Posted to cvs@httpd.apache.org by ic...@apache.org on 2021/12/20 09:36:03 UTC

svn commit: r51622 - /dev/httpd/ /release/httpd/

Author: icing
Date: Mon Dec 20 09:36:03 2021
New Revision: 51622

Log:
Add release httpd-2.4.52 from voted 2.4.52-rc1

Added:
    release/httpd/CHANGES_2.4.52
      - copied unchanged from r51621, dev/httpd/CHANGES_2.4.52
    release/httpd/httpd-2.4.52.tar.bz2
      - copied unchanged from r51621, dev/httpd/httpd-2.4.52-rc1.tar.bz2
    release/httpd/httpd-2.4.52.tar.bz2.asc
      - copied unchanged from r51621, dev/httpd/httpd-2.4.52-rc1.tar.bz2.asc
    release/httpd/httpd-2.4.52.tar.bz2.sha256
      - copied, changed from r51621, dev/httpd/httpd-2.4.52-rc1.tar.bz2.sha256
    release/httpd/httpd-2.4.52.tar.bz2.sha512
      - copied, changed from r51621, dev/httpd/httpd-2.4.52-rc1.tar.bz2.sha512
    release/httpd/httpd-2.4.52.tar.gz
      - copied unchanged from r51621, dev/httpd/httpd-2.4.52-rc1.tar.gz
    release/httpd/httpd-2.4.52.tar.gz.asc
      - copied unchanged from r51621, dev/httpd/httpd-2.4.52-rc1.tar.gz.asc
    release/httpd/httpd-2.4.52.tar.gz.sha256
      - copied, changed from r51621, dev/httpd/httpd-2.4.52-rc1.tar.gz.sha256
    release/httpd/httpd-2.4.52.tar.gz.sha512
      - copied, changed from r51621, dev/httpd/httpd-2.4.52-rc1.tar.gz.sha512
Removed:
    dev/httpd/CHANGES_2.4
    dev/httpd/CHANGES_2.4.52
    dev/httpd/httpd-2.4.52-rc1-deps.tar.bz2
    dev/httpd/httpd-2.4.52-rc1-deps.tar.bz2.asc
    dev/httpd/httpd-2.4.52-rc1-deps.tar.bz2.sha256
    dev/httpd/httpd-2.4.52-rc1-deps.tar.bz2.sha512
    dev/httpd/httpd-2.4.52-rc1-deps.tar.gz
    dev/httpd/httpd-2.4.52-rc1-deps.tar.gz.asc
    dev/httpd/httpd-2.4.52-rc1-deps.tar.gz.sha256
    dev/httpd/httpd-2.4.52-rc1-deps.tar.gz.sha512
    dev/httpd/httpd-2.4.52-rc1.tar.bz2
    dev/httpd/httpd-2.4.52-rc1.tar.bz2.asc
    dev/httpd/httpd-2.4.52-rc1.tar.bz2.sha256
    dev/httpd/httpd-2.4.52-rc1.tar.bz2.sha512
    dev/httpd/httpd-2.4.52-rc1.tar.gz
    dev/httpd/httpd-2.4.52-rc1.tar.gz.asc
    dev/httpd/httpd-2.4.52-rc1.tar.gz.sha256
    dev/httpd/httpd-2.4.52-rc1.tar.gz.sha512
Modified:
    release/httpd/Announcement2.4.html
    release/httpd/Announcement2.4.txt
    release/httpd/CHANGES_2.4

Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Mon Dec 20 09:36:03 2021
@@ -49,15 +49,15 @@
 <div class="banner"></div>
 
 <h1>
-                       Apache HTTP Server 2.4.51 Released
+                       Apache HTTP Server 2.4.52 Released
 </h1>
 <p>
-   October 07, 2021
+   December 20, 2021
 </p>
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
    pleased to <a href="https://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
-   the release of version 2.4.51 of the Apache
+   the release of version 2.4.52 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
@@ -69,7 +69,7 @@
    encourage users of all prior versions to upgrade.
 </p>
 <p>
-   Apache HTTP Server 2.4.51 is available for download from:
+   Apache HTTP Server 2.4.52 is available for download from:
 </p>
 <dl>
   <dd><a href="https://httpd.apache.org/download.cgi"
@@ -77,7 +77,7 @@
 </dl>
 <p>
    Please see the <a href="./CHANGES_2.4">CHANGES_2.4</a> file, linked from the download page, for a
-   full list of changes.  A condensed list, <a href="./CHANGES_2.4.51">CHANGES_2.4.51</a> includes only
+   full list of changes.  A condensed list, <a href="./CHANGES_2.4.52">CHANGES_2.4.52</a> includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:

Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Mon Dec 20 09:36:03 2021
@@ -1,9 +1,9 @@
-                Apache HTTP Server 2.4.51 Released
+                Apache HTTP Server 2.4.52 Released
 
-   October 07, 2021
+   December 20, 2021
 
    The Apache Software Foundation and the Apache HTTP Server Project
-   are pleased to announce the release of version 2.4.51 of the Apache
+   are pleased to announce the release of version 2.4.52 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
@@ -13,7 +13,7 @@
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 
-   Apache HTTP Server 2.4.51 is available for download from:
+   Apache HTTP Server 2.4.52 is available for download from:
 
      https://httpd.apache.org/download.cgi
 
@@ -24,7 +24,7 @@
      https://httpd.apache.org/docs/trunk/new_features_2_4.html
 
    Please see the CHANGES_2.4 file, linked from the download page, for a
-   full list of changes. A condensed list, CHANGES_2.4.51 includes only
+   full list of changes. A condensed list, CHANGES_2.4.52 includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:

Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Mon Dec 20 09:36:03 2021
@@ -1,4 +1,106 @@
                                                          -*- coding: utf-8 -*-
+Changes with Apache 2.4.52
+
+  *) http: Enforce that fully qualified uri-paths not to be forward-proxied
+     have an http(s) scheme, and that the ones to be forward proxied have a
+     hostname, per HTTP specifications.  [Ruediger Pluem, Yann Ylavic]
+
+  *) OpenSSL autoconf detection improvement: pick up openssl.pc in the
+     specified openssl path. [Joe Orton]
+
+  *) mod_proxy_connect, mod_proxy: Do not change the status code after we
+     already sent it to the client.
+
+  *) mod_http: Correctly sent a 100 Continue status code when sending an interim
+     response as result of an Expect: 100-Continue in the request and not the
+     current status code of the request. PR 65725 [Ruediger Pluem]
+
+  *) mod_dav: Some DAV extensions, like CalDAV, specify both document
+     elements and property elements that need to be taken into account
+     when generating a property. The document element and property element
+     are made available in the dav_liveprop_elem structure by calling
+     dav_get_liveprop_element(). [Graham Leggett]
+
+  *) mod_dav: Add utility functions dav_validate_root_ns(),
+     dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
+     dav_find_attr() so that other modules get to play too.
+     [Graham Leggett]
+
+  *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.
+     [Yann Ylavic, Ruediger Pluem]
+
+  *) mod_http2: fixes 2 regressions in server limit handling.
+     1. When reaching server limits, such as MaxRequestsPerChild, the
+        HTTP/2 connection send a GOAWAY frame much too early on new
+        connections, leading to invalid protocol state and a client
+        failing the request. See PR65731.
+        The module now initializes the HTTP/2 protocol correctly and
+        allows the client to submit one request before the shutdown
+        via a GOAWAY frame is being announced.
+     2. A regression in v1.15.24 was fixed that could lead to httpd
+        child processes not being terminated on a graceful reload or
+        when reaching MaxConnectionsPerChild. When unprocessed h2
+        requests were queued at the time, these could stall.
+        See <https://github.com/icing/mod_h2/issues/212>.
+     [Stefan Eissing]
+
+  *) mod_ssl: Add build support for OpenSSL v3. [Rainer Jung,
+     Stefan Fritsch, Yann Ylavic, Stefan Eissing, Joe Orton,
+     Giovanni Bechis]
+
+  *) mod_proxy_connect: Honor the smallest of the backend or client timeout
+     while tunneling.  [Yann Ylavic]
+
+  *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
+     half-close forwarding when tunneling protocols.  [Yann Ylavic]
+
+  *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
+     a third-party module.  PR 65627.
+     [acmondor <bz.apache.org acmondor.ca>, Yann Ylavic]
+
+  *) mod_md: Fix memory leak in case of failures to load the private key.
+     PR 65620 [ Filipe Casal <fi...@trailofbits.com> ]
+
+  *) mod_md: adding v2.4.8 with the following changes
+    - Added support for ACME External Account Binding (EAB).
+      Use the new directive `MDExternalAccountBinding` to provide the
+      server with the value for key identifier and hmac as provided by
+      your CA.
+      While working on some servers, EAB handling is not uniform
+      across CAs. First tests with a Sectigo Certificate Manager in
+      demo mode are successful. But ZeroSSL, for example, seems to
+      regard EAB values as a one-time-use-only thing, which makes them
+      fail if you create a seconde account or retry the creation of the
+      first account with the same EAB.
+    - The directive 'MDCertificateAuthority' now checks if its parameter
+      is a http/https url or one of a set of known names. Those are
+      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
+      for now and they are not case-sensitive.
+      The default of LetsEncrypt is unchanged.
+    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
+      section.
+    - Treating 401 HTTP status codes for orders like 403, since some ACME
+      servers seem to prefer that for accessing oders from other accounts.
+    - When retrieving certificate chains, try to read the repsonse even
+      if the HTTP Content-Type is unrecognized.
+    - Fixed a bug that reset the error counter of a certificate renewal
+      and prevented the increasing delays in further attempts.
+    - Fixed the renewal process giving up every time on an already existing
+      order with some invalid domains. Now, if such are seen in a previous
+      order, a new order is created for a clean start over again.
+      See <https://github.com/icing/mod_md/issues/268>
+    - Fixed a mixup in md-status handler when static certificate files
+      and renewal was configured at the same time.
+
+  *) mod_md: values for External Account Binding (EAB) can
+     now also be configured to be read from a separate JSON
+     file. This allows to keep server configuration permissions
+     world readable without exposing secrets.
+     [Stefan Eissing]
+
+  *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
+     PR 65616.  [Ruediger Pluem]
+
 Changes with Apache 2.4.51
 
   *) SECURITY: CVE-2021-42013: Path Traversal and Remote Code
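Review bot: Several wording errors in the added 2.4.52 section will ship in the release notes as written: the mod_http entry says "Correctly sent a 100 Continue" where "send" is meant, and the mod_md v2.4.8 list has "seconde account", "accessing oders" and "read the repsonse". The mod_proxy_connect/mod_proxy status-code entry and the mod_md v2.4.8 entry also end without a bracketed attribution, unlike the entries around them. The second mod_md entry, on reading EAB values from a separate JSON file, does not say how that file is referenced in the configuration or that the file itself needs restrictive permissions, which is the point of the feature; one more sentence there would help operators.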

Copied: release/httpd/httpd-2.4.52.tar.bz2.sha256 (from r51621, dev/httpd/httpd-2.4.52-rc1.tar.bz2.sha256)
==============================================================================
--- dev/httpd/httpd-2.4.52-rc1.tar.bz2.sha256 (original)
+++ release/httpd/httpd-2.4.52.tar.bz2.sha256 Mon Dec 20 09:36:03 2021
@@ -1 +1 @@
-0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9 *httpd-2.4.52-rc1.tar.bz2
+0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9 *httpd-2.4.52.tar.bz2
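Review bot: The + line keeps the rc1 digest and changes only the filename, and the same edit is repeated in the three other checksum files below, but nothing in the commit shows the edited files were checked against the renamed tarballs. Running sha256sum -c and sha512sum -c on the four files in release/httpd/ before committing would catch a mistyped name or digest. The .asc signatures are copied unchanged and cover the tarballs, so they would not detect an error in these checksum files.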

Copied: release/httpd/httpd-2.4.52.tar.bz2.sha512 (from r51621, dev/httpd/httpd-2.4.52-rc1.tar.bz2.sha512)
==============================================================================
--- dev/httpd/httpd-2.4.52-rc1.tar.bz2.sha512 (original)
+++ release/httpd/httpd-2.4.52.tar.bz2.sha512 Mon Dec 20 09:36:03 2021
@@ -1 +1 @@
-97c021c576022a9d32f4a390f62e07b5f550973aef2f299fd52defce1a9fa5d27bd4a676e7bf214373ba46063d34aecce42de62fdd93678a4e925cfcbb2afdf6 *httpd-2.4.52-rc1.tar.bz2
+97c021c576022a9d32f4a390f62e07b5f550973aef2f299fd52defce1a9fa5d27bd4a676e7bf214373ba46063d34aecce42de62fdd93678a4e925cfcbb2afdf6 *httpd-2.4.52.tar.bz2

Copied: release/httpd/httpd-2.4.52.tar.gz.sha256 (from r51621, dev/httpd/httpd-2.4.52-rc1.tar.gz.sha256)
==============================================================================
--- dev/httpd/httpd-2.4.52-rc1.tar.gz.sha256 (original)
+++ release/httpd/httpd-2.4.52.tar.gz.sha256 Mon Dec 20 09:36:03 2021
@@ -1 +1 @@
-296c74a8adde1a8acd6617b21fc3d19719ff4fa39319b2bdbd898aca4d5df97f *httpd-2.4.52-rc1.tar.gz
+296c74a8adde1a8acd6617b21fc3d19719ff4fa39319b2bdbd898aca4d5df97f *httpd-2.4.52.tar.gz

Copied: release/httpd/httpd-2.4.52.tar.gz.sha512 (from r51621, dev/httpd/httpd-2.4.52-rc1.tar.gz.sha512)
==============================================================================
--- dev/httpd/httpd-2.4.52-rc1.tar.gz.sha512 (original)
+++ release/httpd/httpd-2.4.52.tar.gz.sha512 Mon Dec 20 09:36:03 2021
@@ -1 +1 @@
-b9012096d6658f7d34a3c655eac31b39ffd439c11de6f3e6e9f309d55f4186a4fb26134eb97522e416ae8ca10ed008a14e96fa01a3e3105d9e547f72e2dc3bc2 *httpd-2.4.52-rc1.tar.gz
+b9012096d6658f7d34a3c655eac31b39ffd439c11de6f3e6e9f309d55f4186a4fb26134eb97522e416ae8ca10ed008a14e96fa01a3e3105d9e547f72e2dc3bc2 *httpd-2.4.52.tar.gz