"Fossies" - the Fresh Open Source Software Archive

Member "mpm-itk-2.4.7-04/CHANGES" (14 Feb 2016, 7891 Bytes) of package /linux/www/apache_httpd_modules/mpm-itk-2.4.7-04.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "CHANGES": 2.4.7-03_vs_2.4.7-04.

    1 mpm-itk 2.4.7-04, released 2016-02-14:
    2 
    3   - Fix a compilation error on RHEL6; patch from Hans Kristian Rosbach.
    4   - Add a new flag EnableCapabilities (default on), which can be disabled
    5     to revert to the behavior in place before 2.4.2-02, which causes problems
    6     when the filesystem in use does not respect capabilities (in particular
    7     NFS).
    8   - Update copyright to 2016.
    9 
   10 
   11 mpm-itk 2.4.7-03, released 2015-09-09:
   12 
   13   - Fix an issue where connections would be attempted closed in the parent
   14     instead of in the child. This would result in "Connection: close" not being
   15     honored, and various odd effects with SSL keepalive in certain browsers.
   16   - Correct a log message on AssignGroupIDExpr failure; patch from Roland Mas.
   17   - Update copyright to 2015.
   18 
   19 
   20 mpm-itk 2.4.7-02, released 2014-03-01:
   21 
   22   - In the seccomp.c filter, allow -1 as value in certain system calls,
   23     as it means not to change the given value. Heavily based on patch
   24     from Jason Rhineland.
   25   - Update copyright to 2014.
   26   - Fix the minimum required version number in the README.
   27 
   28 
   29 mpm-itk 2.4.7-01, released 2013-11-26:
   30 
   31   - Note: This is almost identical to the previously released 2.4.6-01,
   32     which was later retracted since Apache 2.4.6 did not contain the
   33     required hook in question.
   34   - Changed the htaccess hook to the form that was eventually included
   35     in the Apache 2.4.7 release. This makes 2.4.7-01 the first version of
   36     mpm-itk that can compile against an entirely unpatched Apache from
   37     upstream, as Apache 2.4.7 includes all required patches for mpm-itk.
   38   - Deleted the now obsolete patches/ directory.
   39   - Updated copyright to 2013.
   40 
   41 
   42 mpm-itk 2.4.4-04, released 2013-02-28:
   43 
   44   - Make seccomp.c compile on 64-bit x86. Based on a bug report
   45     and patch from Hans Kristian Rosbach.
   46   - Fix a few compiler warnings, including a bug that could cause
   47     confusing behavior if fork() failed. Now failing fork() should
   48     reliably result in 500 Internal Server Error being sent.
   49 
   50 
   51 mpm-itk 2.4.4-03, released 2012-12-31:
   52 
   53   - Call ap_close_listeners() right after forking. This makes sure
   54     a runaway/rogue process cannot keep the server from restarting,
   55     or worse, call accept() on the listening socket.
   56 
   57 
   58 mpm-itk 2.4.4-02, released 2012-11-12:
   59 
   60   - Change from being an MPM to being a regular module, like
   61     mod_privileges is. This means we no longer need to duplicate
   62     large parts of prefork's functionality; instead, the user needs
   63     to run regular prefork and then load mpm-itk as a regular
   64     module. Note that the name is unchanged, to prevent (or maybe cause)
   65     further confusion.
   66   - Add a configure script (via autoconf), so that HAVE_LIBCAP is set
   67     if the system supports Linux capabilities. (2.2.4-01 always ran
   68     with libcap disabled.)
   69   - Remove a duplicate definition of the MaxClientsVhost directive
   70     (harmless, but stylistically bad).
   71   - Make the .htaccess check more efficient, by using access()
   72     instead of actually opening the file.
   73   - Actually use the post_perdir_config hook Apache has for us;
   74     seemingly it has been unused for a very long time (we hooked into
   75     header_parser instead, which is ever so slightly later, and does not
   76     run for subrequests).
   77   - Drop our extra privileges properly even if we have a vhost
   78     with default uid/gid; keeping them was probably not what the
   79     administrator intended.
   80   - Rewrite the MaxClientsVHost handling so that it properly takes
   81     into account the port the vhost is running on (unless the vhost
   82     name is very long). This matches Apache's existing scoreboard format,
   83     so we don't need to write into it ourselves anymore.
