You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2017/06/16 17:38:04 UTC
svn commit: r20048 - /release/httpd/
Author: jim
Date: Fri Jun 16 17:38:04 2017
New Revision: 20048
Log:
Move artifacts for mirror grab
Added:
release/httpd/CHANGES_2.4.26
release/httpd/httpd-2.4.26.tar.bz2 (with props)
release/httpd/httpd-2.4.26.tar.bz2.asc (with props)
release/httpd/httpd-2.4.26.tar.bz2.md5
release/httpd/httpd-2.4.26.tar.bz2.sha1
release/httpd/httpd-2.4.26.tar.bz2.sha256
release/httpd/httpd-2.4.26.tar.gz (with props)
release/httpd/httpd-2.4.26.tar.gz.asc (with props)
release/httpd/httpd-2.4.26.tar.gz.md5
release/httpd/httpd-2.4.26.tar.gz.sha1
release/httpd/httpd-2.4.26.tar.gz.sha256
Modified:
release/httpd/Announcement2.4.html
release/httpd/Announcement2.4.txt
release/httpd/CHANGES_2.4
Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Fri Jun 16 17:38:04 2017
@@ -49,54 +49,27 @@
<div class="banner"></div>
<h1>
- Apache HTTP Server 2.4.25 Released
+ Apache HTTP Server 2.4.26 Released
</h1>
<p>
- December 20, 2016
+ June 19, 2017
</p>
<p>
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to <a href="http://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
- the release of version 2.4.25 of the Apache
+ the release of version 2.4.26 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
- a security, feature, and bug fix release, and addresses these
- specific security defects as well as other fixes:
-</p>
-<ul>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736">CVE-2016-0736</a>
- mod_session_crypto: Authenticate the session data/cookie with a
- MAC (SipHash) to prevent deciphering or tampering with a padding
- oracle attack.
-</li>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161">CVE-2016-2161</a>
- mod_auth_digest: Prevent segfaults during client entry allocation
- when the shared memory space is exhausted.
-</li>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387">CVE-2016-5387</a>
- core: Mitigate [f]cgi "httpoxy" issues.
-</li>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740">CVE-2016-8740</a>
- mod_http2: Mitigate DoS memory exhaustion via endless
- CONTINUATION frames.
-</li>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743">CVE-2016-8743</a>
- Enforce HTTP request grammar corresponding to RFC7230 for request
- lines and request headers, to prevent response splitting and cache
- pollution by malicious clients or downstream proxies.
-</li>
-</ul>
-<p>
- NOTE: version 2.4.24 was not released.
+ a security, feature, and bug fix release.
</p>
<p>
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
</p>
<p>
- Apache HTTP Server 2.4.25 is available for download from:
+ Apache HTTP Server 2.4.26 is available for download from:
</p>
<dl>
<dd><a href="http://httpd.apache.org/download.cgi"
@@ -104,7 +77,7 @@
</dl>
<p>
Please see the CHANGES_2.4 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.4.25 includes only
+ full list of changes. A condensed list, CHANGES_2.4.26 includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
@@ -115,9 +88,10 @@
</dd>
</dl>
<p>
- This release requires the Apache Portable Runtime (APR) version 1.5.x
- and APR-Util version 1.5.x. The APR libraries must be upgraded for all
- features of httpd to operate correctly.
+ This release requires the Apache Portable Runtime (APR), minimum version
+ 1.5.x, and APR-Util, minimum version 1.5.x. Some features may require the 1.6.x
+ version of both APR and APR-Util. The APR libraries must be upgraded for
+ all features of httpd to operate correctly.
</p>
<p>
Apache HTTP Server 2.4 provides a number of improvements and enhancements
Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Fri Jun 16 17:38:04 2017
@@ -1,43 +1,19 @@
- Apache HTTP Server 2.4.25 Released
+ Apache HTTP Server 2.4.26 Released
- December 20, 2016
+ June 19, 2017
The Apache Software Foundation and the Apache HTTP Server Project
- are pleased to announce the release of version 2.4.25 of the Apache
+ are pleased to announce the release of version 2.4.26 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
- a security, feature, and bug fix release, and addresses these
- specific security defects as well as other fixes:
+ a security, feature, and bug fix release.
