Posted to cvs@httpd.apache.org by ic...@apache.org on 2021/10/07 13:13:28 UTC
svn commit: r50307 [2/3] - /dev/httpd/
Added: dev/httpd/CHANGES_2.4
==============================================================================
--- dev/httpd/CHANGES_2.4 (added)
+++ dev/httpd/CHANGES_2.4 Thu Oct 7 13:13:28 2021
@@ -0,0 +1,7080 @@
+ -*- coding: utf-8 -*-
+Changes with Apache 2.4.51
+
+ *) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
+ unused AP_NORMALIZE_DROP_PARAMETERS flag.
+ [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton]
+
+Changes with Apache 2.4.50
+
+ *) SECURITY: CVE-2021-41773: Path traversal and file disclosure
+ vulnerability in Apache HTTP Server 2.4.49 (cve.mitre.org)
+ A flaw was found in a change made to path normalization in
+ Apache HTTP Server 2.4.49. An attacker could use a path
+ traversal attack to map URLs to files outside the expected
+ document root.
+ If files outside of the document root are not protected by
+ "require all denied" these requests can succeed. Additionally
+ this flaw could leak the source of interpreted files like CGI
+ scripts.
+ This issue is known to be exploited in the wild.
+ This issue only affects Apache 2.4.49 and not earlier versions.
+ Credits: This issue was reported by Ash Daulton along with the
+ cPanel Security Team
+
+ *) SECURITY: CVE-2021-41524: null pointer dereference in h2 fuzzing
+ (cve.mitre.org)
+ While fuzzing the 2.4.49 httpd, a new null pointer dereference
+ was detected during HTTP/2 request processing,
+ allowing an external source to DoS the server. This requires a
+ specially crafted request.
+ The vulnerability was recently introduced in version 2.4.49. No
+ exploit is known to the project.
+ Credits: Apache httpd team would like to thank LI ZHI XIN from
+ NSFocus Security Team for reporting this issue.
+
+ *) core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second dot in
+ the uri-path when it's preceded by a dot. [Yann Ylavic]
+
+ *) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
+ fails (!= 0 exit), the renewal process is aborted and an error is
+ reported for the MDomain. This provides scripts that distribute
+ information in a cluster to abort early with bothering an ACME
+ server to validate a dns name that will not work. The common
+ retry logic will make another attempt in the future, as with
+ other failures.
+ Fixed a bug when adding private key specs to an already working
+ MDomain, see <https://github.com/icing/mod_md/issues/260>.
+ [Stefan Eissing]
+
+ *) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
+ had no hostname ("unix:/..."). [Yann Ylavic]
+
+ *) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
+ run into an assertion which terminated (and restarted) the child process where
+ the task was running. Eventually, all OCSP responses were collected, but not
+ in the way that things are supposed to work.
+ See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
+ The bug was possibly triggered when more than one OCSP status needed updating
+ at the same time. For example for several renewed certificates after a server
+ reload.
+
+ *) mod_rewrite: Fix UDS ("unix:") scheme for [P] rules. PR 57691 + 65590.
+ [Janne Peltonen <janne.peltonen sange.fi>]
+
+ *) event mpm: Correctly count active child processes in parent process if
+ child process dies due to MaxConnectionsPerChild.
+ PR 65592 [Ruediger Pluem]
+
+ *) mod_http2: when a server is restarted gracefully, any idle h2 worker
+ threads are shut down immediately.
+ Also, change OpenSSL API use for deprecations in OpenSSL 3.0.
+ Adds all other, never proposed code changes to make a clean
+ sync of http2 sources. [Stefan Eissing]
+
+ *) mod_dav: Correctly handle errors returned by dav providers on REPORT
+ requests. [Ruediger Pluem]
+
+ *) core: do not install core input/output filters on secondary
+ connections. [Stefan Eissing]
+
+ *) core: Add ap_pre_connection() as a wrapper to ap_run_pre_connection()
+ and use it to prevent that failures in running the pre_connection
+ hook cause crashes afterwards. [Ruediger Pluem]
+
+ *) mod_speling: Add CheckBasenameMatch PR 44221. [Christophe Jaillet]
+
+Changes with Apache 2.4.49
+
+ *) SECURITY: CVE-2021-40438 (cve.mitre.org)
+ mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic]
+
+ *) SECURITY: CVE-2021-39275 (cve.mitre.org)
+ core: ap_escape_quotes buffer overflow
+
+ *) SECURITY: CVE-2021-36160 (cve.mitre.org)
+ mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]
+
+ *) SECURITY: CVE-2021-34798 (cve.mitre.org)
+ core: null pointer dereference on malformed request
+
+ *) SECURITY: CVE-2021-33193 (cve.mitre.org)
+ mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]
+
+ *) core/mod_proxy/mod_ssl:
+ Adding `outgoing` flag to conn_rec, indicating a connection is
+ initiated by the server to somewhere, in contrast to incoming
+ connections from clients.
+ Adding 'ap_ssl_bind_outgoing()` function that marks a connection
+ as outgoing and is used by mod_proxy instead of the previous
+ optional function `ssl_engine_set`. This enables other SSL
+ module to secure proxy connections.
+ The optional functions `ssl_engine_set`, `ssl_engine_disable` and
+ `ssl_proxy_enable` are now provided by the core to have backward
+ compatibility with non-httpd modules that might use them. mod_ssl
+ itself no longer registers these functions, but keeps them in its
+ header for backward compatibility.
+ The core provided optional function wrap any registered function
+ like it was done for `ssl_is_ssl`.
+ [Stefan Eissing]
+
+ *) mod_ssl: Support logging private key material for use with
+ wireshark via log file given by SSLKEYLOGFILE environment
+ variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
+
+ *) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
+ "ProxyPassInterpolateEnv On" are configured. PR 65549.
+ [Joel Self <joelself gmail.com>]
+
+ *) mpm_event: Fix children processes possibly not stopped on graceful
+ restart. PR 63169. [Joel Self <joelself gmail.com>]
+
+ *) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
+ protocols from mod_proxy_http, and a timeout triggering falsely when
+ using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
+ upgrade= setting. PRs 65521 and 65519. [Yann Ylavic]
+
+ *) mod_unique_id: Reduce the time window where duplicates may be generated
+ PR 65159
+ [Christophe Jaillet]
+
+ *) mpm_prefork: Block signals for child_init hooks to prevent potential
+ threads created from there to catch MPM's signals.
+ [Ruediger Pluem, Yann Ylavic]
+
+ *) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load.
+ PR 65159" added in 2.4.47.
+ This causes issue on Windows.
+ [Christophe Jaillet]
+
+ *) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic]
+
+ *) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
+ as successful or a staged renewal is replacing the existing certificates.
+ This avoid potential mess ups in the md store file system to render the active
+ certificates non-working. [@mkauf]
+
+ *) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
+ [Yann Ylavic]
+
+ *) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
+ connections. If ALPN protocols are provided and sent to the
+ remote server, the received protocol selected is inspected
+ and checked for a match. Without match, the peer handshake
+ fails.
+ An exception is the proposal of "http/1.1" where it is
+ accepted if the remote server did not answer ALPN with
+ a selected protocol. This accomodates for hosts that do
+ not observe/support ALPN and speak http/1.x be default.
+
+ *) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
+ with others when their URLs contain a '$' substitution. PR 65419 + 65429.
+ [Yann Ylavic]
+
+ *) mod_dav: Add method_precondition hook. WebDAV extensions define
+ conditions that must exist before a WebDAV method can be executed.
+ This hook allows a WebDAV extension to verify these preconditions.
+ [Graham Leggett]
+
+ *) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
+ modules apart from versioning implementations to handle the REPORT method.
+ [Graham Leggett]
+
+ *) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
+ dav_get_resource() to mod_dav.h. [Graham Leggett]
+
+ *) core: fix ap_escape_quotes substitution logic. [Eric Covener]
+
+ *) core/mpm: add hook 'child_stopping` that gets called when the MPM is
+ stopping a child process. The additional `graceful` parameter allows
+ registered hooks to free resources early during a graceful shutdown.
+ [Yann Ylavic, Stefan Eissing]
+
+ *) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the
+ balancer-manager, which can lead to a crash. [Yann Ylavic]
+
+ *) mpm_event: Fix graceful stop/restart of children processes if connections
+ are in lingering close for too long. [Yann Ylavic]
+
+ *) mod_md: fixed a potential null pointer dereference if ACME/OCSP
+ server returned 2xx responses without content type. Reported by chuangwen.
+ [chuangwen, Stefan Eissing]
+
+ *) mod_md:
+ - Domain names in `<MDomain ...>` can now appear in quoted form.
+ - Fixed a failure in ACME challenge selection that aborted further searches
+ when the tls-alpn-01 method did not seem to be suitable.
+ - Changed the tls-alpn-01 setup to only become unsuitable when none of the
+ dns names showed support for a configured 'Protocols ... acme-tls/1'. This
+ allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
+ [Stefan Eissing]
+
+ *) Add CPING to health check logic. [Jean-Frederic Clere]
+
+ *) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]
+
+ *) core, h2: common ap_parse_request_line() and ap_check_request_header()
+ code. [Yann Ylavic]
+
+ *) core: Add StrictHostCheck to allow unconfigured hostnames to be
+ rejected. [Eric Covener]
+
+ *) htcacheclean: Improve help messages. [Christophe Jaillet]
+
+Changes with Apache 2.4.48
+
+ *) SECURITY: CVE-2021-31618 (cve.mitre.org)
+ mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov]
+
+ *) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
+ fallback to mod_proxy_http for WebSocket upgrade and tunneling.
