You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2016/07/04 19:50:54 UTC
svn commit: r14264 - in /release/httpd: Announcement2.4.html
Announcement2.4.txt CHANGES_2.4 CHANGES_2.4.23
Author: jim
Date: Mon Jul 4 19:50:54 2016
New Revision: 14264
Log:
prep for announcement
Added:
release/httpd/CHANGES_2.4.23
Modified:
release/httpd/Announcement2.4.html
release/httpd/Announcement2.4.txt
release/httpd/CHANGES_2.4
Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Mon Jul 4 19:50:54 2016
@@ -15,12 +15,12 @@
<img src="../../images/apache_sub.gif" alt="" />
<h1>
- Apache HTTP Server 2.4.20 Released
+ Apache HTTP Server 2.4.23 Released
</h1>
<p>
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to <a href="http://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
- the release of version 2.4.20 of the Apache
+ the release of version 2.4.23 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of
@@ -29,14 +29,14 @@
and bug fix release.
</p>
<p>
- We consider this release to be the best version of Apache available, and
- encourage users of all prior versions to upgrade.
+NOTE: Versions 2.4.22 and 2.4.21 were not released.
</p>
<p>
- NOTE: Apache httpd 2.4.19 was not released.
+ We consider this release to be the best version of Apache available, and
+ encourage users of all prior versions to upgrade.
</p>
<p>
- Apache HTTP Server 2.4.20 is available for download from:
+ Apache HTTP Server 2.4.23 is available for download from:
</p>
<dl>
<dd><a href="http://httpd.apache.org/download.cgi"
@@ -44,7 +44,7 @@
</dl>
<p>
Please see the CHANGES_2.4 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.4.20 includes only
+ full list of changes. A condensed list, CHANGES_2.4.23 includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
@@ -84,5 +84,14 @@ href="http://svn.apache.org/repos/asf/ht
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
</p>
+<p>
+ Please note that Apache Web Server Project will only provide maintenance
+ releases of the 2.2.x flavor through June of 2017, and will provide some
+ security patches beyond this date through at least December of 2017.
+ Minimal maintenance patches of 2.2.x are expected throughout this period,
+ and users are strongly encouraged to promptly complete their transitions
+ to the the 2.4.x flavor of httpd to benefit from a much larger assortment
+ of minor security and bug fixes as well as new features.
+</p>
</body>
</html>
Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Mon Jul 4 19:50:54 2016
@@ -1,19 +1,19 @@
- Apache HTTP Server 2.4.20 Released
+ Apache HTTP Server 2.4.23 Released
The Apache Software Foundation and the Apache HTTP Server Project
- are pleased to announce the release of version 2.4.20 of the Apache
+ are pleased to announce the release of version 2.4.23 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
principally a feature and bug fix release.
+ NOTE: Versions 2.4.22 and 2.4.21 were not released.
+
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
- Note: Apache httpd 2.4.19 was not released.
-
- Apache HTTP Server 2.4.20 is available for download from:
+ Apache HTTP Server 2.4.23 is available for download from:
http://httpd.apache.org/download.cgi
@@ -24,7 +24,7 @@
http://httpd.apache.org/docs/trunk/new_features_2_4.html
Please see the CHANGES_2.4 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.4.20 includes only
+ full list of changes. A condensed list, CHANGES_2.4.23 includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
@@ -45,3 +45,11 @@
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
+
+ Please note that Apache Web Server Project will only provide maintenance
+ releases of the 2.2.x flavor through June of 2017, and will provide some
+ security patches beyond this date through at least December of 2017.
+ Minimal maintenance patches of 2.2.x are expected throughout this period,
+ and users are strongly encouraged to promptly complete their transitions
+ to the the 2.4.x flavor of httpd to benefit from a much larger assortment
+ of minor security and bug fixes as well as new features.
Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Mon Jul 4 19:50:54 2016
@@ -1,7 +1,160 @@
-*- coding: utf-8 -*-
+Changes with Apache 2.4.23
+
+ *) mod_ssl: reset client-verify state of ssl when aborting renegotiations.
+ [Erki Aring <er...@example.ee>, Stefan Eissing]
+
+ *) mod_sed: Fix 'x' command processing. [Christophe Jaillet]
+
+ *) configure: Fix ./configure edge-case failures around dependencies
+ of mod_proxy_hcheck. [William Rowe, Ruediger Pluem, Jeff Trawick]
+
+Changes with Apache 2.4.22
+
+ *) mod_http2: fix for request abort when connections drops, introduced in
+ 1.5.8
+
+Changes with Apache 2.4.21
+
+ *) mod_http2: more rigid error handling in DATA frame assembly, leading
+ to deterministic connection errors if assembly fails.
+ [Stefan Eissing, Pal Nilsen <https://github.com/maedox>]
+
+ *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
+ failures under Visual Studio 2015 and other mismatched MSVCRT flavors.
+ PR59630 [Jan Ehrhardt <phpdev ehrhardt.nl>]
+
+ *) mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
+ to opt-in previous behaviour (2.2) with CRLs verification when checking
+ certificate(s) with no corresponding CRL. [Yann Ylavic]
+
+ *) mpm_event, mpm_worker: Fix computation of MinSpareThreads' lower bound
+ according the number of listeners buckets. [Yann Ylavic]
+
+ *) Add ap_cstr_casecmp[n]() - placeholder of apr_cstr_casecmp[n] functions
+ for case-insensitive C/POSIX-locale token comparison.
+ [Jim Jagielski, William Rowe, Yann Ylavic, Branko Čibej]
+
+ *) mod_userdir: Constify and save a few bytes in the conf pool when
+ parsing the "UserDir" directive. [Christophe Jaillet]
+
+ *) mod_cache: Fix (max-stale with no '=') and enforce (check
+ integers after '=') Cache-Control header parsing.
+ [Christophe Jaillet]
+
+ *) core: Add -DDUMP_INCLUDES configtest option to show the tree
+ of Included configuration files.
+ [Jacob Champion <champion.pxi gmail.com>]
+
+ *) mod_proxy_fcgi: Avoid passing a filename of proxy:fcgi:// as
+ SCRIPT_FILENAME to a FastCGI server. PR59618.
+ [Jacob Champion <champion.pxi gmail.com>]
+
+ *) mod_dav: Add dav_get_provider_name() function to obtain the name
+ of the provider from mod_dav.
+ [Jari Urpalainen <jari.urpalainen nokia.com>]
+
+ *) mod_proxy_http2: properly care for HTTP2 flow control of the frontend
+ connection is HTTP/1.1. [Patch supplied by Evgeny Kotkov]
+
+ *) mod_http2: improved cleanup of connection/streams/tasks to always
+ have deterministic order regardless of event initiating it. Addresses
+ reported crashes due to memory read after free issues.
+ [Stefan Eissing]
+
+ *) mod_ssl: Correct the interaction between SSLProxyCheckPeerCN and newer
+ SSLProxyCheckPeerName directives since release 2.4.5, such that disabling
+ either disables both, and that enabling either triggers the new, more
+ comprehensive SSLProxyCheckPeerName behavior. Only a single configuration
+ remains to enable the legacy behavior, which is to explicitly disable
+ SSLProxyCheckPeerName, and enable SSLProxyCheckPeerCN. [William Rowe]
+
+ *) mod_include: add the <!--#comment ...> syntax in order to include comments
+ in a SSI file. [Christophe Jaillet based on a suggestion from Rob]
+
+ *) mod_http2: improved event handling for suspended streams, responses
+ and window updates. [Stefan Eissing]
+
+ *) mod_proxy_hcheck: Provide for dynamic background health
+ checks on reverse proxies associated with BalancerMember
+ workers. [Jim Jagielski]
+
+ *) mod_http2: Fix async write issue that led to selection of wrong timeout
+ vs. keepalive timeout selection for idle sessions. [Stefan Eissing]
+
+ *) mod_http2: checking LimitRequestLine, LimitRequestFields and
+ LimitRequestFieldSize configurated values for incoming streams. Returning
+ HTTP status 431 for too long/many headers fields and 414 for a too long
+ pseudo header. [Stefan Eissing]
+
+ *) mod_http2: tracking conn_rec->current_thread on slave connections, so
+ that mod_lua finds the correct one. Fixes PR 59542. [Stefan Eissing]
+
+ *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
+ urls. Part of the httpd mod_proxy framework, common settings apply.
+ Requests from the same HTTP/2 frontend connection against the same backend
+ are aggregated on a single connection.
+ [Stefan Eissing]
+
+ *) mod_http2: slave connections have conn_rec->aborted flag set when a stream
+ has been reset by the client. [Stefan Eissing]
+
+ *) mod_http2: merge of some 2.4.x adaptions re filters on slave connections.
+ Small fixes in bucket beams when forwarding file buckets. Output handling
+ on master connection uses less FLUSH and passes automatically when more
+ than half of H2StreamMaxMemSize bytes have accumulated.
+ Workaround for http: when forwarding partial file buckets to keep the
+ output filter from closing these too early. [Stefan Eissing]
+
+ *) mod_http2: elimination of fixed master connection buffer for TLS
+ connections. New scratch bucket handling optimized for TLS write sizes.
+ File bucket data read directly into scratch buffers, avoiding one
+ copy. Non-TLS connections continue to pass buckets unchanged to the core
+ filters to allow sendfile() usage. [Stefan Eissing]
+
+ *) mod_http2/mod_proxy_http2: h2_request.c is no longer shared between these
+ modules. This simplifies building on platforms such as Windows, as module
+ reference used in logging is now clear. [Stefan Eissing]
+
+ *) Scoreboard: Fix a regression in 2.4.20 that causes wrong request data
+ to be displayed on the status page. PR 59333. [Yann Ylavic, William Rowe]
+
+ *) mod_http2: fixed a bug that caused mod_proxy_http2 to be called for window
+ updates on requests it had already reported done. Added synchronization
+ on early connection/stream close that lets ongoing requests safely drain
+ their input filters.
+ [Stefan Eissing]
+
+ *) mod_http2: scoreboard updates that summarize the h2 session (and replace
+ the last request information) will only happen when the session is idle or
+ in shutdown/done phase. [Stefan Eissing]
+
+ *) mod_http2: new "bucket beam" technology to transport buckets across
+ threads without buffer copy. Delaying response start until flush or
+ enough body data has been accumulated. Overall significantly smaller
+ memory footprint. [Stefan Eissing]
+
+ *) core: New CGIVar directive can configure REQUEST_URI to represent the
+ current URI being processed instead of always the original request.
+ [Jeff Trawick]
+
+ *) scoreboard/status: Restore behavior of showing workers' previous Client,
+ VHost and Request values when idle, like in 2.4.18 and earlier.
+
+ *) mod_http2: r->protocol changed to "HTTP/2.0" (was "HTTP/2") as this will
+ give expected syntax in CGI's SERVER_PROTOCOL is more compatible with
+ existing major/minor handling. Fixes PR 59313.
+
+ *) mod_http2: disabling mmap for file buckets transport due to segmenation
+ faults when files change on the fly.
+
Changes with Apache 2.4.20
+ *) SECURITY: CVE-2016-1546 (cve.mitre.org)
+ mod_http2: restricting number of concurrent stream workers per connection
+ if client is slow.
+
*) core: Do not read .htaccess if AllowOverride and AllowOverrideList
are "None". PR 58528.
[Michael Schlenker <msc contact.de, Ruediger Pluem, Daniel Ruggeri]
@@ -11,7 +164,7 @@ Changes with Apache 2.4.20
*) core/util_script: relax alphanumeric filter of enviroment variable names
on Windows to allow '(' and ')' for passing PROGRAMFILES(X86) et.al.
- unadulterated in 64 bit versions of Windows. PR 46751.
+ unadulterated in 64 bit versions of Windows. PR 46751.
[John <john leineweb de>]
*) mod_http2: incrementing keepalives on each request started so that logging
@@ -25,10 +178,10 @@ Changes with Apache 2.4.20
*) mod_http2: fix for missing score board updates on request count, fix for
memory leak on slave connection reuse. [Stefan Eissing]
-
+
*) mod_http2: Fix build on Windows from dsp files.
[Stefan Eissing]
-
+
Changes with Apache 2.4.19
*) mod_include: Add variable DOCUMENT_ARGS, with the arguments to the
@@ -37,6 +190,11 @@ Changes with Apache 2.4.19
*) mod_authz_host: Add a new "forward-dns" authorization type, not relying on
reverse DNS lookups. [Fabien]
+ *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
+ urls. Uses backend connections for concurrent requests if frontend
+ connection is http2 as well.
+ [Stefan Eissing]
+
*) mod_ssl: Add hooks to allow other modules to perform processing at
several stages of initialization and connection handling. See
mod_ssl_openssl.h. [Jeff Trawick]
@@ -260,10 +418,10 @@ Changes with Apache 2.4.18
streams with higher cumulative window size.
Reducing write frequency unless push promises need to be flushed.
[Stefan Eissing]
-
+
*) mod_http2: required minimum version of libnghttp2 is 1.2.1
[Stefan Eissing]
-
+
*) mod_proxy_fdpass: Fix AH01153 error when using the default configuration.
In earlier version of httpd, you can explicitelly set the 'flusher' parameter
to 'flush' as a workaround. (i.e. flusher=flush)
@@ -276,7 +434,7 @@ Changes with Apache 2.4.18
*) mod_http2: new directive 'H2PushPriority' to allow priority specifications
on server pushed streams according to their content-type.
[Stefan Eissing]
-
+
*) mod_http2: fixes crash on connection abort for a busy connection.
fixes crash on a request that did not produce any response.
[Stefan Eissing]
@@ -291,22 +449,22 @@ Changes with Apache 2.4.18
*) mod_http2: new directive 'H2Push' to en-/disable HTTP/2 server
pushes a server/virtual host. Pushes are initiated by the presence
of 'Link:' headers with relation 'preload' on a response. [Stefan Eissing]
-
+
*) mod_http2: write performance of http2 improved for larger resources,
especially static files. [Stefan Eissing]
-
+
*) core: if the first HTTP/1.1 request on a connection goes to a server that
prefers different protocols, these protocols are announced in a Upgrade:
header on the response, mentioning the preferred protocols.
[Stefan Eissing]
-
+
*) mod_http2: new directives 'H2TLSWarmUpSize' and 'H2TLSCoolDownSecs'
to control TLS record sizes during connection lifetime.
[Stefan Eissing]
-
+
*) mod_http2: new directive 'H2ModernTLSOnly' to enforce security
requirements of RFC 7540 on TLS connections. [Stefan Eissing]
-
+
*) core: add ap_get_protocol_upgrades() to retrieve the list of protocols
that a client could possibly upgrade to. Use in first request on a
connection to announce protocol choices. [Stefan Eissing]
@@ -314,7 +472,7 @@ Changes with Apache 2.4.18
*) mod_http2: reworked deallocation on connection shutdown and worker
abort. Separate parent pool for all workers. worker threads are joined
on planned worker shutdown. [Yann Ylavic, Stefan Eissing]
-
+
*) mod_ssl: when receiving requests for other virtual hosts than the handshake
server, the SSL parameters are checked for equality. With equal
configuration, requests are passed for processing. Any change will trigger
@@ -626,7 +784,7 @@ Changes with Apache 2.4.13 (not released
'No such file or directory: unable to connect to cgi daemon...' could
be logged without an actual retry. PR57685.
[Edward Lu <Chaosed0 gmail.com>]
-
+
*) mod_proxy: Use the original (non absolute) form of the request-line's URI
for requests embedded in CONNECT payloads used to connect SSL backends via
a ProxyRemote forward-proxy. PR 55892. [Hendrik Harms <hendrik.harms
@@ -723,7 +881,7 @@ Changes with Apache 2.4.12
(not released).
Changes with Apache 2.4.11 (not released)
-
+
*) SECURITY: CVE-2014-3583 (cve.mitre.org)
mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with
response headers' size above 8K. [Yann Ylavic, Jeff Trawick]
@@ -756,7 +914,7 @@ Changes with Apache 2.4.11 (not released
*) mod_proxy_fcgi: Provide some basic alternate options for specifying
how PATH_INFO is passed to FastCGI backends by adding significance to
the value of proxy-fcgi-pathinfo. PR 55329. [Eric Covener]
-
+
*) mod_proxy_fcgi: Enable UDS backends configured with SetHandler/RewriteRule
to opt-in to connection reuse and other Proxy options via explicitly
declared "proxy workers" (<Proxy unix:... enablereuse=on max=...)
