Posted to cvs@httpd.apache.org by ji...@apache.org on 2017/07/06 17:43:58 UTC
svn commit: r20344 [2/2] - /dev/httpd/CHANGES_2.4.27
Modified: dev/httpd/CHANGES_2.4.27
==============================================================================
--- dev/httpd/CHANGES_2.4.27 (original)
+++ dev/httpd/CHANGES_2.4.27 Thu Jul 6 17:43:58 2017
@@ -32,5388 +32,7 @@ Changes with Apache 2.4.27
This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
PR 61207. [Christophe Jaillet]
-Changes with Apache 2.4.26
- *) SECURITY: CVE-2017-7679 (cve.mitre.org)
- mod_mime can read one byte past the end of a buffer when sending a
- malicious Content-Type response header. [Yann Ylavic]
-
- *) SECURITY: CVE-2017-7668 (cve.mitre.org)
- The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
- bug in token list parsing, which allows ap_find_token() to search past
- the end of its input string. By maliciously crafting a sequence of
- request headers, an attacker may be able to cause a segmentation fault,
- or to force ap_find_token() to return an incorrect value.
- [Jacob Champion]
-
- *) SECURITY: CVE-2017-7659 (cve.mitre.org)
- A maliciously constructed HTTP/2 request could cause mod_http2 to
- dereference a NULL pointer and crash the server process.
-
- *) SECURITY: CVE-2017-3169 (cve.mitre.org)
- mod_ssl may dereference a NULL pointer when third-party modules call
- ap_hook_process_connection() during an HTTP request to an HTTPS port.
- [Yann Ylavic]
-
- *) SECURITY: CVE-2017-3167 (cve.mitre.org)
- Use of the ap_get_basic_auth_pw() by third-party modules outside of the
- authentication phase may lead to authentication requirements being
- bypassed.
- [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
-
- *) HTTP/2 support no longer tagged as "experimental" but is instead considered
- fully production ready.
-
- *) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
- the session in continuous check for state changes that never happen.
- [Stefan Eissing]
-
- *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
- protocols. [Jean-Frederic Clere]
-
- *) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
- a possible crash if a signal is caught during (graceful) restart.
- PR 60487. [Yann Ylavic]
-
- *) mod_rewrite: When a substitution is a fully qualified URL, and the
- scheme/host/port matches the current virtual host, stop interpreting the
- path component as a local path just because the first component of the
- path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
- to revert to previous behavior. PR60009.
- [Hank Ibell <hwibell gmail.com>]
-
- *) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
- platforms. PR61124. [Hank Ibell <hwibell gmail.com>]
-
- *) ab: enable option processing for setting a custom HTTP method also for
- non-SSL builds. [Rainer Jung]
-
- *) core: EBCDIC fixes for interim responses with additional headers.
- [Eric Covener]
-
- *) mod_env: when processing a 'SetEnv' directive, warn if the environment
- variable name includes a '='. It is likely a configuration error.
- PR 60249 [Christophe Jaillet]
-
- *) Evaluate nested If/ElseIf/Else configuration blocks.
- [Luca Toscano, Jacob Champion]
-
- *) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
- allow spaces in backreferences to be encoded as %20 instead of '+'.
- [Eric Covener]
-
- *) mod_rewrite: Add the possibility to limit the escaping to specific
- characters in backreferences by listing them in the B flag.
- [Eric Covener]
-
- *) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
- systems. [Eric Covener]
-
- *) mod_http2: fail requests without ERROR log in case we need to read interim
- responses and see only garbage. This can happen if proxied servers send
- data where none should be, e.g. a body for a HEAD request. [Stefan Eissing]
-
- *) mod_proxy_http2: adding support for Reverse Proxy Request headers.
- [Stefan Eissing]
-
- *) mod_http2: fixed possible deadlock that could occur when connections were
- terminated early with ongoing streams. Fixed possible hanger with timeout
- on race when connection considers itself idle. [Stefan Eissing]
-
- *) mod_http2: MaxKeepAliveRequests now limits the number of times a
- slave connection gets reused. [Stefan Eissing]
-
- *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
- [Evgeny Kotkov]
-
- *) mod_proxy_http2: Fixed bug in re-attempting proxy requests after
- connection error. Reliability of reconnect handling improved.
- [Stefan Eissing]
-
- *) mod_http2: better performance, eliminated need for nested locks and
- thread privates. Moving request setups from the main connection to the
- worker threads. Increase number of spare connections kept.
- [Stefan Eissing]
-
- *) mod_http2: input buffering and dynamic flow windows for increased
- throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
- in mod_http2 INFO log as feature 'DWINS'. [Stefan Eissing]
-
- *) mod_http2: h2 workers with improved scalability for better scheduling
- performance. There are H2MaxWorkers threads created at start and the
- number is kept constant for now. [Stefan Eissing]
-
- *) mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and
- just log a warning. [Stefan Eissing]
-
- *) mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date
- format from 2.2 in the Last Modified column. PR60846.
- [Hank Ibell <hwibell gmail.com>]
-
- *) core: Add %{REMOTE_PORT} to the expression parser. PR59938
- [Hank Ibell <hwibell gmail.com>]
-
- *) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
- computing and using the same entity key according to when the cache
- checks, loads and saves the request.
- PR 60577. [Yann Ylavic]
-
- *) mod_proxy_hcheck: Don't validate timed out responses. [Yann Ylavic]
-
- *) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
- in use (ProxyHCTPsize > 0). PR 60071. [Yann Ylavic, Jim Jagielski]
-
- *) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
- URI originally requsted by the user, not the nested documents URI. This
- restores the behavior of this variable to match the "legacy" SSI parser.
- PR60624. [Hank Ibell <hwibell gmail.com>]
-
- *) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
- variables just before invoking the FastCGI. [Eric Covener,
- Jacob Champion]
-
- *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
- a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
- default. Add ProxyFCGIBackendType to allow the type of backend to be
- specified so these kinds of fixups can be restored without impacting
- FPM. PR60576 [Eric Covener, Jim Jagielski]
-
- *) mod_ssl: work around leaks on (graceful) restart. [Yann Ylavic]
-
- *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
-
- *) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
- than zero. [Eric Covener]
-
- *) mod_http2: moving session cleanup to pre_close hook to avoid races with
- modules already shut down and slave connections still operating.
- [Stefan Eissing]
-
- *) mod_lua: Support for Lua 5.3
-
- *) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
-
- *) mod_http2: fix for crash when running out of memory.
- [Robert Swiecki <robert swiecki.net>, Stefan Eissing]
-
- *) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
- [Luca Toscano]
-
- *) mod_http2: not counting file buckets again stream max buffer limits.
- Effectively transfering static files in one step from slave to master
- connection. [Stefan Eissing]
-
- *) mod_http2: comforting ap_check_pipeline() on slave connections
- to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
- [Stefan Eissing, reported by Armin Abfalterer]
-
- *) mod_http2: http/2 streams now with state handling/transitions as defined
- in RFC7540. Stream cleanup/connection shutdown reworked to become easier
- to understand/maintain/debug. Added many asserts on state and cleanup
- transitions. [Stefan Eissing]
-
- *) mod_auth_digest: Use an anonymous shared memory segment by default,
- preventing startup failure after unclean shutdown. PR 54622.
- [Jan Kaluza]
-
- *) mod_filter: Fix AddOutputFilterByType with non-content-level filters.
- PR 58856. [Micha Lenk <micha lenk.info>]
-
- *) mod_watchdog: Fix semaphore leak over restarts. [Jim Jagielski]
-
- *) mod_http2: regression fix on PR 59348, on graceful restart, ongoing
- streams are finished normally before the final GOAWAY is sent.
- [Stefan Eissing, <slavko gmail.com>]
-
- *) mod_proxy: Allow the per-request environment variable "no-proxy" to
- be used as an alternative to ProxyPass /path !. This is primarily
- to set exceptions for ProxyPass specified in <Location> context.
- Use SetEnvIf, not SetEnv. PR 60458. [Eric Covener]
-
- *) mod_http2: fixes PR60599, sending proper response for conditional requests
- answered by mod_cache. [Jeff Wheelhouse, Stefan Eissing]
-
- *) mod_http2: rework of stream resource cleanup to avoid a crash in a close
- of a lingering connection. Prohibit special file bucket beaming for
- shared buckets. Files sent in stream output now use the stream pool
- as read buffer, reducing memory footprint of connections.
- [Yann Ylavic, Stefan Eissing]
-
- *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
- modules add empty environment variables to the request. PR 60275.
- [<alex2grad AT gmail.com>]
-
- *) mod_http2: fix for possible page fault when stream is resumed during
- session shutdown. [sidney-j-r-m (github)]
-
- *) mod_http2: fix for h2 session ignoring new responses while already
- open streams continue to have data available. [Stefan Eissing]
-
- *) mod_http2: adding support for MergeTrailers directive. [Stefan Eissing]
-
- *) mod_http2: limiting DATA frame sizes by TLS record sizes in use on the
- connection. Flushing outgoing frames earlier. [Stefan Eissing]
-
- *) mod_http2: cleanup beamer registry on server reload. PR 60510.
- [Pavel Mateja <pavel verotel.cz>, Stefan Eissing]
-
- *) mod_proxy_{ajp,fcgi}: Fix a possible crash when reusing an established
- backend connection, happening with LogLevel trace2 or higher configured,
- or at any log level with compilers not detected as C99 compliant (e.g.
- MSVC on Windows). [Yann Ylavic]
-
- *) mod_ext_filter: Don't interfere with "error buckets" issued by other
- modules. PR 60375. [Eric Covener, Lubos Uhliarik]
-
- *) mod_http2: fixes https://github.com/icing/mod_h2/issues/126 e.g. beam
- bucket lifetime handling when data is sent over temporary pools.
- [Stefan Eissing]
-
-Changes with Apache 2.4.25
-
- *) Fix some build issues related to various modules.
- [Rainer Jung]
-
-Changes with Apache 2.4.24 (not released)
-
- *) SECURITY: CVE-2016-8740 (cve.mitre.org)
- mod_http2: Mitigate DoS memory exhaustion via endless
- CONTINUATION frames.
- [Naveen Tiwari <na...@asu.edu> and CDF/SEFCOM at Arizona State
- University, Stefan Eissing]
-
- *) SECURITY: CVE-2016-2161 (cve.mitre.org)
- mod_auth_digest: Prevent segfaults during client entry allocation when
- the shared memory space is exhausted.
- [Maksim Malyutin <m.malyutin dsec.ru>, Eric Covener, Jacob Champion]
-
- *) SECURITY: CVE-2016-0736 (cve.mitre.org)
- mod_session_crypto: Authenticate the session data/cookie with a
- MAC (SipHash) to prevent deciphering or tampering with a padding
- oracle attack. [Yann Ylavic, Colm MacCarthaigh]
-
- *) SECURITY: CVE-2016-8743 (cve.mitre.org)
- Enforce HTTP request grammar corresponding to RFC7230 for request lines
- and request headers, to prevent response splitting and cache pollution by
- malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
-
- *) Validate HTTP response header grammar defined by RFC7230, resulting
- in a 500 error in the event that invalid response header contents are
- detected when serving the response, to avoid response splitting and cache
- pollution by malicious clients, upstream servers or faulty modules.
- [Stefan Fritsch, Eric Covener, Yann Ylavic]
-
- *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
- [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
-
- *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
- looping RewriteRules when the local path significantly exceeds
- LimitRequestLine. PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]
-
- *) mod_ratelimit: Allow for initial "burst" amount at full speed before
- throttling: PR 60145 [Andy Valencia <ajv-etradanalhos vsta.org>,
- Jim Jagielski]
-
- *) mod_socache_memcache: Provide memcache stats to mod_status.
- [Jim Jagielski]
-
- *) http_filters: Fix potential looping in new check_headers() due to new
- pattern of ap_die() from http header filter. Explicitly clear the
- previous headers and body.
-
- *) core: Drop Content-Length header and message-body from HTTP 204 responses.
- PR 51350 [Luca Toscano]
-
- *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is
- configured in <Location>, like in 2.2. PR 60458.
- [Eric Covener]
-
- *) mod_lua: Fix default value of LuaInherit directive. It should be
- 'parent-first' instead of 'none', as per documentation. PR 60419
- [Christophe Jaillet]
-
- *) core: New directive HttpProtocolOptions to control httpd enforcement
- of various RFC7230 requirements. [Stefan Fritsch, William Rowe]
-
- *) core: Permit unencoded ';' characters to appear in proxy requests and
- Location: response headers. Corresponds to modern browser behavior.
- [William Rowe]
-
- *) core: ap_rgetline_core now pulls from r->proto_input_filters.
-
- *) core: Correctly parse an IPv6 literal host specification in an absolute
- URL in the request line. [Stefan Fritsch]
-
- *) core: New directive RegisterHttpMethod for registering non-standard
- HTTP methods. [Stefan Fritsch]
-
- *) mod_socache_memcache: Pass expiration time through to memcached.
- [Faidon Liambotis <paravoid debian.org>, Joe Orton]
-
- *) mod_cache: Use the actual URI path and query-string for identifying the
- cached entity (key), such that rewrites are taken into account when
- running afterwards (CacheQuickHandler off). PR 21935. [Yann Ylavic]
-
- *) mod_http2: new directive 'H2EarlyHints' to enable sending of HTTP status
- 103 interim responses. Disabled by default. [Stefan Eissing]
-
- *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
- in the client certificate chain. PR 55786. [Yann Ylavic]
-
- *) event: Allow to use the whole allocated scoreboard (up to ServerLimit
- slots) to avoid scoreboard full errors when some processes are finishing
- gracefully. Also, make gracefully finishing processes close all
- keep-alive connections. PR 53555. [Stefan Fritsch]
-
- *) mpm_event: Don't take over scoreboard slots from gracefully finishing
- threads. [Stefan Fritsch]
-
- *) mpm_event: Free memory earlier when shutting down processes.
- [Stefan Fritsch]
-
- *) mod_status: Display the process slot number in the async connection
- overview. [Stefan Fritsch]
-
- *) mod_dir: Responses that go through "FallbackResource" might appear to
- hang due to unterminated chunked encoding. PR58292. [Eric Covener]
-
- *) mod_dav: Fix a potential cause of unbounded memory usage or incorrect
- behavior in a routine that sends <DAV:response>'s to the output filters.
- [Evgeny Kotkov]
-
- *) mod_http2: new directive 'H2PushResource' to enable early pushes before
- processing of the main request starts. Resources are announced to the
- client in Link headers on a 103 early hint response.
- All responses with status code <400 are inspected for Link header and
- trigger pushes accordingly. 304 still does prevent pushes.
- 'H2PushResource' can mark resources as 'critical' which gives them higher
- priority than the main resource. This leads to preferred scheduling for
- processing and, when content is available, will send it first. 'critical'
- is also recognized on Link headers. [Stefan Eissing]
-
- *) mod_proxy_http2: uris in Link headers are now mapped back to a suitable
- local url when available. Relative uris with an absolute path are mapped
- as well. This makes reverse proxy mapping available for resources
- announced in this header.
- With 103 interim responses being forwarded to the main client connection,
- this effectively allows early pushing of resources by a reverse proxied
- backend server. [Stefan Eissing]
-
- *) mod_proxy_http2: adding support for newly proposed 103 status code.
- [Stefan Eissing]
-
- *) mpm_unix: Apache fails to start if previously crashed then restarted with
- the same PID (e.g. in container). PR 60261.
- [Val <valentin.bremond gmail.com>, Yann Ylavic]
-
- *) mod_http2: unannounced and multiple interim responses (status code < 200)
- are parsed and forwarded to client until a final response arrives.
- [Stefan Eissing]
-
- *) mod_proxy_http2: improved robustness when main connection is closed early
- by resetting all ongoing streams against the backend.
- [Stefan Eissing]
-
- *) mod_http2: allocators from slave connections are released earlier,
- resulting in less overall memory use on busy, long lived connections.
- [Stefan Eissing]
-
- *) mod_remoteip: Pick up where we left off during a subrequest rather
- than running with the modified XFF but original TCP address.
- PR 49839/PR 60251
-
- *) http: Respond with "408 Request Timeout" when a timeout occurs while
- reading the request body. [Yann Ylavic]
-
- *) mod_http2: connection shutdown revisited: corrected edge cases on
- shutting down ongoing streams, changed log warnings to be less noisy
- when waiting on long running tasks. [Stefan Eissing]
-
- *) mod_http2: changed all AP_DEBUG_ASSERT to ap_assert to have them
- available also in normal deployments. [Stefan Eissing]
-
- *) mod_http2/mod_proxy_http2: 100-continue handling now properly implemented
- up to the backend. Reused HTTP/2 proxy connections with more than a second
- not used will block request bodies until a PING answer is received.
- Requests headers are not delayed by this, since they are repeatable in
- case of failure. This greatly increases robustness, especially with
- busy server and/or low keepalive connections. [Stefan Eissing]
-
- *) mod_proxy_http2: fixed duplicate symbols with mod_http2.
- [Stefan Eissing]
-
- *) mod_http2: rewrite of how responses and trailers are transferred between
- master and slave connection. Reduction of internal states for tasks
- and streams, stability. Heuristic id generation for slave connections
- to better keep promise of connection ids unique at given point int time.
- Fix for mod_cgid interop in high load situtations.
- Fix for handling of incoming trailers when no request body is sent.
- [Stefan Eissing]
-
- *) mod_http2: fix suspended handling for streams. Output could become
- blocked in rare cases. [Stefan Eissing]
-
- *) mpm_winnt: Prevent a denial of service when the 'data' AcceptFilter is in
- use by replacing it with the 'connect' filter. PR 59970. [Jacob Champion]
-
- *) mod_cgid: Resolve a case where a short CGI response causes a subsequent
- CGI to be killed prematurely, resulting in a truncated subsequent
- response. [Eric Covener]
-
- *) mod_proxy_hcheck: Set health check URI and expression correctly for health
- check worker. PR 60038 [zdeno <zd...@scnet.sk>]
-
- *) mod_http2: if configured with nghttp2 1.14.0 and onward, invalid request
- headers will immediately reset the stream with a PROTOCOL error. Feature
- logged by module on startup as 'INVHD' in info message.
- [Stefan Eissing]
-
- *) mod_http2: fixed handling of stream buffers during shutdown.
- [Stefan Eissing]
-
- *) mod_reqtimeout: Fix body timeout disabling for CONNECT requests to avoid
- triggering mod_proxy_connect's AH01018 once the tunnel is established.
- [Yann Ylavic]
-
- *) ab: Set the Server Name Indication (SNI) extension on outgoing TLS
- connections (unless -I is specified), according to the Host header (if
- any) or the requested URL's hostname otherwise. [Yann Ylavic]
-
- *) mod_proxy_fcgi: avoid loops when ProxyErrorOverride is enabled
- and the error documents are proxied. PR 55415. [Luca Toscano]
-
- *) mod_proxy_fcgi: read the whole FCGI response even when the content
- has not been modified (HTTP 304) or in case of a precondition failure
- (HTTP 412) to avoid subsequent bogus reads and confusing
- error messages logged. [Luca Toscano]
-
- *) mod_http2: h2 status resource follows latest draft, see
- http://www.ietf.org/id/draft-benfield-http2-debug-state-01.txt
- [Stefan Eissing]
-
- *) mod_http2: handling graceful shutdown gracefully, e.g. handling existing
- streams to the end. [Stefan Eissing]
-
- *) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data
- available before the request is sent. PR 57832. [Yann Ylavic]
-
- *) mod_proxy_balancer: Prevent redirect loops between workers within a
- balancer by limiting the number of redirects to the number balancer
- members. PR 59864 [Ruediger Pluem]
-
- *) mod_proxy: Correctly consider error response codes by the backend when
- processing failonstatus. PR 59869 [Ruediger Pluem]
-
- *) mod_dav: Add dav_get_provider_name() function to obtain the name
- of the provider from mod_dav. [Graham Leggett]
-
- *) mod_dav: Add support for childtags to dav_error.
- [Jari Urpalainen <jari.urpalainen nokia.com>]
-
- *) mod_proxy_fcgi: Fix 2.4.23 breakage for mod_rewrite per-dir and query
- string showing up in SCRIPT_FILENAME. PR59815
-
- *) mod_include: Fix a potential memory misuse while evaluating expressions.
- PR59844. [Eric Covener]
-
- *) mod_http2: new H2CopyFiles directive that changes treatment of file
- handles in responses. Necessary in order to fix broken lifetime handling
- in modules such as mod_wsgi.
-
- *) mod_http2: removing timeouts on master connection while requests are
- being processed. Requests may timeout, but the master only times out when
- no more requests are active. [Stefan Eissing]
-
- *) mod_http2: fixes connection flush when answering SETTINGS without any
- stream open. [Moto Ishizawa <@summerwind>, Stefan Eissing]
-
-Changes with Apache 2.4.23
-
- *) mod_ssl: reset client-verify state of ssl when aborting renegotiations.
- [Erki Aring <er...@example.ee>, Stefan Eissing]
-
- *) mod_sed: Fix 'x' command processing. [Christophe Jaillet]
-
- *) configure: Fix ./configure edge-case failures around dependencies
- of mod_proxy_hcheck. [William Rowe, Ruediger Pluem, Jeff Trawick]
-
-Changes with Apache 2.4.22
-
- *) mod_http2: fix for request abort when connections drops, introduced in
- 1.5.8
-
-Changes with Apache 2.4.21
-
- *) ab: Use caseless matching for HTTP tokens (e.g. content-length). PR 59111.
- [Yann Ylavic]
-
- *) mod_http2: more rigid error handling in DATA frame assembly, leading
- to deterministic connection errors if assembly fails.
- [Stefan Eissing, Pal Nilsen <https://github.com/maedox>]
-
- *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
- failures under Visual Studio 2015 and other mismatched MSVCRT flavors.
- PR59630 [Jan Ehrhardt <phpdev ehrhardt.nl>]
-
- *) mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
- to opt-in previous behaviour (2.2) with CRLs verification when checking
- certificate(s) with no corresponding CRL. [Yann Ylavic]
-
- *) mpm_event, mpm_worker: Fix computation of MinSpareThreads' lower bound
- according the number of listeners buckets. [Yann Ylavic]
-
- *) Add ap_cstr_casecmp[n]() - placeholder of apr_cstr_casecmp[n] functions
- for case-insensitive C/POSIX-locale token comparison.
- [Jim Jagielski, William Rowe, Yann Ylavic, Branko Äibej]
-
- *) mod_userdir: Constify and save a few bytes in the conf pool when
- parsing the "UserDir" directive. [Christophe Jaillet]
-
- *) mod_cache: Fix (max-stale with no '=') and enforce (check
- integers after '=') Cache-Control header parsing.
- [Christophe Jaillet]
-
- *) core: Add -DDUMP_INCLUDES configtest option to show the tree
- of Included configuration files.
- [Jacob Champion <champion.pxi gmail.com>]
-
- *) mod_proxy_fcgi: Avoid passing a filename of proxy:fcgi:// as
- SCRIPT_FILENAME to a FastCGI server. PR59618.
- [Jacob Champion <champion.pxi gmail.com>]
-
- *) mod_dav: Add dav_get_provider_name() function to obtain the name
- of the provider from mod_dav.
- [Jari Urpalainen <jari.urpalainen nokia.com>]
-
- *) mod_proxy_http2: properly care for HTTP2 flow control of the frontend
- connection is HTTP/1.1. [Patch supplied by Evgeny Kotkov]
-
- *) mod_http2: improved cleanup of connection/streams/tasks to always
- have deterministic order regardless of event initiating it. Addresses
- reported crashes due to memory read after free issues.
- [Stefan Eissing]
-
- *) mod_ssl: Correct the interaction between SSLProxyCheckPeerCN and newer
- SSLProxyCheckPeerName directives since release 2.4.5, such that disabling
- either disables both, and that enabling either triggers the new, more
- comprehensive SSLProxyCheckPeerName behavior. Only a single configuration
- remains to enable the legacy behavior, which is to explicitly disable
- SSLProxyCheckPeerName, and enable SSLProxyCheckPeerCN. [William Rowe]
-
- *) mod_include: add the <!--#comment ...> syntax in order to include comments
- in a SSI file. [Christophe Jaillet based on a suggestion from Rob]
-
- *) mod_http2: improved event handling for suspended streams, responses
- and window updates. [Stefan Eissing]
-
- *) mod_proxy_hcheck: Provide for dynamic background health
- checks on reverse proxies associated with BalancerMember
- workers. [Jim Jagielski]
-
- *) mod_http2: Fix async write issue that led to selection of wrong timeout
- vs. keepalive timeout selection for idle sessions. [Stefan Eissing]
-
- *) mod_http2: checking LimitRequestLine, LimitRequestFields and
- LimitRequestFieldSize configurated values for incoming streams. Returning
- HTTP status 431 for too long/many headers fields and 414 for a too long
- pseudo header. [Stefan Eissing]
-
- *) mod_http2: tracking conn_rec->current_thread on slave connections, so
- that mod_lua finds the correct one. Fixes PR 59542. [Stefan Eissing]
-
- *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
- urls. Part of the httpd mod_proxy framework, common settings apply.
- Requests from the same HTTP/2 frontend connection against the same backend
- are aggregated on a single connection.
- [Stefan Eissing]
-
- *) mod_http2: slave connections have conn_rec->aborted flag set when a stream
- has been reset by the client. [Stefan Eissing]
-
- *) mod_http2: merge of some 2.4.x adaptions re filters on slave connections.
- Small fixes in bucket beams when forwarding file buckets. Output handling
- on master connection uses less FLUSH and passes automatically when more
- than half of H2StreamMaxMemSize bytes have accumulated.
- Workaround for http: when forwarding partial file buckets to keep the
- output filter from closing these too early. [Stefan Eissing]
-
- *) mod_http2: elimination of fixed master connection buffer for TLS
- connections. New scratch bucket handling optimized for TLS write sizes.
- File bucket data read directly into scratch buffers, avoiding one
- copy. Non-TLS connections continue to pass buckets unchanged to the core
- filters to allow sendfile() usage. [Stefan Eissing]
-
- *) mod_http2/mod_proxy_http2: h2_request.c is no longer shared between these
- modules. This simplifies building on platforms such as Windows, as module
- reference used in logging is now clear. [Stefan Eissing]
-
- *) Scoreboard: Fix a regression in 2.4.20 that causes wrong request data
- to be displayed on the status page. PR 59333. [Yann Ylavic, William Rowe]
-
- *) mod_http2: fixed a bug that caused mod_proxy_http2 to be called for window
- updates on requests it had already reported done. Added synchronization
- on early connection/stream close that lets ongoing requests safely drain
- their input filters.
- [Stefan Eissing]
-
- *) mod_http2: scoreboard updates that summarize the h2 session (and replace
- the last request information) will only happen when the session is idle or
- in shutdown/done phase. [Stefan Eissing]
-
- *) mod_http2: new "bucket beam" technology to transport buckets across
- threads without buffer copy. Delaying response start until flush or
- enough body data has been accumulated. Overall significantly smaller
- memory footprint. [Stefan Eissing]
-
- *) core: New CGIVar directive can configure REQUEST_URI to represent the
- current URI being processed instead of always the original request.
- [Jeff Trawick]
-
- *) scoreboard/status: Restore behavior of showing workers' previous Client,
- VHost and Request values when idle, like in 2.4.18 and earlier.
-
- *) mod_http2: r->protocol changed to "HTTP/2.0" (was "HTTP/2") as this will
- give expected syntax in CGI's SERVER_PROTOCOL is more compatible with
- existing major/minor handling. Fixes PR 59313.
-
- *) mod_http2: disabling mmap for file buckets transport due to segmenation
- faults when files change on the fly.
-
-Changes with Apache 2.4.20
-
- *) SECURITY: CVE-2016-1546 (cve.mitre.org)
- mod_http2: restricting number of concurrent stream workers per connection
- if client is slow.
-
- *) core: Do not read .htaccess if AllowOverride and AllowOverrideList
- are "None". PR 58528.
- [Michael Schlenker <msc contact.de, Ruediger Pluem, Daniel Ruggeri]
-
- *) mod_proxy_express: Fix possible use of DB handle after close. PR 59230.
- [Petr <pgajdos suse.cz>]
-
- *) core/util_script: relax alphanumeric filter of environment variable names
- on Windows to allow '(' and ')' for passing PROGRAMFILES(X86) et.al.
- unadulterated in 64 bit versions of Windows. PR 46751.
- [John <john leineweb de>]
-
- *) mod_http2: incrementing keepalives on each request started so that logging
- %k gives increasing numbers per master http2 connection.
- New documented variables in env, usable in custom log formats: H2_PUSH,
- H2_PUSHED, H2_PUSHED_ON, H2_STREAM_ID and H2_STREAM_TAG.
- [Stefan Eissing]
-
- *) mod_http2: more efficient passing of response bodies with less contention
- and file bucket forwarding. [Stefan Eissing]
-
- *) mod_http2: fix for missing score board updates on request count, fix for
- memory leak on slave connection reuse. [Stefan Eissing]
-
- *) mod_http2: Fix build on Windows from dsp files.
- [Stefan Eissing]
-
-Changes with Apache 2.4.19
-
- *) mod_include: Add variable DOCUMENT_ARGS, with the arguments to the
- request for the SSI document. [Jeff Trawick]
-
- *) mod_authz_host: Add a new "forward-dns" authorization type, not relying on
- reverse DNS lookups. [Fabien]
-
- *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
- urls. Uses backend connections for concurrent requests if frontend
- connection is http2 as well.
- [Stefan Eissing]
-
- *) mod_ssl: Add hooks to allow other modules to perform processing at
- several stages of initialization and connection handling. See
- mod_ssl_openssl.h. [Jeff Trawick]
-
- *) mod_http2: disabling PUSH when client sends GOAWAY. Slave connections are
- reused for several requests, improved performance and better memory use.
- [Stefan Eissing]
-
- *) mod_rewrite: Don't implicitly URL-escape the original query string
- when no substitution has changed it (like PR50447 but server context)
- [Evgeny Kotkov <evgeny.kotkov visualsvn.com>]
-
- *) mod_http2: fixes problem with wrong lifetime of file buckets on main
- connection. [Stefan Eissing]
-
- *) mod_http2: fixes incorrect denial of requests without :authority header.
- [Stefan Eissing]
-
- *) mod_reqtimeout: Prevent long response times from triggering a timeout once
- the request has been fully read. PR 59045. [Yann Ylavic]
-
- *) ap_expr: expression support for variable HTTP2=on|off. [Stefan Eissing]
-
- *) mod_http2: give control to async mpm for keepalive timeouts only when
- no streams are open and even if only after 1 sec delay. Under load, event
- mpm discards connections otherwise too quickly. [Stefan Eissing]
-
- *) mod_ssl: Don't lose track of the SSL context if an unlikely failure occurs
- in ssl_init_ssl_connection(). [Graham Leggett]
-
- *) mod_rewrite: Add QSL|qslast flag to allow rewrites to files with
- literal question marks in their names. PR 58777. [Eric Covener]
-
- *) event: use pre_connection hook to properly initialize connection state for
- slave connections. use protocol_switch hook to initialize server config
- early based on SNI selected vhost.
- [Stefan Eissing]
-
- *) hostname: Test and log useragent_host per-request across various modules,
- including the scoreboard, expression and rewrite engines, setenvif,
- authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.
- PR55348 [William Rowe]
-
- *) core: Track the useragent_host per-request when mod_remoteip or similar
- modules track a per-request useragent_ip. Modules should be updated
- to inquire for ap_get_useragent_host() in place of ap_get_remote_host().
- [William Rowe]
-
- *) core: fix a bug in <UnDefine ...> directive processing. When used, the last
- <Define...>'ed variable was also withdrawn. PR 59019
- [Christophe Jaillet]
-
- *) mod_http2: Accept-Encoding is, when present on the initiating request,
- added to push promises. This lets compressed content work in pushes.
- by the client. [Stefan Eissing]
-
- *) mod_http2: fixed possible read after free when streams were cancelled early
- by the client. [Stefan Eissing]
-
- *) mod_http2: fixed possible deadlock during connection shutdown. Thanks to
- @FrankStolle for reporting and getting the necessary data.
- [Stefan Eissing]
-
- *) mod_http2: fixed apr_uint64_t formatting in a log statement to user proper
- APR def, thanks to @Sp1l.
-
- *) mod_http2: number of worker threads allowed to a connection is adjusting
- dynamically. Starting with 4, the number is doubled when streams can be
- served without block on http/2 connection flow. The number is halfed, when
- the server has to wait on client flow control grants.
- This can happen with a maximum frequency of 5 times per second.
- When a connection occupies too many workers, repeatable requests
- (GET/HEAD/OPTIONS) are cancelled and placed back in the queue. Should that
- not suffice and a stream is busy longer than the server timeout, the
- connection will be aborted with error code ENHANCE_YOUR_CALM.
- This does *not* limit the number of streams a client may open, rather the
- number of server threads a connection might use.
- [Stefan Eissing]
-
- *) mod_http2: allowing link header to specify multiple "rel" values,
- space-separated inside a quoted string. Prohibiting push when Link
- parameter "nopush" is present.
- [Stefan Eissing]
-
- *) mod_http2: reworked connection state handling. Idle connections accept a
- GOAWAY from the client without further reply. Otherwise the
- module makes a best effort to send one last GOAWAY to the client.
-
- *) mod_http2: the values from standard directives Timeout and KeepAliveTimeout
- properly are applied to http/2 connections.
- [Stefan Eissing]
-
- *) mod_http2: idle connections are returned to async mpms. new hook
- "pre_close_connection" used to send GOAWAY frame when not already done.
- Setting event mpm server config "by hand" for the main connection to
- the correct negotiated server.
- [Stefan Eissing]
-
- *) mod_http2: keep-alive blocking reads are done with 1 second timeouts to
- check for MPM stopping. Will announce early GOAWAY and finish processing
- open streams, then close.
- [Stefan Eissing]
-
- *) mod_http2: bytes read/written on slave connections are reported via the
- optional mod_logio functions. Fixes PR 58871.
-
- *) prefork: Initialize the POD when running in ONE_PROCESS (or -X) mode to
- avoid a crash. [Jan Kaluza, Yann Ylavic]
-
- *) mod_ssl: When SSLVerify is disabled (NONE), don't force a renegotiation if
- the SSLVerifyDepth applied with the default/handshaken vhost differs from
- the one applicable with the finally selected vhost. [Yann Ylavic]
-
- *) core: Ensure that httpd exits with an error status when the MPM fails
- to run. [Yann Ylavic]
-
- *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
- [Jan Kaluza, Yann Ylavic]
-
- *) mod_ssl: Add SSLOCSPProxyURL to add the possibility to do all queries
- to OCSP responders through a HTTP proxy. [Ruediger Pluem]
-
- *) mod_proxy: Play/restore the TLS-SNI on new backend connections which
- had to be issued because the remote closed the previous/reusable one
- during idle (keep-alive) time. [Yann Ylavic]
-
- *) mod_cache_socache: Fix a possible cached entity body corruption when it
- is received from an origin server in multiple batches and forwarded by
- mod_proxy. [Yann Ylavic]
-
- *) core: Add expression support to SetHandler.
- [Eric Covener]
-
- *) mod_remoteip: Prevent an external proxy from presenting an internal
- proxy. PR 55962. [Mike Rumph]
-
- *) core: Prevent a server crash in case of an invalid CONNECT request with
- a custom error page for status code 400 that uses server side includes.
- PR 58929 [Ruediger Pluem]
-
- *) mod_ssl: handle TIMEOUT on empty SSL input as non-fatal, returning
- APR_TIMEUP and preserving connection state for later retry.
- [Stefan Eissing]
-
- *) mod_ssl: Save some TLS record (application data) fragmentations by
- including the last and subsequent suitable buckets when coalescing.
- [Yann Ylavic]
-
- *) mod_proxy_fcgi: Suppress HTTP error 503 and message 01075,
- "Error dispatching request", when the cause appears to be
- due to the client closing the connection.
- PR58118. [Tobias Adolph <adolph lrz.de>]
-
- *) mod_cgid: Message AH02550, failure to flush a response to the client,
- is now logged at TRACE1 level to match the underlying core output filter
- severity. [Eric Covener]
-
- *) mime.types: add common extension "m4a" for MPEG 4 Audio.
- PR 57895 [Dylan Millikin <dylan.millikin gmail.com>]
-
- *) Added many log numbers to log statements that had none.
- [Rainer Jung]
-
- *) mod_log_config: Add GlobalLog to allow a globally defined log to
- be inherited by virtual hosts that define a CustomLog.
- [Edward Lu]
-
- *) mod_http2: connections how keep a "push diary" where hashes of already
- pushed resources are kept. See directive H2PushDiarySize for managing this.
- Push diaries can be initialized by clients via the "Cache-Digest" request
- header. This carries a base64url encoded. compressed Golomb set as described
- in https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/
- Introduced a status handler for HTTP/2 connections, giving various counters
- and statistics about the current connection, plus its cache digest value
- in a JSON record. Not a replacement for more HTTP/2 in the server status.
- Configured as
- <Location "/http2-status">
- SetHandler http2-status
- </Location>
- [Stefan Eissing]
-
- *) mod_http2: Fixed flushing of last GOAWAY frame. Previously, that frame
- did not always reach the client, causing some to fail the next request.
- Fixed calculation of last stream id accepted as described in rfc7540.
- Reading in KEEPALIVE state now correctly shown in scoreboard.
- Fixed possible race in connection shutdown after review by Ylavic.
- Fixed segfault on connection shutdown, callback ran into a semi dismantled session.
- [Stefan Eissing]
-
- *) mod_http2: Added support for experimental accept-push-policy draft
- (https://tools.ietf.org/html/draft-ruellan-http-accept-push-policy-00). Clients
- may now influence server pushes by sending accept-push-policy headers.
- [Stefan Eissing]
-
- *) mod_http2: new r->subprocess_env variables HTTP2 and H2PUSH, set to "on"
- when available for request.
- [Stefan Eissing]
-
- *) mod_http2: fixed bug in input window size calculation by moving chunked
- request body encoding into later stage of processing. Fixes PR 58825.
- [Stefan Eissing]
-
- *) core: new hook "pre_close_connection" which is run before the lingering
- close of connections is started. This gives protocol handlers one last
- chance to use a connection before it goes down.
- [Stefan Eissing]
-
- *) mod_status/scoreboard: showing connection protocol in new column, new
- ap_update_child_status methods for updating server/description. mod_ssl
- sets vhost negotiated by servername directly.
- [Stefan Eissing]
-
-Changes with Apache 2.4.18
-
- *) mod_ssl: for all ssl_engine_vars.c lookups, fall back to master connection
- if conn_rec itself holds no valid SSLConnRec*. Fixes PR58666.
- [Stefan Eissing]
-
- *) mod_http2: connection level window for flow control is set to protocol
- maximum of 2GB-1, preventing window exhaustion when sending data on many
- streams with higher cumulative window size.
- Reducing write frequency unless push promises need to be flushed.
- [Stefan Eissing]
-
- *) mod_http2: required minimum version of libnghttp2 is 1.2.1
- [Stefan Eissing]
-
- *) mod_proxy_fdpass: Fix AH01153 error when using the default configuration.
- In earlier version of httpd, you can explicitelly set the 'flusher' parameter
- to 'flush' as a workaround. (i.e. flusher=flush)
- Add documentation for the 'flusher' parameter when defining a proxy worker.
- [Christophe Jaillet]
-
- *) mod_ssl: For the "SSLStaplingReturnResponderErrors off" case, make sure
- to only staple responses with certificate status "good". [Kaspar Brand]
-
- *) mod_http2: new directive 'H2PushPriority' to allow priority specifications
- on server pushed streams according to their content-type.
- [Stefan Eissing]
-
- *) mod_http2: fixes crash on connection abort for a busy connection.
- fixes crash on a request that did not produce any response.
- [Stefan Eissing]
-
- *) mod_http2: trailers are sent after response body if set in request_rec
- trailers_out before the end-of-request bucket is sent through the
- output filters. [Stefan Eissing]
-
- *) mod_http2: incoming trailers (headers after request body) are properly
- forwarded to the processing engine. [Stefan Eissing]
-
- *) mod_http2: new directive 'H2Push' to en-/disable HTTP/2 server
- pushes a server/virtual host. Pushes are initiated by the presence
- of 'Link:' headers with relation 'preload' on a response. [Stefan Eissing]
-
- *) mod_http2: write performance of http2 improved for larger resources,
- especially static files. [Stefan Eissing]
-
- *) core: if the first HTTP/1.1 request on a connection goes to a server that
- prefers different protocols, these protocols are announced in a Upgrade:
- header on the response, mentioning the preferred protocols.
- [Stefan Eissing]
-
- *) mod_http2: new directives 'H2TLSWarmUpSize' and 'H2TLSCoolDownSecs'
- to control TLS record sizes during connection lifetime.
- [Stefan Eissing]
-
- *) mod_http2: new directive 'H2ModernTLSOnly' to enforce security
- requirements of RFC 7540 on TLS connections. [Stefan Eissing]
-
- *) core: add ap_get_protocol_upgrades() to retrieve the list of protocols
- that a client could possibly upgrade to. Use in first request on a
- connection to announce protocol choices. [Stefan Eissing]
-
- *) mod_http2: reworked deallocation on connection shutdown and worker
- abort. Separate parent pool for all workers. worker threads are joined
- on planned worker shutdown. [Yann Ylavic, Stefan Eissing]
-
- *) mod_ssl: when receiving requests for other virtual hosts than the handshake
- server, the SSL parameters are checked for equality. With equal
- configuration, requests are passed for processing. Any change will trigger
- the old behaviour of "421 Misdirected Request".
- SSL now remembers the cipher suite that was used for the last handshake.
- This is compared against for any vhost/directory cipher specification.
- Detailed examination of renegotiation is only done when these do not
- match.
- Renegotiation is 403ed when a master connection is present. Exact reason
- is given additionally in a request note. [Stefan Eissing]
-
- *) mod_ssl: Make the output filter more friendly with deferred write and
- response pipelining. [Yann Ylavic, Joe Orton]
-
- *) core: Fix scoreboard crash (SIGBUS) on hardware requiring strict 64bit
- alignment (SPARC64, PPC64). [Yann Ylavic]
-
- *) mod_cache: Accept HT (Horizontal Tab) when parsing cache related header
- fields as described in RFC7230. [Christophe Jaillet]
-
- *) core/util_script: making REDIRECT_URL a full URL is now opt-in
- via new 'QualifyRedirectURL' directive.
-
- *) core: Limit to ten the number of tolerated empty lines between request,
- and consume them before the pipelining check to avoid possible response
- delay when reading the next request without flushing. [Yann Ylavic]
-
- *) mod_ssl: Extend expression parser registration to support ssl variables
- in any expression using mod_rewrite syntax "%{SSL:VARNAME}" or function
- syntax "ssl(VARNAME)". [Rainer Jung]
-
-Changes with Apache 2.4.17
-
- *) mod_http2: added donated HTTP/2 implementation via core module. Similar
- configuration options to mod_ssl. [Stefan Eissing]
-
- *) mod_proxy: don't recyle backend announced "Connection: close" connections
- to avoid reusing it should the close be effective after some new request
- is ready to be sent. [Yann Ylavic]
-
- *) mod_substitute: Allow to configure the patterns merge order with the new
- SubstituteInheritBefore on|off directive. PR 57641
- [Marc.Stern <Marc.Stern approach.be>, Yann Ylavic, William Rowe]
-
- *) mod_proxy: Fix ProxySourceAddress binding failure with AH00938.
- PR 56687. [Arne de Bruijn <apache arbruijn.dds.nl>
-
- *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3,
- and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
- in accordance with RFC 7568. PR 58349, PR 57120. [Kaspar Brand]
-
- *) mod_ssl: append :!aNULL:!eNULL:!EXP to the cipher string settings,
- instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
- and later). Enables support for configuring the SUITEB* cipher
- strings introduced in OpenSSL 1.0.2. PR 58213. [Kaspar Brand]
-
- *) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
- of subjectAltName entries of type "otherName" into
- SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
- variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,
- Kaspar Brand]
-
- *) mod_logio: Fix logging of %^FB (time to first byte) on the first request on
- an SSL connection. PR 58454.
- [Konstantin J. Chernov <k.j.chernov gmail.com>]
-
- *) mod_cache: r->err_headers_out is not merged into
- r->headers when mod_cache is enabled and the response
- is cached for the first time. [Edward Lu]
-
- *) mod_slotmem_shm: Fix slots/SHM files names on restart for systems that
- can't create new (clear) slots while previous children gracefully stopping
- still use the old ones (e.g. Windows, OS2). mod_proxy_balancer failed to
- restart whenever the number of configured balancers/members changed during
- restart. PR 58024. [Yann Ylavic]
-
- *) core/util_script: make REDIRECT_URL a full URL. PR 57785. [Nick Kew]
-
- *) MPMs: Support SO_REUSEPORT to create multiple duplicated listener
- records for scalability. [Yingqi Lu <yi...@intel.com>,
- Jeff Trawick, Jim Jagielski, Yann Ylavic]
-
- *) mod_alias: Introduce expression parser support for Alias, ScriptAlias
- and Redirect. Limit Redirect expressions to directory (Location) context
- and redirect statuses (implicit or explicit).
- [Graham Leggett, Yann Ylavic, Ruediger Pluem]
-
- *) mod_proxy: Fix a race condition that caused a failed worker to be retried
- before the retry period is over. [Ruediger Pluem]
-
- *) mod_autoindex: Allow autoindexes when neither mod_dir nor mod_mime are
- loaded. [Eric Covener]
-
- *) mod_rewrite: Allow cookies set by mod_rewrite to contain ':' by accepting
- ';' as an alternate separator. PR47241.
- [<bugzilla schermesser com>, Eric Covener]
-
- *) apxs: Add HTTPD_VERSION and HTTPD_MMN to the variables available with
- apxs -q. PR58202. [Daniel Shahaf <danielsh apache.org>]
-
- *) mod_rewrite: Avoid a crash when lacking correct DB access permissions
- when using RewriteMap with MapType dbd or fastdbd. [Christophe Jaillet]
-
- *) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions.
- PR 57868. [Jose Kahan <jose w3.org>, Yann Ylavic]
-
- *) mod_socache_memcache: Add the 'MemcacheConnTTL' directive to control how
- long to keep idle connections with the memcache server(s).
- Change default value from 600 usec (!) to 15 sec. PR 58091
- [Christophe Jaillet]
-
- *) mod_dir: Prevent the internal identifier "httpd/unix-directory" from
- appearing as a Content-Type response header when requests for a directory
- are rewritten by mod_rewrite. [Eric Covener]
-
-Changes with Apache 2.4.16
-
- *) http: Fix LimitRequestBody checks when there is no more bytes to read.
- [Michael Kaufmann <mail michael-kaufmann.ch>]
-
- *) mod_alias: Revert expression parser support for Alias, ScriptAlias
- and Redirect due to a regression (introduced in 2.4.13, not released).
-
- *) mod_reqtimeout: Don't let pipelining checks and keep-alive times interfere
- with the timeouts computed for subsequent requests. PR 56729.
- [Eric Covener, Yann Ylavic]
-
- *) core: Avoid a possible truncation of the faulty header included in the
- HTML response when LimitRequestFieldSize is reached. [Yann Ylavic]
-
- *) mod_ldap: In some case, LDAP_NO_SUCH_ATTRIBUTE could be returned instead
- of an error during a compare operation. [Eric Covener]
-
-Changes with Apache 2.4.15 (not released)
-
- *) mod_ext_filter, mod_charset_lite: Avoid inadvertent filtering of protocol
- data during read of chunked request bodies. PR 58049.
- [Edward Lu <Chaosed0 gmail.com>]
-
- *) mod_ldap: Stop leaking LDAP connections when 'LDAPConnectionPoolTTL 0'
- is configured. PR 58037. [Ted Phelps <phelps gnusto.com>]
-
- *) core: Allow spaces after chunk-size for compatibility with implementations
- using a pre-filled buffer. [Yann Ylavic, Jeff Trawick]
-
- *) mod_ssl: Remove deprecated SSLCertificateChainFile warning.
- [Yann Ylavic]
-
-Changes with Apache 2.4.14 (not released)
-
- *) SECURITY: CVE-2015-3183 (cve.mitre.org)
- core: Fix chunk header parsing defect.
- Remove apr_brigade_flatten(), buffering and duplicated code from
- the HTTP_IN filter, parse chunks in a single pass with zero copy.
- Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
- authorized characters. [Graham Leggett, Yann Ylavic]
-
- *) SECURITY: CVE-2015-3185 (cve.mitre.org)
- Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
- with new ap_some_authn_required and ap_force_authn hook. [Ben Reser]
-
-Changes with Apache 2.4.13 (not released)
-
- *) SECURITY: CVE-2015-0253 (cve.mitre.org)
- core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
- with the INCLUDES filter active, introduced in 2.4.11. PR 57531.
- [Yann Ylavic]
-
- *) SECURITY: CVE-2015-0228 (cve.mitre.org)
- mod_lua: A maliciously crafted websockets PING after a script
- calls r:wsupgrade() can cause a child process crash.
- [Edward Lu <Chaosed0 gmail.com>]
-
- *) mod_proxy: Don't put the worker in error state for 500 or 503 errors
- returned by the backend unless failonstatus is configured to. PR 56925.
- [Yann Ylavic]
-
- *) core: Don't lowercase the argument to SetHandler if it begins with
- "proxy:unix". PR 57968. [Eric Covener]
-
- *) mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
- the OCSP response for a different certificate. mod_ssl has an additional
- global mutex, "ssl-stapling-refresh". PR 57131 (partial fix).
- [Jeff Trawick]
-
- *) mod_authz_dbm: Fix crashes when "dbm-file-group" is used and
- authz modules were loaded in the "wrong" order. [Joe Orton]
-
- *) mod_authn_dbd, mod_authz_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
- of DB lookup entries independently of the selected DB engine. PR 46421.
- [Steven whitson <steven.whitson gmail com>, Jan Kaluza, Yann Ylavic].
-
- *) In alignment with RFC 7525, the default recommended SSLCipherSuite
- and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
- default recommended SSLProtocol and SSLProxyProtocol directives now
- exclude SSLv3. Existing configurations must be adjusted by the
- administrator. [William Rowe]
-
- *) mod_ssl: Add support for extracting subjectAltName entries of type
- rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
- environment variables. Also addresses PR 57207. [Kaspar Brand]
-
- *) dav_validate_request: avoid validating locks and ETags when there are
- no If headers providing them on a resource we aren't modifying.
- [Ben Reser]
-
- *) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
- response header to be used by the application, for when the application
- or framework is unable to return Location in the internal-redirect
- form. [Jeff Trawick]
-
- *) core: Cleanup the request soon/even if some output filter fails to
- handle the EOR bucket. [Yann Ylavic]
-
- *) mpm_event: Allow for timer events duplicates. [Jim Jagielski, Yann Ylavic]
-
- *) mod_proxy, mod_ssl, mod_cache_socache, mod_socache_*: Support machine
- readable server-status produced when using the "?auto" query string.
- [Rainer Jung]
-
- *) mod_status: Add more data to machine readable server-status produced
- when using the "?auto" query string. [Rainer Jung]
-
- *) mod_ssl: Check for the Entropy Gathering Daemon (EGD) availability at
- configure time (RAND_egd), and complain if SSLRandomSeed requires using
- it otherwise. [Bernard Spil <pil.oss gmail com>, Stefan Sperling,
- Kaspar Brand]
-
- *) mod_ssl: make sure to consistently output SSLCertificateChainFile
- deprecation warnings, when encountered in a VirtualHost block.
- [Falco Schwarz <hiding falco.me>]
-
- *) mod_log_config: Add "%{UNIT}T" format to output request duration in
- seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
- [Ben Reser, Rainer Jung]
-
- *) Allow FallbackResource to work when a directory is requested and
- there is no autoindex nor DirectoryIndex.
- [Jack <tjerk.meesters gmail.com>, Eric Covener]
-
- *) mod_proxy_wstunnel: Bypass the handler while the connection is not
- upgraded to WebSocket, so that other modules can possibly take over
- the leading HTTP requests. [Yann Ylavic]
-
- *) mod_http: Fix incorrect If-Match handling. PR 57358
- [Kunihiko Sakamoto <ksakamoto google.com>]
-
- *) mod_ssl: Add a warning if protocol given in SSLProtocol or SSLProxyProtocol
- will override other parameters given in the same directive. This could be
- a missing + or - prefix. PR 52820 [Christophe Jaillet]
-
- *) core, modules: Avoid error response/document handling by the core if some
- handler or input filter already did it while reading the request (causing
- a double response body). [Yann Ylavic]
-
- *) mod_proxy_ajp: Fix client connection errors handling and logged status
- when it occurs. PR 56823. [Yann Ylavic]
-
- *) mod_proxy: Use the correct server name for SNI in case the backend
- SSL connection itself is established via a proxy server.
- PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
-
- *) mod_ssl: Fix possible crash when loading server certificate constraints.
- PR 57694. [Paul Spangler <paul.spangler ni com>, Yann Ylavic]
-
- *) build: Don't load both mod_cgi and mod_cgid in the default configuration
- if they're both built. [olli hauer <ohauer gmx.de>]
-
- *) mod_logio: Add LogIOTrackTTFB and %^FB logformat to log the time
- taken to start writing response headers. [Eric Covener]
-
- *) mod_ssl: Avoid compilation errors with LibreSSL related to
- the use of ENGINE_CTRL_CHIL_SET_FORKCHECK.
- [Stuart Henderson <sthen openbsd.org>]
-
- *) mod_proxy_http: Use the "Connection: close" header for requests to
- backends not recycling connections (disablereuse), including the default
- reverse and forward proxies. [Yann Ylavic]
-
- *) mod_proxy: Add ap_connection_reusable() for checking if a connection
- is reusable as of this point in processing. [Jeff Trawick]
-
- *) mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad
- Gateway) when no response is ever received from the backend.
- [Jan Kaluza]
-
- *) core_filters: Restore/disable TCP_NOPUSH option after non-blocking
- sendfile. [Yann Ylavic]
-
- *) mod_buffer: Forward flushed input data immediately and avoid (unlikely)
- access to freed memory. [Yann Ylavic, Christophe Jaillet]
-
- *) core: Add CGIPassAuth directive to control whether HTTP authorization
- headers are passed to scripts as CGI variables. PR 56855. [Jeff
- Trawick]
-
- *) core: Initialize scoreboard's used optional functions on graceful restarts
- to avoid a crash when relocation occurs. PR 57177. [Yann Ylavic]
-
- *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
- back to a client. The answer to a LOCK request could be an extremly large
- integer if the time needed to lock the resource was longer that the
- requested timeout given in the LOCK request. In such a case, we now answer
- "Second-0". PR55420
- [Christophe Jaillet]
-
- *) mod_cgid: Within the first minute of a server start or restart,
- allow mod_cgid to retry connecting to its daemon process. Previously,
- 'No such file or directory: unable to connect to cgi daemon...' could
- be logged without an actual retry. PR57685.
- [Edward Lu <Chaosed0 gmail.com>]
-
- *) mod_proxy: Use the original (non absolute) form of the request-line's URI
- for requests embedded in CONNECT payloads used to connect SSL backends via
- a ProxyRemote forward-proxy. PR 55892. [Hendrik Harms <hendrik.harms
- gmail com>, William Rowe, Yann Ylavic]
-
- *) http: Make ap_die() robust against any HTTP error code and not modify
- response status (finally logged) when nothing is to be done. PR 56035.
- [Yann Ylavic]
-
- *) mod_proxy_connect/wstunnel: If both client and backend sides get readable
- at the same time, don't lose errors occurring while forwarding on the first
- side when none occurs next on the other side, and abort. [Yann Ylavic]
-
- *) mod_rewrite: Improve relative substitutions in per-directory/htaccess
- context for directories found by mod_userdir and mod_alias. These no
- longer require RewriteBase to be specified. [Eric Covener]
-
- *) mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
- finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
- or force-proxy-request-1.0. [Yann Ylavic]
-
- *) core: If explicitly configured, use the KeepaliveTimeout value of the
- virtual host which handled the latest request on the connection, or by
- default the one of the first virtual host bound to the same IP:port.
- PR56226. [Yann Ylavic]
-
- *) mod_lua: After a r:wsupgrade(), mod_lua was not properly
- responding to a websockets PING but instead invoking the specified
- script. PR57524. [Edward Lu <Chaosed0 gmail.com>]
-
- *) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
- a combination of certificate serialNumber and issuer as defined by
- CertificateExactMatch in RFC4523. [Graham Leggett]
-
- *) core: Add expression support to ErrorDocument. Switch from a fixed
- sized 664 byte array per merge to a hash table. [Graham Leggett]
-
- *) ab: Add missing longest request (100%) to CSV export.
- [Marcin Fabrykowski <bugzilla fabrykowski.pl>]
-
- *) mod_macro: Clear macros before initialization to avoid use-after-free
- on startup or restart when the module is linked statically. PR 57525
- [apache.org tech.futurequest.net, Yann Ylavic]
-
- *) mod_alias: Introduce expression parser support for Alias, ScriptAlias
- and Redirect. [Graham Leggett]
-
- *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
- PR 57100. [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
- Yann Ylavic]
-
- *) mpm_event: Avoid access to the scoreboard from the connection while
- it is suspended (waiting for events). [Eric Covener, Jeff Trawick]
-
- *) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
- PR 57334. [Yann Ylavic].
-
- *) mod_deflate: A misplaced check prevents limiting small bodies with the
- new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]
-
- *) mod_proxy_ajp: Forward SSL protocol name (SSLv3, TLSv1.1 etc.) as a
- request attribute to the backend. Recent Tomcat versions will extract
- it and provide it as a servlet request attribute named
- "org.apache.tomcat.util.net.secure_protocol_version". [Rainer Jung]
-
- *) core: Optimize string concatenation in expression parser when evaluating
- a string expression. [Rainer Jung]
-
- *) acinclude.m4: Generate #LoadModule directive in default httpd.conf for
- every --enable-mpms-shared. PR 53882. [olli hauer <ohauer gmx.de>,
- Yann Ylavic]
-
- *) mod_authn_dbd: Fix the error message logged in case of error while querying
- the database. This is associated to AH01656 and AH01661. [Christophe Jaillet]
-
- *) mod_authz_groupfile: Reduce the severity of AH01667 from ERROR to DEBUG,
- because it may be evaluated inside <RequireAny>. PR55523. [Eric Covener]
-
- *) mod_ssl: Fix small memory leak during initialization when ECDH is used.
- [Jan Kaluza]
-
-Changes with Apache 2.4.12
-
- *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
- internationalization. [William Rowe]
-
- *) mpm_winnt: Normalize the error and status messages emitted by service.c,
- the service control interface for Windows. [William Rowe]
-
- *) configure: Fix --enable-v4-mapped configuration on *BSD. PR 53824.
- [ olli hauer <ohauer gmx.de>, Yann Ylavic ]
-
- *) Reverted <DirectoryMatch > behavior regression introduced in 2.4.11
- (not released).
-
-Changes with Apache 2.4.11 (not released)
-
- *) SECURITY: CVE-2014-3583 (cve.mitre.org)
- mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with
- response headers' size above 8K. [Yann Ylavic, Jeff Trawick]
-
- *) SECURITY: CVE-2014-3581 (cve.mitre.org)
- mod_cache: Avoid a crash when Content-Type has an empty value.
- PR 56924. [Mark Montague <mark catseye.org>, Jan Kaluza]
-
- *) SECURITY: CVE-2014-8109 (cve.mitre.org)
- mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
- used in multiple Require directives with different arguments.
- PR57204 [Edward Lu <Chaosed0 gmail.com>]
-
- *) SECURITY: CVE-2013-5704 (cve.mitre.org)
- core: HTTP trailers could be used to replace HTTP headers
- late during request processing, potentially undoing or
- otherwise confusing modules that examined or modified
- request headers earlier. Adds "MergeTrailers" directive to restore
- legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
-
- *) mod_ssl: New directive SSLSessionTickets (On|Off).
- The directive controls the use of TLS session tickets (RFC 5077),
- default value is "On" (unchanged behavior).
- Session ticket creation uses a random key created during web
- server startup and recreated during restarts. No other key
- recreation mechanism is available currently. Therefore using session
- tickets without restarting the web server with an appropriate frequency
- (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
-
- *) mod_proxy_fcgi: Provide some basic alternate options for specifying
- how PATH_INFO is passed to FastCGI backends by adding significance to
- the value of proxy-fcgi-pathinfo. PR 55329. [Eric Covener]
-
- *) mod_proxy_fcgi: Enable UDS backends configured with SetHandler/RewriteRule
- to opt-in to connection reuse and other Proxy options via explicitly
- declared "proxy workers" (<Proxy unix:... enablereuse=on max=...)
- [Eric Covener]
-
- *) mod_proxy: Add "enablereuse" option as the inverse of "disablereuse".
- [Eric Covener]
-
- *) mod_proxy_fcgi: Enable opt-in to TCP connection reuse by explicitly
- setting proxy option disablereuse=off. [Eric Covener] PR 57378.
-
- *) event: Update the internal "connection id" when requests
- move from thread to thread. Reuse can confuse modules like
- mod_cgid. PR 57435. [Michael Thorpe <mike gistnet.com>]
-
- *) mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME
- passed to fastcgi backends. [Eric Covener]
-
- *) core: Configuration files with long lines and continuation characters
- are not read properly. PR 55910. [Manuel Mausz <manuel-as mausz.at>]
-
- *) mod_include: the 'env' function was incorrectly handled as 'getenv' if the
- leading 'e' was written in upper case in <!--#if expr="..." -->
- statements. [Christophe Jaillet]
-
- *) split-logfile: Fix perl error: 'Can't use string ("example.org:80")
- as a symbol ref while "strict refs"'. PR 56329.
- [Holger Mauermann <mauermann gmail.com>]
-
- *) mod_proxy: Prevent ProxyPassReverse from doing a substitution when
- the URL parameter interpolates to an empty string. PR 56603.
- [<ajprout hotmail.com>]
-
- *) core: Fix -D[efined] or <Define>[d] variables lifetime across restarts.
- PR 57328. [Armin Abfalterer <a.abfalterer gmail.com>, Yann Ylavic].
-
- *) mod_proxy: Preserve original request headers even if they differ
- from the ones to be forwarded to the backend. PR 45387.
- [Yann Ylavic]
-
- *) mod_ssl: dump SSL IO/state for the write side of the connection(s),
- like reads (level TRACE4). [Yann Ylavic]
-
- *) mod_proxy_fcgi: Ignore body data from backend for 304 responses. PR 57198.
- [Jan Kaluza]
-
- *) mod_ssl: Do not crash when looking up SSL related variables during
- expression evaluation on non SSL connections. PR 57070 [Ruediger Pluem]
-
- *) mod_proxy_ajp: Fix handling of the default port (8009) in the
- ProxyPass and <Proxy> configurations. PR 57259. [Yann Ylavic]
-
- *) mpm_event: Avoid a possible use after free when notifying the end of
- connection during lingering close. PR 57268. [Eric Covener, Yann Ylavic]
-
- *) mod_ssl: Fix recognition of OCSP stapling responses that are encoded
- improperly or too large. [Jeff Trawick]
-
- *) core: Add ap_log_data(), ap_log_rdata(), etc. for logging buffers.
- [Jeff Trawick]
-
- *) mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an
- error when parsing or forwarding the response fails. [Yann Ylavic]
-
- *) mod_ssl: Fix a memory leak in case of graceful restarts with OpenSSL >= 0.9.8e
- PR 53435 [tadanori <tadanori2007 yahoo.com>, Sebastian Wiedenroth <wiedi frubar.net>]
-
- *) mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read
- determine whether it is a normal close or a real error. PR 57168. [Yann
- Ylavic]
-
- *) mod_proxy_wstunnel: abort backend connection on polling error to avoid
- further processing. [Yann Ylavic]
-
- *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
- PR 57167 [Edward Lu <Chaosed0 gmail.com>]
-
- *) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC
- systems. PR 57092 [Edward Lu <Chaosed0 gmail.com>]
-
- *) mod_cache: Avoid a 304 response to an unconditional requst when an AH00752
- CacheLock error occurs during cache revalidation. [Eric Covener]
-
- *) mod_ssl: Move OCSP stapling information from a per-certificate store to
- a per-server hash. PR 54357, PR 56919. [Alex Bligh <alex alex.org.uk>,
- Yann Ylavic, Kaspar Brand]
-
- *) mod_cache_socache: Change average object size hint from 32 bytes to
- 2048 bytes. [Rainer Jung]
-
- *) mod_cache_socache: Add cache status to server-status. [Rainer Jung]
-
- *) event: Fix worker-listener deadlock in graceful restart.
- PR 56960.
-
- *) Concat strings at compile time when possible. PR 53741.
-
- *) mod_substitute: Restrict configuration in .htaccess to
- FileInfo as documented. [Rainer Jung]
-
- *) mod_substitute: Make maximum line length configurable. [Rainer Jung]
-
- *) mod_substitute: Fix line length limitation in case of regexp plus flatten.
- [Rainer Jung]
-
- *) mod_proxy: Truncated character worker names are no longer fatal
- errors. PR53218. [Jim Jagielski]
-
- *) mod_dav: Set r->status_line in dav_error_response. PR 55426.
-
- *) mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory.
- [Yann Ylavic, Christophe Jaillet]
-
- *) http_protocol: fix logic in ap_method_list_(add|remove) in order:
- - to correctly reset bits
- - not to modify the 'method_mask' bitfield unnecessarily
- [Christophe Jaillet]
-
- *) mod_slotmem_shm: Increase log level for some originally debug messages.
- [Jim Jagielski]
-
- *) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with
- the wrong credentials when a backend connection is reused.
- [Eric Covener]
-
- *) mod_macro: Add missing APLOGNO for some Warning log messages.
- [Christophe Jaillet]
-
- *) mod_cache: Avoid sending 304 responses during failed revalidations
- PR56881. [Eric Covener]
-
- *) mod_status: Honor client IP address using mod_remoteip. PR 55886.
- [Jim Jagielski]
-
- *) cmake-based build for Windows: Fix incompatibility with cmake 2.8.12
- and later. PR 56615. [Chuck Liu <cliu81 gmail.com>, Jeff Trawick]
-
- *) mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade
- failed) messages from ERROR to TRACE1. Other filters do not bother
- re-reporting failures from lower level filters. PR56832. [Eric Covener]
-
- *) core: Avoid useless warning message when parsing a section guarded by
- <IfDefine foo> if $(foo) is used within the section.
- PR 56503 [Christophe Jaillet]
-
- *) mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the
- application. PR 56858. [Manuel Mausz <manuel-asf mausz.at>]
-
- *) mod_proxy_http: Proxy responses with error status and
- "ProxyErrorOverride On" hang until proxy timeout.
- PR53420 [Rainer Jung]
-
- *) mod_log_config: Allow three character log formats to be registered. For
- backwards compatibility, the first character of a three-character format
- must be the '^' (caret) character. [Eric Covener]
-
- *) mod_lua: Don't quote Expires and Path values. PR 56734.
- [Keith Mashinter, <kmashint yahoo com>]
-
- *) mod_authz_core: Allow <AuthzProviderAlias>'es to be seen from auth
- stanzas under virtual hosts. PR 56870. [Eric Covener]
-
-Changes with Apache 2.4.10
-
- *) SECURITY: CVE-2014-0117 (cve.mitre.org)
- mod_proxy: Fix crash in Connection header handling which allowed a denial
- of service attack against a reverse proxy with a threaded MPM.
- [Ben Reser]
-
- *) SECURITY: CVE-2014-3523 (cve.mitre.org)
- Fix a memory consumption denial of service in the WinNT MPM, used in all
- Windows installations. Workaround: AcceptFilter <protocol> {none|connect}
- [Jeff Trawick]
-
- *) SECURITY: CVE-2014-0226 (cve.mitre.org)
- Fix a race condition in scoreboard handling, which could lead to
- a heap buffer overflow. [Joe Orton, Eric Covener]
-
- *) SECURITY: CVE-2014-0118 (cve.mitre.org)
- mod_deflate: The DEFLATE input filter (inflates request bodies) now
- limits the length and compression ratio of inflated request bodies to
- avoid denial of service via highly compressed bodies. See directives
- DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
- and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
-
- *) SECURITY: CVE-2014-0231 (cve.mitre.org)
- mod_cgid: Fix a denial of service against CGI scripts that do
- not consume stdin that could lead to lingering HTTPD child processes
- filling up the scoreboard and eventually hanging the server. By
- default, the client I/O timeout (Timeout directive) now applies to
- communication with scripts. The CGIDScriptTimeout directive can be
- used to set a different timeout for communication with scripts.
- [Rainer Jung, Eric Covener, Yann Ylavic]
-
- *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
- resumed by TLS session resumption (RFC 5077). [Rainer Jung]
-
- *) mod_deflate: Don't fail when flushing inflated data to the user-agent
- and that coincides with the end of stream ("Zlib error flushing inflate
- buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]
-
- *) mod_proxy_ajp: Forward local IP address as a custom request attribute
- like we already do for the remote port. [Rainer Jung]
-
- *) core: Include any error notes set by modules in the canned error
- response for 403 errors. [Jeff Trawick]
-
- *) mod_ssl: Set an error note for requests rejected due to
- SSLStrictSNIVHostCheck. [Jeff Trawick]
-
- *) mod_ssl: Fix issue with redirects to error documents when handling
- SNI errors. [Jeff Trawick]
-
- *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
- larger keys and support up to 8192-bit keys. [Ruediger Pluem,
- Joe Orton]
-
- *) mod_dav: Fix improper encoding in PROPFIND responses. PR 56480.
- [Ben Reser]
-
- *) WinNT MPM: Improve error handling for termination events in child.
- [Jeff Trawick]
-
- *) mod_proxy: When ping/pong is configured for a worker, don't send or
- forward "100 Continue" (interim) response to the client if it does
- not expect one. [Yann Ylavic]
-
- *) mod_ldap: Be more conservative with the last-used time for
- LDAPConnectionPoolTTL. PR54587 [Eric Covener]
-
- *) mod_ldap: LDAP connections used for authn were not respecting
- LDAPConnectionPoolTTL. PR54587 [Eric Covener]
-
- *) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.
- [Jeff Trawick]
-
- *) event MPM: Fix possible crashes (third-party modules accessing c->sbh)
- or occasional missed mod_status updates under load. PR 56639.
- [Edward Lu <Chaosed0 gmail com>]
-
- *) mod_authnz_ldap: Support primitive LDAP servers do not accept
- filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
- filter "none" to be specified in AuthLDAPURL. [Eric Covener]
-
- *) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
- [Lukas Bezdicka <social v3.sk>]
-
- *) mod_deflate: Handle Zlib header and validation bytes received in multiple
- chunks. PR 46146. [Yann Ylavic]
-
- *) mod_proxy: Allow reverse-proxy to be set via explicit handler.
- [ryo takatsuki <ryotakatsuki gmail com>]
-
- *) ab: support custom HTTP method with -m argument. PR 56604.
- [Roman Jurkov <winfinit gmail.com>]
-
- *) mod_proxy_balancer: Correctly encode user provided data in management
- interface. PR 56532 [Maksymilian, <max cert.cx>]
-
- *) mod_proxy: Don't limit the size of the connectable Unix Domain Socket
- paths. [Graham Dumpleton, Christophe Jaillet, Yann Ylavic]
-
- *) mod_proxy_fcgi: Support iobuffersize parameter. [Jeff Trawick]
-
- *) event: Send the SSL close notify alert when the KeepAliveTimeout
- expires. PR54998. [Yann Ylavic]
-
- *) mod_ssl: Ensure that the SSL close notify alert is flushed to the client.
- PR54998. [Tim Kosse <tim.kosse filezilla-project.org>, Yann Ylavic]
-
- *) mod_proxy: Shutdown (eg. SSL close notify) the backend connection before
- closing. [Yann Ylavic]
-
- *) mod_auth_form: Add a debug message when the fields on a form are not
- recognised. [Graham Leggett]
-
- *) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
- response. PR 55547. [Yann Ylavic]
-
- *) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
- scheme. PR55320. [Alex Liu <alex.leo.ca gmail.com>]
-
- *) mod_socache_shmcb: Correct counting of expirations for status display.
- Expirations happening during retrieval were not counted. [Rainer Jung]
-
- *) mod_cache: Retry unconditional request with the full URL (including the
- query-string) when the origin server's 304 response does not match the
- conditions used to revalidate the stale entry. [Yann Ylavic].
-
- *) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
- variables as a result of AliasMatch. [Eric Covener]
-
- *) mod_cache: Don't add cached/revalidated entity headers to a 304 response.
- PR 55547. [Yann Ylavic]
-
- *) mod_proxy_scgi: Support Unix sockets. ap_proxy_port_of_scheme():
- Support default SCGI port (4000). [Jeff Trawick]
-
- *) mod_cache: Fix AH00784 errors on Windows when the the CacheLock directive
- is enabled. [Eric Covener]
-
- *) mod_expires: don't add Expires header to error responses (4xx/5xx),
- be they generated or forwarded. PR 55669. [Yann Ylavic]
-
- *) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
- (regression in 2.4.9 release) [Jeff Trawick]
-
- *) mod_authn_socache: Fix crash at startup in certain configurations.
- PR 56371. (regression in 2.4.7) [Jan Kaluza]
-
- *) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
- programs to the form used in releases up to 2.4.7, and emulate
- a backwards-compatible behavior for existing setups. [Kaspar Brand]
-
- *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
- OCSP requests should use a nonce to be checked against the responder's
- one. PR 56233. [Yann Ylavic, Kaspar Brand]
-
- *) mod_ssl: "SSLEngine off" will now override a Listen-based default
- and does disable mod_ssl for the vhost. [Joe Orton]
-
- *) mod_lua: Enforce the max post size allowed via r:parsebody()
- [Daniel Gruno]
-
- *) mod_lua: Use binary comparison to find boundaries for multipart
- objects, as to not terminate our search prematurely when hitting
- a NULL byte. [Daniel Gruno]
-
- *) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
- versions before 0.9.8h and not specifying an SSLCertificateChainFile
- (regression introduced with 2.4.8). PR 56410. [Kaspar Brand]
-
- *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
- no longer send warning-level unrecognized_name(112) alerts,
- and limit startup warnings to cases where an OpenSSL version
- without TLS extension support is used. PR 56241. [Kaspar Brand]
-
- *) mod_proxy_html: Avoid some possible memory access violation in case of
- specially crafted files, when the ProxyHTMLMeta directive is turned on.
- Follow up of PR 56287 [Christophe Jaillet]
-
- *) mod_auth_form: Make sure the optional functions are loaded even when
- the AuthFormProvider isn't specified. [Graham Leggett]
-
- *) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
- (and logging garbled file names). PR 56306. [Kaspar Brand]
-
- *) mod_ssl: fix merging of global and vhost-level settings with the
- SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
- directives. PR 56353. [Kaspar Brand]
-
- *) mod_headers: Allow the "value" parameter of Header and RequestHeader to
- contain an ap_expr expression if prefixed with "expr=". [Eric Covener]
-
- *) rotatelogs: Avoid creation of zombie processes when -p is used on
- Unix platforms. [Joe Orton]
-
- *) mod_authnz_fcgi: New module to enable FastCGI authorizer
- applications to authenticate and/or authorize clients.
- [Jeff Trawick]
-
- *) mod_proxy: Do not try to parse the regular expressions passed by
- ProxyPassMatch as URL as they do not follow their syntax.
- PR 56074. [Ruediger Pluem]
-
- *) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
- under the Event MPM. PR56216. [Frank Meier <frank meier ergon ch>]
-
- *) mod_proxy_fcgi: Fix sending of response without some HTTP headers
- that might be set by filters. PR 55558. [Jim Riggs <jim riggs.me>]
-
- *) mod_proxy_html: Do not delete the wrong data from HTML code when a
- "http-equiv" meta tag specifies a Content-Type behind any other
- "http-equiv" meta tag. PR 56287 [Micha Lenk <micha lenk info>]
-
- *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
- differs. PR 55782. [Yann Ylavic]
-
- *) Add suspend_connection and resume_connection hooks to notify modules
- when the thread/connection relationship changes. (Should be implemented
- for any third-party async MPMs.) [Jeff Trawick]
-
- *) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
- hangups from websockets origin servers. PR 56299
- [Yann Ylavic, Edward Lu <Chaosed0 gmail com>, Eric Covener]
-
- *) mod_proxy_wstunnel: Don't pool backend websockets connections,
- because we need to handshake every time. PR 55890.
- [Eric Covener]
-
- *) mod_lua: Redesign how request record table access behaves,
- in order to utilize the request record from within these tables.
- [Daniel Gruno]
-
- *) mod_lua: Add r:wspeek for peeking at WebSocket frames. [Daniel Gruno]
-
- *) mod_lua: Log an error when the initial parsing of a Lua file fails.
- [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
-
- *) mod_lua: Reformat and escape script error output.
- [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
-
- *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
- from causing response splitting.
- [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
-
- *) mod_lua: Disallow newlines in table values inside the request_rec,
- to prevent HTTP Response Splitting via tainted headers.
- [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
-
- *) mod_lua: Remove the non-working early/late arguments for
- LuaHookCheckUserID. [Daniel Gruno]
-
- *) mod_lua: Change IVM storage to use shm [Daniel Gruno]
-
- *) mod_lua: More verbose error logging when a handler function cannot be
- found. [Daniel Gruno]
-
-Changes with Apache 2.4.9
-
- *) mod_ssl: Work around a bug in some older versions of OpenSSL that
- would cause a crash in SSL_get_certificate for servers where the
- certificate hadn't been sent. [Stephen Henson]
-
- *) mod_lua: Add a fixups hook that checks if the original request is intended
- for LuaMapHandler. This fixes a bug where FallbackResource invalidates the
- LuaMapHandler directive in certain cases by changing the URI before the map
- handler code executes [Daniel Gruno, Daniel Ferradal <dferradal gmail com>].
-
-Changes with Apache 2.4.8 (not released)
-
- *) SECURITY: CVE-2014-0098 (cve.mitre.org)
- Clean up cookie logging with fewer redundant string parsing passes.
- Log only cookies with a value assignment. Prevents segfaults when
- logging truncated cookies.
- [William Rowe, Ruediger Pluem, Jim Jagielski]
-
- *) SECURITY: CVE-2013-6438 (cve.mitre.org)
- mod_dav: Keep track of length of cdata properly when removing
- leading spaces. Eliminates a potential denial of service from
- specifically crafted DAV WRITE requests
- [Amin Tora <Amin.Tora neustar.biz>]
-
- *) core: Support named groups and backreferences within the LocationMatch,
- DirectoryMatch, FilesMatch and ProxyMatch directives. (Requires
- non-ancient PCRE library) [Graham Leggett]
-
- *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
- TE/CL conflicts. [Yann Ylavic, Jim Jagielski]
-
- *) core: Detect incomplete request and response bodies, log an error and
- forward it to the underlying filters. PR 55475 [Yann Ylavic]
-
- *) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping
- execution when a handler is already set. PR53929. [Eric Covener]
-
- *) mod_ssl: Do not perform SNI / Host header comparison in case of a
- forward proxy request. [Ruediger Pluem]
-
- *) mod_ssl: Remove the hardcoded algorithm-type dependency for the
- SSLCertificateFile and SSLCertificateKeyFile directives, to enable
- future algorithm agility, and deprecate the SSLCertificateChainFile
- directive (obsoleted by SSLCertificateFile). [Kaspar Brand]
-
- *) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
- and IgnoreInherit to allow RewriteRules to be pushed from parent scopes
- to child scopes without explicitly configuring each child scope.
- PR56153. [Edward Lu <Chaosed0 gmail com>]
-
- *) prefork: Fix long delays when doing a graceful restart.
- PR 54852 [Jim Jagielski, Arkadiusz Miskiewicz <arekm maven pl>]
-
- *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
- 5+ instead of just for FreeBSD 5. PR 53824. [Jeff Trawick]
-
- *) mod_proxy_wstunnel: Avoid busy loop on client errors, drop message
- IDs 02445, 02446, and 02448 to TRACE1 from DEBUG. PR 56145.
- [Joffroy Christen <joffroy.christen solvaxis com>, Eric Covener]
-
- *) mod_remoteip: Correct the trusted proxy match test. PR 54651.
- [Yoshinori Ehara <yoshinori ehara gmail com>, Eugene L <eugenel amazon com>]
-
- *) mod_proxy_fcgi: Fix error message when an unexpected protocol version
- number is received from the application. PR 56110. [Jeff Trawick]
-
- *) mod_remoteip: Use the correct IP addresses to populate the proxy_ips field.
- PR 55972. [Mike Rumph]
-
- *) mod_lua: Update r:setcookie() to accept a table of options and add domain,
- path and httponly to the list of options available to set.
- PR 56128 [Edward Lu <Chaosed0 gmail com>, Daniel Gruno]
-
- *) mod_lua: Fix r:setcookie() to add, rather than replace,
- the Set-Cookie header. PR56105
- [Kevin J Walters <kjw ms com>, Edward Lu <Chaosed0 gmail com>]
-
- *) mod_lua: Allow for database results to be returned as a hash with
- row-name/value pairs instead of just row-number/value. [Daniel Gruno]
-
- *) mod_rewrite: Add %{CONN_REMOTE_ADDR} as the non-useragent counterpart to
- %{REMOTE_ADDR}. PR 56094. [Edward Lu <Chaosed0 gmail com>]
-
- *) WinNT MPM: If ap_run_pre_connection() fails or sets c->aborted, don't
- save the socket for reuse by the next worker as if it were an
- APR_SO_DISCONNECTED socket. Restores 2.2 behavior. [Eric Covener]
-
- *) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a URL
- that was just rewritten by mod_rewrite. PR53929. [Eric Covener]
-
- *) mod_session: When we have a session we were unable to decode,
- behave as if there was no session at all. [Thomas Eckert
- <thomas.r.w.eckert gmail com>]
-
- *) mod_session: Fix problems interpreting the SessionInclude and
- SessionExclude configuration. PR 56038. [Erik Pearson
- <erik adaptations.com>]
-
- *) mod_authn_core: Allow <AuthnProviderAlias>'es to be seen from auth
- stanzas under virtual hosts. PR 55622. [Eric Covener]
-
[... 3453 lines stripped ...]