+ [Yann Ylavic]
+
+ *) mod_proxy: Fix flushing of THRESHOLD_MIN_WRITE data while tunneling.
+ BZ 65294. [Yann Ylavic]
+
+ *) core: Fix a regression that stripped the ETag header from 304 responses.
+ PR 61820 [Ruediger Pluem, Roy T. Fielding]
+
+ *) core: Adding SSL related inquiry functions to the server API.
+ These function are always available, even when no module providing
+ SSL is loaded. They provide their own "shadowing" implementation for
+ the optional functions of similar name that mod_ssl and impersonators
+ of mod_ssl provide.
+ This enables loading of several SSL providing modules when all but
+ one of them registers itself into the new hooks. Two old-style SSL
+ modules will not work, as they replace the others optional functions
+ with their own.
+ Modules using the old-style optional functions will continue to work
+ as core supplies its own versions of those.
+ The following has been added so far:
+ - ap_ssl_conn_is_ssl() to query if a connection is using SSL.
+ - ap_ssl_var_lookup() to query SSL related variables for a
+ server/connection/request.
+ - Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules
+ providing SSL can install their own value supplying functions.
+ - ap_ssl_add_cert_files() to enable other modules like mod_md to provide
+ certificate and keys for an SSL module like mod_ssl.
+ - ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
+ provide a fallback certificate in case no 'proper' certificate is
+ available for an SSL module like mod_ssl.
+ - ap_ssl_answer_challenge() to enable other modules like mod_md to
+ provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge
+ for the ACME protocol for an SSL module like mod_ssl. The function
+ and its hook provide PEM encoded data instead of file names.
+ - Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
+ 'ssl_answer_challenge' where modules like mod_md can provide providers
+ to the above mentioned functions.
+ - These functions reside in the new 'http_ssl.h' header file.
+ [Stefan Eissing]
+
+ *) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature. This
+ allows modules to access and provide OCSP response data without being tied
+ of each other. The data is exchanged in standard, portable formats (PEM encoded
+ certificates and DER encoded responses), so that the actual SSL/crypto
+ implementations used by the modules are independant of each other.
+ Registration and retrieval happen in the context of a server (server_rec)
+ which modules may use to decide if they are configured for this or not.
+ The area of changes:
+ 1. core: defines 2 functions in include/http_ssl.h, so that modules may
+ register a certificate, together with its issuer certificate for OCSP
+ response provisioning and ask for current response data (DER bytes) later.
+ Also, 2 hooks are defined that allow modules to implement this OCSP
+ provisioning.
+ 2. mod_ssl uses the new functions, in addition to what it did already, to
+ register its certificates this way. If no one is interested in providing
+ OCSP, it falls back to its own (if configured) stapling implementation.
+ 3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
+ on configuration, it will accept registrations of its own certificates only,
+ all certificates or none.
+ [Stefan Eissing]
+
+ *) mod_md: v2.4.0 with improvements and bugfixes
+ - MDPrivateKeys allows the specification of several types. Beside "RSA" plus
+ optional key lengths elliptic curves can be configured. This means you can
+ have multiple certificates for a Managed Domain with different key types.
+ With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA
+ certificate and all modern client will use the shorter ECDSA, while older
+ client will get the RSA certificate.
+ Many thanks to @tlhackque who pushed and helped on this.
+ - Support added for MDomains consisting of a wildcard. Configuring
+ ```MDomain *.host.net``` will match all virtual hosts matching that pattern
+ and obtain one certificate for it (assuming you have 'dns-01' challenge
+ support configured). Addresses #239.
+ - Removed support for ACMEv1 servers. The only known installation used to
+ be Let's Encrypt which has disabled that version more than a year ago for
+ new accounts.
+ - Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the
+ ```renewing``` call to ```MDMessageCmd``` that can deny a certificate
+ renewal attempt. This is useful in clustered installations, as
+ discussed in #233).
+ - New event ```challenge-setup:<type>:<domain>```, triggered when the
+ challenge data for a domain has been created. This is invoked before the
+ ACME server is told to check for it. The type is one of the ACME challenge
+ types. This is invoked for every DNS name in a MDomain.
+ - The max delay for retries has been raised to daily (this is like all
+ retries jittered somewhat to avoid repeats at fixed time of day).
+ - Certain error codes reported by the ACME server that indicate a problem
+ with the configured data now immediately switch to daily retries. For
+ example: if the ACME server rejects a contact email or a domain name,
+ frequent retries will most likely not solve the problem. But daily retries
+ still make sense as there might be an error at the server and un-supervised
+ certificate renewal is the goal. Refs #222.
+ - Test case and work around for domain names > 64 octets. Fixes #227.
+ When the first DNS name of an MD is longer than 63 octets, the certificate
+ request will not contain a CN field, but leave it up to the CA to choose one.
+ Currently, Lets Encrypt looks for a shorter name in the SAN list given and
+ fails the request if none is found. But it is really up to the CA (and what
+ browsers/libs accept here) and may change over the years. That is why
+ the decision is best made at the CA.
+ - Retry delays now have a random +/-[0-50]% modification applied to let
+ retries from several servers spread out more, should they have been
+ restarted at the same time of day.
+ - Fixed several places where the 'badNonce' return code from an ACME server
+ was not handled correctly. The test server 'pebble' simulates this behaviour
+ by default and helps nicely in verifying this behaviour. Thanks, pebble!
+ - Set the default `MDActivationDelay` to 0. This was confusing to users that
+ new certificates were deemed not usably before a day of delay. When clocks are
+ correct, using a new certificate right away should not pose a problem.
+ - When handling ACME authorization resources, the module no longer requires
+ the server to return a "Location" header, as was necessary in ACMEv1.
+ Fixes #216.
+ - Fixed a theoretical uninitialized read when testing for JSON error responses
+ from the ACME CA. Reported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>.
+ - ACME problem reports from CAs that include parameters in the Content-Type
+ header are handled correctly. (Previously, the problem text would not be
+ reported and retries could exceed CA limits.)
+ - Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
+ Previously, an empty JSON object was sent - which apparently LE accepted,
+ but others reject.
+ [Stefan Eissing, @tlhackque, Andreas Ulm]
+
+Changes with Apache 2.4.47
+
+ *) SECURITY: CVE-2021-30641 (cve.mitre.org)
+ Unexpected <Location> section matching with 'MergeSlashes OFF'
+
+ *) SECURITY: CVE-2020-35452 (cve.mitre.org)
+ mod_auth_digest: possible stack overflow by one nul byte while validating
+ the Digest nonce. [Yann Ylavic]
+
+ *) SECURITY: CVE-2021-26691 (cve.mitre.org)
+ mod_session: Fix possible crash due to NULL pointer dereference, which
+ could be used to cause a Denial of Service with a malicious backend
+ server and SessionHeader. [Yann Ylavic]
+
+ *) SECURITY: CVE-2021-26690 (cve.mitre.org)
+ mod_session: Fix possible crash due to NULL pointer dereference, which
+ could be used to cause a Denial of Service. [Yann Ylavic]
+
+ *) SECURITY: CVE-2020-13950 (cve.mitre.org)
+ mod_proxy_http: Fix possible crash due to NULL pointer dereference, which
+ could be used to cause a Denial of Service. [Yann Ylavic]
+
+ *) SECURITY: CVE-2020-13938 (cve.mitre.org)
+ Windows: Prevent local users from stopping the httpd process [Ivan Zhakov]
+
+ *) SECURITY: CVE-2019-17567 (cve.mitre.org)
+ mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end
+ negotiation. [Yann Ylavic]
+
+ *) mod_dav_fs: Improve logging output when failing to open files for
+ writing. PR 64413. [Bingyu Shen <ahshenbingyu gmail.com>]
+
+ *) mod_http2: Fixed a race condition that could lead to streams being
+ aborted (RST to the client), although a response had been produced.
+ [Stefan Eissing]
+
+ *) mod_lua: Add support to Lua 5.4 [Joe Orton, Giovanni Bechis, Ruediger Pluem]
+
+ *) MPM event/worker: Fix possible crash in child process on early signal
+ delivery. PR 64533. [Ruediger Pluem]
+
+ *) mod_http2: sync with github standalone version 1.15.17
+ - Log requests and sent the configured error response in case of early detected
+ errors like too many or too long headers. [Ruediger Pluem]
+ - new option 'H2OutputBuffering on/off' which controls the buffering of stream output.
+ The default is on, which is the behaviour of older mod-h2 versions. When off, all
+ bytes are made available immediately to the main connection for sending them
+ out to the client. This fixes interop issues with certain flavours of gRPC, see
+ also <https://github.com/icing/mod_h2/issues/207>.
+ [Stefan Eissing]
+
+ *) mod_unique_id: Fix potential duplicated ID generation under heavy load.
+ PR 65159
+ [Jonas Müntener <jonas.muentener ergon.ch>, Christophe Jaillet]
+
+ *) "[mod_dav_fs etag handling] should really honor the FileETag setting".
+ - It now does.
+ - Add "Digest" to FileETag directive, allowing a strong ETag to be
+ generated using a file digest.
+ - Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over
+ ETag generation.
+ - Add concept of "binary notes" to request_rec, allowing packed bit flags
+ to be added to a request.
+ - First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force
+ the ETag to a strong ETag to comply with RFC requirements, such as those
+ mandated by various WebDAV extensions.
+ [Graham Leggett]
+
+ *) mod_proxy_http: Fix a possibly crash when the origin connection gets
+ interrupted before completion. PR 64234.
+ [Barnim Dzwillo <dzwillo strato.de>, Ruediger Pluem]
+
+ *) mod_ssl: Do not keep connections to OCSP responders alive when doing
+ OCSP requests. PR 64135. [Ruediger Pluem]
+
+ *) mod_ssl: Improve the coalescing filter to buffer into larger TLS
+ records, and avoid revealing the HTTP header size via TLS record
+ boundaries (for common response generators).
+ [Joe Orton, Ruediger Pluem]
+
+ *) mod_proxy_hcheck: Don't pile up health checks if the previous one did
+ not finish before hcinterval. PR 63010. [Yann Ylavic]
+
+ *) mod_session: Improve session parsing. [Yann Yalvic]
+
+ *) mod_authnz_ldap: Prevent authentications with empty passwords for the
+ initial bind to fail with status 500. [Ruediger Pluem]
+
+ *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
+ Transfer-Encoding from the client, spooling the request body when needed
+ to provide a Content-Length to the backend. PR 57087. [Yann Ylavic]
+
+ *) mod_proxy: Improve tunneling loop to support half closed connections and
+ pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
+
+ *) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
+ allowing for (non-)Upgrade negotiation with the origin server.
+ [Yann Ylavic]
+
+ *) mod_proxy: Allow ProxyErrorOverride to be restricted to specific status
+ codes. PR63628. [Martin DröÃler <mail martindroessler.de>]
+
+ *) core: Add ReadBufferSize, FlushMaxThreshold and FlushMaxPipelined
+ directives. [Yann Ylavic]
+
+ *) core: Ensure that aborted connections are logged as such. PR 62823
+ [Arnaud Grandville <co...@grandville.net>]
+
+ *) http: Allow unknown response status' lines returned in the form of
+ "HTTP/x.x xxx Status xxx". [Yann Ylavic]
+
+ *) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies,
+ leading to Request Timeout (408). PR 63855. [Yann Ylavic]
+
+ *) core: Remove headers on 304 Not Modified as specified by RFC7234, as
+ opposed to passing an explicit subset of headers. PR 61820.
+ [Giovanni Bechis]
+
+ *) mpm_event: Don't reset connections after lingering close, restoring prior
+ to 2.4.28 behaviour. [Yann Ylavic]
+
+ *) mpm_event: Kill connections in keepalive state only when there is no more
+ workers available, not when the maximum number of connections is reached,
+ restoring prior to 2.4.30 behaviour. [Yann Ylavic]
+
+ *) mod_unique_id: Use base64url encoding for UNIQUE_ID variable,
+ avoiding the use of '@'. PR 57044.
+ [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>]
+
+ *) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a
+ SameSite attribute. [Eric Covener]
+
+ *) mod_proxy: Add proxy check_trans hook. This allows proxy
+ modules to decline request handling at early stage.
+
+ *) mod_proxy_wstunnel: Decline requests without an Upgrade
+ header so ws/wss can be enabled overlapping with later
+ http/https.
+
+ *) mod_http2: Log requests and sent the configured error response in case of
+ early detected errors like too many or too long headers.
+ [Ruediger Pluem, Stefan Eissing]
+
+ *) mod_md: Lowered the required minimal libcurl version from 7.50 to 7.29
+ as proposed by <alexander.gerasimov codeit.pro>. [Stefan Eissing]
+
+ *) mod_ssl: Fix request body buffering with PHA in TLSv1.3. [Joe Orton]
+
+ *) mod_proxy_uwsgi: Fix a crash when sending environment variables with no
+ value. PR 64598 [Ruediger Pluem]
+
+ *) mod_proxy: Recognize parameters from ProxyPassMatch workers with dollar
+ substitution, such that they apply to the backend connection. Note that
+ connection reuse is disabled by default to avoid compatibility issues.
+ [Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere]
+
+Changes with Apache 2.4.46
+
+ *) SECURITY: CVE-2020-11984 (cve.mitre.org)
+ mod_proxy_uwsgi: Malicious request may result in information disclosure
+ or RCE of existing file on the server running under a malicious process
+ environment. [Yann Ylavic]
+
+ *) SECURITY: CVE-2020-11993 (cve.mitre.org)
+ mod_http2: when throttling connection requests, log statements
+ where possibly made that result in concurrent, unsafe use of
+ a memory pool. [Stefan Eissing]
+
+ *) SECURITY: CVE-2020-9490 (cve.mitre.org)
+ mod_http2: a specially crafted value for the 'Cache-Digest' header
+ request would result in a crash when the server actually tries
+ to HTTP/2 PUSH a resource afterwards. [Stefan Eissing]
+
+ *) mod_proxy_fcgi: Fix missing APLOGNO macro argument
+ [Eric Covener, Christophe Jaillet]
+
+Changes with Apache 2.4.45
+
+ *) mod_http2: remove support for abandoned http-wg draft
+ <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
+ [Stefan Eissing]
+
+Changes with Apache 2.4.44
+
+ *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
+ protocol limit). [Yann Ylavic]
+
+ *) mod_http2:
+ Fixes <https://github.com/icing/mod_h2/issues/200>:
+ "LimitRequestFields 0" now disables the limit, as documented.
+ Fixes <https://github.com/icing/mod_h2/issues/201>:
+ Do not count repeated headers with same name against the field
+ count limit. The are merged internally, as if sent in a single HTTP/1 line.
+ [Stefan Eissing]
+
+ *) mod_http2: Avoid segfaults in case of handling certain responses for
+ already aborted connections. [Stefan Eissing, Ruediger Pluem]
+
+ *) mod_http2: The module now handles master/secondary connections and has marked
+ methods according to use. [Stefan Eissing]
+
+ *) core: Drop an invalid Last-Modified header value coming
+ from a FCGI/CGI script instead of replacing it with Unix epoch.
+ [Yann Ylavic, Luca Toscano]
+
+ *) Add support for strict content-length parsing through addition of
+ ap_parse_strict_length() [Yann Ylavic]
+
+ *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
+ evaluates to false. PR64365. [Michael König <mail ikoenig.net>]
+
+ *) mod_proxy_http: flush spooled request body in one go to avoid
+ leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]
+
+ *) mod_ssl: Fix a race condition and possible crash when using a proxy client
+ certificate (SSLProxyMachineCertificateFile).
+ [Armin Abfalterer <a.abfalterer gmail.com>]
+
+ *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]
+
+ *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
+ PR64330 [Stefan Eissing]
+
+ *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
+ was configured with a handshake timeout. Fixes gitub issue #196.
+ [Stefan Eissing]
+
+ *) mod_proxy_http2: the "ping" proxy parameter
+ (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
+ when checking the liveliness of a new or reused h2 connection to the backend.
+ With short durations, this makes load-balancing more responsive. The module
+ will hold back requests until ping conditions are met, using features of the
+ HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
+
+ *) core: httpd is no longer linked against -lsystemd if mod_systemd
+ is enabled (and built as a DSO). [Rainer Jung]
+
+ *) mod_proxy_http2: respect ProxyTimeout settings on backend connections
+ while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
+
+Changes with Apache 2.4.43
+
+ *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
+
+Changes with Apache 2.4.42
+
+ *) SECURITY: CVE-2020-1934 (cve.mitre.org)
+ mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
+ server. [Eric Covener]
+
+ *) SECURITY: CVE-2020-1927 (cve.mitre.org)
+ rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
+ matches and substitutions with encoded line break characters.
+ The fix for CVE-2019-10098 was not effective. [Ruediger Pluem]
+
+ *) mod_proxy_http: Fix the forwarding of requests with content body when a
+ balancer member is unavailable; the retry on the next member was issued
+ with an empty body (regression introduced in 2.4.41). PR63891.
+ [Yann Ylavic]
+
+ *) core: Use a temporary file when writing the pid file, avoiding
+ startup failure if an empty pidfile is left over from a
+ previous crashed or aborted invocation of httpd. PR 63140.
+ [Nicolas Carrier <carrier.nicolas0 gmail.com>, Joe Orton]
+
+ *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
+ identifier under load, see <https://github.com/icing/mod_h2/issues/195>.
+ [Michael Kaufmann, Stefan Eissing]
+
+ *) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
+ PR64140. [Renier Velazco <renier.velazco upr.edu>]
+
+ *) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
+ PR64172.
+
+ *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
+ to allow customization of the usertrack cookie. PR64077.
+ [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]
+
+ *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
+ AJP13 authentication. PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]
+
+ *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
+ [Eric Covener, Yann Ylavic]
+
+ *) Add a config layout for OpenWRT. [Graham Leggett]
+
+ *) Add support for cross compiling to apxs. If apxs is being executed from
+ somewhere other than its target location, add that prefix to includes and
+ library directories. Without this, apxs would fail to find config_vars.mk
+ and exit. [Graham Leggett]
+
+ *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
+ issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
+ [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
+
+ *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
+ [Graham Leggett]
+
+ *) mod_ssl: Support use of private keys and certificates from an
+ OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
+ [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]
+
+ *) mod_md:
+ - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
+ thanks to Timothe Litt (@tlhackque).
+ - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
+ check all matching virtual hosts for protocol support. Thanks to @mkauf.
+ - Corrected a check when OCSP stapling was configured for hosts
+ where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
+ - Softening the restrictions where mod_md configuration directives may appear. This should
+ allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
+ you wanted in the first place, is another matter.
+ [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
+ Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
+
+ *) test: Added continuous testing with Travis CI.
+ This tests various scenarios on Ubuntu with the full test suite.
+ Architectures tested: amd64, s390x, ppc64le, arm64
+ The tests pass successfully.
+ [Luca Toscano, Joe Orton, Mike Rumph, and others]
+
+ *) core: Be stricter in parsing of Transfer-Encoding headers.
+ [ZeddYu <zeddyu.lu gmail.com>, Eric Covener]
+
+ *) mod_ssl: negotiate the TLS protocol version per name based vhost
+ configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
+ SSLProtocol (from the first vhost declared on the IP:port) is now only
+ relevant if no SSLProtocol is declared for the vhost or globally,
+ otherwise the vhost or global value apply. [Yann Ylavic]
+
+ *) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
+ output. PR 64096. [Joe Orton]
+
+ *) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
+ [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]
+
+ *) mod_systemd: New module providing integration with systemd. [Jan Kaluza]
+
+ *) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
+ r:notes_table, r:subprocess_env_table as read-only native table alternatives
+ that can be iterated over. [Eric Covener]
+
+ *) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
+ [Yann Ylavic, Stefan Eissing]
+
+ *) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
+ r.headers_out, etc) to remove the key from the table. PR63971.
+ [Eric Covener]
+
+ *) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
+ ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
+ always `on`, regardless of configuration. Found and reported by
+ <Ar...@united-security-providers.ch> and
+ <Ma...@united-security-providers.ch>. [Stefan Eissing]
+
+ *) mod_http2: Multiple field length violations in the same request no longer cause
+ several log entries to be written. [@mkauf]
+
+ *) mod_ssl: OCSP does not apply to proxy mode. PR 63679.
+ [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]
+
+ *) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
+ [Jim Jagielski]
+
+ *) mod_authn_socache: Increase the maximum length of strings that can be cached by
+ the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>]
+
+ *) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
+ [Ruediger Pluem, Eric Covener]
+
+ *) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
+ valid (For example, testing for a file on a flash drive that is not mounted)
+ [Christophe Jaillet]
+
+ *) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
+ means 'foo' is "not acceptable". PR 58158 [Chistophe Jaillet]
+
+ *) mod_md v2.2.3:
+ - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
+ had been additive before which was not the intended behaviour. [@mkauf]
+ - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
+ documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
+ - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
+ - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
+ "transfer-encoding" to POST requests. This failed in direct communication with
+ Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]
+
+ *) mod_md: Adding the several new features.
+ The module offers an implementation of OCSP Stapling that can replace fully or
+ for a limited set of domains the existing one from mod_ssl. OCSP handling
+ is part of mod_md's monitoring and message notifications. If can be used
+ for sites that do not have ACME certificates.
+ The url for a CTLog Monitor can be configured. It is used in the server-status
+ to link to the external status page of a certificate.
+ The MDMessageCmd is called with argument "installed" when a new certificate
+ has been activated on server restart/reload. This allows for processing of
+ the new certificate, for example to applications that require it in different
+ locations or formats.
+ [Stefan Eissing]
+
+ *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
+ protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
+
+Changes with Apache 2.4.41
+
+ *) SECURITY: CVE-2019-10097 (cve.mitre.org)
+ mod_remoteip: Fix stack buffer overflow and NULL pointer deference
+ when reading the PROXY protocol header. [Joe Orton,
+ Daniel McCarney <cpu letsencrypt.org>]
+
+ *) SECURITY: CVE-2019-9517 (cve.mitre.org)
+ mod_http2: a malicious client could perform a DoS attack by flooding
+ a connection with requests and basically never reading responses
+ on the TCP connection. Depending on h2 worker dimensioning, it was
+ possible to block those with relatively few connections. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-10098 (cve.mitre.org)
+ rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
+ matches and substitutions with encoded line break characters.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2019-10092 (cve.mitre.org)
+ Remove HTML-escaped URLs from canned error responses to prevent misleading
+ text/links being displayed via crafted links. [Eric Covener]
+
+ *) SECURITY: CVE-2019-10082 (cve.mitre.org)
+ mod_http2: Using fuzzed network input, the http/2 session
+ handling could be made to read memory after being freed,
+ during connection shutdown. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-10081 (cve.mitre.org)
+ mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
+ could lead to an overwrite of memory in the pushing request's pool,
+ leading to crashes. The memory copied is that of the configured push
+ link header values, not data supplied by the client. [Stefan Eissing]
+
+ *) mod_proxy_balancer: Improve balancer-manager protection against
+ XSS/XSRF attacks from trusted users. [Joe Orton,
+ Niels Heinen <heinenn google.com>]
+
+ *) mod_session: Introduce SessionExpiryUpdateInterval which allows to
+ configure the session/cookie expiry's update interval. PR 57300.
+ [Paul Spangler <paul.spangler ni.com>]
+
+ *) modules/filters: Fix broken compilation when using old GCC (<4.2.x).
+ PR 63633. [Rainer Jung, Joe Orton]
+
+ *) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
+ configured for a domain managed by mod_md. [Stefan Eissing]
+
+Changes with Apache 2.4.40
+
+ *) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via
+ RegexDefaultOptions -DOTALL [Yann Ylavic]
+
+ *) core: Remove request details from built-in error documents [Eric Covener]
+
+ *) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on
+ merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]
+
+ *) mod_http2: fixed a bug that prevented proper stream cleanup when connection
+ throttling was in place. Stream resets by clients on streams initiated by them
+ are counted as possible trigger for throttling. [Stefan Eissing]
+
+ *) mod_http2/mpm_event: Fixes the behaviour when a HTTP/2 connection has nothing
+ more to write with streams ongoing (flow control block). The timeout waiting
+ for the client to send WINODW_UPDATE was incorrectly KeepAliveTimeout and not
+ Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]
+
+ *) mod_proxy_balancer: Load balancer required byrequests when bytraffic chosen.
+ PR 62372. [Jim Jagielski]
+
+ *) mod_proxy_hcheck: Create the configuration for mod_proxy_hcheck
+ when used in BalancerMember. PR 60757. [Jean-Frederic Clere]
+
+ *) mod_proxy_hcheck: Mute extremely frequent debug message. [Yann Ylavic]
+
+ *) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
+ adding certificates and keys to a virtual host. An additional hook allows
+ answering special TLS connections as used in ACME challenges.
+ Adding 2 new hooks for init/get of OCSP stapling status information when
+ other modules want to provide those. Falls back to own implementation with
+ same behaviour as before.
+ [Stefan Eissing]
+
+ *) mod_md: new features
+ - protocol
+ - supports the ACMEv2 protocol. It is the default and will be used on the next
+ certificate renewal, unless another "MDCertificateAuthority" is configured
+ - ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
+ announcement by Let's Encrypt:
+ https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
+ - challenges
+ - new challenge method 'tls-alpn-01' implemented
+ - challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
+ - supports command configuration to setup/teardown 'dns-01' challenges
+ - supports wildcard certificates when dns challenges are configured
+ - status information and monitoring
+ - a domain exposes its status at https://<domain>/.httpd/certificate-status
+ - Managed Domains are now in Apache's 'server-status' page
+ - A new handler 'md-status' exposes verbose status information in JSON format
+ - new directives
+ - "MDCertificateFile" and "MDCertificateKeyFile" to configure a
+ Managed Domain that uses static files. Auto-renewal is turned off for those.
+ - "MDMessageCmd" that is invoked on several events: 'renewed', 'expiring' and
+ 'errored'.
+ - "MDWarnWindow" directive to configure when expiration warnings shall be issued.
+ [Stefan Eissing]
+
+ *) mod_mime_magic: Fix possible corruption of returned strings.
+ [Christophe Jaillet]
+
+ *) Default "conf/magic": Fix pattern for "audio/x-wav" for WAV files,
+ remove "audio/unknown" pattern for other RIFF files.
+ [Ãngel Ollé Blázquez <aollebla redhat.com>]
+
+ *) mod_proxy_http2: fixing a potential NULL pointer use in logging.
+ [Christophe Jaillet, Dr Silvio Cesare InfoSect]
+
+ *) mod_dav: Reduce the amount of memory needed when doing PROPFIND's on large
+ collections by improving the memory management. [Joe Orton, Ruediger Pluem]
+
+ *) mod_proxy_http2: adding support for handling trailers in both directions.
+ PR 63502. [Stefan Eissing]
+
+ *) mod_proxy_http: forward 100-continue, and minimize race conditions when
+ reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere]
+
+ *) mod_proxy_balancer: Fix some HTML syntax issues. [Christophe Jaillet]
+
+ *) When using mod_status with the Event MPM, report the number of requests
+ associated with an active connection in the "ACC" field. Previously
+ zero was always reported with this MPM. PR60647. [Eric Covener]
+
+ *) mod_http2: remove the no longer existing h2_ngn_shed.c from Cmake.
+ [Stefan Eissing]
+
+ *) mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy
+ SSL configurations broken inside <Proxy> context. PR 63430.
+ [Ruediger Pluem, Yann Ylavic]
+
+ *) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.
+ PR 61857. [Markus Gausling <markusgausling googlemail.com>, Yann Ylavic]
+
+ *) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39.
+ PR 63325. [Yann Ylavic]
+
+ *) mod_info: Fix output of server settings for PIPE_BUF in mod_info in
+ the rare case that PIPE_BUF is defined. [Rainer Jung]
+
+ *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
+ spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]
+
+Changes with Apache 2.4.39
+
+ *) SECURITY: CVE-2019-0197 (cve.mitre.org)
+ mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
+ host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
+ request from http/1.1 to http/2 that was not the first request on a
+ connection could lead to a misconfiguration and crash. Servers that
+ never enabled the h2 protocol or only enabled it for https: and
+ did not set "H2Upgrade on" are unaffected by this issue.
