Posted to cvs@httpd.apache.org by dr...@apache.org on 2019/03/31 03:42:40 UTC

svn commit: r33341 - /dev/httpd/ /release/httpd/

Author: druggeri
Date: Sun Mar 31 03:42:40 2019
New Revision: 33341

Log:
Push 2.4.39 up to the release directory

Added:
    release/httpd/CHANGES_2.4.39
      - copied unchanged from r33340, dev/httpd/CHANGES_2.4.39
    release/httpd/httpd-2.4.39.tar.bz2
      - copied unchanged from r33340, dev/httpd/httpd-2.4.39.tar.bz2
    release/httpd/httpd-2.4.39.tar.bz2.asc
      - copied unchanged from r33340, dev/httpd/httpd-2.4.39.tar.bz2.asc
    release/httpd/httpd-2.4.39.tar.bz2.md5
      - copied unchanged from r33340, dev/httpd/httpd-2.4.39.tar.bz2.md5
    release/httpd/httpd-2.4.39.tar.bz2.sha1
      - copied unchanged from r33340, dev/httpd/httpd-2.4.39.tar.bz2.sha1
    release/httpd/httpd-2.4.39.tar.bz2.sha256
      - copied unchanged from r33340, dev/httpd/httpd-2.4.39.tar.bz2.sha256
    release/httpd/httpd-2.4.39.tar.gz
      - copied unchanged from r33340, dev/httpd/httpd-2.4.39.tar.gz
    release/httpd/httpd-2.4.39.tar.gz.asc
      - copied unchanged from r33340, dev/httpd/httpd-2.4.39.tar.gz.asc
    release/httpd/httpd-2.4.39.tar.gz.md5
      - copied unchanged from r33340, dev/httpd/httpd-2.4.39.tar.gz.md5
    release/httpd/httpd-2.4.39.tar.gz.sha1
      - copied unchanged from r33340, dev/httpd/httpd-2.4.39.tar.gz.sha1
    release/httpd/httpd-2.4.39.tar.gz.sha256
      - copied unchanged from r33340, dev/httpd/httpd-2.4.39.tar.gz.sha256
Removed:
    dev/httpd/CHANGES_2.4
    dev/httpd/CHANGES_2.4.39
    dev/httpd/httpd-2.4.39-deps.tar.bz2
    dev/httpd/httpd-2.4.39-deps.tar.bz2.asc
    dev/httpd/httpd-2.4.39-deps.tar.bz2.md5
    dev/httpd/httpd-2.4.39-deps.tar.bz2.sha1
    dev/httpd/httpd-2.4.39-deps.tar.bz2.sha256
    dev/httpd/httpd-2.4.39-deps.tar.gz
    dev/httpd/httpd-2.4.39-deps.tar.gz.asc
    dev/httpd/httpd-2.4.39-deps.tar.gz.md5
    dev/httpd/httpd-2.4.39-deps.tar.gz.sha1
    dev/httpd/httpd-2.4.39-deps.tar.gz.sha256
    dev/httpd/httpd-2.4.39.tar.bz2
    dev/httpd/httpd-2.4.39.tar.bz2.asc
    dev/httpd/httpd-2.4.39.tar.bz2.md5
    dev/httpd/httpd-2.4.39.tar.bz2.sha1
    dev/httpd/httpd-2.4.39.tar.bz2.sha256
    dev/httpd/httpd-2.4.39.tar.gz
    dev/httpd/httpd-2.4.39.tar.gz.asc
    dev/httpd/httpd-2.4.39.tar.gz.md5
    dev/httpd/httpd-2.4.39.tar.gz.sha1
    dev/httpd/httpd-2.4.39.tar.gz.sha256
Modified:
    release/httpd/Announcement2.4.html
    release/httpd/Announcement2.4.txt
    release/httpd/CHANGES_2.4

Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Sun Mar 31 03:42:40 2019
@@ -49,27 +49,27 @@
 <div class="banner"></div>
 
 <h1>
-                       Apache HTTP Server 2.4.38 Released
+                       Apache HTTP Server 2.4.39 Released
 </h1>
 <p>
-   January 22, 2019
+   September 21, 2018
 </p>
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
    pleased to <a href="https://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
-   the release of version 2.4.38 of the Apache
+   the release of version 2.4.39 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a security and bug fix release.
+   a feature and bug fix release.
 </p>
 <p>
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 </p>
 <p>
-   Apache HTTP Server 2.4.38 is available for download from:
+   Apache HTTP Server 2.4.39 is available for download from:
 </p>
 <dl>
   <dd><a href="https://httpd.apache.org/download.cgi"
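Review bot: The release date in the paragraph under the <h1> goes backwards: "January 22, 2019" is replaced by "September 21, 2018", which is earlier than the 2.4.38 date it replaces and earlier than this commit's own date of Mar 31, 2019. It looks like a stale date carried over from an older announcement; set it to the actual 2.4.39 release date. The change from "a security and bug fix release" to "a feature and bug fix release" matches the 2.4.39 block added to CHANGES_2.4 in this commit, which lists no SECURITY entries, but the wording should be revisited if any are added later.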
@@ -77,7 +77,7 @@
 </dl>
 <p>
    Please see the <a href="./CHANGES_2.4">CHANGES_2.4</a> file, linked from the download page, for a
-   full list of changes.  A condensed list, <a href="./CHANGES_2.4.38">CHANGES_2.4.38</a> includes only
+   full list of changes.  A condensed list, <a href="./CHANGES_2.4.39">CHANGES_2.4.39</a> includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:

Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Sun Mar 31 03:42:40 2019
@@ -1,19 +1,19 @@
-                Apache HTTP Server 2.4.38 Released
+                Apache HTTP Server 2.4.39 Released
 
-   January 22, 2019
+   September 21, 2018
 
    The Apache Software Foundation and the Apache HTTP Server Project
-   are pleased to announce the release of version 2.4.38 of the Apache
+   are pleased to announce the release of version 2.4.39 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a security and bug fix release.
+   a feature and bug fix release.
 
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 
-   Apache HTTP Server 2.4.38 is available for download from:
+   Apache HTTP Server 2.4.39 is available for download from:
 
      http://httpd.apache.org/download.cgi
 
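Review bot: The date line near the top of this hunk has the same problem as the one in Announcement2.4.html: "September 21, 2018" replaces "January 22, 2019" and predates both the previous release and this commit (Mar 31, 2019), so it should be the real 2.4.39 release date. Separately, the download URL in the unchanged context is "http://httpd.apache.org/download.cgi" while the HTML announcement links "https://httpd.apache.org/download.cgi"; using https in the text version too would keep the two in step and avoid sending readers to the download page over plain HTTP.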
@@ -24,7 +24,7 @@
      http://httpd.apache.org/docs/trunk/new_features_2_4.html
 
    Please see the CHANGES_2.4 file, linked from the download page, for a
-   full list of changes. A condensed list, CHANGES_2.4.38 includes only
+   full list of changes. A condensed list, CHANGES_2.4.39 includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:

Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Sun Mar 31 03:42:40 2019
@@ -1,4 +1,84 @@
                                                          -*- coding: utf-8 -*-
+Changes with Apache 2.4.39
+
+  *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
+     connection is recycled/reused to avoid a possible crash with some SSLProxy
+     configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
+
+  *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
+     [Michael Kaufmann <mail michael-kaufmann.ch>]
+
+  *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
+     PR 55348
+
+  *) mod_socache_redis: Support for Redis as socache storage provider.
+
+  *) core: new configuration option 'MergeSlashes on|off' that controls handling of
+     multiple, consecutive slash ('/') characters in the path component of the request URL.
+     [Eric Covener]
+     
+  *) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
+     in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
+     Fixed. [Michael Kaufmann] 
+
+  *) mod_http2: new configuration directive: `H2Padding numbits` to control 
+     padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
+     controlling the range of padding bytes added to a frame. The actual number
+     added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
+     frames equally. The default continues to be 0, e.g. no padding. [Stefan Eissing] 
+  
+  *) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
+     has no more need for it. Optional functions are still declared but no longer implemented.
+     While previous mod_proxy_http2 will work with this, it is recommeneded to run the matching
+     versions of both modules. [Stefan Eissing]
+  
+  *) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
+     resolve PR63170. The proxy module does now a single h2 request on the (reused)
+     connection and returns. [Stefan Eissing]
+  
+  *) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status 
+     to trigger immediate shutdown of backend connections. This is now always signalled
+     by mod_http2 when the the session is being released. 
+     proxy_http2 now only sends a PING frame to the backend when there is not already one
+     in flight. [Stefan Eissing]
+
+  *) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite 
+     loop when encountering certain errors on the backend connection. 
+     See <https://bz.apache.org/bugzilla/show_bug.cgi?id=63170>. [Stefan Eissing]
+
+  *) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per 
+     Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]
+
+  *) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to
+     terminate improperly and cause a HTTP/2 PROTOCOL_ERROR. 
+     Fixes <https://github.com/icing/mod_h2/issues/167>. [Michael Kaufmann]
+
+  *) http: Fix possible empty response with mod_ratelimit for HEAD requests.
+     PR 63192. [Yann Ylavic]
+
+  *) mod_cache_socache: Avoid reallocations and be safe with outgoing data
+     lifetime. [Yann Ylavic]
+
+  *) MPMs unix: bind the bucket number of each child to its slot number, for a
+     more efficient per bucket maintenance. [Yann Ylavic]
+
+  *) mod_auth_digest: Fix a race condition. Authentication with valid
+     credentials could be refused in case of concurrent accesses from
+     different users.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]
+
+  *) mod_http2: enable re-use of slave connections again. Fixed slave connection
+     keepalives counter. [Stefan Eissing]
+
+  *) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.
+     PR 61310. [Yann Ylavic]
+
+  *) mod_proxy_wstunnel: Fix websocket proxy over UDS.
+     PR 62932 <pavel dcmsys.com>
+
+  *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
+     configuration (SSLFIPS on) and not active by default in OpenSSL.
+     PR 63136. [Yann Ylavic]
+
 Changes with Apache 2.4.38
 
   *) SECURITY: CVE-2018-17199 (cve.mitre.org)
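Review bot: Several of the new 2.4.39 entries need a cleanup pass before this file ships with the release. "recommeneded" in the h2_req_engine entry and "the the session" in the mod_http2/mod_proxy_http2 entry are typos. The mod_log_config and mod_socache_redis entries carry no [Author] attribution, and the mod_proxy_wstunnel entry gives "PR 62932 <pavel dcmsys.com>" without the square brackets the other entries use. In the H2Padding entry, "e.g. no padding" should read "i.e. no padding", since 0 means exactly that.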
@@ -117,6 +197,9 @@ Changes with Apache 2.4.36
      should be accepted after the authorization scheme. \t are also tolerated.
      [Christophe Jaillet]
 
+  *) mod_socache_redis: New socache submodule provider to allow use
+     of Redis as storage backend. [Jim Jagielski]
+
   *) mod_proxy_hcheck: Fix issues with interval determination. PR 62318
      [Jim Jagielski]
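Review bot: mod_socache_redis ends up documented under two releases: this entry lands in the section the hunk header labels "Changes with Apache 2.4.36", and the 2.4.39 block added in the first hunk of this file also lists "Support for Redis as socache storage provider". Keep the entry under the release that first shipped the module and drop the other, carrying the [Jim Jagielski] attribution over to the one that stays, so readers checking which version they need for the provider get a single answer.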