- CVE-2016-0736 (cve.mitre.org)
- mod_session_crypto: Authenticate the session data/cookie with a
- MAC (SipHash) to prevent deciphering or tampering with a padding
- oracle attack.
-
- CVE-2016-2161 (cve.mitre.org)
- mod_auth_digest: Prevent segfaults during client entry allocation
- when the shared memory space is exhausted.
-
- CVE-2016-5387 (cve.mitre.org)
- core: Mitigate [f]cgi "httpoxy" issues.
-
- CVE-2016-8740 (cve.mitre.org)
- mod_http2: Mitigate DoS memory exhaustion via endless
- CONTINUATION frames.
-
- CVE-2016-8743 (cve.mitre.org)
- Enforce HTTP request grammar corresponding to RFC7230 for request
- lines and request headers, to prevent response splitting and cache
- pollution by malicious clients or downstream proxies.
-
- NOTE: Version 2.4.24 was not released.
-
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
- Apache HTTP Server 2.4.25 is available for download from:
+ Apache HTTP Server 2.4.26 is available for download from:
http://httpd.apache.org/download.cgi
@@ -48,16 +24,17 @@
http://httpd.apache.org/docs/trunk/new_features_2_4.html
Please see the CHANGES_2.4 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.4.25 includes only
+ full list of changes. A condensed list, CHANGES_2.4.26 includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
http://httpd.apache.org/security/vulnerabilities_24.html
- This release requires the Apache Portable Runtime (APR) version 1.5.x
- and APR-Util version 1.5.x. The APR libraries must be upgraded for all
- features of httpd to operate correctly.
+ This release requires the Apache Portable Runtime (APR), minimum
+ version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
+ require the 1.6.x version of both APR and APR-Util. The APR libraries
+ must be upgraded for all features of httpd to operate correctly.
This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Fri Jun 16 17:38:04 2017
@@ -1,11 +1,235 @@
-*- coding: utf-8 -*-
+Changes with Apache 2.4.26
+
+ *) HTTP/2 support no longer tagged as "experimental" but is instead considered
+ fully production ready.
+
+ *) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
+ the session in continuous check for state changes that never happen.
+ [Stefan Eissing]
+
+ *) mod_mime: Fix error checking for quoted pairs. [Yann Ylavic]
+
+ *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
+ protocols. [Jean-Frederic Clere]
+
+ *) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
+ a possible crash if a signal is caught during (graceful) restart.
+ PR 60487. [Yann Ylavic]
+
+ *) core: Deprecate ap_get_basic_auth_pw() and add
+ ap_get_basic_auth_components().
+ [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+
+ *) mod_rewrite: When a substitution is a fully qualified URL, and the
+ scheme/host/port matches the current virtual host, stop interpreting the
+ path component as a local path just because the first component of the
+ path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
+ to revert to previous behavior. PR60009.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
+ platforms. PR61124. [Hank Ibell <hwibell gmail.com>]
+
+ *) ab: enable option processing for setting a custom HTTP method also for
+ non-SSL builds. [Rainer Jung]
+
+ *) core: EBCDIC fixes for interim responses with additional headers.
+ [Eric Covener]
+
+ *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
+ to ssl_io_filter_error(). [Yann Ylavic]
+
+ *) mod_env: when processing a 'SetEnv' directive, warn if the environment
+ variable name includes a '='. It is likely a configuration error.
+ PR 60249 [Christophe Jaillet]
+
+ *) Evaluate nested If/ElseIf/Else configuration blocks.
+ [Luca Toscano, Jacob Champion]
+
+ *) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
+ allow spaces in backreferences to be encoded as %20 instead of '+'.
+ [Eric Covener]
+
+ *) mod_rewrite: Add the possibility to limit the escaping to specific
+ characters in backreferences by listing them in the B flag.
+ [Eric Covener]
+
+ *) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
+ systems. [Eric Covener]
+
+ *) mod_http2: fail requests without ERROR log in case we need to read interim
+ responses and see only garbage. This can happen if proxied servers send
+ data where none should be, e.g. a body for a HEAD request. [Stefan Eissing]
+
+ *) mod_proxy_http2: adding support for Reverse Proxy Request headers.
