr is unset.
  • log_server_status: Bring Perl style forward to the present, use standard modules, update for new format of server-status output.
  • mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups.
  • core: Prevent "httpd -k restart" from killing server in presence of config error.
  • mod_proxy_fcgi: If there is an error reading the headers from the backend, send an error to the client.
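The following httpd.conf excerpt is an added example, not content from this wiki page or the httpd project's shipped configuration. It exercises the security-relevant 2.4.3 items from the list above in one place: SSLCompression, the bad_DNT handling, mod_deflate next to it, a Require expr that references %{REMOTE_USER}, and an https ProxyPass that relies on the SNI fix. The hostnames, file paths and the user name are placeholders.

```apache
# Added example, not from the Fedora wiki page or the httpd project's shipped
# httpd.conf. Hostnames, file paths and the user name are placeholders.

LoadModule ssl_module        modules/mod_ssl.so
LoadModule setenvif_module   modules/mod_setenvif.so
LoadModule headers_module    modules/mod_headers.so
LoadModule filter_module     modules/mod_filter.so
LoadModule deflate_module    modules/mod_deflate.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# New in 2.4.3 (default is on). TLS-level compression is the layer the CRIME
# attack leaks secrets through, so turn it off. mod_deflate in 2.4.3 skips
# HTTP-level compression whenever the TLS layer compresses; with this setting
# response bodies are compressed at exactly one layer, by mod_deflate.
SSLCompression off
AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript

# Same effect as the 2.4.3 httpd.conf additions: MSIE 10.0 sends DNT: 1
# unconditionally, so drop the header before applications act on it.
<IfModule setenvif_module>
    BrowserMatch "MSIE 10.0;" bad_DNT
</IfModule>
<IfModule headers_module>
    RequestHeader unset DNT env=bad_DNT
</IfModule>

# Deliberately not set: "RewriteOptions AllowAnyURI" (new in 2.4.3) lifts
# mod_rewrite's check that the request URI is a URL path; leave it off unless
# you must rewrite requests with non-HTTP schemes.

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # The expression references %{REMOTE_USER}. Before 2.4.3 an unauthenticated
    # request was simply denied; with 2.4.3 the denial triggers authentication
    # and the expression is re-evaluated with the authenticated user.
    <Location "/admin">
        AuthType Basic
        AuthName "Administration"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/conf/admin.htpasswd
        Require expr "%{REMOTE_USER} == 'alice' && %{REMOTE_ADDR} -ipmatch '10.0.0.0/8'"
    </Location>

    # Forwarding to an https backend: 2.4.3 uses the same hostname for SNI as
    # in the Host header it sends to the backend, so a name-based TLS backend
    # presents the right certificate.
    SSLProxyEngine on
    ProxyPass        "/api/" "https://backend.example.internal/api/"
    ProxyPassReverse "/api/" "https://backend.example.internal/api/"
</VirtualHost>
```

Check the result with `httpd -t` before restarting; note that 2.4.3 also stops "httpd -k restart" from killing the server on a configuration error, but a syntax check is still cheaper than a failed reload.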

lighttpd

lighttpd was updated to 1.4.32-2. There are many fixes:

  • [ssl] fix segfault in counting renegotiations for openssl versions without TLSEXT/SNI
  • Move fdevent subsystem includes to implementation files to reduce conflicts
  • [mod_compress] fix handling if etags are disabled but cache-dir is set – may lead to double response
  • disable mmap by default
  • buffer_caseless_compare: always convert letters to lowercase to get transitive results, fixing array lookups
  • Fix handling of empty header list entries in http_request_split_value, fixing invalid read in valgrind
  • Fix access log escaping of " and \
  • [mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617)
  • [auth] Add "AUTH_TYPE" environment (for * cgi), remove fastcgi specific workaround, add fastcgi test case
  • [mod_*cgi,mod_accesslog] Fix splitting :port with ipv6
  • Detect multiple -f options: show error message instead of assert
  • [mod_extforward] Support ipv6 addresses
  • [mod_redirect] Support url.redirect-code option
  • Fix --enable-mmap handling in configure.ac