📄 changes
字号:
_ _ _ __ ___ ___ __| | ___ ___| | mod_ssl | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org |_____| _____________________________________________________________________________ ``The difference between a career and a job is about 20 hours a week.'' CHANGES This file summarizes *all* types of changes to the mod_ssl package, i.e. changes between each betalevel and patchlevel, i.e. changes between 2.x.y->2.x.(y+1) and 2.x.y->2.(x+1).0. Take this list as a reference for concrete and detailed information about every single change. There are _INTENTIONALLY_ no contributor names attached to the entries. Instead all contributors are listed in the CREDITS file. ____ ___ |___ \ ( _ ) __) | / _ \ / __/ | (_) | __ |_____(_)___/ ___________________________________________ Changes with mod_ssl 2.8.31 (12-Sep-2007 to 08-Feb-2008) *) Fix a compile-time warning. *) Upgraded to Apache 1.3.41 Changes with mod_ssl 2.8.30 (10-Sep-2007 to 12-Sep-2007) *) Fixed patch generation and this way fix building of patched mod_status Changes with mod_ssl 2.8.29 (28-Jul-2006 to 10-Sep-2007) *) Upgraded to Apache 1.3.39 Changes with mod_ssl 2.8.28 (17-May-2006 to 28-Jul-2006) *) Upgraded to Apache 1.3.37 Changes with mod_ssl 2.8.27 (08-May-2005 to 17-May-2006) *) Upgraded to Apache 1.3.36 Changes with mod_ssl 2.8.26 (18-Oct-2005 to 08-May-2006) *) Upgraded to Apache 1.3.35 *) More correct prototype usage for passphrase callback. *) Some Win32 fixes. Changes with mod_ssl 2.8.25 (02-Sep-2005 to 18-Oct-2005) *) Upgraded to Apache 1.3.34 Changes with mod_ssl 2.8.24 (06-Jul-2005 to 02-Sep-2005) *) Fix a security issue (CAN-2005-2700) where "SSLVerifyClient require" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the global virtual host configuration. Changes with mod_ssl 2.8.23 (30-Oct-2004 to 06-Jul-2005) *) Ported to OpenSSL 0.9.8 *) Fixed connection timeout handling by calling the EAPI connection close hook after (and not before) the B_OUT flag was set on the underlying I/O buffer in order to prevent attempted buffer flushes from blocking the connection. *) Updated the ca-bundle.crt file from Mozilla's "certdata.txt" (CVS revision 1.37). *) Fix timeout handling in POST request processing by resetting timeouts. *) Fixed double-definition of OPENSSL_free under OpenSSL 0.9.6 by fixing the version test in ssl_util_ssl.h *) Adjusted all copyright messages to contain the new year 2005 ;) Changes with mod_ssl 2.8.22 (22-Oct-2004 to 30-Oct-2004) *) Upgraded to Apache 1.3.33 Changes with mod_ssl 2.8.21 (15-Oct-2004 to 22-Oct-2004) *) Upgraded to Apache 1.3.32 Changes with mod_ssl 2.8.20 (16-Jul-2004 to 15-Oct-2004) *) With OpenSSL 0.9.7, prevent session resumption during a renegotiation to force the client to negotiate a new (and acceptable to mod_ssl) cipher suite. Additionally, ensure that a correct cipher suite has been negotiated afterwards (CAN-2004-0885). *) Fixed more printf(3) style format string bugs (not security related) which could crash the server if mod_ssl's trace or debug log level is enabled. Changes with mod_ssl 2.8.19 (27-May-2004 to 16-Jul-2004) *) Fix ssl_log() related format string vulnerability in mod_proxy hook functions. Changes with mod_ssl 2.8.18 (11-May-2004 to 27-May-2004) *) Fix buffer overflow in "SSLOptions +FakeBasicAuth" implementation if the Subject-DN in the client certificate exceeds 6KB in length. (CVE CAN-2004-0488). *) Handle the case of OpenSSL retry requests after interrupted system calls during the SSL handshake phase. *) Remove some unused functions. Changes with mod_ssl 2.8.17 (01-Nov-2003 to 11-May-2004) *) Upgraded to Apache 1.3.31 *) Log the OpenSSL error stack contents if the crypto engine load/init fails. *) Fixed segfault in lookup of variable SESSION_ID in case SSL_get_session() returns NULL. *) Bugfix "dbm" session cache: the DBM file was closed too early (before accessing the data). *) Bugfix "shmcb" session cache for situations where the session data is bigger than the cache size. *) Adjusted all copyright messages to contain the new year 2004 ;) Changes with mod_ssl 2.8.16 (18-Jul-2003 to 01-Nov-2003) *) Upgraded to Apache 1.3.29 *) Avoid memory corruption in certificate handling caused by a heap memory double-freeing situation. *) Allow "HTTPS" variable to be passed through by suEXEC. *) Clear the OpenSSL error code in pass phrase reading code to workaround the following situation: multiple keys, all with different passphrases -- entering the correct pass phrase at each prompt leads to an OpenSSL error message after the last prompt. *) Reverted the recent change where ap_cleanup_for_exec() called ap_kill_alloc_shared(). This caused nasty side-effects in other processes and is not necessary at all (because shared memory segments are not inherited across exec). *) mod_ssl was checking the OpenSSL error reason code against SSL_R_HTTP_REQUEST and concluded the result is an SSL error. Since OpenSSL reason codes are not unique, this