+ [Stefan Eissing]
+
+ *) mod_http2: fixed possible deadlock that could occur when connections were
+ terminated early with ongoing streams. Fixed possible hanger with timeout
+ on race when connection considers itself idle. [Stefan Eissing]
+
+ *) mod_http2: MaxKeepAliveRequests now limits the number of times a
+ slave connection gets reused. [Stefan Eissing]
+
+ *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
+ [Evgeny Kotkov]
+
+ *) mod_proxy_http2: Fixed bug in re-attempting proxy requests after
+ connection error. Reliability of reconnect handling improved.
+ [Stefan Eissing]
+
+ *) mod_http2: better performance, eliminated need for nested locks and
+ thread privates. Moving request setups from the main connection to the
+ worker threads. Increase number of spare connections kept.
+ [Stefan Eissing]
+
+ *) mod_http2: input buffering and dynamic flow windows for increased
+ throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
+ in mod_http2 INFO log as feature 'DWINS'. [Stefan Eissing]
+
+ *) mod_http2: h2 workers with improved scalability for better scheduling
+ performance. There are H2MaxWorkers threads created at start and the
+ number is kept constant for now. [Stefan Eissing]
+
+ *) mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and
+ just log a warning. [Stefan Eissing]
+
+ *) mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date
+ format from 2.2 in the Last Modified column. PR60846.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: Add %{REMOTE_PORT} to the expression parser. PR59938
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
+ computing and using the same entity key according to when the cache
+ checks, loads and saves the request.
+ PR 60577. [Yann Ylavic]
+
+ *) mod_proxy_hcheck: Don't validate timed out responses. [Yann Ylavic]
+
+ *) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
+ in use (ProxyHCTPsize > 0). PR 60071. [Yann Ylavic, Jim Jagielski]
+
+ *) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
+ URI originally requsted by the user, not the nested documents URI. This
+ restores the behavior of this variable to match the "legacy" SSI parser.
+ PR60624. [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
+ variables just before invoking the FastCGI. [Eric Covener,
+ Jacob Champion]
+
+ *) mod_proxy: Allow the per-request environment variable "no-proxy" to
+ be used as an alternative to ProxyPass /path !. This is primarily
+ to set exceptions for ProxyPass specified in <Location> context.
+ Use SetEnvIf, not SetEnv. [Eric Covener]
+
+ *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
+ a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
+ default. Add ProxyFCGIBackendType to allow the type of backend to be
+ specified so these kinds of fixups can be restored without impacting
+ FPM. PR60576 [Eric Covener, Jim Jagielski]
+
+ *) mod_ssl: work around leaks on (graceful) restart. [Yann Ylavic]
+
+ *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
+
+ *) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
+ than zero. [Eric Covener]
+
+ *) mod_http2: moving session cleanup to pre_close hook to avoid races with
+ modules already shut down and slave connections still operating.
+ [Stefan Eissing]
+
+ *) mod_lua: Support for Lua 5.3
+
+ *) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
+
+ *) mod_http2: fix for crash when running out of memory.
+ [Robert Swiecki <robert swiecki.net>, Stefan Eissing]
+
+ *) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
+ [Luca Toscano]
+
+ *) mod_http2: not counting file buckets again stream max buffer limits.
+ Effectively transfering static files in one step from slave to master
+ connection. [Stefan Eissing]
+
+ *) mod_http2: comforting ap_check_pipeline() on slave connections
+ to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
+ [Stefan Eissing, reported by Armin Abfalterer]
+
+ *) mod_http2: http/2 streams now with state handling/transitions as defined
+ in RFC7540. Stream cleanup/connection shutdown reworked to become easier
+ to understand/maintain/debug. Added many asserts on state and cleanup
+ transitions. [Stefan Eissing]
+
+ *) mod_auth_digest: Use an anonymous shared memory segment by default,
+ preventing startup failure after unclean shutdown. PR 54622.
+ [Jan Kaluza]
+
+ *) mod_filter: Fix AddOutputFilterByType with non-content-level filters.