@@ -839,7 +997,7 @@ Changes with Apache 2.4.11 (not released
*) mod_cache: Avoid a 304 response to an unconditional requst when an AH00752
CacheLock error occurs during cache revalidation. [Eric Covener]
-
+
*) mod_ssl: Move OCSP stapling information from a per-certificate store to
a per-server hash. PR 54357, PR 56919. [Alex Bligh <alex alex.org.uk>,
Yann Ylavic, Kaspar Brand]
@@ -861,7 +1019,7 @@ Changes with Apache 2.4.11 (not released
*) mod_substitute: Fix line length limitation in case of regexp plus flatten.
[Rainer Jung]
-
+
*) mod_proxy: Truncated character worker names are no longer fatal
errors. PR53218. [Jim Jagielski]
@@ -1048,7 +1206,7 @@ Changes with Apache 2.4.10
*) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
variables as a result of AliasMatch. [Eric Covener]
-
+
*) mod_cache: Don't add cached/revalidated entity headers to a 304 response.
PR 55547. [Yann Ylavic]
@@ -1152,7 +1310,7 @@ Changes with Apache 2.4.10
[Daniel Gruno]
*) mod_lua: Add r:wspeek for peeking at WebSocket frames. [Daniel Gruno]
-
+
*) mod_lua: Log an error when the initial parsing of a Lua file fails.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]
@@ -1248,7 +1406,7 @@ Changes with Apache 2.4.8 (not released)
*) mod_lua: Update r:setcookie() to accept a table of options and add domain,
path and httponly to the list of options available to set.
PR 56128 [Edward Lu <Chaosed0 gmail com>, Daniel Gruno]
-
+
*) mod_lua: Fix r:setcookie() to add, rather than replace,
the Set-Cookie header. PR56105
[Kevin J Walters <kjw ms com>, Edward Lu <Chaosed0 gmail com>]
@@ -1313,7 +1471,7 @@ Changes with Apache 2.4.7
configuration. [Graham Leggett]
*) APR 1.5.0 or later is now required for the event MPM.
-
+
*) slotmem_shm: Error detection. [Jim Jagielski]
*) event: Use skiplist data structure. [Jim Jagielski]
@@ -1330,7 +1488,7 @@ Changes with Apache 2.4.7
*) mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars.
An individual envvar with an encoded length of more than 16K will be
omitted. [Jeff Trawick]
-
+
*) mod_proxy_fcgi: Handle reading protocol data that is split between
packets. [Jeff Trawick]
@@ -1347,8 +1505,10 @@ Changes with Apache 2.4.7
(not overridable via SSLCipherSuite). [Kaspar Brand]
*) mod_proxy: Added support for unix domain sockets as the
- backend server endpoint [Jim Jagielski, Blaise Tarr
- <blaise tarr gmail com>]
+ backend server endpoint. This also introduces an unintended
+ incompatibility for third party modules using the mod_proxy
+ proxy_worker_shared structure, especially for balancer lbmethod
+ modules. [Jim Jagielski, Blaise Tarr <blaise tarr gmail com>]
*) Add experimental cmake-based build system for Windows. [Jeff Trawick,
Tom Donovan]
@@ -1412,7 +1572,7 @@ Changes with Apache 2.4.7
*) ab: Add a new -l parameter in order not to check the length of the responses.
This can be usefull with dynamic pages.
PR9945, PR27888, PR42040 [<ccikrs1 cranbrook edu>]
-
+
*) Suppress formatting of startup messages written to the console when
ErrorLogFormat is used. [Jeff Trawick]
@@ -1849,7 +2009,7 @@ Changes with Apache 2.4.4
*) mod_proxy_balancer: Improve output of balancer-manager (re: Drn,
Dis, Ign, Stby). PR 52478 [Danijel <dt-ng rbfh de>]
-
+
*) configure: Fix processing of --disable-FEATURE for various features.
[Jeff Trawick]
@@ -1924,7 +2084,7 @@ Changes with Apache 2.4.4
*) mod_header: Allow for exposure of loadavg and server load using new
format specifiers %l, %i, %b [Jim Jagielski]
-
+
*) core: Make ap_regcomp() return AP_REG_ESPACE if out of memory. Make
ap_pregcomp() abort if out of memory. This raises the minimum PCRE
requirement to version 6.0. [Stefan Fritsch]
@@ -1957,7 +2117,7 @@ Changes with Apache 2.4.4
*) mod_ldap: Fix regression in handling "server unavailable" errors on
Windows. PR 54140. [Eric Covener]
-
+
*) syslog logging: Remove stray ", referer" at the end of some messages.