isn't always the case. It now additionally checks that the library is the SSL library. Changes with mod_ssl 2.8.15 (21-Mar-2003 to 18-Jul-2003) *) Upgraded to Apache 1.3.28 *) Take over security fix from Apache 2.0 related to per-directory renogotiations. Changes with mod_ssl 2.8.14 (18-Mar-2003 to 21-Mar-2003) *) Fixed logic in the destruction of a temporary certificate structure and this way avoid a crash due to freeing NULL object. *) Removed one newly introduced X509_free() call in the context of SSL_get_certificate(), because this function does not increment a reference count (although SSL_get_peer_certificate() does). *) Fixed hash-table based shared memory session cache (shmht) implementation by making sure that the underlying hash table library does not crash if memory cannot be allocated. Changes with mod_ssl 2.8.13 (23-Oct-2002 to 18-Mar-2003) *) Always enforce RSA blinding on RSA private keys in order to be resistent to timing attacks. *) Added timeout also to the "pre-sucking" of the trailing data in POST request handling. *) Correctly shutdown shared memory pools on fork+exec situations. *) Bugfix SSL client certificate verification: OpenSSL was not informed with SSL_set_verify_result(ssl, X509_V_OK) in case mod_ssl forced the verification to be ok. *) Consistently use OPENSSL_free() instead of plain free() to deallocate memory chunks allocated inside OpenSSL. *) Fixed various memory leaks related to X509 certificates. Changes with mod_ssl 2.8.12 (04-Oct-2002 to 23-Oct-2002) *) Fixed potential Cross-Site-Scripting bug. *) Allow also 8192 bytes of shared memory data size. Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002) *) Upgraded to Apache 1.3.27. *) Fixed internal error handling for CRL verification. *) Initialize OpenSSL ENGINE before initializing OpenSSL to workaround problems with the PRNG. *) Also find "openssl" executable in "sbin" directories. *) Honor specified number of maximum bytes on SSLRandomSeed if reading from EGD. *) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables. Changes with mod_ssl 2.8.10 (19-Jun-2002 to 24-Jun-2002) *) Fixed off-by-one buffer overflow bug in the compatibility functionality (mapping of old directives to new ones). *) Fixed memory leak in processing of CA certificates. *) In case there is actually a certificate chain in the session cache, we now use the value of SSL_get_peer_certificate(ssl) to verify as it will have been removed from the chain before it was put in the cache. *) Seed the PRNG with a maximum of 1K from the internal scoreboard. Changes with mod_ssl 2.8.9 (27-Mar-2002 to 19-Jun-2002) *) Upgraded to Apache 1.3.26. *) Support for OpenSSL 0.9.7. *) Open random files in binary mode under Win32 to not stop on EOS characters. *) Additional internal consistency check on vhost sanity checking in case no DNS entries are found for virtual hosts. *) Fixed detection of a faked "Faked Basic Auth" situation for internal redirection situations. Changes with mod_ssl 2.8.8 (23-Feb-2002 to 27-Mar-2002) *) Upgraded to Apache 1.3.24 *) Support leading whitespaces in commands of SSLLog "|..." directives. *) Fixed timeout handling on connection establishment by correctly resetting the timeout on errors. *) Fixed two memory leaks related to CA certificate configuration. *) Fixed memory leak related to temporary DH key handling. *) Fixed memory leak on shutdown if CRLs are used. *) Fixed remaining SIGBUS problems on SPARC inside SHMCB session cache implementation. Changes with mod_ssl 2.8.7 (01-Feb-2002 to 23-Feb-2002) *) Support for the latest OpenSSL 0.9.7 snapshots. *) Fixed potential buffer overflow in DBM and SHMHT session cache if very very large certificate chains are used. *) Compliance with POSIX 1003.1-2001 (SUSv3) by replacing obsolete "head -1" and "tail -1" constructs with sed variants in scripts. *) Fixed file descriptor leakage under Win32. Changes with mod_ssl 2.8.6 (16-Oct-2001 to 01-Feb-2002) *) Upgraded to Apache 1.3.23 *) Fixed a subtle indexing bug in SHMCB. Each sub-cache used an indexing structure that (correctly) used index values (and ranges) as "unsigned int", but the meta-structure in the header had these ranged as "unsigned char". *) Perform the SHMCB remove operation under mutual exclusion to prevent a inter-process synchronization problem. *) Made sure that mod_ssl does not segfault in case of SCOREBOARD_SIZE < 1024. *) Merged in the SDBM patch from Uwe Ohse which fixes a problem with sdbms .dir file, which arrises when a second .dir block is needed for the first time. read() returns 0 in that case, and the library forgot to initialize that new block. A related problem is that the calculation of db->maxbno is wrong. It just appends 4096*BYTESIZ bits, which is not enough except for small databases (.dir basically doubles everytime it's too small). Changes with mod_ssl 2.8.5 (20-May-2001 to 16-Oct-2001) *) Upgraded to Apache 1.3.22⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -