- It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker.
- A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially crafted Range header.
- When httpd could not allocate memory, it sometimes terminated unexpectedly with a segmentation fault rather than terminating the process with an error message. With this update, a patch has been applied to correct this bug and httpd no longer crashes in the scenario described.
- When the "SSLCryptoDevice" config variable in "ssl.conf" was set to an unknown or invalid value, the httpd daemon would terminate unexpectedly with a segmentation fault at startup. With this update the code has been corrected, httpd no longer crashes, and httpd issues an appropriate error message in this scenario.
- The rotatelogs program now provides a new "rotatelogs -c" option to create log files for each set interval, even if empty.
- The rotatelogs program now provides a new "rotatelogs -p" option to execute a custom program after each log rotation.
- The Apache module mod_proxy now allows changing the BalancerMember state in the web interface.
- The Apache module mod_alias now supports redirecting to a local path (that is, a partial URL).
- The Apache module mod_proxy now supports the "connectiontimeout" parameter.
- The httpd service is now automatically restarted after a package upgrade, if the service is running.
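
To check whether a reverse proxy uses the two configuration patterns named in the first item (ProxyPassMatch, or RewriteRule with the proxy flag), the following added example lists those directives from an httpd configuration so they can be reviewed. It is not part of the original advisory or of the httpd project; the sample configuration, hostnames and function names are constructed for illustration, and the flag detection is a heuristic that assumes RewriteRule flags are the final bracketed argument.

```python
import re

# Constructed sample configuration; hostnames and paths are made up.
SAMPLE_CONF = r'''# front-end proxy
ProxyPass /app/ http://backend.example.internal/app/
ProxyPassMatch ^/img/(.*)$ http://static.example.internal/$1
RewriteEngine On
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
RewriteRule ^/api/(.*)$ \
    http://api.example.internal/$1 [P,L]
RewriteRule "^/docs/(.*)$" "http://docs.example.internal/$1" [NC,proxy]
#RewriteRule ^/x/(.*)$ http://x.example.internal/$1 [P]
'''

# Trailing "[flag,flag]" argument of a RewriteRule, optionally quoted.
FLAGS_RE = re.compile(r'"?\[([^\]]*)\]"?\s*$')

def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def find_proxying_directives(text):
    """Return (line_no, directive, line) for ProxyPassMatch and RewriteRule [P]."""
    findings = []
    for n, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name = line.split(None, 1)[0].lower()  # directive names are case-insensitive
        if name == "proxypassmatch":
            findings.append((n, "ProxyPassMatch", line))
        elif name == "rewriterule":
            m = FLAGS_RE.search(line)
            flags = {f.strip().lower() for f in m.group(1).split(",")} if m else set()
            if flags & {"p", "proxy"}:
                findings.append((n, "RewriteRule", line))
    return findings

if __name__ == "__main__":
    for n, name, line in find_proxying_directives(SAMPLE_CONF):
        print(f"line {n}: {name}: {line}")
```
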