+ PR 58856. [Micha Lenk <micha lenk.info>]
+
+ *) mod_watchdog: Fix semaphore leak over restarts. [Jim Jagielski]
+
+ *) mod_http2: regression fix on PR 59348, on graceful restart, ongoing
+ streams are finished normally before the final GOAWAY is sent.
+ [Stefan Eissing, <slavko gmail.com>]
+
+ *) mod_proxy: Allow the per-request environment variable "no-proxy" to
+ be used as an alternative to ProxyPass /path !. This is primarily
+ to set exceptions for ProxyPass specified in <Location> context.
+ Use SetEnvIf, not SetEnv. PR 60458. [Eric Covener]
+
+ *) mod_http2: fixes PR60599, sending proper response for conditional requests
+ answered by mod_cache. [Jeff Wheelhouse, Stefan Eissing]
+
+ *) mod_http2: rework of stream resource cleanup to avoid a crash in a close
+ of a lingering connection. Prohibit special file bucket beaming for
+ shared buckets. Files sent in stream output now use the stream pool
+ as read buffer, reducing memory footprint of connections.
+ [Yann Ylavic, Stefan Eissing]
+
+ *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
+ modules add empty environment variables to the request. PR 60275.
+ [<alex2grad AT gmail.com>]
+
+ *) mod_http2: fix for possible page fault when stream is resumed during
+ session shutdown. [sidney-j-r-m (github)]
+
+ *) mod_http2: fix for h2 session ignoring new responses while already
+ open streams continue to have data available. [Stefan Eissing]
+
+ *) mod_http2: adding support for MergeTrailers directive. [Stefan Eissing]
+
+ *) mod_http2: limiting DATA frame sizes by TLS record sizes in use on the
+ connection. Flushing outgoing frames earlier. [Stefan Eissing]
+
+ *) mod_http2: cleanup beamer registry on server reload. PR 60510.
+ [Pavel Mateja <pavel verotel.cz>, Stefan Eissing]
+
+ *) mod_proxy_{ajp,fcgi}: Fix a possible crash when reusing an established
+ backend connection, happening with LogLevel trace2 or higher configured,
+ or at any log level with compilers not detected as C99 compliant (e.g.
+ MSVC on Windows). [Yann Ylavic]
+
+ *) mod_ext_filter: Don't interfere with "error buckets" issued by other
+ modules. PR 60375. [Eric Covener, Lubos Uhliarik]
+
+ *) mod_http2: fixes https://github.com/icing/mod_h2/issues/126 e.g. beam
+ bucket lifetime handling when data is sent over temporary pools.
+ [Stefan Eissing]
+
Changes with Apache 2.4.25
*) Fix some build issues related to various modules.
[Rainer Jung]
-Changes with Apache 2.4.24
+Changes with Apache 2.4.24 (not released)
*) SECURITY: CVE-2016-8740 (cve.mitre.org)
mod_http2: Mitigate DoS memory exhaustion via endless
@@ -13,10 +237,6 @@ Changes with Apache 2.4.24
[Naveen Tiwari <na...@asu.edu> and CDF/SEFCOM at Arizona State
University, Stefan Eissing]
- *) SECURITY: CVE-2016-5387 (cve.mitre.org)
- core: Mitigate [f]cgi "httpoxy" issues.
- [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
-
*) SECURITY: CVE-2016-2161 (cve.mitre.org)
mod_auth_digest: Prevent segfaults during client entry allocation when
the shared memory space is exhausted.
@@ -38,6 +258,9 @@ Changes with Apache 2.4.24
pollution by malicious clients, upstream servers or faulty modules.
[Stefan Fritsch, Eric Covener, Yann Ylavic]
+ *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
+ [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
+
*) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
looping RewriteRules when the local path significantly exceeds
LimitRequestLine. PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]
Added: release/httpd/CHANGES_2.4.26
==============================================================================
--- release/httpd/CHANGES_2.4.26 (added)
+++ release/httpd/CHANGES_2.4.26 Fri Jun 16 17:38:04 2017
@@ -0,0 +1,238 @@
+ -*- coding: utf-8 -*-
+
+Changes with Apache 2.4.26
+
+ *) HTTP/2 support no longer tagged as "experimental" but is instead considered
+ fully production ready.
+
+ *) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
+ the session in continuous check for state changes that never happen.
+ [Stefan Eissing]
+
+ *) mod_mime: Fix error checking for quoted pairs. [Yann Ylavic]
+
+ *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
+ protocols. [Jean-Frederic Clere]
+
+ *) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
+ a possible crash if a signal is caught during (graceful) restart.
+ PR 60487. [Yann Ylavic]
+
+ *) core: Deprecate ap_get_basic_auth_pw() and add
+ ap_get_basic_auth_components().
+ [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+
+ *) mod_rewrite: When a substitution is a fully qualified URL, and the
+ scheme/host/port matches the current virtual host, stop interpreting the
+ path component as a local path just because the first component of the
+ path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
+ to revert to previous behavior. PR60009.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
+ platforms. PR61124. [Hank Ibell <hwibell gmail.com>]
+
+ *) ab: enable option processing for setting a custom HTTP method also for
+ non-SSL builds. [Rainer Jung]
+
+ *) core: EBCDIC fixes for interim responses with additional headers.
+ [Eric Covener]
+
+ *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
+ to ssl_io_filter_error(). [Yann Ylavic]
+
+ *) mod_env: when processing a 'SetEnv' directive, warn if the environment
+ variable name includes a '='. It is likely a configuration error.
+ PR 60249 [Christophe Jaillet]
+
+ *) Evaluate nested If/ElseIf/Else configuration blocks.
+ [Luca Toscano, Jacob Champion]
+
+ *) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
+ allow spaces in backreferences to be encoded as %20 instead of '+'.
+ [Eric Covener]
+
+ *) mod_rewrite: Add the possibility to limit the escaping to specific
+ characters in backreferences by listing them in the B flag.
+ [Eric Covener]
+
+ *) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
+ systems. [Eric Covener]
+
+ *) mod_http2: fail requests without ERROR log in case we need to read interim
+ responses and see only garbage. This can happen if proxied servers send
+ data where none should be, e.g. a body for a HEAD request. [Stefan Eissing]
+
+ *) mod_proxy_http2: adding support for Reverse Proxy Request headers.
+ [Stefan Eissing]
+
+ *) mod_http2: fixed possible deadlock that could occur when connections were
+ terminated early with ongoing streams. Fixed possible hanger with timeout
+ on race when connection considers itself idle. [Stefan Eissing]
+
+ *) mod_http2: MaxKeepAliveRequests now limits the number of times a
+ slave connection gets reused. [Stefan Eissing]
+
+ *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
+ [Evgeny Kotkov]
+
+ *) mod_proxy_http2: Fixed bug in re-attempting proxy requests after
+ connection error. Reliability of reconnect handling improved.
+ [Stefan Eissing]
+
+ *) mod_http2: better performance, eliminated need for nested locks and
+ thread privates. Moving request setups from the main connection to the
+ worker threads. Increase number of spare connections kept.
+ [Stefan Eissing]
+
+ *) mod_http2: input buffering and dynamic flow windows for increased
+ throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
+ in mod_http2 INFO log as feature 'DWINS'. [Stefan Eissing]
+
+ *) mod_http2: h2 workers with improved scalability for better scheduling
+ performance. There are H2MaxWorkers threads created at start and the
+ number is kept constant for now. [Stefan Eissing]
+
+ *) mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and
+ just log a warning. [Stefan Eissing]
+
+ *) mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date
+ format from 2.2 in the Last Modified column. PR60846.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: Add %{REMOTE_PORT} to the expression parser. PR59938
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
+ computing and using the same entity key according to when the cache
+ checks, loads and saves the request.
+ PR 60577. [Yann Ylavic]
+
+ *) mod_proxy_hcheck: Don't validate timed out responses. [Yann Ylavic]
+
+ *) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
+ in use (ProxyHCTPsize > 0). PR 60071. [Yann Ylavic, Jim Jagielski]
+
+ *) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
+ URI originally requsted by the user, not the nested documents URI. This
+ restores the behavior of this variable to match the "legacy" SSI parser.
