You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by dr...@apache.org on 2018/10/22 14:13:09 UTC
svn commit: r30217 [2/2] - /dev/httpd/CHANGES_2.4
Added: dev/httpd/CHANGES_2.4
==============================================================================
--- dev/httpd/CHANGES_2.4 (added)
+++ dev/httpd/CHANGES_2.4 Mon Oct 22 14:13:09 2018
@@ -0,0 +1,5928 @@
+ -*- coding: utf-8 -*-
+Changes with Apache 2.4.35
+
+ *) http: Enforce consistently no response body with both 204 and 304
+ statuses. [Yann Ylavic]
+
+ *) mod_status: Cumulate CPU time of exited child processes in the
+ "cu" and "cs" values. Add CPU time of the parent process to the
+ "c" and "s" values.
+ [Rainer Jung]
+
+ *) mod_proxy: Improve the balancer member data shown in mod_status when
+ "ProxyStatus" is "On": add "busy" count and show byte counts in
+ auto mode always in units of kilobytes. [Rainer Jung]
+
+ *) mod_status: Add cumulated response duration time in milliseconds.
+ [Rainer Jung]
+
+ *) mod_status: Complete the data shown for async MPMs in "auto" mode.
+ Added number of processes, number of stopping processes and number
+ of busy and idle workers. [Rainer Jung]
+
+ *) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
+ introduced in 2.4.34. PR 62568. [Yann Ylavic]
+
+ *) mod_proxy: Remove load order and link dependency between mod_lbmethod_*
+ modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe]
+
+ *) Allow the argument to <IfFile>, <IfDefine>, <IfSection>, <IfDirective>,
+ and <IfModule> to be quoted. This is primarily for the benefit of
+ <IfFile>. [Eric Covener]
+
+ *) mod_watchdog: Correct some log messages. [Rainer Jung]
+
+ *) mod_md: When the last domain name from an MD is moved to another one,
+ that now empty MD gets moved to the store archive. PR 62572.
+ [Stefan Eissing]
+
+ *) mod_ssl: Fix merging of SSLOCSPOverrideResponder. [Jeff Trawick,
+ [Frank Meier <frank meier ergon.ch>]
+
+ *) mod_proxy_balancer: Restore compatibility with APR 1.4. [Joe Orton]
+
+Changes with Apache 2.4.34
+
+ *) SECURITY: CVE-2018-8011 (cve.mitre.org)
+ mod_md: DoS via Coredumps on specially crafted requests
+
+ *) SECURITY: CVE-2018-1333 (cve.mitre.org)
+ mod_http2: DoS for HTTP/2 connections by specially crafted requests
+
+ *) Introduce zh-cn and zh-tw (simplified and traditional Chinese) error
+ document translations. [CodeingBoy, popcorner]
+
+ *) event: avoid possible race conditions with modules on the child pool.
+ [Stefan Fritsch]
+
+ *) mod_proxy: Fix a corner case where the ProxyPassReverseCookieDomain or
+ ProxyPassReverseCookiePath directive could fail to update correctly
+ 'domain=' or 'path=' in the 'Set-Cookie' header. PR 61560.
+ [Christophe Jaillet]
+
+ *) mod_ratelimit: fix behavior when proxing content. PR 62362.
+ [Luca Toscano, Yann Ylavic]
+
+ *) core: Re-allow '_' (underscore) in hostnames.
+ [Eric Covener]
+
+ *) mod_authz_core: If several parameters are used in a AuthzProviderAlias
+ directive, if these parameters are not enclosed in quotation mark, only
+ the first one is handled. The other ones are silently ignored.
+ Add a message to warn about such a spurious configuration.
+ PR 62469 [Hank Ibell <hwibell gmail.com>, Christophe Jaillet]
+
+ *) mod_md: improvements and bugfixes
+ - MDNotifyCmd now takes additional parameter that are passed on to the called command.
+ - ACME challenges have better checks for interference with other modules
+ - ACME challenges are only handled for domains managed by the module, allowing
+ other ACME clients to operate for other domains in the server.
+ - better libressl integration
+
+ *) mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'.
+ PR 62480. [Lubos Uhliarik <luhliari redhat.com>}
+
+ *) logging: Some early logging-related startup messages could be lost
+ when using syslog for the global ErrorLog. [Eric Covener]
+
+ *) mod_cache: Handle case of an invalid Expires header value RFC compliant
+ like the case of an Expires time in the past: allow to overwrite the
+ non-caching decision using CacheStoreExpired and respect Cache-Control
+ "max-age" and "s-maxage". [Rainer Jung]
+
+ *) mod_xml2enc: Fix forwarding of error metadata/responses. PR 62180.
+ [Micha Lenk <micha lenk.info>, Yann Ylavic]
+
+ *) mod_proxy_http: Fix response header thrown away after the previous one
+ was considered too large and truncated. PR 62196. [Yann Ylavic]
+
+ *) core: Add and handle AP_GETLINE_NOSPC_EOL flag for ap_getline() family
+ of functions to consume the end of line when the buffer is exhausted.
+ PR 62198. [Yann Ylavic]
+
+ *) mod_proxy_http: Add new worker parameter 'responsefieldsize' to
+ allow maximum HTTP response header size to be increased past 8192
+ bytes. PR 62199. [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_ssl: Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf
+ of a certificate chain. PR62112.
+ [Ricardo Martin Camarero <rickyepoderi yahoo.es>]
+
+ *) http: Fix small memory leak per request when handling persistent
+ connections. [Ruediger Pluem, Joe Orton]
+
+ *) mod_proxy_html: Fix variable interpolation and memory allocation failure
+ in ProxyHTMLURLMap. [Ewald Dieterich <ewald mailbox.org>]
+
+ *) mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.
+ PR 62220. [Chritophe Jaillet, Yann Ylavic]
+
+ *) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
+ zero out what had been initialized as the connection-level port. PR59931.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: In ONE_PROCESS/debug mode, cleanup everything when exiting.
+ [Yann Ylavic]
+
+ *) mod_proxy_balancer: Add hot spare member type and corresponding flag (R).
+ Hot spare members are used as drop-in replacements for unusable workers
+ in the same load balancer set. This differs from hot standbys which are
+ only used when all workers in a set are unusable. PR 61140. [Jim Riggs]
+
+ *) suexec: Add --enable-suexec-capabilites support on Linux, to use
+ setuid/setgid capability bits rather than a setuid root binary.
+ [Joe Orton]
+
+ *) suexec: Add support for logging to syslog as an alternative to
+ logging to a file; use --without-suexec-logfile --with-suexec-syslog.
+ [Joe Orton]
+
+ *) mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling
+ which broke some rare but previously-working configs. [Joe Orton]
+
+ *) core, log: improve sanity checks for the ErrorLog's syslog config, and
+ explicitly allow only lowercase 'syslog' settings. PR 62102
+ [Luca Toscano, Jim Riggs, Christophe Jaillet]
+
+ *) mod_http2: accurate reporting of h2 data input/output per request via
+ mod_logio. Fixes an issue where output sizes where counted n-times on
+ reused slave connections. [Stefan Eissing]
+ See github issue: https://github.com/icing/mod_h2/issues/158
+
+ *) mod_http2: Fix unnecessary timeout waits in case streams are aborted.
+ [Stefan Eissing]
+
+ *) mod_http2: restoring the v1.10.16 keepalive timeout behaviour of mod_http2.
+ [Stefan Eissing]
+
+ *) mod_proxy: Do not restrict the maximum pool size for backend connections
+ any longer by the maximum number of threads per process and use a better
+ default if mod_http2 is loaded.
+ [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Gregg Smith]
+
+ *) mod_slotmem_shm: Add generation number to shm filename to fix races
+ with graceful restarts. PRs 62044 and 62308. [Jim Jagielski, Yann Ylavic]
+
+ *) core: Preserve the original HTTP request method in the '%<m' LogFormat
+ when an path-based ErrorDocument is used. PR 62186.
+ [Micha Lenk <micha lenk.info>]
+
+ *) mod_remoteip: make proxy-protocol work on slave connections, e.g. in
+ HTTP/2 requests. [Stefan Eissing]
+ See also https://github.com/roadrunner2/mod-proxy-protocol/issues/6
+
+ *) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
+ regression introduced in 2.4.30. PR 62232. [Rainer Jung, Yann Ylavic]
+
+ *) mod_md: Fix compilation with OpenSSL before version 1.0.2. [Rainer Jung]
+
+ *) mod_dumpio: do nothing below log level TRACE7. [Yann Ylavic]
+
+ *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
+ [Eric Covener]
+
+ *) core: On ECBDIC platforms, some errors related to oversized headers
+ may be misreported or be logged as ASCII escapes. PR 62200
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_ssl: Fix cmake-based build. PR 62266. [Rainer Jung]
+
+ *) core: Add <IfFile>, <IfDirective> and <IfSection> conditional
+ section containers. [Eric Covener, Joe Orton]
+
+Changes with Apache 2.4.33
+
+ *) core: Fix request timeout logging and possible crash for error_log hooks.
+ [Yann Ylavic]
+
+ *) mod_slomem_shm: Fix failure to create balancers's slotmems in Windows MPM,
+ where children processes need to attach them instead since they are owned
+ by the parent process already. [Yann Ylavic]
+
+ *) ab: try all destination socket addresses returned by
+ apr_sockaddr_info_get instead of failing on first one when not available.
+ Needed for instance if localhost resolves to both ::1 and 127.0.0.1
+ e.g. if both are in /etc/hosts. [Jan Kaluza]
+
+ *) ab: Use only one connection to determine working destination socket
+ address. [Jan Kaluza]
+
+ *) ab: LibreSSL doesn't have or require Windows applink.c. [Gregg L. Smith]
+
+ *) htpasswd/htdigest: Disable support for bcrypt on EBCDIC platforms.
+ apr-util's bcrypt implementation doesn't tolerate EBCDIC. [Eric Covener]
+
+ *) htpasswd/htdbm: report the right limit when get_password() overflows.
+ [Yann Ylavic]
+
+ *) htpasswd: Don't fail in -v mode if password file is unwritable.
+ PR 61631. [Joe Orton]
+
+ *) htpasswd: don't point to (unused) stack memory on output
+ to make static analysers happy. PR 60634.
+ [Yann Ylavic, reported by shqking and Zhenwei Zou]
+
+Changes with Apache 2.4.32
+
+ *) mod_access_compat: Fail if a comment is found in an Allow or Deny
+ directive. [Jan Kaluza]
+
+ *) mod_authz_host: Ignore comments after "Require host", logging a
+ warning, or logging an error if the line is otherwise empty.
+ [Jan Kaluza, Joe Orton]
+
+ *) rotatelogs: Fix expansion of %Z in localtime (-l) mode, and fix
+ Y2K38 bug. [Joe Orton]
+
+ *) mod_ssl: Support SSL DN raw variable extraction without conversion
+ to UTF-8, using _RAW suffix on variable names. [Joe Orton]
+
+ *) ab: Fix https:// connection failures (regression in 2.4.30); fix
+ crash generating CSV output for large -n. [Joe Orton, Jan Kaluza]
+
+Changes with Apache 2.4.31 (not released)
+
+ *) mod_proxy_fcgi: Add the support for mod_proxy's flushpackets and flushwait
+ parameters. [Luca Toscano, Ruediger Pluem, Yann Ylavic]
+
+ *) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
+ improper merging of the cache lock in vhost config.
+ PR 43164 [Eric Covener]
+
+ *) mpm_event: Do lingering close in worker(s). [Yann Ylavic]
+
+ *) mpm_queue: Put fdqueue code in common for MPMs event and worker.
+ [Yann Ylavic]
+
+Changes with Apache 2.4.30 (not released)
+
+ *) SECURITY: CVE-2017-15710 (cve.mitre.org)
+ Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
+ [Eric Covener, Luca Toscano, Yann Ylavic]
+
+ *) SECURITY: CVE-2018-1283 (cve.mitre.org)
+ mod_session: CGI-like applications that intend to read from mod_session's
+ 'SessionEnv ON' could be fooled into reading user-supplied data instead.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2018-1303 (cve.mitre.org)
+ mod_cache_socache: Fix request headers parsing to avoid a possible crash
+ with specially crafted input data. [Ruediger Pluem]
+
+ *) SECURITY: CVE-2018-1301 (cve.mitre.org)
+ core: Possible crash with excessively long HTTP request headers.
+ Impractical to exploit with a production build and production LogLevel.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2017-15715 (cve.mitre.org)
+ core: Configure the regular expression engine to match '$' to the end of
+ the input string only, excluding matching the end of any embedded
+ newline characters. Behavior can be changed with new directive
+ 'RegexDefaultOptions'. [Yann Ylavic]
+
+ *) SECURITY: CVE-2018-1312 (cve.mitre.org)
+ mod_auth_digest: Fix generation of nonce values to prevent replay
+ attacks across servers using a common Digest domain. This change
+ may cause problems if used with round robin load balancers. PR 54637
+ [Stefan Fritsch]
+
+ *) SECURITY: CVE-2018-1302 (cve.mitre.org)
+ mod_http2: Potential crash w/ mod_http2.
+ [Stefan Eissing]
+
+ *) mod_proxy: Worker schemes and hostnames which are too large are no
+ longer fatal errors; it is logged and the truncated values are stored.
+ [Jim Jagielski]
+
+ *) mod_proxy: Allow setting options to globally defined balancer from
+ ProxyPass used in VirtualHost. Balancers are now merged using the new
+ merge_balancers method which merges the balancers options. [Jan Kaluza]
+
+ *) logresolve: Fix incorrect behavior or segfault if -c flag is used
+ Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259
+ [Stefan Fritsch]
+
+ *) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
+ Add ability for PROXY protocol processing to be optional to donated code.
+ See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
+ [Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri]
+
+ *) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
+ allowing per backend TLS configuration. [Yann Ylavic]
+
+ *) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module. [Roberto De Ioris,
+ Jim Jagielski]
+
+ *) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
+ depend on the number of restarts (non-Unix systems) and preserve shared
+ names as much as possible on configuration changes for SHMs and persisted
+ files. PR 62044. [Yann Ylavic, Jim Jagielski]
+
+ *) mod_http2: obsolete code removed, no more events on beam pool destruction,
+ discourage content encoders on http2-status response (where they do not work).
+ [Stefan Eissing]
+
+ *) mpm_event: Let the listener thread do its maintenance job on resources
+ shortage. PR 61979. [Yann Ylavic]
+
+ *) mpm_event: Wakeup the listener to re-enable listening sockets.
+ [Yann Ylavic]
+
+ *) mod_ssl: The SSLCompression directive will now give an error if used
+ with an OpenSSL build which does not support any compression methods.
+ [Joe Orton]
+
+ *) mpm_event,worker: Mask signals for threads created by modules in child
+ init, so that they don't receive (implicitely) the ones meant for the MPM.
+ PR 62009. [Armin Abfalterer <a.abfalterer gmail com>, Yann Ylavic]
+
+ *) mod_md: new experimental, module for managing domains across virtual hosts,
+ implementing the Let's Encrypt ACMEv1 protocol to signup and renew
+ certificates. Please read the modules documentation for further instructions
+ on how to use it. [Stefan Eissing]
+
+ *) mod_proxy_html: skip documents shorter than 4 bytes
+ PR 56286 [Micha Lenk <micha lenk info>]
+
+ *) core, mpm_event: Avoid a small memory leak of the scoreboard handle, for
+ the lifetime of the connection, each time it is processed by MPM event.
+ [Yann Ylavic]
+
+ *) mpm_event: Update scoreboard status for KeepAlive state. [Yann Ylavic]
+
+ *) mod_ldap: Fix a case where a full LDAP cache would continually fail to
+ purge old entries and log AH01323. PR61891.
+ [Hendrik Harms <hendrik.harms gmail.com>]
+
+ *) mpm_event: close connections not reported as handled by any module to
+ avoid losing track of them and leaking scoreboard entries. PR 61551.
+ [Yann Ylavic]
+
+ *) core: A signal received while stopping could have crashed the main
+ process. PR 61558. [Yann Ylavic]
+
+ *) mod_ssl: support for mod_md added. [Stefan Eissing]
+
+ *) mod_proxy_html: process parsed comments immediately.
+ Fixes bug (seen in the wild when used with IBM's HTTPD bundle)
+ where parsed comments may be lost. [Nick Kew]
+
+ *) mod_proxy_html: introduce doctype for HTML 5 [Nick Kew]
+
+ *) mod_proxy_html: fix typo-bug processing "strict" vs "transitional"
+ HTML/XHTML. PR 56457 [Nick Kew]
+
+ *) mpm_event: avoid a very unlikely race condition between the listener and
+ the workers when the latter fails to add a connection to the pollset.
+ [Yann Ylavic]
+
+ *) core: silently ignore a not existent file path when IncludeOptional
+ is used. PR 57585. [Alberto Murillo Silva <powerbsd yahoo.com>, Luca Toscano]
+
+ *) mod_macro: fix usability of globally defined macros in .htaccess files.
+ PR 57525. [Jose Kahan <jose w3.org>, Yann Ylavic]
+
+ *) mod_rewrite, core: add the Vary header when a condition evaluates to true
+ and the related RewriteRule is used in a Directory context
+ (triggering an internal redirect). [Luca Toscano]
+
+ *) ab: Make the TLS layer aware that the underlying socket is nonblocking,
+ and use/handle POLLOUT where needed to avoid busy IOs and recover write
+ errors when appropriate. [Yann Ylavic]
+
+ *) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
+ read was incomplete (the SSL case can cause the next poll() to timeout
+ since data are buffered already). PR 61301 [Luca Toscano, Yann Ylavic]
+
+ *) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain
+ information retrievals on null bucket beams where it makes sense. [Stefan Eissing]
+
+Changes with Apache 2.4.29
+
+ *) mod_unique_id: Use output of the PRNG rather than IP address and
+ pid, avoiding sleep() call and possible DNS issues at startup,
+ plus improving randomness for IPv6-only hosts. [Jan Kaluza]
+
+ *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST
+ is used in a condition that evaluates to true. PR 58231 [Luca Toscano, Yann Ylavic]
+
+ *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
+ beams that could lead to assertion failure in edge cases.
+ [Stefan Eissing]
+
+ *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
+ in 2.4.28. [Jim Jagielski]
+
+ *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
+ PR 61546. [Lubos Uhliarik <luhliari redhat.com>]
+
+ *) mod_rewrite: Add support for starting External Rewriting Programs
+ as non-root user on UNIX systems by specifying username and group
+ name as third argument of RewriteMap directive. [Jan Kaluza]
+
+ *) core: Rewrite the Content-Length filter to avoid excessive memory
+ consumption. Chunked responses will be generated in more cases
+ than in previous releases. PR 61222. [Joe Orton, Ruediger Pluem]
+
+ *) mod_ssl: Fix SessionTicket callback return value, which does seem to
+ matter with OpenSSL 1.1. [Yann Ylavic]
+
+Changes with Apache 2.4.28
+
+ *) SECURITY: CVE-2017-9798 (cve.mitre.org)
+ Corrupted or freed memory access. <Limit[Except]> must now be used in the
+ main configuration file (httpd.conf) to register HTTP methods before the
+ .htaccess files. [Yann Ylavic]
+
+ *) event: Avoid possible blocking in the listener thread when shutting down
+ connections. PR 60956. [Yann Ylavic]
+
+ *) mod_speling: Don't embed referer data in a link in error page.
+ PR 38923 [Nick Kew]
+
+ *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
+ length in a password file. PR 61511.
+ [Luca Toscano, Hanno Böck <hanno hboeck de>]
+
+ *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
+ [Jim Jagielski]
+
+ *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
+ PR 61142.
+
+ *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
+ down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
+ 's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]
+
+ *) mod_http2: Fix for stalling when more than 32KB are written to a
+ suspended stream. [Stefan Eissing]
+
+ *) build: allow configuration without APR sources. [Jacob Champion]
+
+ *) mod_ssl, ab: Fix compatibility with LibreSSL. PR 61184.
+ [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
+ Yann Ylavic]
+
+ *) core/log: Support use of optional "tag" in syslog entries.
+ PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]
+
+ *) mod_proxy: Fix ProxyAddHeaders merging. [Joe Orton]
+
+ *) core: Disallow multiple Listen on the same IP:port when listener buckets
+ are configured (ListenCoresBucketsRatio > 0), consistently with the single
+ bucket case (default), thus avoiding the leak of the corresponding socket
+ descriptors on graceful restart. [Yann Ylavic]
+
+ *) event: Avoid listener periodic wake ups by using the pollset wake-ability
+ when available. PR 57399. [Yann Ylavic, Luca Toscano]
+
+ *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
+ led to spurious HTTP 502 error messages sent on upgrade connections.
+ PR 61283. [Yann Ylavic]
+
+Changes with Apache 2.4.27
+
+ *) SECURITY: CVE-2017-9789 (cve.mitre.org)
+ mod_http2: Read after free. When under stress, closing many connections,
+ the HTTP/2 handling code would sometimes access memory after it has been
+ freed, resulting in potentially erratic behaviour.
+ [Stefan Eissing]
+
+ *) SECURITY: CVE-2017-9788 (cve.mitre.org)
+ mod_auth_digest: Uninitialized memory reflection. The value placeholder
+ in [Proxy-]Authorization headers type 'Digest' was not initialized or
+ reset before or between successive key=value assignments.
+ [William Rowe]
+
+ *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
+ global variable when using Lua 5.2 or later. This was exported as a
+ side effect from luaL_register, which is no longer supported as of
+ Lua 5.2 which deprecates pollution of the global namespace.
+ [Rainer Jung]
+
+ *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
+ The server will continue to run, but HTTP/2 will no longer be negotiated.
+ [Stefan Eissing]
+
+ *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
+ default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
+ [Jacob Champion, Jim Jagielski]
+
+ *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
+ PR58188, PR60831, PR61245. [Rainer Jung]
+
+ *) mod_http2: Simplify ready queue, less memory and better performance. Update
+ mod_http2 version to 1.10.7. [Stefan Eissing]
+
+ *) Allow single-char field names inadvertently disallowed in 2.4.25.
+ PR 61220. [Yann Ylavic]
+
+ *) htpasswd / htdigest: Do not apply the strict permissions of the temporary
+ passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]
+
+ *) core: Avoid duplicate HEAD in Allow header.
+ This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
+ PR 61207. [Christophe Jaillet]
+
+Changes with Apache 2.4.26
+
+ *) SECURITY: CVE-2017-7679 (cve.mitre.org)
+ mod_mime can read one byte past the end of a buffer when sending a
+ malicious Content-Type response header. [Yann Ylavic]
+
+ *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+ The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+ bug in token list parsing, which allows ap_find_token() to search past
+ the end of its input string. By maliciously crafting a sequence of
+ request headers, an attacker may be able to cause a segmentation fault,
+ or to force ap_find_token() to return an incorrect value.
+ [Jacob Champion]
+
+ *) SECURITY: CVE-2017-7659 (cve.mitre.org)
+ A maliciously constructed HTTP/2 request could cause mod_http2 to
+ dereference a NULL pointer and crash the server process.
+
+ *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+ mod_ssl may dereference a NULL pointer when third-party modules call
+ ap_hook_process_connection() during an HTTP request to an HTTPS port.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2017-3167 (cve.mitre.org)
+ Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+ authentication phase may lead to authentication requirements being
+ bypassed.
+ [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+
+ *) HTTP/2 support no longer tagged as "experimental" but is instead considered
+ fully production ready.
+
+ *) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
+ the session in continuous check for state changes that never happen.
+ [Stefan Eissing]
+
+ *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
+ protocols. [Jean-Frederic Clere]
+
+ *) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
+ a possible crash if a signal is caught during (graceful) restart.
+ PR 60487. [Yann Ylavic]
+
+ *) mod_rewrite: When a substitution is a fully qualified URL, and the
+ scheme/host/port matches the current virtual host, stop interpreting the
+ path component as a local path just because the first component of the
+ path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
+ to revert to previous behavior. PR60009.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
+ platforms. PR61124. [Hank Ibell <hwibell gmail.com>]
+
+ *) ab: enable option processing for setting a custom HTTP method also for
+ non-SSL builds. [Rainer Jung]
+
+ *) core: EBCDIC fixes for interim responses with additional headers.
+ [Eric Covener]
+
+ *) mod_env: when processing a 'SetEnv' directive, warn if the environment
+ variable name includes a '='. It is likely a configuration error.
+ PR 60249 [Christophe Jaillet]
+
+ *) Evaluate nested If/ElseIf/Else configuration blocks.
+ [Luca Toscano, Jacob Champion]
+
+ *) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
+ allow spaces in backreferences to be encoded as %20 instead of '+'.
+ [Eric Covener]
+
+ *) mod_rewrite: Add the possibility to limit the escaping to specific
+ characters in backreferences by listing them in the B flag.
+ [Eric Covener]
+
+ *) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
+ systems. [Eric Covener]
+
+ *) mod_http2: fail requests without ERROR log in case we need to read interim
+ responses and see only garbage. This can happen if proxied servers send
+ data where none should be, e.g. a body for a HEAD request. [Stefan Eissing]
+
+ *) mod_proxy_http2: adding support for Reverse Proxy Request headers.
+ [Stefan Eissing]
+
+ *) mod_http2: fixed possible deadlock that could occur when connections were
+ terminated early with ongoing streams. Fixed possible hanger with timeout
+ on race when connection considers itself idle. [Stefan Eissing]
+
+ *) mod_http2: MaxKeepAliveRequests now limits the number of times a
+ slave connection gets reused. [Stefan Eissing]
+
+ *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
+ [Evgeny Kotkov]
+
+ *) mod_proxy_http2: Fixed bug in re-attempting proxy requests after
+ connection error. Reliability of reconnect handling improved.
+ [Stefan Eissing]
+
+ *) mod_http2: better performance, eliminated need for nested locks and
+ thread privates. Moving request setups from the main connection to the
+ worker threads. Increase number of spare connections kept.
+ [Stefan Eissing]
+
+ *) mod_http2: input buffering and dynamic flow windows for increased
+ throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
+ in mod_http2 INFO log as feature 'DWINS'. [Stefan Eissing]
+
+ *) mod_http2: h2 workers with improved scalability for better scheduling
+ performance. There are H2MaxWorkers threads created at start and the
+ number is kept constant for now. [Stefan Eissing]
+
+ *) mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and
+ just log a warning. [Stefan Eissing]
+
+ *) mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date
+ format from 2.2 in the Last Modified column. PR60846.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: Add %{REMOTE_PORT} to the expression parser. PR59938
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
+ computing and using the same entity key according to when the cache
+ checks, loads and saves the request.
+ PR 60577. [Yann Ylavic]
+
+ *) mod_proxy_hcheck: Don't validate timed out responses. [Yann Ylavic]
+
+ *) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
+ in use (ProxyHCTPsize > 0). PR 60071. [Yann Ylavic, Jim Jagielski]
+
+ *) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
+ URI originally requsted by the user, not the nested documents URI. This
+ restores the behavior of this variable to match the "legacy" SSI parser.
+ PR60624. [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
+ variables just before invoking the FastCGI. [Eric Covener,
+ Jacob Champion]
+
+ *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
+ a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
+ default. Add ProxyFCGIBackendType to allow the type of backend to be
+ specified so these kinds of fixups can be restored without impacting
+ FPM. PR60576 [Eric Covener, Jim Jagielski]
+
+ *) mod_ssl: work around leaks on (graceful) restart. [Yann Ylavic]
+
+ *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
+
+ *) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
+ than zero. [Eric Covener]
+
+ *) mod_http2: moving session cleanup to pre_close hook to avoid races with
+ modules already shut down and slave connections still operating.
+ [Stefan Eissing]
+
+ *) mod_lua: Support for Lua 5.3
+
+ *) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
+
+ *) mod_http2: fix for crash when running out of memory.
+ [Robert Swiecki <robert swiecki.net>, Stefan Eissing]
+
+ *) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
+ [Luca Toscano]
+
+ *) mod_http2: not counting file buckets again stream max buffer limits.
+ Effectively transfering static files in one step from slave to master
+ connection. [Stefan Eissing]
+
+ *) mod_http2: comforting ap_check_pipeline() on slave connections
+ to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
+ [Stefan Eissing, reported by Armin Abfalterer]
+
+ *) mod_http2: http/2 streams now with state handling/transitions as defined
+ in RFC7540. Stream cleanup/connection shutdown reworked to become easier
+ to understand/maintain/debug. Added many asserts on state and cleanup
+ transitions. [Stefan Eissing]
+
+ *) mod_auth_digest: Use an anonymous shared memory segment by default,
+ preventing startup failure after unclean shutdown. PR 54622.
+ [Jan Kaluza]
+
+ *) mod_filter: Fix AddOutputFilterByType with non-content-level filters.
+ PR 58856. [Micha Lenk <micha lenk.info>]
+
+ *) mod_watchdog: Fix semaphore leak over restarts. [Jim Jagielski]
+
+ *) mod_http2: regression fix on PR 59348, on graceful restart, ongoing
+ streams are finished normally before the final GOAWAY is sent.
+ [Stefan Eissing, <slavko gmail.com>]
+
+ *) mod_proxy: Allow the per-request environment variable "no-proxy" to
+ be used as an alternative to ProxyPass /path !. This is primarily
+ to set exceptions for ProxyPass specified in <Location> context.
+ Use SetEnvIf, not SetEnv. PR 60458. [Eric Covener]
+
+ *) mod_http2: fixes PR60599, sending proper response for conditional requests
+ answered by mod_cache. [Jeff Wheelhouse, Stefan Eissing]
+
+ *) mod_http2: rework of stream resource cleanup to avoid a crash in a close
+ of a lingering connection. Prohibit special file bucket beaming for
+ shared buckets. Files sent in stream output now use the stream pool
+ as read buffer, reducing memory footprint of connections.
+ [Yann Ylavic, Stefan Eissing]
+
+ *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
+ modules add empty environment variables to the request. PR 60275.
+ [<alex2grad AT gmail.com>]
+
+ *) mod_http2: fix for possible page fault when stream is resumed during
+ session shutdown. [sidney-j-r-m (github)]
+
+ *) mod_http2: fix for h2 session ignoring new responses while already
+ open streams continue to have data available. [Stefan Eissing]
+
+ *) mod_http2: adding support for MergeTrailers directive. [Stefan Eissing]
+
+ *) mod_http2: limiting DATA frame sizes by TLS record sizes in use on the
+ connection. Flushing outgoing frames earlier. [Stefan Eissing]
+
+ *) mod_http2: cleanup beamer registry on server reload. PR 60510.
+ [Pavel Mateja <pavel verotel.cz>, Stefan Eissing]
+
+ *) mod_proxy_{ajp,fcgi}: Fix a possible crash when reusing an established
+ backend connection, happening with LogLevel trace2 or higher configured,
+ or at any log level with compilers not detected as C99 compliant (e.g.
+ MSVC on Windows). [Yann Ylavic]
+
+ *) mod_ext_filter: Don't interfere with "error buckets" issued by other
+ modules. PR 60375. [Eric Covener, Lubos Uhliarik]
+
+ *) mod_http2: fixes https://github.com/icing/mod_h2/issues/126 e.g. beam
+ bucket lifetime handling when data is sent over temporary pools.
+ [Stefan Eissing]
+
+Changes with Apache 2.4.25
+
+ *) Fix some build issues related to various modules.
+ [Rainer Jung]
+
+Changes with Apache 2.4.24 (not released)
+
+ *) SECURITY: CVE-2016-8740 (cve.mitre.org)
+ mod_http2: Mitigate DoS memory exhaustion via endless
+ CONTINUATION frames.
+ [Naveen Tiwari <na...@asu.edu> and CDF/SEFCOM at Arizona State
+ University, Stefan Eissing]
+
+ *) SECURITY: CVE-2016-2161 (cve.mitre.org)
+ mod_auth_digest: Prevent segfaults during client entry allocation when
+ the shared memory space is exhausted.
+ [Maksim Malyutin <m.malyutin dsec.ru>, Eric Covener, Jacob Champion]
+
+ *) SECURITY: CVE-2016-0736 (cve.mitre.org)
+ mod_session_crypto: Authenticate the session data/cookie with a
+ MAC (SipHash) to prevent deciphering or tampering with a padding
+ oracle attack. [Yann Ylavic, Colm MacCarthaigh]
+
+ *) SECURITY: CVE-2016-8743 (cve.mitre.org)
+ Enforce HTTP request grammar corresponding to RFC7230 for request lines
+ and request headers, to prevent response splitting and cache pollution by
+ malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
+
+ *) Validate HTTP response header grammar defined by RFC7230, resulting
+ in a 500 error in the event that invalid response header contents are
+ detected when serving the response, to avoid response splitting and cache
+ pollution by malicious clients, upstream servers or faulty modules.
+ [Stefan Fritsch, Eric Covener, Yann Ylavic]
+
+ *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
+ [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
+
+ *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
+ looping RewriteRules when the local path significantly exceeds
+ LimitRequestLine. PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]
+
+ *) mod_ratelimit: Allow for initial "burst" amount at full speed before
+ throttling: PR 60145 [Andy Valencia <ajv-etradanalhos vsta.org>,
+ Jim Jagielski]
+
+ *) mod_socache_memcache: Provide memcache stats to mod_status.
+ [Jim Jagielski]
+
+ *) mod_file_cache: mod_file_cache should be able to serve files that
+ haven't had a Content-Type set via e.g. mod_mime. [Eric Covener]
+
+ *) http_filters: Fix potential looping in new check_headers() due to new
+ pattern of ap_die() from http header filter. Explicitly clear the
+ previous headers and body.
+
+ *) core: Drop Content-Length header and message-body from HTTP 204 responses.
+ PR 51350 [Luca Toscano]
+
+ *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is
+ configured in <Location>, like in 2.2. PR 60458.
+ [Eric Covener]
+
+ *) mod_lua: Fix default value of LuaInherit directive. It should be
+ 'parent-first' instead of 'none', as per documentation. PR 60419
+ [Christophe Jaillet]
+
+ *) core: New directive HttpProtocolOptions to control httpd enforcement
+ of various RFC7230 requirements. [Stefan Fritsch, William Rowe]
+
+ *) core: Permit unencoded ';' characters to appear in proxy requests and
+ Location: response headers. Corresponds to modern browser behavior.
+ [William Rowe]
+
+ *) core: ap_rgetline_core now pulls from r->proto_input_filters.
+
+ *) core: Correctly parse an IPv6 literal host specification in an absolute
+ URL in the request line. [Stefan Fritsch]
+
+ *) core: New directive RegisterHttpMethod for registering non-standard
+ HTTP methods. [Stefan Fritsch]
+
+ *) mod_socache_memcache: Pass expiration time through to memcached. PR 55445.
+ [Faidon Liambotis <paravoid debian.org>, Joe Orton]
+
+ *) mod_cache: Use the actual URI path and query-string for identifying the
+ cached entity (key), such that rewrites are taken into account when
+ running afterwards (CacheQuickHandler off). PR 21935. [Yann Ylavic]
+
+ *) mod_http2: new directive 'H2EarlyHints' to enable sending of HTTP status
+ 103 interim responses. Disabled by default. [Stefan Eissing]
+
+ *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
+ in the client certificate chain. PR 55786. [Yann Ylavic]
+
+ *) event: Allow to use the whole allocated scoreboard (up to ServerLimit
+ slots) to avoid scoreboard full errors when some processes are finishing
+ gracefully. Also, make gracefully finishing processes close all
+ keep-alive connections. PR 53555. [Stefan Fritsch]
+
+ *) mpm_event: Don't take over scoreboard slots from gracefully finishing
+ threads. [Stefan Fritsch]
+
+ *) mpm_event: Free memory earlier when shutting down processes.
+ [Stefan Fritsch]
+
+ *) mod_status: Display the process slot number in the async connection
+ overview. [Stefan Fritsch]
+
+ *) mod_dir: Responses that go through "FallbackResource" might appear to
+ hang due to unterminated chunked encoding. PR58292. [Eric Covener]
+
+ *) mod_dav: Fix a potential cause of unbounded memory usage or incorrect
+ behavior in a routine that sends <DAV:response>'s to the output filters.
+ [Evgeny Kotkov]
+
+ *) mod_http2: new directive 'H2PushResource' to enable early pushes before
+ processing of the main request starts. Resources are announced to the
+ client in Link headers on a 103 early hint response.
+ All responses with status code <400 are inspected for Link header and
+ trigger pushes accordingly. 304 still does prevent pushes.
+ 'H2PushResource' can mark resources as 'critical' which gives them higher
+ priority than the main resource. This leads to preferred scheduling for
+ processing and, when content is available, will send it first. 'critical'
+ is also recognized on Link headers. [Stefan Eissing]
+
+ *) mod_proxy_http2: uris in Link headers are now mapped back to a suitable
+ local url when available. Relative uris with an absolute path are mapped
+ as well. This makes reverse proxy mapping available for resources
+ announced in this header.
+ With 103 interim responses being forwarded to the main client connection,
+ this effectively allows early pushing of resources by a reverse proxied
+ backend server. [Stefan Eissing]
+
+ *) mod_proxy_http2: adding support for newly proposed 103 status code.
+ [Stefan Eissing]
+
+ *) mpm_unix: Apache fails to start if previously crashed then restarted with
+ the same PID (e.g. in container). PR 60261.
+ [Val <valentin.bremond gmail.com>, Yann Ylavic]
+
+ *) mod_http2: unannounced and multiple interim responses (status code < 200)
+ are parsed and forwarded to client until a final response arrives.
+ [Stefan Eissing]
+
+ *) mod_proxy_http2: improved robustness when main connection is closed early
+ by resetting all ongoing streams against the backend.
+ [Stefan Eissing]
+
+ *) mod_http2: allocators from slave connections are released earlier,
+ resulting in less overall memory use on busy, long lived connections.
+ [Stefan Eissing]
+
+ *) mod_remoteip: Pick up where we left off during a subrequest rather
+ than running with the modified XFF but original TCP address.
+ PR 49839/PR 60251
+
+ *) http: Respond with "408 Request Timeout" when a timeout occurs while
+ reading the request body. [Yann Ylavic]
+
+ *) mod_http2: connection shutdown revisited: corrected edge cases on
+ shutting down ongoing streams, changed log warnings to be less noisy
+ when waiting on long running tasks. [Stefan Eissing]
+
+ *) mod_http2: changed all AP_DEBUG_ASSERT to ap_assert to have them
+ available also in normal deployments. [Stefan Eissing]
+
+ *) mod_http2/mod_proxy_http2: 100-continue handling now properly implemented
+ up to the backend. Reused HTTP/2 proxy connections with more than a second
+ not used will block request bodies until a PING answer is received.
+ Requests headers are not delayed by this, since they are repeatable in
+ case of failure. This greatly increases robustness, especially with
+ busy server and/or low keepalive connections. [Stefan Eissing]
+
+ *) mod_proxy_http2: fixed duplicate symbols with mod_http2.
+ [Stefan Eissing]
+
+ *) mod_http2: rewrite of how responses and trailers are transferred between
+ master and slave connection. Reduction of internal states for tasks
+ and streams, stability. Heuristic id generation for slave connections
+ to better keep promise of connection ids unique at given point int time.
+ Fix for mod_cgid interop in high load situtations.
+ Fix for handling of incoming trailers when no request body is sent.
+ [Stefan Eissing]
+
+ *) mod_http2: fix suspended handling for streams. Output could become
+ blocked in rare cases. [Stefan Eissing]
+
+ *) mpm_winnt: Prevent a denial of service when the 'data' AcceptFilter is in
+ use by replacing it with the 'connect' filter. PR 59970. [Jacob Champion]
+
+ *) mod_cgid: Resolve a case where a short CGI response causes a subsequent
+ CGI to be killed prematurely, resulting in a truncated subsequent
+ response. [Eric Covener]
+
+ *) mod_proxy_hcheck: Set health check URI and expression correctly for health
+ check worker. PR 60038 [zdeno <zd...@scnet.sk>]
+
+ *) mod_http2: if configured with nghttp2 1.14.0 and onward, invalid request
+ headers will immediately reset the stream with a PROTOCOL error. Feature
+ logged by module on startup as 'INVHD' in info message.
+ [Stefan Eissing]
+
+ *) mod_http2: fixed handling of stream buffers during shutdown.
+ [Stefan Eissing]
+
+ *) mod_reqtimeout: Fix body timeout disabling for CONNECT requests to avoid
+ triggering mod_proxy_connect's AH01018 once the tunnel is established.
+ [Yann Ylavic]
+
+ *) ab: Set the Server Name Indication (SNI) extension on outgoing TLS
+ connections (unless -I is specified), according to the Host header (if
+ any) or the requested URL's hostname otherwise. [Yann Ylavic]
+
+ *) mod_proxy_fcgi: avoid loops when ProxyErrorOverride is enabled
+ and the error documents are proxied. PR 55415. [Luca Toscano]
+
+ *) mod_proxy_fcgi: read the whole FCGI response even when the content
+ has not been modified (HTTP 304) or in case of a precondition failure
+ (HTTP 412) to avoid subsequent bogus reads and confusing
+ error messages logged. [Luca Toscano]
+
+ *) mod_http2: h2 status resource follows latest draft, see
+ http://www.ietf.org/id/draft-benfield-http2-debug-state-01.txt
+ [Stefan Eissing]
+
+ *) mod_http2: handling graceful shutdown gracefully, e.g. handling existing
+ streams to the end. [Stefan Eissing]
+
+ *) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data
+ available before the request is sent. PR 57832. [Yann Ylavic]
+
+ *) mod_proxy_balancer: Prevent redirect loops between workers within a
+ balancer by limiting the number of redirects to the number balancer
+ members. PR 59864 [Ruediger Pluem]
+
+ *) mod_proxy: Correctly consider error response codes by the backend when
+ processing failonstatus. PR 59869 [Ruediger Pluem]
+
+ *) mod_dav: Add dav_get_provider_name() function to obtain the name
+ of the provider from mod_dav. [Graham Leggett]
+
+ *) mod_dav: Add support for childtags to dav_error.
+ [Jari Urpalainen <jari.urpalainen nokia.com>]
+
+ *) mod_proxy_fcgi: Fix 2.4.23 breakage for mod_rewrite per-dir and query
+ string showing up in SCRIPT_FILENAME. PR59815
+
+ *) mod_include: Fix a potential memory misuse while evaluating expressions.
+ PR59844. [Eric Covener]
+
+ *) mod_http2: new H2CopyFiles directive that changes treatment of file
+ handles in responses. Necessary in order to fix broken lifetime handling
+ in modules such as mod_wsgi.
+
+ *) mod_http2: removing timeouts on master connection while requests are
+ being processed. Requests may timeout, but the master only times out when
+ no more requests are active. [Stefan Eissing]
+
+ *) mod_http2: fixes connection flush when answering SETTINGS without any
+ stream open. [Moto Ishizawa <@summerwind>, Stefan Eissing]
+
+Changes with Apache 2.4.23
+
+ *) mod_ssl: reset client-verify state of ssl when aborting renegotiations.
+ [Erki Aring <er...@example.ee>, Stefan Eissing]
+
+ *) mod_sed: Fix 'x' command processing. [Christophe Jaillet]
+
+ *) configure: Fix ./configure edge-case failures around dependencies
+ of mod_proxy_hcheck. [William Rowe, Ruediger Pluem, Jeff Trawick]
+
+Changes with Apache 2.4.22
+
+ *) mod_http2: fix for request abort when connections drops, introduced in
+ 1.5.8
+
+Changes with Apache 2.4.21
+
+ *) core: Added support for HTTP code 451. PR 58985.
+ [Yehuda Katz <yehuda ymkatz.net>, Jim Jagielski]
+
+ *) ab: Use caseless matching for HTTP tokens (e.g. content-length). PR 59111.
+ [Yann Ylavic]
+
+ *) mod_http2: more rigid error handling in DATA frame assembly, leading
+ to deterministic connection errors if assembly fails.
+ [Stefan Eissing, Pal Nilsen <https://github.com/maedox>]
+
+ *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
+ failures under Visual Studio 2015 and other mismatched MSVCRT flavors.
+ PR59630 [Jan Ehrhardt <phpdev ehrhardt.nl>]
+
+ *) mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
+ to opt-in previous behaviour (2.2) with CRLs verification when checking
+ certificate(s) with no corresponding CRL. [Yann Ylavic]
+
+ *) mpm_event, mpm_worker: Fix computation of MinSpareThreads' lower bound
+ according the number of listeners buckets. [Yann Ylavic]
+
+ *) Add ap_cstr_casecmp[n]() - placeholder of apr_cstr_casecmp[n] functions
+ for case-insensitive C/POSIX-locale token comparison.
+ [Jim Jagielski, William Rowe, Yann Ylavic, Branko Äibej]
+
+ *) mod_userdir: Constify and save a few bytes in the conf pool when
+ parsing the "UserDir" directive. [Christophe Jaillet]
+
+ *) mod_cache: Fix (max-stale with no '=') and enforce (check
+ integers after '=') Cache-Control header parsing.
+ [Christophe Jaillet]
+
+ *) core: Add -DDUMP_INCLUDES configtest option to show the tree
+ of Included configuration files.
+ [Jacob Champion <champion.pxi gmail.com>]
+
+ *) mod_proxy_fcgi: Avoid passing a filename of proxy:fcgi:// as
+ SCRIPT_FILENAME to a FastCGI server. PR59618.
+ [Jacob Champion <champion.pxi gmail.com>]
+
+ *) mod_dav: Add dav_get_provider_name() function to obtain the name
+ of the provider from mod_dav.
+ [Jari Urpalainen <jari.urpalainen nokia.com>]
+
+ *) mod_proxy_http2: properly care for HTTP2 flow control of the frontend
+ connection is HTTP/1.1. [Patch supplied by Evgeny Kotkov]
+
+ *) mod_http2: improved cleanup of connection/streams/tasks to always
+ have deterministic order regardless of event initiating it. Addresses
+ reported crashes due to memory read after free issues.
+ [Stefan Eissing]
+
+ *) mod_ssl: Correct the interaction between SSLProxyCheckPeerCN and newer
+ SSLProxyCheckPeerName directives since release 2.4.5, such that disabling
+ either disables both, and that enabling either triggers the new, more
+ comprehensive SSLProxyCheckPeerName behavior. Only a single configuration
+ remains to enable the legacy behavior, which is to explicitly disable
+ SSLProxyCheckPeerName, and enable SSLProxyCheckPeerCN. [William Rowe]
+
+ *) mod_include: add the <!--#comment ...> syntax in order to include comments
+ in a SSI file. [Christophe Jaillet based on a suggestion from Rob]
+
+ *) mod_http2: improved event handling for suspended streams, responses
+ and window updates. [Stefan Eissing]
+
+ *) mod_proxy_hcheck: Provide for dynamic background health
+ checks on reverse proxies associated with BalancerMember
+ workers. [Jim Jagielski]
+
+ *) mod_http2: Fix async write issue that led to selection of wrong timeout
+ vs. keepalive timeout selection for idle sessions. [Stefan Eissing]
+
+ *) mod_http2: checking LimitRequestLine, LimitRequestFields and
+ LimitRequestFieldSize configurated values for incoming streams. Returning
+ HTTP status 431 for too long/many headers fields and 414 for a too long
+ pseudo header. [Stefan Eissing]
+
+ *) mod_http2: tracking conn_rec->current_thread on slave connections, so
+ that mod_lua finds the correct one. Fixes PR 59542. [Stefan Eissing]
+
+ *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
+ urls. Part of the httpd mod_proxy framework, common settings apply.
+ Requests from the same HTTP/2 frontend connection against the same backend
+ are aggregated on a single connection.
+ [Stefan Eissing]
+
+ *) mod_http2: slave connections have conn_rec->aborted flag set when a stream
+ has been reset by the client. [Stefan Eissing]
+
+ *) mod_http2: merge of some 2.4.x adaptions re filters on slave connections.
+ Small fixes in bucket beams when forwarding file buckets. Output handling
+ on master connection uses less FLUSH and passes automatically when more
+ than half of H2StreamMaxMemSize bytes have accumulated.
+ Workaround for http: when forwarding partial file buckets to keep the
+ output filter from closing these too early. [Stefan Eissing]
+
+ *) mod_http2: elimination of fixed master connection buffer for TLS
+ connections. New scratch bucket handling optimized for TLS write sizes.
+ File bucket data read directly into scratch buffers, avoiding one
+ copy. Non-TLS connections continue to pass buckets unchanged to the core
+ filters to allow sendfile() usage. [Stefan Eissing]
+
+ *) mod_http2/mod_proxy_http2: h2_request.c is no longer shared between these
+ modules. This simplifies building on platforms such as Windows, as module
+ reference used in logging is now clear. [Stefan Eissing]
+
+ *) Scoreboard: Fix a regression in 2.4.20 that causes wrong request data
+ to be displayed on the status page. PR 59333. [Yann Ylavic, William Rowe]
+
+ *) mod_http2: fixed a bug that caused mod_proxy_http2 to be called for window
+ updates on requests it had already reported done. Added synchronization
+ on early connection/stream close that lets ongoing requests safely drain
+ their input filters.
+ [Stefan Eissing]
+
+ *) mod_http2: scoreboard updates that summarize the h2 session (and replace
+ the last request information) will only happen when the session is idle or
+ in shutdown/done phase. [Stefan Eissing]
+
+ *) mod_http2: new "bucket beam" technology to transport buckets across
+ threads without buffer copy. Delaying response start until flush or
+ enough body data has been accumulated. Overall significantly smaller
+ memory footprint. [Stefan Eissing]
+
+ *) core: New CGIVar directive can configure REQUEST_URI to represent the
+ current URI being processed instead of always the original request.
+ [Jeff Trawick]
+
+ *) scoreboard/status: Restore behavior of showing workers' previous Client,
+ VHost and Request values when idle, like in 2.4.18 and earlier.
+
+ *) mod_http2: r->protocol changed to "HTTP/2.0" (was "HTTP/2") as this will
+ give expected syntax in CGI's SERVER_PROTOCOL is more compatible with
+ existing major/minor handling. Fixes PR 59313.
+
+ *) mod_http2: disabling mmap for file buckets transport due to segmenation
+ faults when files change on the fly.
+
+Changes with Apache 2.4.20
+
+ *) SECURITY: CVE-2016-1546 (cve.mitre.org)
+ mod_http2: restricting number of concurrent stream workers per connection
+ if client is slow.
+
+ *) core: Do not read .htaccess if AllowOverride and AllowOverrideList
+ are "None". PR 58528.
+ [Michael Schlenker <msc contact.de, Ruediger Pluem, Daniel Ruggeri]
+
+ *) mod_proxy_express: Fix possible use of DB handle after close. PR 59230.
+ [Petr <pgajdos suse.cz>]
+
+ *) core/util_script: relax alphanumeric filter of environment variable names
+ on Windows to allow '(' and ')' for passing PROGRAMFILES(X86) et.al.
+ unadulterated in 64 bit versions of Windows. PR 46751.
+ [John <john leineweb de>]
+
+ *) mod_http2: incrementing keepalives on each request started so that logging
+ %k gives increasing numbers per master http2 connection.
+ New documented variables in env, usable in custom log formats: H2_PUSH,
+ H2_PUSHED, H2_PUSHED_ON, H2_STREAM_ID and H2_STREAM_TAG.
+ [Stefan Eissing]
+
+ *) mod_http2: more efficient passing of response bodies with less contention
+ and file bucket forwarding. [Stefan Eissing]
+
+ *) mod_http2: fix for missing score board updates on request count, fix for
+ memory leak on slave connection reuse. [Stefan Eissing]
+
+ *) mod_http2: Fix build on Windows from dsp files.
+ [Stefan Eissing]
+
+Changes with Apache 2.4.19
+
+ *) mod_ssl: Add missing Upgrade/Connection headers in case of TRACE or
+ OPTIONS * requests. PR 58688. [William Rowe]
+
+ *) mod_include: Add variable DOCUMENT_ARGS, with the arguments to the
+ request for the SSI document. [Jeff Trawick]
+
+ *) mod_authz_host: Add a new "forward-dns" authorization type, not relying on
+ reverse DNS lookups. [Fabien]
+
+ *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
+ urls. Uses backend connections for concurrent requests if frontend
+ connection is http2 as well.
+ [Stefan Eissing]
+
+ *) mod_ssl: Add hooks to allow other modules to perform processing at
+ several stages of initialization and connection handling. See
+ mod_ssl_openssl.h. [Jeff Trawick]
+
+ *) mod_http2: disabling PUSH when client sends GOAWAY. Slave connections are
+ reused for several requests, improved performance and better memory use.
+ [Stefan Eissing]
+
+ *) mod_rewrite: Don't implicitly URL-escape the original query string
+ when no substitution has changed it (like PR50447 but server context)
+ [Evgeny Kotkov <evgeny.kotkov visualsvn.com>]
+
+ *) mod_http2: fixes problem with wrong lifetime of file buckets on main
+ connection. [Stefan Eissing]
+
+ *) mod_http2: fixes incorrect denial of requests without :authority header.
+ [Stefan Eissing]
+
+ *) mod_reqtimeout: Prevent long response times from triggering a timeout once
+ the request has been fully read. PR 59045. [Yann Ylavic]
+
+ *) ap_expr: expression support for variable HTTP2=on|off. [Stefan Eissing]
+
+ *) mod_http2: give control to async mpm for keepalive timeouts only when
+ no streams are open and even if only after 1 sec delay. Under load, event
+ mpm discards connections otherwise too quickly. [Stefan Eissing]
+
+ *) mod_ssl: Don't lose track of the SSL context if an unlikely failure occurs
+ in ssl_init_ssl_connection(). [Graham Leggett]
+
+ *) mod_rewrite: Add QSL|qslast flag to allow rewrites to files with
+ literal question marks in their names. PR 58777. [Eric Covener]
+
+ *) event: use pre_connection hook to properly initialize connection state for
+ slave connections. use protocol_switch hook to initialize server config
+ early based on SNI selected vhost.
+ [Stefan Eissing]
+
+ *) hostname: Test and log useragent_host per-request across various modules,
+ including the scoreboard, expression and rewrite engines, setenvif,
+ authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.
+ PR55348 [William Rowe]
+
+ *) core: Track the useragent_host per-request when mod_remoteip or similar
+ modules track a per-request useragent_ip. Modules should be updated
+ to inquire for ap_get_useragent_host() in place of ap_get_remote_host().
+ [William Rowe]
+
+ *) core: fix a bug in <UnDefine ...> directive processing. When used, the last
+ <Define...>'ed variable was also withdrawn. PR 59019
+ [Christophe Jaillet]
+
+ *) mod_http2: Accept-Encoding is, when present on the initiating request,
+ added to push promises. This lets compressed content work in pushes.
+ by the client. [Stefan Eissing]
+
+ *) mod_http2: fixed possible read after free when streams were cancelled early
+ by the client. [Stefan Eissing]
+
+ *) mod_http2: fixed possible deadlock during connection shutdown. Thanks to
+ @FrankStolle for reporting and getting the necessary data.
+ [Stefan Eissing]
+
+ *) mod_http2: fixed apr_uint64_t formatting in a log statement to user proper
+ APR def, thanks to @Sp1l.
+
+ *) mod_http2: number of worker threads allowed to a connection is adjusting
+ dynamically. Starting with 4, the number is doubled when streams can be
+ served without block on http/2 connection flow. The number is halfed, when
+ the server has to wait on client flow control grants.
+ This can happen with a maximum frequency of 5 times per second.
+ When a connection occupies too many workers, repeatable requests
+ (GET/HEAD/OPTIONS) are cancelled and placed back in the queue. Should that
+ not suffice and a stream is busy longer than the server timeout, the
+ connection will be aborted with error code ENHANCE_YOUR_CALM.
+ This does *not* limit the number of streams a client may open, rather the
+ number of server threads a connection might use.
+ [Stefan Eissing]
+
+ *) mod_http2: allowing link header to specify multiple "rel" values,
+ space-separated inside a quoted string. Prohibiting push when Link
+ parameter "nopush" is present.
+ [Stefan Eissing]
+
+ *) mod_http2: reworked connection state handling. Idle connections accept a
+ GOAWAY from the client without further reply. Otherwise the
+ module makes a best effort to send one last GOAWAY to the client.
+
+ *) mod_http2: the values from standard directives Timeout and KeepAliveTimeout
+ properly are applied to http/2 connections.
+ [Stefan Eissing]
+
+ *) mod_http2: idle connections are returned to async mpms. new hook
+ "pre_close_connection" used to send GOAWAY frame when not already done.
+ Setting event mpm server config "by hand" for the main connection to
+ the correct negotiated server.
+ [Stefan Eissing]
+
+ *) mod_http2: keep-alive blocking reads are done with 1 second timeouts to
+ check for MPM stopping. Will announce early GOAWAY and finish processing
+ open streams, then close.
+ [Stefan Eissing]
+
+ *) mod_http2: bytes read/written on slave connections are reported via the
+ optional mod_logio functions. Fixes PR 58871.
+
+ *) prefork: Initialize the POD when running in ONE_PROCESS (or -X) mode to
+ avoid a crash. [Jan Kaluza, Yann Ylavic]
+
+ *) mod_ssl: When SSLVerify is disabled (NONE), don't force a renegotiation if
+ the SSLVerifyDepth applied with the default/handshaken vhost differs from
+ the one applicable with the finally selected vhost. [Yann Ylavic]
+
+ *) core: Ensure that httpd exits with an error status when the MPM fails
+ to run. [Yann Ylavic]
+
+ *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
+ [Jan Kaluza, Yann Ylavic]
+
+ *) mod_ssl: Add SSLOCSPProxyURL to add the possibility to do all queries
+ to OCSP responders through a HTTP proxy. [Ruediger Pluem]
+
+ *) mod_proxy: Play/restore the TLS-SNI on new backend connections which
+ had to be issued because the remote closed the previous/reusable one
+ during idle (keep-alive) time. [Yann Ylavic]
+
+ *) mod_cache_socache: Fix a possible cached entity body corruption when it
+ is received from an origin server in multiple batches and forwarded by
+ mod_proxy. [Yann Ylavic]
+
+ *) core: Add expression support to SetHandler.
+ [Eric Covener]
+
+ *) mod_remoteip: Prevent an external proxy from presenting an internal
+ proxy. PR 55962. [Mike Rumph]
+
+ *) core: Prevent a server crash in case of an invalid CONNECT request with
+ a custom error page for status code 400 that uses server side includes.
+ PR 58929 [Ruediger Pluem]
+
+ *) mod_ssl: handle TIMEOUT on empty SSL input as non-fatal, returning
+ APR_TIMEUP and preserving connection state for later retry.
+ [Stefan Eissing]
+
+ *) mod_ssl: Save some TLS record (application data) fragmentations by
+ including the last and subsequent suitable buckets when coalescing.
+ [Yann Ylavic]
+
+ *) mod_proxy_fcgi: Suppress HTTP error 503 and message 01075,
+ "Error dispatching request", when the cause appears to be
+ due to the client closing the connection.
+ PR58118. [Tobias Adolph <adolph lrz.de>]
+
+ *) mod_cgid: Message AH02550, failure to flush a response to the client,
+ is now logged at TRACE1 level to match the underlying core output filter
+ severity. [Eric Covener]
+
+ *) mime.types: add common extension "m4a" for MPEG 4 Audio.
+ PR 57895 [Dylan Millikin <dylan.millikin gmail.com>]
+
+ *) Added many log numbers to log statements that had none.
+ [Rainer Jung]
+
+ *) mod_log_config: Add GlobalLog to allow a globally defined log to
+ be inherited by virtual hosts that define a CustomLog.
+ [Edward Lu]
+
+ *) mod_http2: connections how keep a "push diary" where hashes of already
+ pushed resources are kept. See directive H2PushDiarySize for managing this.
+ Push diaries can be initialized by clients via the "Cache-Digest" request
+ header. This carries a base64url encoded. compressed Golomb set as described
+ in https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/
+ Introduced a status handler for HTTP/2 connections, giving various counters
+ and statistics about the current connection, plus its cache digest value
+ in a JSON record. Not a replacement for more HTTP/2 in the server status.
+ Configured as
+ <Location "/http2-status">
+ SetHandler http2-status
+ </Location>
+ [Stefan Eissing]
+
+ *) mod_http2: Fixed flushing of last GOAWAY frame. Previously, that frame
+ did not always reach the client, causing some to fail the next request.
+ Fixed calculation of last stream id accepted as described in rfc7540.
+ Reading in KEEPALIVE state now correctly shown in scoreboard.
+ Fixed possible race in connection shutdown after review by Ylavic.
+ Fixed segfault on connection shutdown, callback ran into a semi dismantled session.
+ [Stefan Eissing]
+
+ *) mod_http2: Added support for experimental accept-push-policy draft
+ (https://tools.ietf.org/html/draft-ruellan-http-accept-push-policy-00). Clients
+ may now influence server pushes by sending accept-push-policy headers.
+ [Stefan Eissing]
+
+ *) mod_http2: new r->subprocess_env variables HTTP2 and H2PUSH, set to "on"
+ when available for request.
+ [Stefan Eissing]
+
+ *) mod_http2: fixed bug in input window size calculation by moving chunked
+ request body encoding into later stage of processing. Fixes PR 58825.
+ [Stefan Eissing]
+
+ *) core: new hook "pre_close_connection" which is run before the lingering
+ close of connections is started. This gives protocol handlers one last
+ chance to use a connection before it goes down.
+ [Stefan Eissing]
+
+ *) mod_status/scoreboard: showing connection protocol in new column, new
+ ap_update_child_status methods for updating server/description. mod_ssl
+ sets vhost negotiated by servername directly.
+ [Stefan Eissing]
+
+Changes with Apache 2.4.18
+
+ *) mod_ssl: for all ssl_engine_vars.c lookups, fall back to master connection
+ if conn_rec itself holds no valid SSLConnRec*. Fixes PR58666.
+ [Stefan Eissing]
+
+ *) mod_http2: connection level window for flow control is set to protocol
+ maximum of 2GB-1, preventing window exhaustion when sending data on many
+ streams with higher cumulative window size.
+ Reducing write frequency unless push promises need to be flushed.
+ [Stefan Eissing]
+
+ *) mod_http2: required minimum version of libnghttp2 is 1.2.1
+ [Stefan Eissing]
+
+ *) mod_proxy_fdpass: Fix AH01153 error when using the default configuration.
+ In earlier version of httpd, you can explicitelly set the 'flusher' parameter
+ to 'flush' as a workaround. (i.e. flusher=flush)
+ Add documentation for the 'flusher' parameter when defining a proxy worker.
+ [Christophe Jaillet]
+
+ *) mod_ssl: For the "SSLStaplingReturnResponderErrors off" case, make sure
+ to only staple responses with certificate status "good". [Kaspar Brand]
+
+ *) mod_http2: new directive 'H2PushPriority' to allow priority specifications
+ on server pushed streams according to their content-type.
+ [Stefan Eissing]
+
+ *) mod_http2: fixes crash on connection abort for a busy connection.
+ fixes crash on a request that did not produce any response.
+ [Stefan Eissing]
+
+ *) mod_http2: trailers are sent after response body if set in request_rec
+ trailers_out before the end-of-request bucket is sent through the
+ output filters. [Stefan Eissing]
+
+ *) mod_http2: incoming trailers (headers after request body) are properly
+ forwarded to the processing engine. [Stefan Eissing]
+
+ *) mod_http2: new directive 'H2Push' to en-/disable HTTP/2 server
+ pushes a server/virtual host. Pushes are initiated by the presence
+ of 'Link:' headers with relation 'preload' on a response. [Stefan Eissing]
+
+ *) mod_http2: write performance of http2 improved for larger resources,
+ especially static files. [Stefan Eissing]
+
+ *) core: if the first HTTP/1.1 request on a connection goes to a server that
+ prefers different protocols, these protocols are announced in a Upgrade:
+ header on the response, mentioning the preferred protocols.
+ [Stefan Eissing]
+
+ *) mod_http2: new directives 'H2TLSWarmUpSize' and 'H2TLSCoolDownSecs'
+ to control TLS record sizes during connection lifetime.
+ [Stefan Eissing]
+
+ *) mod_http2: new directive 'H2ModernTLSOnly' to enforce security
+ requirements of RFC 7540 on TLS connections. [Stefan Eissing]
+
+ *) core: add ap_get_protocol_upgrades() to retrieve the list of protocols
+ that a client could possibly upgrade to. Use in first request on a
+ connection to announce protocol choices. [Stefan Eissing]
+
+ *) mod_http2: reworked deallocation on connection shutdown and worker
+ abort. Separate parent pool for all workers. worker threads are joined
+ on planned worker shutdown. [Yann Ylavic, Stefan Eissing]
+
+ *) mod_ssl: when receiving requests for other virtual hosts than the handshake
+ server, the SSL parameters are checked for equality. With equal
+ configuration, requests are passed for processing. Any change will trigger
+ the old behaviour of "421 Misdirected Request".
+ SSL now remembers the cipher suite that was used for the last handshake.
+ This is compared against for any vhost/directory cipher specification.
+ Detailed examination of renegotiation is only done when these do not
+ match.
+ Renegotiation is 403ed when a master connection is present. Exact reason
+ is given additionally in a request note. [Stefan Eissing]
+
+ *) mod_ssl: Make the output filter more friendly with deferred write and
+ response pipelining. [Yann Ylavic, Joe Orton]
+
+ *) core: Fix scoreboard crash (SIGBUS) on hardware requiring strict 64bit
+ alignment (SPARC64, PPC64). [Yann Ylavic]
+
+ *) mod_cache: Accept HT (Horizontal Tab) when parsing cache related header
+ fields as described in RFC7230. [Christophe Jaillet]
+
+ *) core/util_script: making REDIRECT_URL a full URL is now opt-in
+ via new 'QualifyRedirectURL' directive.
+
+ *) core: Limit to ten the number of tolerated empty lines between request,
+ and consume them before the pipelining check to avoid possible response
+ delay when reading the next request without flushing. [Yann Ylavic]
+
+ *) mod_ssl: Extend expression parser registration to support ssl variables
+ in any expression using mod_rewrite syntax "%{SSL:VARNAME}" or function
+ syntax "ssl(VARNAME)". [Rainer Jung]
+
+Changes with Apache 2.4.17
+
+ *) mod_http2: added donated HTTP/2 implementation via core module. Similar
+ configuration options to mod_ssl. [Stefan Eissing]
+
+ *) mod_proxy: don't recyle backend announced "Connection: close" connections
+ to avoid reusing it should the close be effective after some new request
+ is ready to be sent. [Yann Ylavic]
+
+ *) mod_substitute: Allow to configure the patterns merge order with the new
+ SubstituteInheritBefore on|off directive. PR 57641
+ [Marc.Stern <Marc.Stern approach.be>, Yann Ylavic, William Rowe]
+
+ *) mod_proxy: Fix ProxySourceAddress binding failure with AH00938.
+ PR 56687. [Arne de Bruijn <apache arbruijn.dds.nl>
+
+ *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3,
+ and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
+ in accordance with RFC 7568. PR 58349, PR 57120. [Kaspar Brand]
+
+ *) mod_ssl: append :!aNULL:!eNULL:!EXP to the cipher string settings,
+ instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
+ and later). Enables support for configuring the SUITEB* cipher
+ strings introduced in OpenSSL 1.0.2. PR 58213. [Kaspar Brand]
+
+ *) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
+ of subjectAltName entries of type "otherName" into
+ SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
+ variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,
+ Kaspar Brand]
+
+ *) mod_logio: Fix logging of %^FB (time to first byte) on the first request on
+ an SSL connection. PR 58454.
+ [Konstantin J. Chernov <k.j.chernov gmail.com>]
+
+ *) mod_cache: r->err_headers_out is not merged into
+ r->headers when mod_cache is enabled and the response
+ is cached for the first time. [Edward Lu]
+
+ *) mod_slotmem_shm: Fix slots/SHM files names on restart for systems that
+ can't create new (clear) slots while previous children gracefully stopping
+ still use the old ones (e.g. Windows, OS2). mod_proxy_balancer failed to
+ restart whenever the number of configured balancers/members changed during
+ restart. PR 58024. [Yann Ylavic]
+
+ *) core/util_script: make REDIRECT_URL a full URL. PR 57785. [Nick Kew]
+
+ *) MPMs: Support SO_REUSEPORT to create multiple duplicated listener
+ records for scalability. [Yingqi Lu <yi...@intel.com>,
+ Jeff Trawick, Jim Jagielski, Yann Ylavic]
+
+ *) mod_alias: Introduce expression parser support for Alias, ScriptAlias
+ and Redirect. Limit Redirect expressions to directory (Location) context
+ and redirect statuses (implicit or explicit).
+ [Graham Leggett, Yann Ylavic, Ruediger Pluem]
+
+ *) mod_proxy: Fix a race condition that caused a failed worker to be retried
+ before the retry period is over. [Ruediger Pluem]
+
+ *) mod_autoindex: Allow autoindexes when neither mod_dir nor mod_mime are
+ loaded. [Eric Covener]
+
+ *) mod_rewrite: Allow cookies set by mod_rewrite to contain ':' by accepting
+ ';' as an alternate separator. PR47241.
+ [<bugzilla schermesser com>, Eric Covener]
+
+ *) apxs: Add HTTPD_VERSION and HTTPD_MMN to the variables available with
+ apxs -q. PR58202. [Daniel Shahaf <danielsh apache.org>]
+
+ *) mod_rewrite: Avoid a crash when lacking correct DB access permissions
+ when using RewriteMap with MapType dbd or fastdbd. [Christophe Jaillet]
+
+ *) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions.
+ PR 57868. [Jose Kahan <jose w3.org>, Yann Ylavic]
+
+ *) mod_socache_memcache: Add the 'MemcacheConnTTL' directive to control how
+ long to keep idle connections with the memcache server(s).
+ Change default value from 600 usec (!) to 15 sec. PR 58091
+ [Christophe Jaillet]
+
+ *) mod_dir: Prevent the internal identifier "httpd/unix-directory" from
+ appearing as a Content-Type response header when requests for a directory
+ are rewritten by mod_rewrite. [Eric Covener]
+
+Changes with Apache 2.4.16
+
+ *) http: Fix LimitRequestBody checks when there is no more bytes to read.
+ [Michael Kaufmann <mail michael-kaufmann.ch>]
+
+ *) mod_alias: Revert expression parser support for Alias, ScriptAlias
+ and Redirect due to a regression (introduced in 2.4.13, not released).
+
+ *) mod_reqtimeout: Don't let pipelining checks and keep-alive times interfere
+ with the timeouts computed for subsequent requests. PR 56729.
+ [Eric Covener, Yann Ylavic]
+
+ *) core: Avoid a possible truncation of the faulty header included in the
+ HTML response when LimitRequestFieldSize is reached. [Yann Ylavic]
+
+ *) mod_ldap: In some case, LDAP_NO_SUCH_ATTRIBUTE could be returned instead
+ of an error during a compare operation. [Eric Covener]
+
+Changes with Apache 2.4.15 (not released)
+
+ *) mod_ext_filter, mod_charset_lite: Avoid inadvertent filtering of protocol
+ data during read of chunked request bodies. PR 58049.
+ [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_ldap: Stop leaking LDAP connections when 'LDAPConnectionPoolTTL 0'
+ is configured. PR 58037. [Ted Phelps <phelps gnusto.com>]
+
+ *) core: Allow spaces after chunk-size for compatibility with implementations
+ using a pre-filled buffer. [Yann Ylavic, Jeff Trawick]
+
+ *) mod_ssl: Remove deprecated SSLCertificateChainFile warning.
+ [Yann Ylavic]
+
+Changes with Apache 2.4.14 (not released)
+
+ *) SECURITY: CVE-2015-3183 (cve.mitre.org)
+ core: Fix chunk header parsing defect.
+ Remove apr_brigade_flatten(), buffering and duplicated code from
+ the HTTP_IN filter, parse chunks in a single pass with zero copy.
+ Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
+ authorized characters. [Graham Leggett, Yann Ylavic]
+
+ *) SECURITY: CVE-2015-3185 (cve.mitre.org)
+ Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
+ with new ap_some_authn_required and ap_force_authn hook. [Ben Reser]
+
+Changes with Apache 2.4.13 (not released)
+
+ *) SECURITY: CVE-2015-0253 (cve.mitre.org)
+ core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
+ with the INCLUDES filter active, introduced in 2.4.11. PR 57531.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2015-0228 (cve.mitre.org)
+ mod_lua: A maliciously crafted websockets PING after a script
+ calls r:wsupgrade() can cause a child process crash.
+ [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_proxy: Don't put the worker in error state for 500 or 503 errors
+ returned by the backend unless failonstatus is configured to. PR 56925.
+ [Yann Ylavic]
+
+ *) core: Don't lowercase the argument to SetHandler if it begins with
+ "proxy:unix". PR 57968. [Eric Covener]
+
+ *) mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
+ the OCSP response for a different certificate. mod_ssl has an additional
+ global mutex, "ssl-stapling-refresh". PR 57131 (partial fix).
+ [Jeff Trawick]
+
+ *) mod_authz_dbm: Fix crashes when "dbm-file-group" is used and
+ authz modules were loaded in the "wrong" order. [Joe Orton]
+
+ *) mod_authn_dbd, mod_authz_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
+ of DB lookup entries independently of the selected DB engine. PR 46421.
+ [Steven whitson <steven.whitson gmail com>, Jan Kaluza, Yann Ylavic].
+
+ *) In alignment with RFC 7525, the default recommended SSLCipherSuite
+ and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
+ default recommended SSLProtocol and SSLProxyProtocol directives now
+ exclude SSLv3. Existing configurations must be adjusted by the
+ administrator. [William Rowe]
+
+ *) mod_ssl: Add support for extracting subjectAltName entries of type
+ rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
+ environment variables. Also addresses PR 57207. [Kaspar Brand]
+
+ *) dav_validate_request: avoid validating locks and ETags when there are
+ no If headers providing them on a resource we aren't modifying.
+ [Ben Reser]
+
+ *) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
+ response header to be used by the application, for when the application
+ or framework is unable to return Location in the internal-redirect
+ form. [Jeff Trawick]
+
+ *) core: Cleanup the request soon/even if some output filter fails to
+ handle the EOR bucket. [Yann Ylavic]
+
+ *) mpm_event: Allow for timer events duplicates. [Jim Jagielski, Yann Ylavic]
+
+ *) mod_proxy, mod_ssl, mod_cache_socache, mod_socache_*: Support machine
+ readable server-status produced when using the "?auto" query string.
+ [Rainer Jung]
+
+ *) mod_status: Add more data to machine readable server-status produced
+ when using the "?auto" query string. [Rainer Jung]
+
+ *) mod_ssl: Check for the Entropy Gathering Daemon (EGD) availability at
+ configure time (RAND_egd), and complain if SSLRandomSeed requires using
+ it otherwise. [Bernard Spil <pil.oss gmail com>, Stefan Sperling,
+ Kaspar Brand]
+
+ *) mod_ssl: make sure to consistently output SSLCertificateChainFile
+ deprecation warnings, when encountered in a VirtualHost block.
+ [Falco Schwarz <hiding falco.me>]
+
+ *) mod_log_config: Add "%{UNIT}T" format to output request duration in
+ seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
+ [Ben Reser, Rainer Jung]
+
+ *) Allow FallbackResource to work when a directory is requested and
+ there is no autoindex nor DirectoryIndex.
+ [Jack <tjerk.meesters gmail.com>, Eric Covener]
+
+ *) mod_proxy_wstunnel: Bypass the handler while the connection is not
+ upgraded to WebSocket, so that other modules can possibly take over
+ the leading HTTP requests. [Yann Ylavic]
+
+ *) mod_http: Fix incorrect If-Match handling. PR 57358
+ [Kunihiko Sakamoto <ksakamoto google.com>]
+
+ *) mod_ssl: Add a warning if protocol given in SSLProtocol or SSLProxyProtocol
+ will override other parameters given in the same directive. This could be
+ a missing + or - prefix. PR 52820 [Christophe Jaillet]
+
+ *) core, modules: Avoid error response/document handling by the core if some
+ handler or input filter already did it while reading the request (causing
+ a double response body). [Yann Ylavic]
+
+ *) mod_proxy_ajp: Fix client connection errors handling and logged status
+ when it occurs. PR 56823. [Yann Ylavic]
+
+ *) mod_proxy: Use the correct server name for SNI in case the backend
+ SSL connection itself is established via a proxy server.
+ PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
+
+ *) mod_ssl: Fix possible crash when loading server certificate constraints.
+ PR 57694. [Paul Spangler <paul.spangler ni com>, Yann Ylavic]
+
+ *) build: Don't load both mod_cgi and mod_cgid in the default configuration
+ if they're both built. [olli hauer <ohauer gmx.de>]
+
+ *) mod_logio: Add LogIOTrackTTFB and %^FB logformat to log the time
+ taken to start writing response headers. [Eric Covener]
+
+ *) mod_ssl: Avoid compilation errors with LibreSSL related to
+ the use of ENGINE_CTRL_CHIL_SET_FORKCHECK.
+ [Stuart Henderson <sthen openbsd.org>]
+
+ *) mod_proxy_http: Use the "Connection: close" header for requests to
+ backends not recycling connections (disablereuse), including the default
+ reverse and forward proxies. [Yann Ylavic]
+
+ *) mod_proxy: Add ap_connection_reusable() for checking if a connection
+ is reusable as of this point in processing. [Jeff Trawick]
+
+ *) mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad
+ Gateway) when no response is ever received from the backend.
+ [Jan Kaluza]
+
+ *) core_filters: Restore/disable TCP_NOPUSH option after non-blocking
+ sendfile. PR 53253. [Yann Ylavic]
+
+ *) mod_buffer: Forward flushed input data immediately and avoid (unlikely)
+ access to freed memory. [Yann Ylavic, Christophe Jaillet]
+
+ *) core: Add CGIPassAuth directive to control whether HTTP authorization
+ headers are passed to scripts as CGI variables. PR 56855. [Jeff
+ Trawick]
+
+ *) core: Initialize scoreboard's used optional functions on graceful restarts
+ to avoid a crash when relocation occurs. PR 57177. [Yann Ylavic]
+
+ *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
+ back to a client. The answer to a LOCK request could be an extremly large
+ integer if the time needed to lock the resource was longer that the
+ requested timeout given in the LOCK request. In such a case, we now answer
+ "Second-0". PR55420
+ [Christophe Jaillet]
+
+ *) mod_cgid: Within the first minute of a server start or restart,
+ allow mod_cgid to retry connecting to its daemon process. Previously,
+ 'No such file or directory: unable to connect to cgi daemon...' could
+ be logged without an actual retry. PR57685.
+ [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_proxy: Use the original (non absolute) form of the request-line's URI
+ for requests embedded in CONNECT payloads used to connect SSL backends via
+ a ProxyRemote forward-proxy. PR 55892. [Hendrik Harms <hendrik.harms
+ gmail com>, William Rowe, Yann Ylavic]
+
+ *) http: Make ap_die() robust against any HTTP error code and not modify
+ response status (finally logged) when nothing is to be done. PR 56035.
+ [Yann Ylavic]
+
+ *) mod_proxy_connect/wstunnel: If both client and backend sides get readable
+ at the same time, don't lose errors occurring while forwarding on the first
+ side when none occurs next on the other side, and abort. [Yann Ylavic]
+
+ *) mod_rewrite: Improve relative substitutions in per-directory/htaccess
+ context for directories found by mod_userdir and mod_alias. These no
+ longer require RewriteBase to be specified. [Eric Covener]
+
+ *) mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
+ finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
+ or force-proxy-request-1.0. [Yann Ylavic]
+
+ *) core: If explicitly configured, use the KeepaliveTimeout value of the
+ virtual host which handled the latest request on the connection, or by
+ default the one of the first virtual host bound to the same IP:port.
+ PR56226. [Yann Ylavic]
+
+ *) mod_lua: After a r:wsupgrade(), mod_lua was not properly
+ responding to a websockets PING but instead invoking the specified
+ script. PR57524. [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
+ a combination of certificate serialNumber and issuer as defined by
+ CertificateExactMatch in RFC4523. [Graham Leggett]
+
+ *) core: Add expression support to ErrorDocument. Switch from a fixed
+ sized 664 byte array per merge to a hash table. [Graham Leggett]
+
+ *) ab: Add missing longest request (100%) to CSV export.
+ [Marcin Fabrykowski <bugzilla fabrykowski.pl>]
+
+ *) mod_macro: Clear macros before initialization to avoid use-after-free
+ on startup or restart when the module is linked statically. PR 57525
+ [apache.org tech.futurequest.net, Yann Ylavic]
+
+ *) mod_alias: Introduce expression parser support for Alias, ScriptAlias
+ and Redirect. [Graham Leggett]
+
+ *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
+ PR 57100. [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
+ Yann Ylavic]
+
+ *) mpm_event: Avoid access to the scoreboard from the connection while
+ it is suspended (waiting for events). [Eric Covener, Jeff Trawick]
+
+ *) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
+ PR 57334. [Yann Ylavic].
+
+ *) mod_deflate: A misplaced check prevents limiting small bodies with the
+ new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]
+
+ *) mod_proxy_ajp: Forward SSL protocol name (SSLv3, TLSv1.1 etc.) as a
+ request attribute to the backend. Recent Tomcat versions will extract
+ it and provide it as a servlet request attribute named
+ "org.apache.tomcat.util.net.secure_protocol_version". [Rainer Jung]
+
+ *) core: Optimize string concatenation in expression parser when evaluating
+ a string expression. [Rainer Jung]
+
+ *) acinclude.m4: Generate #LoadModule directive in default httpd.conf for
+ every --enable-mpms-shared. PR 53882. [olli hauer <ohauer gmx.de>,
+ Yann Ylavic]
+
+ *) mod_authn_dbd: Fix the error message logged in case of error while querying
+ the database. This is associated to AH01656 and AH01661. [Christophe Jaillet]
+
+ *) mod_authz_groupfile: Reduce the severity of AH01667 from ERROR to DEBUG,
+ because it may be evaluated inside <RequireAny>. PR55523. [Eric Covener]
+
+ *) mod_ssl: Fix small memory leak during initialization when ECDH is used.
+ [Jan Kaluza]
+
+Changes with Apache 2.4.12
+
+ *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
+ internationalization. [William Rowe]
+
+ *) mpm_winnt: Normalize the error and status messages emitted by service.c,
+ the service control interface for Windows. [William Rowe]
+
+ *) configure: Fix --enable-v4-mapped configuration on *BSD. PR 53824.
+ [ olli hauer <ohauer gmx.de>, Yann Ylavic ]
+
+ *) Reverted <DirectoryMatch > behavior regression introduced in 2.4.11
+ (not released).
+
+Changes with Apache 2.4.11 (not released)
+
+ *) SECURITY: CVE-2014-3583 (cve.mitre.org)
+ mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with
+ response headers' size above 8K. [Yann Ylavic, Jeff Trawick]
+
+ *) SECURITY: CVE-2014-3581 (cve.mitre.org)
+ mod_cache: Avoid a crash when Content-Type has an empty value.
+ PR 56924. [Mark Montague <mark catseye.org>, Jan Kaluza]
+
+ *) SECURITY: CVE-2014-8109 (cve.mitre.org)
+ mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
+ used in multiple Require directives with different arguments.
+ PR57204 [Edward Lu <Chaosed0 gmail.com>]
+
+ *) SECURITY: CVE-2013-5704 (cve.mitre.org)
+ core: HTTP trailers could be used to replace HTTP headers
+ late during request processing, potentially undoing or
+ otherwise confusing modules that examined or modified
+ request headers earlier. Adds "MergeTrailers" directive to restore
+ legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
+
+ *) mod_ssl: New directive SSLSessionTickets (On|Off).
+ The directive controls the use of TLS session tickets (RFC 5077),
+ default value is "On" (unchanged behavior).
+ Session ticket creation uses a random key created during web
+ server startup and recreated during restarts. No other key
+ recreation mechanism is available currently. Therefore using session
+ tickets without restarting the web server with an appropriate frequency
+ (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
+
+ *) mod_proxy_fcgi: Provide some basic alternate options for specifying
+ how PATH_INFO is passed to FastCGI backends by adding significance to
[... 3983 lines stripped ...]