CHANGES 237 KB
Newer Older
powelld's avatar
powelld committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.4.29

  *) mod_unique_id: Use output of the PRNG rather than IP address and
     pid, avoiding sleep() call and possible DNS issues at startup,
     plus improving randomness for IPv6-only hosts.  [Jan Kaluza]

  *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST
     is used in a condition that evaluates to true. PR 58231 [Luca Toscano]

  *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
     beams that could lead to assertion failure in edge cases.
     [Stefan Eissing] 

  *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
     in 2.4.28.  [Jim Jagielski]

  *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
     PR 61546.  [Lubos Uhliarik <luhliari redhat.com>]

  *) mod_rewrite: Add support for starting External Rewriting Programs
     as non-root user on UNIX systems by specifying username and group
     name as third argument of RewriteMap directive.  [Jan Kaluza]

  *) core: Rewrite the Content-Length filter to avoid excessive memory
     consumption. Chunked responses will be generated in more cases
     than in previous releases.  PR 61222.  [Joe Orton, Ruediger Pluem]

  *) mod_ssl: Fix SessionTicket callback return value, which does seem to
     matter with OpenSSL 1.1. [Yann Ylavic]

Changes with Apache 2.4.28

  *) SECURITY: CVE-2017-9798 (cve.mitre.org)
     Corrupted or freed memory access. <Limit[Except]> must now be used in the
     main configuration file (httpd.conf) to register HTTP methods before the
     .htaccess files.  [Yann Ylavic]

  *) event: Avoid possible blocking in the listener thread when shutting down
     connections. PR 60956.  [Yann Ylavic]

  *) mod_speling: Don't embed referer data in a link in error page.
     PR 38923 [Nick Kew]

  *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
     length in a password file.
     [Luca Toscano, Hanno Böck <hanno hboeck de>]

  *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
     [Jim Jagielski]

  *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
     PR 61142.

  *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
     down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
     's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]

  *) mod_http2: Fix for stalling when more than 32KB are written to a
     suspended stream.  [Stefan Eissing]

  *) build: allow configuration without APR sources.  [Jacob Champion]

  *) mod_ssl, ab: Fix compatibility with LibreSSL.  PR 61184.
     [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
      Yann Ylavic]

  *) core/log: Support use of optional "tag" in syslog entries.
     PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]

  *) mod_proxy: Fix ProxyAddHeaders merging.  [Joe Orton]
 
  *) core: Disallow multiple Listen on the same IP:port when listener buckets
     are configured (ListenCoresBucketsRatio > 0), consistently with the single
     bucket case (default), thus avoiding the leak of the corresponding socket
     descriptors on graceful restart.  [Yann Ylavic]

  *) event: Avoid listener periodic wake ups by using the pollset wake-ability
     when available.  PR 57399.  [Yann Ylavic, Luca Toscano]

  *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
     led to spurious HTTP 502 error messages sent on upgrade connections.
     PR 61283.  [Yann Ylavic]

Changes with Apache 2.4.27

  *) SECURITY: CVE-2017-9789 (cve.mitre.org)
     mod_http2: Read after free. When under stress, closing many connections,
     the HTTP/2 handling code would sometimes access memory after it has been
     freed, resulting in potentially erratic behaviour.
     [Stefan Eissing]

  *) SECURITY: CVE-2017-9788 (cve.mitre.org)
     mod_auth_digest: Uninitialized memory reflection.  The value placeholder
     in [Proxy-]Authorization headers type 'Digest' was not initialized or
     reset before or between successive key=value assignments.
     [William Rowe]

  *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
     global variable when using Lua 5.2 or later. This was exported as a
     side effect from luaL_register, which is no longer supported as of
     Lua 5.2 which deprecates pollution of the global namespace.
     [Rainer Jung]

  *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
     The server will continue to run, but HTTP/2 will no longer be negotiated.
     [Stefan Eissing]