[Jeff Trawick]
@@ -2523,7 +2683,7 @@ Changes with Apache 2.3.15
*) rotatelogs: Add -c option to force logfile creation in every rotation
interval, even if empty. [Jan Kaluža <jkaluza redhat.com>]
-
+
*) core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings.
[Stefan Fritsch]
@@ -2538,7 +2698,7 @@ Changes with Apache 2.3.15
*) mod_lua: add r:construct_url as a wrapper for ap_construct_url.
[Eric Covener]
-
+
*) mod_remote_ip: Fix configuration of internal proxies. PR 49272.
[Jim Riggs <jim riggs me>]
Added: release/httpd/CHANGES_2.4.23
==============================================================================
--- release/httpd/CHANGES_2.4.23 (added)
+++ release/httpd/CHANGES_2.4.23 Mon Jul 4 19:50:54 2016
@@ -0,0 +1,163 @@
+ -*- coding: utf-8 -*-
+
+Changes with Apache 2.4.23
+
+ *) mod_ssl: reset client-verify state of ssl when aborting renegotiations.
+ [Erki Aring <er...@example.ee>, Stefan Eissing]
+
+ *) mod_sed: Fix 'x' command processing. [Christophe Jaillet]
+
+ *) configure: Fix ./configure edge-case failures around dependencies
+ of mod_proxy_hcheck. [William Rowe, Ruediger Pluem, Jeff Trawick]
+
+Changes with Apache 2.4.22
+
+ *) mod_http2: fix for request abort when connections drops, introduced in
+ 1.5.8
+
+Changes with Apache 2.4.21
+
+ *) mod_http2: more rigid error handling in DATA frame assembly, leading
+ to deterministic connection errors if assembly fails.
+ [Stefan Eissing, Pal Nilsen <https://github.com/maedox>]
+
+ *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
+ failures under Visual Studio 2015 and other mismatched MSVCRT flavors.
+ PR59630 [Jan Ehrhardt <phpdev ehrhardt.nl>]
+
+ *) mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
+ to opt-in previous behaviour (2.2) with CRLs verification when checking
+ certificate(s) with no corresponding CRL. [Yann Ylavic]
+
+ *) mpm_event, mpm_worker: Fix computation of MinSpareThreads' lower bound
+ according the number of listeners buckets. [Yann Ylavic]
+
+ *) Add ap_cstr_casecmp[n]() - placeholder of apr_cstr_casecmp[n] functions
+ for case-insensitive C/POSIX-locale token comparison.
+ [Jim Jagielski, William Rowe, Yann Ylavic, Branko Čibej]
+
+ *) mod_userdir: Constify and save a few bytes in the conf pool when
+ parsing the "UserDir" directive. [Christophe Jaillet]
+
+ *) mod_cache: Fix (max-stale with no '=') and enforce (check
+ integers after '=') Cache-Control header parsing.
+ [Christophe Jaillet]
+
+ *) core: Add -DDUMP_INCLUDES configtest option to show the tree
+ of Included configuration files.
+ [Jacob Champion <champion.pxi gmail.com>]
+
+ *) mod_proxy_fcgi: Avoid passing a filename of proxy:fcgi:// as
+ SCRIPT_FILENAME to a FastCGI server. PR59618.
+ [Jacob Champion <champion.pxi gmail.com>]
+
+ *) mod_dav: Add dav_get_provider_name() function to obtain the name
+ of the provider from mod_dav.
+ [Jari Urpalainen <jari.urpalainen nokia.com>]
+
+ *) mod_proxy_http2: properly care for HTTP2 flow control of the frontend
+ connection is HTTP/1.1. [Patch supplied by Evgeny Kotkov]
+
+ *) mod_http2: improved cleanup of connection/streams/tasks to always
+ have deterministic order regardless of event initiating it. Addresses
+ reported crashes due to memory read after free issues.