+ PR60624. [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
+ variables just before invoking the FastCGI. [Eric Covener,
+ Jacob Champion]
+
+ *) mod_proxy: Allow the per-request environment variable "no-proxy" to
+ be used as an alternative to ProxyPass /path !. This is primarily
+ to set exceptions for ProxyPass specified in <Location> context.
+ Use SetEnvIf, not SetEnv. [Eric Covener]
+
+ *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
+ a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
+ default. Add ProxyFCGIBackendType to allow the type of backend to be
+ specified so these kinds of fixups can be restored without impacting
+ FPM. PR60576 [Eric Covener, Jim Jagielski]
+
+ *) mod_ssl: work around leaks on (graceful) restart. [Yann Ylavic]
+
+ *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
+
+ *) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
+ than zero. [Eric Covener]
+
+ *) mod_http2: moving session cleanup to pre_close hook to avoid races with
+ modules already shut down and slave connections still operating.
+ [Stefan Eissing]
+
+ *) mod_lua: Support for Lua 5.3
+
+ *) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
+
+ *) mod_http2: fix for crash when running out of memory.
+ [Robert Swiecki <robert swiecki.net>, Stefan Eissing]
+
+ *) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
+ [Luca Toscano]
+
+ *) mod_http2: not counting file buckets again stream max buffer limits.
+ Effectively transfering static files in one step from slave to master
+ connection. [Stefan Eissing]
+
+ *) mod_http2: comforting ap_check_pipeline() on slave connections
+ to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
+ [Stefan Eissing, reported by Armin Abfalterer]
+
+ *) mod_http2: http/2 streams now with state handling/transitions as defined
+ in RFC7540. Stream cleanup/connection shutdown reworked to become easier
+ to understand/maintain/debug. Added many asserts on state and cleanup
+ transitions. [Stefan Eissing]
+
+ *) mod_auth_digest: Use an anonymous shared memory segment by default,
+ preventing startup failure after unclean shutdown. PR 54622.
+ [Jan Kaluza]
+
+ *) mod_filter: Fix AddOutputFilterByType with non-content-level filters.
+ PR 58856. [Micha Lenk <micha lenk.info>]
+
+ *) mod_watchdog: Fix semaphore leak over restarts. [Jim Jagielski]
+
+ *) mod_http2: regression fix on PR 59348, on graceful restart, ongoing
+ streams are finished normally before the final GOAWAY is sent.
+ [Stefan Eissing, <slavko gmail.com>]
+
+ *) mod_proxy: Allow the per-request environment variable "no-proxy" to
+ be used as an alternative to ProxyPass /path !. This is primarily
+ to set exceptions for ProxyPass specified in <Location> context.
+ Use SetEnvIf, not SetEnv. PR 60458. [Eric Covener]
+
+ *) mod_http2: fixes PR60599, sending proper response for conditional requests
+ answered by mod_cache. [Jeff Wheelhouse, Stefan Eissing]
+
+ *) mod_http2: rework of stream resource cleanup to avoid a crash in a close
+ of a lingering connection. Prohibit special file bucket beaming for
+ shared buckets. Files sent in stream output now use the stream pool
+ as read buffer, reducing memory footprint of connections.
+ [Yann Ylavic, Stefan Eissing]
+
+ *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
+ modules add empty environment variables to the request. PR 60275.
+ [<alex2grad AT gmail.com>]
+
+ *) mod_http2: fix for possible page fault when stream is resumed during
+ session shutdown. [sidney-j-r-m (github)]
+
+ *) mod_http2: fix for h2 session ignoring new responses while already
+ open streams continue to have data available. [Stefan Eissing]
+
+ *) mod_http2: adding support for MergeTrailers directive. [Stefan Eissing]
+
+ *) mod_http2: limiting DATA frame sizes by TLS record sizes in use on the
+ connection. Flushing outgoing frames earlier. [Stefan Eissing]
+
+ *) mod_http2: cleanup beamer registry on server reload. PR 60510.
+ [Pavel Mateja <pavel verotel.cz>, Stefan Eissing]
+
+ *) mod_proxy_{ajp,fcgi}: Fix a possible crash when reusing an established
+ backend connection, happening with LogLevel trace2 or higher configured,
+ or at any log level with compilers not detected as C99 compliant (e.g.
