Posted to cvs@httpd.apache.org by ja...@apache.org on 2021/04/28 15:59:45 UTC

svn commit: r47462 - /dev/httpd/ /release/httpd/

Author: jailletc36
Date: Wed Apr 28 15:59:45 2021
New Revision: 47462

Log:
Push 2.4.47 up to the release directory

Added:
    release/httpd/CHANGES_2.4.47
      - copied unchanged from r47461, dev/httpd/CHANGES_2.4.47
    release/httpd/httpd-2.4.47.tar.bz2
      - copied unchanged from r47461, dev/httpd/httpd-2.4.47.tar.bz2
    release/httpd/httpd-2.4.47.tar.bz2.asc
      - copied unchanged from r47461, dev/httpd/httpd-2.4.47.tar.bz2.asc
    release/httpd/httpd-2.4.47.tar.bz2.md5
      - copied unchanged from r47461, dev/httpd/httpd-2.4.47.tar.bz2.md5
    release/httpd/httpd-2.4.47.tar.bz2.sha1
      - copied unchanged from r47461, dev/httpd/httpd-2.4.47.tar.bz2.sha1
    release/httpd/httpd-2.4.47.tar.bz2.sha256
      - copied unchanged from r47461, dev/httpd/httpd-2.4.47.tar.bz2.sha256
    release/httpd/httpd-2.4.47.tar.bz2.sha512
      - copied unchanged from r47461, dev/httpd/httpd-2.4.47.tar.bz2.sha512
    release/httpd/httpd-2.4.47.tar.gz
      - copied unchanged from r47461, dev/httpd/httpd-2.4.47.tar.gz
    release/httpd/httpd-2.4.47.tar.gz.asc
      - copied unchanged from r47461, dev/httpd/httpd-2.4.47.tar.gz.asc
    release/httpd/httpd-2.4.47.tar.gz.md5
      - copied unchanged from r47461, dev/httpd/httpd-2.4.47.tar.gz.md5
    release/httpd/httpd-2.4.47.tar.gz.sha1
      - copied unchanged from r47461, dev/httpd/httpd-2.4.47.tar.gz.sha1
    release/httpd/httpd-2.4.47.tar.gz.sha256
      - copied unchanged from r47461, dev/httpd/httpd-2.4.47.tar.gz.sha256
    release/httpd/httpd-2.4.47.tar.gz.sha512
      - copied unchanged from r47461, dev/httpd/httpd-2.4.47.tar.gz.sha512
Removed:
    dev/httpd/CHANGES_2.4
    dev/httpd/CHANGES_2.4.47
    dev/httpd/httpd-2.4.47-deps.tar.bz2
    dev/httpd/httpd-2.4.47-deps.tar.bz2.asc
    dev/httpd/httpd-2.4.47-deps.tar.bz2.md5
    dev/httpd/httpd-2.4.47-deps.tar.bz2.sha1
    dev/httpd/httpd-2.4.47-deps.tar.bz2.sha256
    dev/httpd/httpd-2.4.47-deps.tar.bz2.sha512
    dev/httpd/httpd-2.4.47-deps.tar.gz
    dev/httpd/httpd-2.4.47-deps.tar.gz.asc
    dev/httpd/httpd-2.4.47-deps.tar.gz.md5
    dev/httpd/httpd-2.4.47-deps.tar.gz.sha1
    dev/httpd/httpd-2.4.47-deps.tar.gz.sha256
    dev/httpd/httpd-2.4.47-deps.tar.gz.sha512
    dev/httpd/httpd-2.4.47.tar.bz2
    dev/httpd/httpd-2.4.47.tar.bz2.asc
    dev/httpd/httpd-2.4.47.tar.bz2.md5
    dev/httpd/httpd-2.4.47.tar.bz2.sha1
    dev/httpd/httpd-2.4.47.tar.bz2.sha256
    dev/httpd/httpd-2.4.47.tar.bz2.sha512
    dev/httpd/httpd-2.4.47.tar.gz
    dev/httpd/httpd-2.4.47.tar.gz.asc
    dev/httpd/httpd-2.4.47.tar.gz.md5
    dev/httpd/httpd-2.4.47.tar.gz.sha1
    dev/httpd/httpd-2.4.47.tar.gz.sha256
    dev/httpd/httpd-2.4.47.tar.gz.sha512
Modified:
    release/httpd/Announcement2.4.html
    release/httpd/Announcement2.4.txt
    release/httpd/CHANGES_2.4

Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Wed Apr 28 15:59:45 2021
@@ -49,27 +49,27 @@
 <div class="banner"></div>
 
 <h1>
-                       Apache HTTP Server 2.4.46 Released
+                       Apache HTTP Server 2.4.47 Released
 </h1>
 <p>
-   August 07, 2020
+   September 21, 2018
 </p>
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
    pleased to <a href="https://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
-   the release of version 2.4.46 of the Apache
+   the release of version 2.4.47 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a security, feature and bug fix release.
+   a feature and bug fix release.
 </p>
 <p>
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 </p>
 <p>
-   Apache HTTP Server 2.4.46 is available for download from:
+   Apache HTTP Server 2.4.47 is available for download from:
 </p>
 <dl>
   <dd><a href="https://httpd.apache.org/download.cgi"
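Review bot: the release date is wrong in this hunk; `+   September 21, 2018` replaces `-   August 07, 2020` for a release this commit pushes on Wed Apr 28 2021, so the line regressed to a stale value and should carry the actual 2.4.47 release date. The wording change to `+   a feature and bug fix release.` is consistent with the 2.4.47 block added to CHANGES_2.4 in this same commit, which contains no SECURITY entries.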
@@ -77,7 +77,7 @@
 </dl>
 <p>
    Please see the <a href="./CHANGES_2.4">CHANGES_2.4</a> file, linked from the download page, for a
-   full list of changes.  A condensed list, <a href="./CHANGES_2.4.46">CHANGES_2.4.46</a> includes only
+   full list of changes.  A condensed list, <a href="./CHANGES_2.4.47">CHANGES_2.4.47</a> includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:
@@ -124,9 +124,5 @@ href="https://svn.apache.org/repos/asf/h
    patches.  Users must promptly complete their transitions to this 2.4.x
    release of httpd to benefit from further bug fixes or new features.
 </p>
-<p>
-   Finally, please note that support for the recently released Lua 5.4 is
-   not available in this release. Please continue to use Lua 5.3 for now.
-</p>
 </body>
 </html>

Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Wed Apr 28 15:59:45 2021
@@ -1,19 +1,19 @@
-                Apache HTTP Server 2.4.46 Released
+                Apache HTTP Server 2.4.47 Released
 
-   August 07, 2020
+   September 21, 2018
 
    The Apache Software Foundation and the Apache HTTP Server Project
-   are pleased to announce the release of version 2.4.46 of the Apache
+   are pleased to announce the release of version 2.4.47 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a security, feature and bug fix release.
+   a feature and bug fix release.
 
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 
-   Apache HTTP Server 2.4.46 is available for download from:
+   Apache HTTP Server 2.4.47 is available for download from:
 
      https://httpd.apache.org/download.cgi
 
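Review bot: same date regression as in Announcement2.4.html: `+   September 21, 2018` replaces `-   August 07, 2020` in a release being pushed in April 2021; both announcement files should be corrected to the real 2.4.47 release date before they are mirrored.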
@@ -24,7 +24,7 @@
      https://httpd.apache.org/docs/trunk/new_features_2_4.html
 
    Please see the CHANGES_2.4 file, linked from the download page, for a
-   full list of changes. A condensed list, CHANGES_2.4.46 includes only
+   full list of changes. A condensed list, CHANGES_2.4.47 includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:
@@ -52,5 +52,3 @@
    patches.  Users must promptly complete their transitions to this 2.4.x
    release of httpd to benefit from further bug fixes or new features.
 
-   Finally, please note that support for the recently released Lua 5.4 is
-   not available in this release. Please continue to use Lua 5.3 for now.

Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Wed Apr 28 15:59:45 2021
@@ -1,5 +1,144 @@
                                                          -*- coding: utf-8 -*-
+Changes with Apache 2.4.47
+
+  *) mod_dav_fs: Improve logging output when failing to open files for
+     writing.  PR 64413.  [Bingyu Shen <ahshenbingyu gmail.com>]
+
+  *) mod_http2: Fixed a race condition that could lead to streams being
+     aborted (RST to the client), although a response had been produced.
+     [Stefan Eissing]
+
+  *) mod_lua: Add support to Lua 5.4  [Joe Orton, Giovanni Bechis, Ruediger Pluem]
+
+  *) MPM event/worker: Fix possible crash in child process on early signal
+     delivery.  PR 64533.  [Ruediger Pluem]
+
+  *) mod_http2: sync with github standalone version 1.15.17
+     - Log requests and sent the configured error response in case of early detected
+       errors like too many or too long headers. [Ruediger Pluem]
+     - new option 'H2OutputBuffering on/off' which controls the buffering of stream output.
+       The default is on, which is the behaviour of older mod-h2 versions. When off, all
+       bytes are made available immediately to the main connection for sending them
+       out to the client. This fixes interop issues with certain flavours of gRPC, see
+       also <https://github.com/icing/mod_h2/issues/207>.
+       [Stefan Eissing]
+
+  *) mod_unique_id: Fix potential duplicated ID generation under heavy load.
+     PR 65159
+     [Jonas Müntener <jonas.muentener ergon.ch>, Christophe Jaillet]
+
+  *) "[mod_dav_fs etag handling] should really honor the FileETag setting".
+     - It now does.
+     - Add "Digest" to FileETag directive, allowing a strong ETag to be
+       generated using a file digest.
+     - Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over
+       ETag generation.
+     - Add concept of "binary notes" to request_rec, allowing packed bit flags
+       to be added to a request.
+     - First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force
+       the ETag to a strong ETag to comply with RFC requirements, such as those
+       mandated by various WebDAV extensions.
+     [Graham Leggett]
+
+  *) mod_proxy_http: Fix a possibly crash when the origin connection gets
+     interrupted before completion.  PR 64234.
+     [Barnim Dzwillo <dzwillo strato.de>, Ruediger Pluem]
+
+  *) mod_ssl: Do not keep connections to OCSP responders alive when doing
+     OCSP requests.  PR 64135.  [Ruediger Pluem]
+
+  *) mod_ssl: Improve the coalescing filter to buffer into larger TLS
+     records, and avoid revealing the HTTP header size via TLS record
+     boundaries (for common response generators).
+     [Joe Orton, Ruediger Pluem]     
+
+  *) mod_proxy_hcheck: Don't pile up health checks if the previous one did
+     not finish before hcinterval.  PR 63010.  [Yann Ylavic]
+
+  *) mod_session: Improve session parsing.  [Yann Yalvic]
+
+  *) mod_authnz_ldap: Prevent authentications with empty passwords for the
+     initial bind to fail with status 500. [Ruediger Pluem]
+
+  *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
+     the format can't match anyway.  [Yann Ylavic]
+
+  *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
+     Transfer-Encoding from the client, spooling the request body when needed
+     to provide a Content-Length to the backend.  PR 57087.  [Yann Ylavic]
+
+  *) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
+     proxy_util.  [Yann Ylavic]
+
+  *) mod_proxy: Improve tunneling loop to support half closed connections and
+     pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
+
+  *) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
+     and switched protocol forwarding.  [Yann Ylavic]
+
+  *) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
+     allowing for (non-)Upgrade negotiation with the origin server.
+     [Yann Ylavic]
+
+  *) mod_proxy: Allow ProxyErrorOverride to be restricted to specific status 
+     codes.  PR63628. [Martin Drößler <mail martindroessler.de>]
+
+  *) core: Add ReadBufferSize, FlushMaxThreshold and FlushMaxPipelined
+     directives.  [Yann Ylavic]
+
+  *) core: Ensure that aborted connections are logged as such. PR 62823
+     [Arnaud Grandville <co...@grandville.net>]
+
+  *) http: Allow unknown response status' lines returned in the form of
+     "HTTP/x.x xxx Status xxx".  [Yann Ylavic]
+
+  *) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies,
+     leading to Request Timeout (408).  PR 63855.  [Yann Ylavic]
+
+  *) core: Remove headers on 304 Not Modified as specified by RFC7234, as
+     opposed to passing an explicit subset of headers. PR 61820.
+     [Giovanni Bechis]
+
+  *) mpm_event: Don't reset connections after lingering close, restoring prior
+     to 2.4.28 behaviour.  [Yann Ylavic]
+
+  *) mpm_event: Kill connections in keepalive state only when there is no more
+     workers available, not when the maximum number of connections is reached,
+     restoring prior to 2.4.30 behaviour.  [Yann Ylavic]
+
+  *) mod_unique_id: Use base64url encoding for UNIQUE_ID variable,
+     avoiding the use of '@'.  PR 57044.
+     [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>]
+
+  *) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a
+     SameSite attribute. [Eric Covener]
+
+  *) mod_proxy: Add proxy check_trans hook.  This allows proxy 
+     modules to decline request handling at early stage.
+
+  *) mod_proxy_wstunnel: Decline requests without an Upgrade
+     header so ws/wss can be enabled overlapping with later
+     http/https.
+
+  *) mod_http2: Log requests and sent the configured error response in case of
+     early detected errors like too many or too long headers.
+     [Ruediger Pluem, Stefan Eissing]
+
+  *) mod_md: Lowered the required minimal libcurl version from 7.50 to 7.29
+     as proposed by <alexander.gerasimov codeit.pro>. [Stefan Eissing]
+
+  *) mod_ssl: Fix request body buffering with PHA in TLSv1.3.  [Joe Orton]
+
+  *) mod_proxy_uwsgi: Fix a crash when sending environment variables with no
+     value. PR 64598 [Ruediger Pluem]
+
+  *) mod_proxy: Recognize parameters from ProxyPassMatch workers with dollar
+     substitution, such that they apply to the backend connection.  Note that
+     connection reuse is disabled by default to avoid compatibility issues.
+     [Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere]
+
 Changes with Apache 2.4.46
+
   *) SECURITY: CVE-2020-11984 (cve.mitre.org)
      mod_proxy_uwsgi: Malicious request may result in information disclosure
      or RCE of existing file on the server running under a malicious process
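Review bot: two entries in the new 2.4.47 block have no attribution bracket, unlike every other entry in the file: `mod_proxy: Add proxy check_trans hook.` and `mod_proxy_wstunnel: Decline requests without an Upgrade`; please add the `[Name]` credit to each. The mod_http2 item "Log requests and sent the configured error response in case of early detected errors like too many or too long headers" appears twice, once as a sub-bullet of the "sync with github standalone version 1.15.17" entry and again as a standalone entry near the end of the block; one copy should be dropped. Smaller fixes in the same hunk: `[Yann Yalvic]` should read `[Yann Ylavic]`, "Fix a possibly crash" should be "Fix a possible crash", "Log requests and sent" should be "send", `PR63628` should be `PR 63628` to match the other entries, and the `[Joe Orton, Ruediger Pluem]` line carries trailing whitespace.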
@@ -10,13 +149,13 @@ Changes with Apache 2.4.46
      where possibly made that result in concurrent, unsafe use of
      a memory pool. [Stefan Eissing]
 
-  *) SECURITY: 
+  *) SECURITY: CVE-2020-9490 (cve.mitre.org)
      mod_http2: a specially crafted value for the 'Cache-Digest' header
      request would result in a crash when the server actually tries
-     to HTTP/2 PUSH a resource afterwards.
-     [Stefan Eissing, Eric Covener, Christophe Jaillet]
+     to HTTP/2 PUSH a resource afterwards. [Stefan Eissing]
 
-  *) mod_proxy_fcgi: Fix build warnings for Windows platform
+  *) mod_proxy_fcgi: Fix missing APLOGNO macro argument
+     [Eric Covener, Christophe Jaillet]
 
 Changes with Apache 2.4.45
 
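Review bot: this hunk rewrites entries of the already-released 2.4.46 section, which downstream advisories and distro changelogs index by line: the previously empty `SECURITY:` header gains `CVE-2020-9490 (cve.mitre.org)`, the credit on that entry is trimmed to `[Stefan Eissing]`, and the mod_proxy_fcgi entry changes from `Fix build warnings for Windows platform` to `Fix missing APLOGNO macro argument` with the moved credits. Adding the missing CVE identifier is clearly right; the replaced mod_proxy_fcgi description should be checked against what actually shipped in 2.4.46 so the historical section stays accurate.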
@@ -102,6 +241,11 @@ Changes with Apache 2.4.42
      with an empty body (regression introduced in 2.4.41). PR63891. 
      [Yann Ylavic]
 
+  *) core: Use a temporary file when writing the pid file, avoiding
+     startup failure if an empty pidfile is left over from a
+     previous crashed or aborted invocation of httpd.  PR 63140.
+     [Nicolas Carrier <carrier.nicolas0 gmail.com>, Joe Orton]
+
   *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
      identifier under load, see <https://github.com/icing/mod_h2/issues/195>.
      [Michael Kaufmann, Stefan Eissing]
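Review bot: the new `core: Use a temporary file when writing the pid file` entry (PR 63140, Joe Orton) is inserted into a section the hunk header places under `Changes with Apache 2.4.42`, not into the 2.4.47 block at the top of the file; unless that fix genuinely shipped in the earlier release, it should move up so it appears in CHANGES_2.4.47, which is generated from the top block.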
@@ -222,7 +366,7 @@ Changes with Apache 2.4.42
        documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
      - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
      - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
-       "transfer-encoding" to POST requests. This failed in directy communication with
+       "transfer-encoding" to POST requests. This failed in direct communication with
        Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]
 
   *) mod_md: Adding the several new features.
@@ -231,7 +375,7 @@ Changes with Apache 2.4.42
      is part of mod_md's monitoring and message notifications. If can be used
      for sites that do not have ACME certificates.
      The url for a CTLog Monitor can be configured. It is used in the server-status
-     to link to the external status page of a certicate.
+     to link to the external status page of a certificate.
      The MDMessageCmd is called with argument "installed" when a new certificate
      has been activated on server restart/reload. This allows for processing of
      the new certificate, for example to applications that require it in different
@@ -405,22 +549,16 @@ Changes with Apache 2.4.39
   *) SECURITY: CVE-2019-0196 (cve.mitre.org)
      mod_http2: using fuzzed network input, the http/2 request
      handling could be made to access freed memory in string
-     comparision when determining the method of a request and
+     comparison when determining the method of a request and
      thus process the request incorrectly. [Stefan Eissing]
 
   *) SECURITY: CVE-2019-0211 (cve.mitre.org)
-     MPMs unix: Fix a local priviledge escalation vulnerability by not
+     MPMs unix: Fix a local privilege escalation vulnerability by not
      maintaining each child's listener bucket number in the scoreboard,
      preventing unprivileged code like scripts run by/on the server (e.g. via
-     mod_php) from modifying it persistently to abuse the priviledged main
+     mod_php) from modifying it persistently to abuse the privileged main
      process.  [Charles Fol <folcharles gmail.com>, Yann Ylavic]
 
-  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
-     mod_http2: using fuzzed network input, the http/2 request
-     handling could be made to access freed memory in string
-     comparision when determining the method of a request and
-     thus process the request incorrectly. [Stefan Eissing]
-
   *) SECURITY: CVE-2019-0217 (cve.mitre.org)
      mod_auth_digest: Fix a race condition checking user credentials which
      could allow a user with valid credentials to impersonate another,
@@ -459,7 +597,7 @@ Changes with Apache 2.4.39
   
   *) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
      has no more need for it. Optional functions are still declared but no longer implemented.
-     While previous mod_proxy_http2 will work with this, it is recommeneded to run the matching
+     While previous mod_proxy_http2 will work with this, it is recommended to run the matching
      versions of both modules. [Stefan Eissing]
   
   *) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
@@ -979,7 +1117,7 @@ Changes with Apache 2.4.30 (not released
      [Joe Orton]
 
   *) mpm_event,worker: Mask signals for threads created by modules in child
-     init, so that they don't receive (implicitely) the ones meant for the MPM.
+     init, so that they don't receive (implicitly) the ones meant for the MPM.
      PR 62009. [Armin Abfalterer <a.abfalterer gmail com>, Yann Ylavic]
 
   *) mod_md: new experimental, module for managing domains across virtual hosts,
@@ -1096,7 +1234,7 @@ Changes with Apache 2.4.28
   *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
      PR 61142.
 
-  *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
+  *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be specified
      down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
      's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]
 
@@ -1302,7 +1440,7 @@ Changes with Apache 2.4.26
      in use (ProxyHCTPsize > 0).  PR 60071.  [Yann Ylavic, Jim Jagielski]
 
   *) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
-     URI originally requsted by the user, not the nested documents URI. This
+     URI originally requested by the user, not the nested documents URI. This
      restores the behavior of this variable to match the "legacy" SSI parser.
      PR60624. [Hank Ibell <hwibell gmail.com>]
 
@@ -1338,7 +1476,7 @@ Changes with Apache 2.4.26
      [Luca Toscano]
 
   *) mod_http2: not counting file buckets again stream max buffer limits.
-     Effectively transfering static files in one step from slave to master
+     Effectively transferring static files in one step from slave to master
      connection. [Stefan Eissing]
 
   *) mod_http2: comforting ap_check_pipeline() on slave connections
@@ -1587,7 +1725,7 @@ Changes with Apache 2.4.24 (not released
      master and slave connection. Reduction of internal states for tasks
      and streams, stability. Heuristic id generation for slave connections
      to better keep promise of connection ids unique at given point int time.
-     Fix for mod_cgid interop in high load situtations.
+     Fix for mod_cgid interop in high load situations.
      Fix for handling of incoming trailers when no request body is sent.
      [Stefan Eissing]
 
@@ -2100,7 +2238,7 @@ Changes with Apache 2.4.18
      [Stefan Eissing]
 
   *) mod_proxy_fdpass: Fix AH01153 error when using the default configuration.
-     In earlier version of httpd, you can explicitelly set the 'flusher' parameter
+     In earlier version of httpd, you can explicitly set the 'flusher' parameter
      to 'flush' as a workaround. (i.e. flusher=flush)
      Add documentation for the 'flusher' parameter when defining a proxy worker.
      [Christophe Jaillet]
@@ -2186,7 +2324,7 @@ Changes with Apache 2.4.17
   *) mod_http2: added donated HTTP/2 implementation via core module. Similar
      configuration options to mod_ssl. [Stefan Eissing]
 
-  *) mod_proxy: don't recyle backend announced "Connection: close" connections
+  *) mod_proxy: don't recycle backend announced "Connection: close" connections
      to avoid reusing it should the close be effective after some new request
      is ready to be sent.  [Yann Ylavic]
 
@@ -2450,7 +2588,7 @@ Changes with Apache 2.4.13 (not released
      to avoid a crash when relocation occurs.  PR 57177.  [Yann Ylavic]
 
   *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
-     back to a client. The answer to a LOCK request could be an extremly large
+     back to a client. The answer to a LOCK request could be an extremely large
      integer if the time needed to lock the resource was longer that the
      requested timeout given in the LOCK request. In such a case, we now answer
      "Second-0".  PR55420
@@ -2672,7 +2810,7 @@ Changes with Apache 2.4.11 (not released
   *) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC
      systems. PR 57092 [Edward Lu <Chaosed0 gmail.com>]
 
-  *) mod_cache: Avoid a 304 response to an unconditional requst when an AH00752
+  *) mod_cache: Avoid a 304 response to an unconditional request when an AH00752
      CacheLock error occurs during cache revalidation. [Eric Covener]
 
   *) mod_ssl: Move OCSP stapling information from a per-certificate store to