  *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
     default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
     [Jacob Champion, Jim Jagielski]

  *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
     PR58188, PR60831, PR61245. [Rainer Jung]
  
  *) mod_http2: Simplify ready queue, less memory and better performance. Update
     mod_http2 version to 1.10.7. [Stefan Eissing]
  
  *) Allow single-char field names inadvertently disallowed in 2.4.25.
     PR 61220. [Yann Ylavic]

  *) htpasswd / htdigest: Do not apply the strict permissions of the temporary
     passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]

  *) core: Avoid duplicate HEAD in Allow header.
     This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
     PR 61207. [Christophe Jaillet]

Changes with Apache 2.4.26

  *) SECURITY: CVE-2017-7679 (cve.mitre.org)
     mod_mime can read one byte past the end of a buffer when sending a
     malicious Content-Type response header.  [Yann Ylavic]

  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
     bug in token list parsing, which allows ap_find_token() to search past
     the end of its input string. By maliciously crafting a sequence of
     request headers, an attacker may be able to cause a segmentation fault,
     or to force ap_find_token() to return an incorrect value.
     [Jacob Champion]

  *) SECURITY: CVE-2017-7659 (cve.mitre.org)
     A maliciously constructed HTTP/2 request could cause mod_http2 to
     dereference a NULL pointer and crash the server process.

  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
     mod_ssl may dereference a NULL pointer when third-party modules call
     ap_hook_process_connection() during an HTTP request to an HTTPS port.
     [Yann Ylavic]

  *) SECURITY: CVE-2017-3167 (cve.mitre.org)
     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
     authentication phase may lead to authentication requirements being
     bypassed.
     [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]

  *) HTTP/2 support no longer tagged as "experimental" but is instead considered
     fully production ready.

  *) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
     the session in continuous check for state changes that never happen. 
     [Stefan Eissing]

  *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
     protocols.  [Jean-Frederic Clere]

  *) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
     a possible crash if a signal is caught during (graceful) restart.
     PR 60487.  [Yann Ylavic]

  *) mod_rewrite: When a substitution is a fully qualified URL, and the 
     scheme/host/port matches the current virtual host, stop interpreting the 
     path component as a local path just because the first component of the 
     path exists in the filesystem.  Adds RewriteOption "LegacyPrefixDocRoot" 
     to revert to previous behavior. PR60009.
     [Hank Ibell <hwibell gmail.com>]
 
  *) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
     platforms. PR61124. [Hank Ibell <hwibell gmail.com>]

  *) ab: enable option processing for setting a custom HTTP method also for
     non-SSL builds.  [Rainer Jung]

  *) core: EBCDIC fixes for interim responses with additional headers.
     [Eric Covener]

  *) mod_env: when processing a 'SetEnv' directive, warn if the environment
     variable name includes a '='. It is likely a configuration error.
     PR 60249 [Christophe Jaillet]

  *) Evaluate nested If/ElseIf/Else configuration blocks.
     [Luca Toscano, Jacob Champion]

  *) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to 
     allow spaces in backreferences to be encoded as %20 instead of '+'.
     [Eric Covener]

  *) mod_rewrite: Add the possibility to limit the escaping to specific
     characters in backreferences by listing them in the B flag.
     [Eric Covener]

  *) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
     systems.  [Eric Covener]

  *) mod_http2: fail requests without ERROR log in case we need to read interim
     responses and see only garbage. This can happen if proxied servers send
     data where none should be, e.g. a body for a HEAD request. [Stefan Eissing]
     
  *) mod_proxy_http2: adding support for Reverse Proxy Request headers.
     [Stefan Eissing]
     
  *) mod_http2: fixed possible deadlock that could occur when connections were 
     terminated early with ongoing streams. Fixed possible hanger with timeout
     on race when connection considers itself idle. [Stefan Eissing]  

  *) mod_http2: MaxKeepAliveRequests now limits the number of times a 
     slave connection gets reused. [Stefan Eissing]