+ MSVC on Windows). [Yann Ylavic]
+
+ *) mod_ext_filter: Don't interfere with "error buckets" issued by other
+ modules. PR 60375. [Eric Covener, Lubos Uhliarik]
+
+ *) mod_http2: fixes https://github.com/icing/mod_h2/issues/126 e.g. beam
+ bucket lifetime handling when data is sent over temporary pools.
+ [Stefan Eissing]
+
+
+ [Apache 2.3.0-dev includes those bug fixes and changes with the
+ Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
+
Added: release/httpd/httpd-2.4.26.tar.bz2
==============================================================================
Binary file - no diff available.
Propchange: release/httpd/httpd-2.4.26.tar.bz2
------------------------------------------------------------------------------
svn:mime-type = application/x-bzip2
Added: release/httpd/httpd-2.4.26.tar.bz2.asc
==============================================================================
Binary file - no diff available.
Propchange: release/httpd/httpd-2.4.26.tar.bz2.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp-signature
Added: release/httpd/httpd-2.4.26.tar.bz2.md5
==============================================================================
--- release/httpd/httpd-2.4.26.tar.bz2.md5 (added)
+++ release/httpd/httpd-2.4.26.tar.bz2.md5 Fri Jun 16 17:38:04 2017
@@ -0,0 +1 @@
+d4d47749a44461cb2e6c9d78a22b522b *httpd-2.4.26.tar.bz2
Added: release/httpd/httpd-2.4.26.tar.bz2.sha1
==============================================================================
--- release/httpd/httpd-2.4.26.tar.bz2.sha1 (added)
+++ release/httpd/httpd-2.4.26.tar.bz2.sha1 Fri Jun 16 17:38:04 2017
@@ -0,0 +1 @@
+b10b0f569a0e5adfef61d8c7f0813d42046e399a *httpd-2.4.26.tar.bz2
Added: release/httpd/httpd-2.4.26.tar.bz2.sha256
==============================================================================
--- release/httpd/httpd-2.4.26.tar.bz2.sha256 (added)
+++ release/httpd/httpd-2.4.26.tar.bz2.sha256 Fri Jun 16 17:38:04 2017
@@ -0,0 +1 @@
+a07eb52fafc879e0149d31882f7da63173e72df4478db4dc69f7a775b663d387 *httpd-2.4.26.tar.bz2
Added: release/httpd/httpd-2.4.26.tar.gz
==============================================================================
Binary file - no diff available.
Propchange: release/httpd/httpd-2.4.26.tar.gz
------------------------------------------------------------------------------
svn:mime-type = application/x-gzip
Added: release/httpd/httpd-2.4.26.tar.gz.asc
==============================================================================
Binary file - no diff available.
Propchange: release/httpd/httpd-2.4.26.tar.gz.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp-signature
Added: release/httpd/httpd-2.4.26.tar.gz.md5
==============================================================================
--- release/httpd/httpd-2.4.26.tar.gz.md5 (added)
+++ release/httpd/httpd-2.4.26.tar.gz.md5 Fri Jun 16 17:38:04 2017
@@ -0,0 +1 @@
+492aeb0f752baf7e895fea6334dfe202 *httpd-2.4.26.tar.gz
Added: release/httpd/httpd-2.4.26.tar.gz.sha1
==============================================================================
--- release/httpd/httpd-2.4.26.tar.gz.sha1 (added)
+++ release/httpd/httpd-2.4.26.tar.gz.sha1 Fri Jun 16 17:38:04 2017
@@ -0,0 +1 @@
+3821d35e80e6fa01f8367ca530f53d5be09c6b2f *httpd-2.4.26.tar.gz
Added: release/httpd/httpd-2.4.26.tar.gz.sha256
==============================================================================
--- release/httpd/httpd-2.4.26.tar.gz.sha256 (added)
+++ release/httpd/httpd-2.4.26.tar.gz.sha256 Fri Jun 16 17:38:04 2017
@@ -0,0 +1 @@
+0b5f65e278c0bf3f87afe0fbc253a919d40b9b2c63c3f66cd844e10ba67ced35 *httpd-2.4.26.tar.gz