   84 
   85 
   86 mpm-itk 2.4.4-01, released 2012-11-11:
   87 
   88  - Build completely out-of-tree; thanks to Jeff Trawick for spearheading
   89    this on the Apache side. Note that this requires patches that
   90    are not in any Apache 2.4 release right now, so you will either need to
   91    apply the patches from the patches/ directory (that have been backported
   92    to 2.4.3, from Subversion) or build against httpd trunk. (It is hoped, but
   93    not guaranteed, that they will be part of the Apache 2.4.4 release.)
   94    Also, note that the performance will be ever so slightly lower than the
   95    in-tree versions, due to double statting of .htaccess files. I hope to
   96    fix this eventually.
   97 
   98    I've chosen to keep the version numbers consistent with the previous
   99    release, indicating that this release will probably go along with
  100    Apache 2.4.4, but assuming out-of-tree-builds will be the way forward 
  101    in the 2.4 and newer series, Apache and mpm-itk version numbers will
  102    probably diverge in the future.
  103  - Add a version component ("mpm-itk/2.4.4-01") when the module is loaded,
  104    so maybe over time we can get a better idea of how widespread mpm-itk
  105    really is, and in what versions.
  106 
  107 apache2.4-mpm-itk 2.4.2-02, released 2012-08-05:
  108 
  109  - Take advantage of two new patches from upstream to simplify our code:
  110    First of all, our hook patch is now in Apache proper. Also, a new
  111    ap_stat() hook allows us to do the close-connection-on-EACCES
  112    handling with less patching into Apache itself (and in a future version,
  113    we hope to be able to build entirely out-of-tree). Note that since none
  114    of these patches are currently in a 2.4 release, we add them to the
  115    beginning of the patch series for now, with a “00_upstream” prefix.
  116  - If libcap is available, run as a normal user (the one specified in
  117    httpd.conf) with extra capabilities, instead of restricted root.
  118    Note that this does not really help a lot unless seccomp v2 is
  119    available (see next point), as the process can still call setuid(0)
  120    and then read or write files owned by root.
  121  - If seccomp v2 is available (Linux 3.5.0 or newer), restrict
  122    setuid() and setgid() calls (as well as seteuid() etc.), limiting
  123    their range. By default, only 0 is excluded, but the administrator
  124    can set a custom range with the LimitUIDRange and/or LimitGIDRange
  125    directives (e.g. "LimitUIDRange 1000 2000" to allow only uids
  126    from 1000 to 2000, inclusive). Note due to technical reasons,
  127    setgroups() is _not_ restricted, so a rogue or runaway process
  128    can still get add any group, including the root group, as supplementary.
  129 
  130 
  131 apache2.4-mpm-itk 2.4.2-01, released 2012-07-20:
  132 
  133  - The patch is now against Apache 2.4.2 instead of Apache 2.4.1.
  134    Note that even though the patch set will probably _apply_
  135    to 2.4.1, it will not _work_ properly, due to a missing bugfix
  136    that is no longer in the patch set.
  137  - Support dynamic uid and gid selection through Apache 2.4's new
  138    generic expression syntax. For instance, you can now use mod_rewrite
  139    to do something like this:
  140  
  141      RewriteEngine on
  142      RewriteRule /~([a-z]+)/ - [E=ITKUID:$1]
  143      AssignUserIDExpr %{reqenv:ITKUID}
  144  
  145    which will cause e.g. /~sesse/foo to be run as the user “sesse”.
  146    Obviously, you will need to exercise caution here to avoid opening
  147    up new security holes.
  148  - Fix another case where we should drop the connection instead
  149    of returning 403; this time related to FollowSymLinks and directory
  150    traversal. Bug report and patch by Anton Statutov.
  151  - We now do clean_child_exit() instead of exit() after the request;
  152    this runs pool cleanup hooks, fixing an issue with mod_qos
  153    (reported by Daniele Orlandi). Note that this does not work
  154    properly in the case where we hard-close connections due to uid
  155    switch, so the fix is incomplete.
  156  - Fixed a typo in a comment in itk.c, and removed some stray
  157    trailing whitespace.
  158  - Added CHANGES file for the 2.4 series.
  159 
  160 
  161 apache2.2-mpm-itk 2.4.1-pre01, released 2012-04-01:
  162 
  163  - Backport the bug fix for bug 52904 from upstream, instead of
  164    reverting the entire commit that caused it.
  165  - Fix so AssignUserID can not be given in .htaccess files.
  166 
  167 
  168 apache2.2-mpm-itk 2.4.1-pre00, released 2012-03-14:
  169 
  170   - First port of mpm-itk to Apache 2.4.