+ [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-0196 (cve.mitre.org)
+ mod_http2: using fuzzed network input, the http/2 request
+ handling could be made to access freed memory in string
+ comparison when determining the method of a request and
+ thus process the request incorrectly. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-0211 (cve.mitre.org)
+ MPMs unix: Fix a local privilege escalation vulnerability by not
+ maintaining each child's listener bucket number in the scoreboard,
+ preventing unprivileged code like scripts run by/on the server (e.g. via
+ mod_php) from modifying it persistently to abuse the privileged main
+ process. [Charles Fol <folcharles gmail.com>, Yann Ylavic]
+
+ *) SECURITY: CVE-2019-0217 (cve.mitre.org)
+ mod_auth_digest: Fix a race condition checking user credentials which
+ could allow a user with valid credentials to impersonate another,
+ under a threaded MPM. PR 63124. [Simon Kappel <simon.kappel axis.com>]
+
+ *) SECURITY: CVE-2019-0215 (cve.mitre.org)
+ mod_ssl: Fix access control bypass for per-location/per-dir client
+ certificate verification in TLSv1.3.
+
+ *) SECURITY: CVE-2019-0220 (cve.mitre.org)
+ Merge consecutive slashes in URL's. Opt-out with
+ `MergeSlashes OFF`. [Eric Covener]
+
+ *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
+ connection is recycled/reused to avoid a possible crash with some SSLProxy
+ configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
+
+ *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
+ PR 55348
+
+ *) mod_socache_redis: Support for Redis as socache storage provider.
+
+ *) core: new configuration option 'MergeSlashes on|off' that controls handling of
+ multiple, consecutive slash ('/') characters in the path component of the request URL.
+ [Eric Covener]
+
+ *) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
+ in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
+ Fixed. [Michael Kaufmann]
+
+ *) mod_http2: new configuration directive: `H2Padding numbits` to control
+ padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
+ controlling the range of padding bytes added to a frame. The actual number
+ added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
+ frames equally. The default continues to be 0, e.g. no padding. [Stefan Eissing]
+
+ *) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
+ has no more need for it. Optional functions are still declared but no longer implemented.
+ While previous mod_proxy_http2 will work with this, it is recommended to run the matching
+ versions of both modules. [Stefan Eissing]
+
+ *) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
+ resolve PR63170. The proxy module does now a single h2 request on the (reused)
+ connection and returns. [Stefan Eissing]
+
+ *) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status
+ to trigger immediate shutdown of backend connections. This is now always signalled
+ by mod_http2 when the the session is being released.
+ proxy_http2 now only sends a PING frame to the backend when there is not already one
+ in flight. [Stefan Eissing]
+
+ *) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite
+ loop when encountering certain errors on the backend connection.
+ See <https://bz.apache.org/bugzilla/show_bug.cgi?id=63170>. [Stefan Eissing]
+
+ *) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per
+ Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]
+
+ *) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to
+ terminate improperly and cause a HTTP/2 PROTOCOL_ERROR.
+ Fixes <https://github.com/icing/mod_h2/issues/167>. [Michael Kaufmann]
+
+ *) http: Fix possible empty response with mod_ratelimit for HEAD requests.
+ PR 63192. [Yann Ylavic]
+
+ *) mod_cache_socache: Avoid reallocations and be safe with outgoing data
+ lifetime. [Yann Ylavic]
+
+ *) mod_http2: enable re-use of slave connections again. Fixed slave connection
+ keepalives counter. [Stefan Eissing]
+
+ *) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.
+ PR 61310. [Yann Ylavic]
+
+ *) core: Split out the ability to parse wildcard files and directories
+ from the Include/IncludeOptional directives into a generic set of
+ functions ap_dir_nofnmatch() and ap_dir_fnmatch(). [Graham Leggett]
+
+ *) mod_proxy_wstunnel: Fix websocket proxy over UDS.
+ PR 62932 <pavel dcmsys.com>
+
+ *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
+ configuration (SSLFIPS on) and not active by default in OpenSSL.
+ PR 63136. [Yann Ylavic]
+
+Changes with Apache 2.4.38
+
+ *) SECURITY: CVE-2018-17199 (cve.mitre.org)
+ mod_session: mod_session_cookie does not respect expiry time allowing
+ sessions to be reused. [Hank Ibell]
+
+ *) SECURITY: CVE-2018-17189 (cve.mitre.org)
+ mod_http2: fixes a DoS attack vector. By sending slow request bodies
+ to resources not consuming them, httpd cleanup code occupies a server
+ thread unnecessarily. This was changed to an immediate stream reset
+ which discards all stream state and incoming data. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-0190 (cve.mitre.org)
+ mod_ssl: Fix infinite loop triggered by a client-initiated
+ renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
+ later. PR 63052. [Joe Orton]
+
+ *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
+ PR 63052 [Joe Orton]
+
+ *) mod_negotiation: Treat LanguagePriority as case-insensitive to match
+ AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]
+
+ *) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
+ have been fixed. [Michael Kaufmann, Stefan Eissing]
+
+ *) mod_setenvif: We can have expressions that become true if a regex pattern
+ in the expression does NOT match. In this case val is NULL
+ and we should just set the value for the environment variable
+ like in the pattern case. [Ruediger Pluem]
+
+ *) mod_session: Always decode session attributes early. [Hank Ibell]
+
+ *) core: Incorrect values for environment variables are substituted when
+ multiple environment variables are specified in a directive. [Hank Ibell]
+
+ *) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
+ this type of map is present in the configuration. PR62311.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_dav: Fix invalid Location header when a resource is created by
+ passing an absolute URI on the request line [Jim Jagielski]
+
+ *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
+ [Emmanuel Dreyfus <ma...@netbsd.org>, Luca Toscano]
+
+ *) mod_ssl: clear *SSL errors before loading certificates and checking
+ afterwards. Otherwise errors are reported when other SSL using modules
+ are in play. Fixes PR 62880. [Michael Kaufmann]
+
+ *) mod_ssl: Fix the error code returned in an error path of
+ 'ssl_io_filter_handshake()'. This messes-up error handling performed
+ in 'ssl_io_filter_error()' [Yann Ylavic]
+
+ *) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
+ authz provider so "Require ssl" works correctly in HTTP/2.
+ PR 61519, 62654. [Joe Orton, Stefan Eissing]
+
+ *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
+ redirects, subsequent ProxyPassReverse statements, whether they are
+ relative or absolute, may fail. PR 60408. [Peter Haworth <pmh1wheel gmail.com>]
+
+ *) mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1]
+
+Changes with Apache 2.4.37
+
+ *) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1. [Rainer Jung]
+
+ *) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
+ when client certificates are available from the original handshake
+ but were originally not verified and should get verified now.
+ This is a regression in 2.4.36 (unreleased). [Ruediger Pluem]
+
+ *) mod_ssl: Correctly merge configurations that have client certificates set
+ by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]
+
+Changes with Apache 2.4.36
+
+ *) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
+ responses. Regression introduced in 2.4.35.
+
+ *) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
+ body of the response. [Jim Jagielski]
+
+ *) mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when
+ there are still idle threads available. When there are less idle threads than
+ MinSpareThreads, issue new one-time message AH10159. Matches worker MPM.
+ [Eric Covener]
+
+ *) mod_http2: adding defensive code for stream EOS handling, in case the request handler
+ missed to signal it the normal way (eos buckets). Addresses github issues
+ https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
+ and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing]
+
+ *) ab: Add client certificate support. PR 55774. [Graham Leggett]
+
+ *) ab: Disable printing temp key for OpenSSL before
+ version 1.0.2. SSL_get_server_tmp_key is not available
+ there. [Rainer Jung]
+
+ *) mod_ssl: Fix a regression that the configuration settings for verify mode
+ and verify depth were taken from the frontend connection in case of
+ connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
+
+ *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
+ before signals handling to avoid lifetime issues on restart or shutdown.
+ PR 62658. [Yann Ylavic]
+
+ *) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3. TLSv1.3 has
+ behavioural changes compared to v1.2 and earlier; client and
+ configuration changes should be expected. SSLCipherSuite is
+ enhanced for TLSv1.3 ciphers, but applies at vhost level only.
+ [Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]
+
+ *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
+ should be accepted after the authorization scheme. \t are also tolerated.
+ [Christophe Jaillet]
+
+ *) mod_socache_redis: New socache submodule provider to allow use
+ of Redis as storage backend. [Jim Jagielski]
+
+ *) mod_proxy_hcheck: Fix issues with interval determination. PR 62318
+ [Jim Jagielski]
+
+ *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
+ [Dominik Stillhard <dominik.stillhard united-security-providers.ch>]
+
+ *) mod_proxy_hcheck: take balancer's SSLProxy* directives into account.
+ [Jim Jagielski]
+
+ *) mod_status, mod_echo: Fix the display of client addresses.
+ They were truncated to 31 characters which is not enough for IPv6 addresses.
+ This is done by deprecating the use of the 'client' field and using
+ the new 'client64' field in worker_score.
+ PR 54848 [Bernhard Schmidt <berni birkenwald de>, Jim Jagielski]
+
+Changes with Apache 2.4.35
+
+ *) http: Enforce consistently no response body with both 204 and 304
+ statuses. [Yann Ylavic]
+
+ *) mod_status: Cumulate CPU time of exited child processes in the
+ "cu" and "cs" values. Add CPU time of the parent process to the
+ "c" and "s" values.
+ [Rainer Jung]
+
+ *) mod_proxy: Improve the balancer member data shown in mod_status when
+ "ProxyStatus" is "On": add "busy" count and show byte counts in
+ auto mode always in units of kilobytes. [Rainer Jung]
+
+ *) mod_status: Add cumulated response duration time in milliseconds.
+ [Rainer Jung]
+
+ *) mod_status: Complete the data shown for async MPMs in "auto" mode.