+ [Stefan Eissing]
+
+ *) mod_ssl: Correct the interaction between SSLProxyCheckPeerCN and newer
+ SSLProxyCheckPeerName directives since release 2.4.5, such that disabling
+ either disables both, and that enabling either triggers the new, more
+ comprehensive SSLProxyCheckPeerName behavior. Only a single configuration
+ remains to enable the legacy behavior, which is to explicitly disable
+ SSLProxyCheckPeerName, and enable SSLProxyCheckPeerCN. [William Rowe]
+
+ *) mod_include: add the <!--#comment ...> syntax in order to include comments
+ in a SSI file. [Christophe Jaillet based on a suggestion from Rob]
+
+ *) mod_http2: improved event handling for suspended streams, responses
+ and window updates. [Stefan Eissing]
+
+ *) mod_proxy_hcheck: Provide for dynamic background health
+ checks on reverse proxies associated with BalancerMember
+ workers. [Jim Jagielski]
+
+ *) mod_http2: Fix async write issue that led to selection of wrong timeout
+ vs. keepalive timeout selection for idle sessions. [Stefan Eissing]
+
+ *) mod_http2: checking LimitRequestLine, LimitRequestFields and
+ LimitRequestFieldSize configurated values for incoming streams. Returning
+ HTTP status 431 for too long/many headers fields and 414 for a too long
+ pseudo header. [Stefan Eissing]
+
+ *) mod_http2: tracking conn_rec->current_thread on slave connections, so
+ that mod_lua finds the correct one. Fixes PR 59542. [Stefan Eissing]
+
+ *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
+ urls. Part of the httpd mod_proxy framework, common settings apply.
+ Requests from the same HTTP/2 frontend connection against the same backend
+ are aggregated on a single connection.
+ [Stefan Eissing]
+
+ *) mod_http2: slave connections have conn_rec->aborted flag set when a stream
+ has been reset by the client. [Stefan Eissing]
+
+ *) mod_http2: merge of some 2.4.x adaptions re filters on slave connections.
+ Small fixes in bucket beams when forwarding file buckets. Output handling
+ on master connection uses less FLUSH and passes automatically when more
+ than half of H2StreamMaxMemSize bytes have accumulated.
+ Workaround for http: when forwarding partial file buckets to keep the
+ output filter from closing these too early. [Stefan Eissing]
+
+ *) mod_http2: elimination of fixed master connection buffer for TLS
+ connections. New scratch bucket handling optimized for TLS write sizes.
+ File bucket data read directly into scratch buffers, avoiding one
+ copy. Non-TLS connections continue to pass buckets unchanged to the core
+ filters to allow sendfile() usage. [Stefan Eissing]
+
+ *) mod_http2/mod_proxy_http2: h2_request.c is no longer shared between these
+ modules. This simplifies building on platforms such as Windows, as module
+ reference used in logging is now clear. [Stefan Eissing]
+
+ *) Scoreboard: Fix a regression in 2.4.20 that causes wrong request data
+ to be displayed on the status page. PR 59333. [Yann Ylavic, William Rowe]
+
+ *) mod_http2: fixed a bug that caused mod_proxy_http2 to be called for window
+ updates on requests it had already reported done. Added synchronization
+ on early connection/stream close that lets ongoing requests safely drain
+ their input filters.
+ [Stefan Eissing]
+
+ *) mod_http2: scoreboard updates that summarize the h2 session (and replace
+ the last request information) will only happen when the session is idle or
+ in shutdown/done phase. [Stefan Eissing]
+
+ *) mod_http2: new "bucket beam" technology to transport buckets across
+ threads without buffer copy. Delaying response start until flush or
+ enough body data has been accumulated. Overall significantly smaller
+ memory footprint. [Stefan Eissing]
+
+ *) core: New CGIVar directive can configure REQUEST_URI to represent the
+ current URI being processed instead of always the original request.
+ [Jeff Trawick]
+
+ *) scoreboard/status: Restore behavior of showing workers' previous Client,
+ VHost and Request values when idle, like in 2.4.18 and earlier.
+
+ *) mod_http2: r->protocol changed to "HTTP/2.0" (was "HTTP/2") as this will
+ give expected syntax in CGI's SERVER_PROTOCOL is more compatible with
+ existing major/minor handling. Fixes PR 59313.
+
+ *) mod_http2: disabling mmap for file buckets transport due to segmenation
+ faults when files change on the fly.
+
+
+ [Apache 2.3.0-dev includes those bug fixes and changes with the
+ Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
+