+ Added number of processes, number of stopping processes and number
+ of busy and idle workers. [Rainer Jung]
+
+ *) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
+ introduced in 2.4.34. PR 62568. [Yann Ylavic]
+
+ *) mod_proxy: Remove load order and link dependency between mod_lbmethod_*
+ modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe]
+
+ *) Allow the argument to <IfFile>, <IfDefine>, <IfSection>, <IfDirective>,
+ and <IfModule> to be quoted. This is primarily for the benefit of
+ <IfFile>. [Eric Covener]
+
+ *) mod_watchdog: Correct some log messages. [Rainer Jung]
+
+ *) mod_md: When the last domain name from an MD is moved to another one,
+ that now empty MD gets moved to the store archive. PR 62572.
+ [Stefan Eissing]
+
+ *) mod_ssl: Fix merging of SSLOCSPOverrideResponder. [Jeff Trawick,
+ [Frank Meier <frank meier ergon.ch>]
+
+ *) mod_proxy_balancer: Restore compatibility with APR 1.4. [Joe Orton]
+
+Changes with Apache 2.4.34
+
+ *) SECURITY: CVE-2018-8011 (cve.mitre.org)
+ mod_md: DoS via Coredumps on specially crafted requests
+
+ *) SECURITY: CVE-2018-1333 (cve.mitre.org)
+ mod_http2: DoS for HTTP/2 connections by specially crafted requests
+
+ *) Introduce zh-cn and zh-tw (simplified and traditional Chinese) error
+ document translations. [CodeingBoy, popcorner]
+
+ *) event: avoid possible race conditions with modules on the child pool.
+ [Stefan Fritsch]
+
+ *) mod_proxy: Fix a corner case where the ProxyPassReverseCookieDomain or
+ ProxyPassReverseCookiePath directive could fail to update correctly
+ 'domain=' or 'path=' in the 'Set-Cookie' header. PR 61560.
+ [Christophe Jaillet]
+
+ *) mod_ratelimit: fix behavior when proxing content. PR 62362.
+ [Luca Toscano, Yann Ylavic]
+
+ *) core: Re-allow '_' (underscore) in hostnames.
+ [Eric Covener]
+
+ *) mod_authz_core: If several parameters are used in a AuthzProviderAlias
+ directive, if these parameters are not enclosed in quotation mark, only
+ the first one is handled. The other ones are silently ignored.
+ Add a message to warn about such a spurious configuration.
+ PR 62469 [Hank Ibell <hwibell gmail.com>, Christophe Jaillet]
+
+ *) mod_md: improvements and bugfixes
+ - MDNotifyCmd now takes additional parameter that are passed on to the called command.
+ - ACME challenges have better checks for interference with other modules
+ - ACME challenges are only handled for domains managed by the module, allowing
+ other ACME clients to operate for other domains in the server.
+ - better libressl integration
+
+ *) mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'.
+ PR 62480. [Lubos Uhliarik <luhliari redhat.com>}
+
+ *) logging: Some early logging-related startup messages could be lost
+ when using syslog for the global ErrorLog. [Eric Covener]
+
+ *) mod_cache: Handle case of an invalid Expires header value RFC compliant
+ like the case of an Expires time in the past: allow to overwrite the
+ non-caching decision using CacheStoreExpired and respect Cache-Control
+ "max-age" and "s-maxage". [Rainer Jung]
+
+ *) mod_xml2enc: Fix forwarding of error metadata/responses. PR 62180.
+ [Micha Lenk <micha lenk.info>, Yann Ylavic]
+
+ *) mod_proxy_http: Fix response header thrown away after the previous one
+ was considered too large and truncated. PR 62196. [Yann Ylavic]
+
+ *) core: Add and handle AP_GETLINE_NOSPC_EOL flag for ap_getline() family
+ of functions to consume the end of line when the buffer is exhausted.
+ PR 62198. [Yann Ylavic]
+
+ *) mod_proxy_http: Add new worker parameter 'responsefieldsize' to
+ allow maximum HTTP response header size to be increased past 8192
+ bytes. PR 62199. [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_ssl: Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf
+ of a certificate chain. PR62112.
+ [Ricardo Martin Camarero <rickyepoderi yahoo.es>]
+
+ *) http: Fix small memory leak per request when handling persistent
+ connections. [Ruediger Pluem, Joe Orton]
+
+ *) mod_proxy_html: Fix variable interpolation and memory allocation failure
+ in ProxyHTMLURLMap. PR 62344. [Ewald Dieterich <ewald mailbox.org>]
+
+ *) mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.
+ PR 62220. [Chritophe Jaillet, Yann Ylavic]
+
+ *) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
+ zero out what had been initialized as the connection-level port. PR59931.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: In ONE_PROCESS/debug mode, cleanup everything when exiting.
+ [Yann Ylavic]
+
+ *) mod_proxy_balancer: Add hot spare member type and corresponding flag (R).
+ Hot spare members are used as drop-in replacements for unusable workers
+ in the same load balancer set. This differs from hot standbys which are
+ only used when all workers in a set are unusable. PR 61140. [Jim Riggs]
+
+ *) suexec: Add --enable-suexec-capabilites support on Linux, to use
+ setuid/setgid capability bits rather than a setuid root binary.
+ [Joe Orton]
+
+ *) suexec: Add support for logging to syslog as an alternative to
+ logging to a file; use --without-suexec-logfile --with-suexec-syslog.
+ [Joe Orton]
+
+ *) mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling
+ which broke some rare but previously-working configs. [Joe Orton]
+
+ *) core, log: improve sanity checks for the ErrorLog's syslog config, and
+ explicitly allow only lowercase 'syslog' settings. PR 62102
+ [Luca Toscano, Jim Riggs, Christophe Jaillet]
+
+ *) mod_http2: accurate reporting of h2 data input/output per request via
+ mod_logio. Fixes an issue where output sizes where counted n-times on
+ reused slave connections. [Stefan Eissing]
+ See github issue: https://github.com/icing/mod_h2/issues/158
+
+ *) mod_http2: Fix unnecessary timeout waits in case streams are aborted.
+ [Stefan Eissing]
+
+ *) mod_http2: restoring the v1.10.16 keepalive timeout behaviour of mod_http2.
+ [Stefan Eissing]
+
+ *) mod_proxy: Do not restrict the maximum pool size for backend connections
+ any longer by the maximum number of threads per process and use a better
+ default if mod_http2 is loaded.
+ [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Gregg Smith]
+
+ *) mod_slotmem_shm: Add generation number to shm filename to fix races
+ with graceful restarts. PRs 62044 and 62308. [Jim Jagielski, Yann Ylavic]
+
+ *) core: Preserve the original HTTP request method in the '%<m' LogFormat
+ when an path-based ErrorDocument is used. PR 62186.
+ [Micha Lenk <micha lenk.info>]
+
+ *) mod_remoteip: make proxy-protocol work on slave connections, e.g. in
+ HTTP/2 requests. [Stefan Eissing]
+ See also https://github.com/roadrunner2/mod-proxy-protocol/issues/6
+
+ *) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
+ regression introduced in 2.4.30. PR 62232. [Rainer Jung, Yann Ylavic]
+
+ *) mod_md: Fix compilation with OpenSSL before version 1.0.2. [Rainer Jung]
+
+ *) mod_dumpio: do nothing below log level TRACE7. [Yann Ylavic]
+
+ *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
+ [Eric Covener]
+
+ *) core: On ECBDIC platforms, some errors related to oversized headers
+ may be misreported or be logged as ASCII escapes. PR 62200
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_ssl: Fix cmake-based build. PR 62266. [Rainer Jung]
+
+ *) core: Add <IfFile>, <IfDirective> and <IfSection> conditional
+ section containers. [Eric Covener, Joe Orton]
+
+ *) rotatelogs: Add -D option to create parent directories. PR 46669.
+ [Philippe Lantin <plantin cobaltgroup.com>, Ben Reser, Rainer Jung]
+
+Changes with Apache 2.4.33
+
+ *) core: Fix request timeout logging and possible crash for error_log hooks.
+ [Yann Ylavic]
+
+ *) mod_slomem_shm: Fix failure to create balancers's slotmems in Windows MPM,
+ where children processes need to attach them instead since they are owned
+ by the parent process already. [Yann Ylavic]
+
+ *) ab: try all destination socket addresses returned by
+ apr_sockaddr_info_get instead of failing on first one when not available.
+ Needed for instance if localhost resolves to both ::1 and 127.0.0.1
+ e.g. if both are in /etc/hosts. [Jan Kaluza]
+
+ *) ab: Use only one connection to determine working destination socket
+ address. [Jan Kaluza]
+
+ *) ab: LibreSSL doesn't have or require Windows applink.c. [Gregg L. Smith]
+
+ *) htpasswd/htdigest: Disable support for bcrypt on EBCDIC platforms.
+ apr-util's bcrypt implementation doesn't tolerate EBCDIC. [Eric Covener]
+
+ *) htpasswd/htdbm: report the right limit when get_password() overflows.
+ [Yann Ylavic]
+
+ *) htpasswd: Don't fail in -v mode if password file is unwritable.
+ PR 61631. [Joe Orton]
+
+ *) htpasswd: don't point to (unused) stack memory on output
+ to make static analysers happy. PR 60634.
+ [Yann Ylavic, reported by shqking and Zhenwei Zou]
+
+Changes with Apache 2.4.32
+
+ *) mod_access_compat: Fail if a comment is found in an Allow or Deny
+ directive. [Jan Kaluza]
+
+ *) mod_authz_host: Ignore comments after "Require host", logging a
+ warning, or logging an error if the line is otherwise empty.
+ [Jan Kaluza, Joe Orton]
+
+ *) rotatelogs: Fix expansion of %Z in localtime (-l) mode, and fix
+ Y2K38 bug. [Joe Orton]
+
+ *) mod_ssl: Support SSL DN raw variable extraction without conversion
+ to UTF-8, using _RAW suffix on variable names. [Joe Orton]
+
+ *) ab: Fix https:// connection failures (regression in 2.4.30); fix
+ crash generating CSV output for large -n. [Joe Orton, Jan Kaluza]
+
+Changes with Apache 2.4.31 (not released)
+
+ *) mod_proxy_fcgi: Add the support for mod_proxy's flushpackets and flushwait
+ parameters. [Luca Toscano, Ruediger Pluem, Yann Ylavic]
+
+ *) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
+ improper merging of the cache lock in vhost config.
+ PR 43164 [Eric Covener]
+
+ *) mpm_event: Do lingering close in worker(s). [Yann Ylavic]
+
+ *) mpm_queue: Put fdqueue code in common for MPMs event and worker.
+ [Yann Ylavic]
+
+Changes with Apache 2.4.30 (not released)
+
+ *) SECURITY: CVE-2017-15710 (cve.mitre.org)
+ Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
+ [Eric Covener, Luca Toscano, Yann Ylavic]
+
+ *) SECURITY: CVE-2018-1283 (cve.mitre.org)
+ mod_session: CGI-like applications that intend to read from mod_session's
+ 'SessionEnv ON' could be fooled into reading user-supplied data instead.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2018-1303 (cve.mitre.org)
+ mod_cache_socache: Fix request headers parsing to avoid a possible crash
+ with specially crafted input data. [Ruediger Pluem]
+
+ *) SECURITY: CVE-2018-1301 (cve.mitre.org)
+ core: Possible crash with excessively long HTTP request headers.
+ Impractical to exploit with a production build and production LogLevel.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2017-15715 (cve.mitre.org)
+ core: Configure the regular expression engine to match '$' to the end of
+ the input string only, excluding matching the end of any embedded
+ newline characters. Behavior can be changed with new directive
+ 'RegexDefaultOptions'. [Yann Ylavic]
+
+ *) SECURITY: CVE-2018-1312 (cve.mitre.org)
+ mod_auth_digest: Fix generation of nonce values to prevent replay
+ attacks across servers using a common Digest domain. This change
+ may cause problems if used with round robin load balancers. PR 54637
+ [Stefan Fritsch]
+
+ *) SECURITY: CVE-2018-1302 (cve.mitre.org)
+ mod_http2: Potential crash w/ mod_http2.
+ [Stefan Eissing]
+
+ *) mod_proxy: Worker schemes and hostnames which are too large are no
+ longer fatal errors; it is logged and the truncated values are stored.
+ [Jim Jagielski]
+
+ *) mod_proxy: Allow setting options to globally defined balancer from
+ ProxyPass used in VirtualHost. Balancers are now merged using the new
+ merge_balancers method which merges the balancers options. [Jan Kaluza]
+
+ *) logresolve: Fix incorrect behavior or segfault if -c flag is used
+ Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259
+ [Stefan Fritsch]
+
+ *) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
+ Add ability for PROXY protocol processing to be optional to donated code.
+ See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
+ [Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri]
+
+ *) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
+ allowing per backend TLS configuration. [Yann Ylavic]
+
+ *) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module. [Roberto De Ioris,
+ Jim Jagielski]
+
+ *) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
+ depend on the number of restarts (non-Unix systems) and preserve shared
+ names as much as possible on configuration changes for SHMs and persisted
+ files. PR 62044. [Yann Ylavic, Jim Jagielski]
+
+ *) mod_http2: obsolete code removed, no more events on beam pool destruction,
+ discourage content encoders on http2-status response (where they do not work).
+ [Stefan Eissing]
+
+ *) mpm_event: Let the listener thread do its maintenance job on resources
+ shortage. PR 61979. [Yann Ylavic]
+
+ *) mpm_event: Wakeup the listener to re-enable listening sockets.
+ [Yann Ylavic]
+
+ *) mod_ssl: The SSLCompression directive will now give an error if used
+ with an OpenSSL build which does not support any compression methods.
+ [Joe Orton]
+
+ *) mpm_event,worker: Mask signals for threads created by modules in child
+ init, so that they don't receive (implicitly) the ones meant for the MPM.
+ PR 62009. [Armin Abfalterer <a.abfalterer gmail com>, Yann Ylavic]
+
+ *) mod_md: new experimental, module for managing domains across virtual hosts,
+ implementing the Let's Encrypt ACMEv1 protocol to signup and renew
+ certificates. Please read the modules documentation for further instructions
+ on how to use it. [Stefan Eissing]
+
+ *) mod_proxy_html: skip documents shorter than 4 bytes
+ PR 56286 [Micha Lenk <micha lenk info>]
+
+ *) core, mpm_event: Avoid a small memory leak of the scoreboard handle, for
+ the lifetime of the connection, each time it is processed by MPM event.
+ [Yann Ylavic]
+
+ *) mpm_event: Update scoreboard status for KeepAlive state. [Yann Ylavic]
+
+ *) mod_ldap: Fix a case where a full LDAP cache would continually fail to
+ purge old entries and log AH01323. PR61891.
+ [Hendrik Harms <hendrik.harms gmail.com>]
+
+ *) mpm_event: close connections not reported as handled by any module to
+ avoid losing track of them and leaking scoreboard entries. PR 61551.
+ [Yann Ylavic]
+
+ *) core: A signal received while stopping could have crashed the main
+ process. PR 61558. [Yann Ylavic]
+
+ *) mod_ssl: support for mod_md added. [Stefan Eissing]
+
+ *) mod_proxy_html: process parsed comments immediately.
+ Fixes bug (seen in the wild when used with IBM's HTTPD bundle)
+ where parsed comments may be lost. [Nick Kew]
+
+ *) mod_proxy_html: introduce doctype for HTML 5 [Nick Kew]
+
+ *) mod_proxy_html: fix typo-bug processing "strict" vs "transitional"
+ HTML/XHTML. PR 56457 [Nick Kew]
+
+ *) mpm_event: avoid a very unlikely race condition between the listener and
+ the workers when the latter fails to add a connection to the pollset.
+ [Yann Ylavic]
+
+ *) core: silently ignore a not existent file path when IncludeOptional
+ is used. PR 57585. [Alberto Murillo Silva <powerbsd yahoo.com>, Luca Toscano]
+
+ *) mod_macro: fix usability of globally defined macros in .htaccess files.
+ PR 57525. [Jose Kahan <jose w3.org>, Yann Ylavic]
+
+ *) mod_rewrite, core: add the Vary header when a condition evaluates to true
+ and the related RewriteRule is used in a Directory context
+ (triggering an internal redirect). [Luca Toscano]
+
+ *) ab: Make the TLS layer aware that the underlying socket is nonblocking,
+ and use/handle POLLOUT where needed to avoid busy IOs and recover write
+ errors when appropriate. [Yann Ylavic]
+
+ *) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
+ read was incomplete (the SSL case can cause the next poll() to timeout
+ since data are buffered already). PR 61301 [Luca Toscano, Yann Ylavic]
+
+ *) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain
+ information retrievals on null bucket beams where it makes sense. [Stefan Eissing]
+
+Changes with Apache 2.4.29
+
+ *) mod_unique_id: Use output of the PRNG rather than IP address and
+ pid, avoiding sleep() call and possible DNS issues at startup,
+ plus improving randomness for IPv6-only hosts. [Jan Kaluza]
+
+ *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST
+ is used in a condition that evaluates to true. PR 58231 [Luca Toscano, Yann Ylavic]
+
+ *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
+ beams that could lead to assertion failure in edge cases.
+ [Stefan Eissing]
+
+ *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
+ in 2.4.28. [Jim Jagielski]
+
+ *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
+ PR 61546. [Lubos Uhliarik <luhliari redhat.com>]
+
+ *) mod_rewrite: Add support for starting External Rewriting Programs
+ as non-root user on UNIX systems by specifying username and group
+ name as third argument of RewriteMap directive. [Jan Kaluza]
+
+ *) core: Rewrite the Content-Length filter to avoid excessive memory
+ consumption. Chunked responses will be generated in more cases
+ than in previous releases. PR 61222. [Joe Orton, Ruediger Pluem]
+
+ *) mod_ssl: Fix SessionTicket callback return value, which does seem to
+ matter with OpenSSL 1.1. [Yann Ylavic]
+
+Changes with Apache 2.4.28
+
+ *) SECURITY: CVE-2017-9798 (cve.mitre.org)
+ Corrupted or freed memory access. <Limit[Except]> must now be used in the
+ main configuration file (httpd.conf) to register HTTP methods before the
+ .htaccess files. [Yann Ylavic]
+
+ *) event: Avoid possible blocking in the listener thread when shutting down
+ connections. PR 60956. [Yann Ylavic]
+
+ *) mod_speling: Don't embed referer data in a link in error page.
+ PR 38923 [Nick Kew]
+
+ *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
+ length in a password file. PR 61511.
+ [Luca Toscano, Hanno Böck <hanno hboeck de>]
+
+ *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
+ [Jim Jagielski]
+
+ *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
+ PR 61142.
+
+ *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be specified
+ down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
+ 's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]
+
+ *) mod_http2: Fix for stalling when more than 32KB are written to a
+ suspended stream. [Stefan Eissing]
+
+ *) build: allow configuration without APR sources. [Jacob Champion]
+
+ *) mod_ssl, ab: Fix compatibility with LibreSSL. PR 61184.
+ [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
+ Yann Ylavic]
+
+ *) core/log: Support use of optional "tag" in syslog entries.
+ PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]
+
+ *) mod_proxy: Fix ProxyAddHeaders merging. [Joe Orton]
+
+ *) core: Disallow multiple Listen on the same IP:port when listener buckets
+ are configured (ListenCoresBucketsRatio > 0), consistently with the single
+ bucket case (default), thus avoiding the leak of the corresponding socket
+ descriptors on graceful restart. [Yann Ylavic]
+
+ *) event: Avoid listener periodic wake ups by using the pollset wake-ability
+ when available. PR 57399. [Yann Ylavic, Luca Toscano]
+
+ *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
+ led to spurious HTTP 502 error messages sent on upgrade connections.
+ PR 61283. [Yann Ylavic]
+
+Changes with Apache 2.4.27
+
+ *) SECURITY: CVE-2017-9789 (cve.mitre.org)
+ mod_http2: Read after free. When under stress, closing many connections,
+ the HTTP/2 handling code would sometimes access memory after it has been
+ freed, resulting in potentially erratic behaviour.
+ [Stefan Eissing]
+
+ *) SECURITY: CVE-2017-9788 (cve.mitre.org)
+ mod_auth_digest: Uninitialized memory reflection. The value placeholder
+ in [Proxy-]Authorization headers type 'Digest' was not initialized or
+ reset before or between successive key=value assignments.
+ [William Rowe]
+
+ *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
+ global variable when using Lua 5.2 or later. This was exported as a
+ side effect from luaL_register, which is no longer supported as of
+ Lua 5.2 which deprecates pollution of the global namespace.
+ [Rainer Jung]
+
+ *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
+ The server will continue to run, but HTTP/2 will no longer be negotiated.
+ [Stefan Eissing]
+
+ *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
+ default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
+ [Jacob Champion, Jim Jagielski]
+
+ *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
+ PR58188, PR60831, PR61245. [Rainer Jung]
+
+ *) mod_http2: Simplify ready queue, less memory and better performance. Update
+ mod_http2 version to 1.10.7. [Stefan Eissing]
+
+ *) Allow single-char field names inadvertently disallowed in 2.4.25.
+ PR 61220. [Yann Ylavic]
+
+ *) htpasswd / htdigest: Do not apply the strict permissions of the temporary
+ passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]
+
+ *) core: Avoid duplicate HEAD in Allow header.
+ This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
+ PR 61207. [Christophe Jaillet]
+
+Changes with Apache 2.4.26
+
+ *) SECURITY: CVE-2017-7679 (cve.mitre.org)
+ mod_mime can read one byte past the end of a buffer when sending a
+ malicious Content-Type response header. [Yann Ylavic]
+
+ *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+ The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+ bug in token list parsing, which allows ap_find_token() to search past
+ the end of its input string. By maliciously crafting a sequence of
+ request headers, an attacker may be able to cause a segmentation fault,
+ or to force ap_find_token() to return an incorrect value.
+ [Jacob Champion]
+
+ *) SECURITY: CVE-2017-7659 (cve.mitre.org)
+ A maliciously constructed HTTP/2 request could cause mod_http2 to
+ dereference a NULL pointer and crash the server process.
+
+ *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+ mod_ssl may dereference a NULL pointer when third-party modules call
+ ap_hook_process_connection() during an HTTP request to an HTTPS port.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2017-3167 (cve.mitre.org)
+ Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+ authentication phase may lead to authentication requirements being
+ bypassed.
+ [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+
+ *) HTTP/2 support no longer tagged as "experimental" but is instead considered
+ fully production ready.
+
+ *) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
+ the session in continuous check for state changes that never happen.
+ [Stefan Eissing]
+
+ *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
+ protocols. [Jean-Frederic Clere]
+
+ *) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
+ a possible crash if a signal is caught during (graceful) restart.
+ PR 60487. [Yann Ylavic]
+
+ *) mod_rewrite: When a substitution is a fully qualified URL, and the
+ scheme/host/port matches the current virtual host, stop interpreting the
+ path component as a local path just because the first component of the
+ path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
+ to revert to previous behavior. PR60009.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
+ platforms. PR61124. [Hank Ibell <hwibell gmail.com>]
+
+ *) ab: enable option processing for setting a custom HTTP method also for
+ non-SSL builds. [Rainer Jung]
+
+ *) core: EBCDIC fixes for interim responses with additional headers.
+ [Eric Covener]
+
+ *) mod_env: when processing a 'SetEnv' directive, warn if the environment
+ variable name includes a '='. It is likely a configuration error.
+ PR 60249 [Christophe Jaillet]
+
+ *) Evaluate nested If/ElseIf/Else configuration blocks.
+ [Luca Toscano, Jacob Champion]
+
+ *) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
+ allow spaces in backreferences to be encoded as %20 instead of '+'.
+ [Eric Covener]
+
+ *) mod_rewrite: Add the possibility to limit the escaping to specific
+ characters in backreferences by listing them in the B flag.
+ [Eric Covener]
+
+ *) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
+ systems. [Eric Covener]
+
+ *) mod_http2: fail requests without ERROR log in case we need to read interim
+ responses and see only garbage. This can happen if proxied servers send
+ data where none should be, e.g. a body for a HEAD request. [Stefan Eissing]
+
+ *) mod_proxy_http2: adding support for Reverse Proxy Request headers.
+ [Stefan Eissing]
+
+ *) mod_http2: fixed possible deadlock that could occur when connections were
+ terminated early with ongoing streams. Fixed possible hanger with timeout
+ on race when connection considers itself idle. [Stefan Eissing]
+
+ *) mod_http2: MaxKeepAliveRequests now limits the number of times a
+ slave connection gets reused. [Stefan Eissing]
+
+ *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
+ [Evgeny Kotkov]
+
+ *) mod_proxy_http2: Fixed bug in re-attempting proxy requests after
+ connection error. Reliability of reconnect handling improved.
+ [Stefan Eissing]
+
+ *) mod_http2: better performance, eliminated need for nested locks and
+ thread privates. Moving request setups from the main connection to the
+ worker threads. Increase number of spare connections kept.
+ [Stefan Eissing]
+
+ *) mod_http2: input buffering and dynamic flow windows for increased
+ throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
+ in mod_http2 INFO log as feature 'DWINS'. [Stefan Eissing]
+
+ *) mod_http2: h2 workers with improved scalability for better scheduling
+ performance. There are H2MaxWorkers threads created at start and the
+ number is kept constant for now. [Stefan Eissing]
+
+ *) mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and
+ just log a warning. [Stefan Eissing]
+
+ *) mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date
+ format from 2.2 in the Last Modified column. PR60846.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: Add %{REMOTE_PORT} to the expression parser. PR59938
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
+ computing and using the same entity key according to when the cache
+ checks, loads and saves the request.
+ PR 60577. [Yann Ylavic]
+
+ *) mod_proxy_hcheck: Don't validate timed out responses. [Yann Ylavic]
+
+ *) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
+ in use (ProxyHCTPsize > 0). PR 60071. [Yann Ylavic, Jim Jagielski]
+
+ *) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
+ URI originally requested by the user, not the nested documents URI. This
+ restores the behavior of this variable to match the "legacy" SSI parser.
+ PR60624. [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
+ variables just before invoking the FastCGI. [Eric Covener,
+ Jacob Champion]
+
+ *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
+ a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
+ default. Add ProxyFCGIBackendType to allow the type of backend to be
+ specified so these kinds of fixups can be restored without impacting
+ FPM. PR60576 [Eric Covener, Jim Jagielski]
+
+ *) mod_ssl: work around leaks on (graceful) restart. [Yann Ylavic]
+
+ *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
+
+ *) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
+ than zero. [Eric Covener]
+
+ *) mod_http2: moving session cleanup to pre_close hook to avoid races with
+ modules already shut down and slave connections still operating.
+ [Stefan Eissing]
+
+ *) mod_lua: Support for Lua 5.3
+
+ *) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
+
+ *) mod_http2: fix for crash when running out of memory.
+ [Robert Swiecki <robert swiecki.net>, Stefan Eissing]
+
+ *) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
+ [Luca Toscano]
+
+ *) mod_http2: not counting file buckets again stream max buffer limits.
+ Effectively transferring static files in one step from slave to master
+ connection. [Stefan Eissing]
+
+ *) mod_http2: comforting ap_check_pipeline() on slave connections
+ to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
+ [Stefan Eissing, reported by Armin Abfalterer]
+
+ *) mod_http2: http/2 streams now with state handling/transitions as defined
+ in RFC7540. Stream cleanup/connection shutdown reworked to become easier
+ to understand/maintain/debug. Added many asserts on state and cleanup
+ transitions. [Stefan Eissing]
+
+ *) mod_auth_digest: Use an anonymous shared memory segment by default,
+ preventing startup failure after unclean shutdown. PR 54622.
+ [Jan Kaluza]
+
+ *) mod_filter: Fix AddOutputFilterByType with non-content-level filters.
+ PR 58856. [Micha Lenk <micha lenk.info>]
+
+ *) mod_watchdog: Fix semaphore leak over restarts. [Jim Jagielski]
+
+ *) mod_http2: regression fix on PR 59348, on graceful restart, ongoing
+ streams are finished normally before the final GOAWAY is sent.
+ [Stefan Eissing, <slavko gmail.com>]
+
+ *) mod_proxy: Allow the per-request environment variable "no-proxy" to
+ be used as an alternative to ProxyPass /path !. This is primarily
+ to set exceptions for ProxyPass specified in <Location> context.
+ Use SetEnvIf, not SetEnv. PR 60458. [Eric Covener]
+
[... 5205 lines stripped ...]