  *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
     [Evgeny Kotkov]

  *) mod_proxy_http2: Fixed bug in re-attempting proxy requests after 
     connection error. Reliability of reconnect handling improved. 
     [Stefan Eissing]
  
  *) mod_http2: better performance, eliminated need for nested locks and
     thread privates. Moving request setups from the main connection to the
     worker threads. Increase number of spare connections kept.
     [Stefan Eissing]
     
  *) mod_http2: input buffering and dynamic flow windows for increased 
     throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
     in mod_http2 INFO log as feature 'DWINS'. [Stefan Eissing]

  *) mod_http2: h2 workers with improved scalability for better scheduling
     performance. There are H2MaxWorkers threads created at start and the
     number is kept constant for now. [Stefan Eissing]
     
  *) mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and
     just log a warning. [Stefan Eissing]
     
  *) mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date
     format from 2.2 in the Last Modified column. PR60846.
     [Hank Ibell <hwibell gmail.com>]
 
  *) core: Add %{REMOTE_PORT} to the expression parser. PR59938
     [Hank Ibell <hwibell gmail.com>]

  *) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
     computing and using the same entity key according to when the cache
     checks, loads and saves the request.
     PR 60577.  [Yann Ylavic]
  
  *) mod_proxy_hcheck: Don't validate timed out responses.  [Yann Ylavic]

  *) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
     in use (ProxyHCTPsize > 0).  PR 60071.  [Yann Ylavic, Jim Jagielski]

  *) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
     URI originally requsted by the user, not the nested documents URI. This
     restores the behavior of this variable to match the "legacy" SSI parser.
     PR60624. [Hank Ibell <hwibell gmail.com>]

  *) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
     variables just before invoking the FastCGI. [Eric Covener,
     Jacob Champion]

  *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
     a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
     default.  Add ProxyFCGIBackendType to allow the type of backend to be
     specified so these kinds of fixups can be restored without impacting
     FPM. PR60576 [Eric Covener, Jim Jagielski]

  *) mod_ssl: work around leaks on (graceful) restart. [Yann Ylavic]

  *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]

  *) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
     than zero.  [Eric Covener]

  *) mod_http2: moving session cleanup to pre_close hook to avoid races with
     modules already shut down and slave connections still operating.
     [Stefan Eissing]

  *) mod_lua: Support for Lua 5.3

  *) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
  
  *) mod_http2: fix for crash when running out of memory.
     [Robert Swiecki <robert swiecki.net>, Stefan Eissing]
     
  *) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
     [Luca Toscano]

  *) mod_http2: not counting file buckets again stream max buffer limits. 
     Effectively transfering static files in one step from slave to master 
     connection. [Stefan Eissing]
    
  *) mod_http2: comforting ap_check_pipeline() on slave connections
     to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
     [Stefan Eissing, reported by Armin Abfalterer]
     
  *) mod_http2: http/2 streams now with state handling/transitions as defined
     in RFC7540. Stream cleanup/connection shutdown reworked to become easier
     to understand/maintain/debug. Added many asserts on state and cleanup 
     transitions. [Stefan Eissing]
     
  *) mod_auth_digest: Use an anonymous shared memory segment by default,
     preventing startup failure after unclean shutdown.  PR 54622.
     [Jan Kaluza]

  *) mod_filter: Fix AddOutputFilterByType with non-content-level filters.
     PR 58856. [Micha Lenk <micha lenk.info>]
 
  *) mod_watchdog: Fix semaphore leak over restarts.  [Jim Jagielski]

  *) mod_http2: regression fix on PR 59348, on graceful restart, ongoing 
     streams are finished normally before the final GOAWAY is sent. 
     [Stefan Eissing, <slavko gmail.com>]

  *) mod_proxy: Allow the per-request environment variable "no-proxy" to
     be used as an alternative to ProxyPass /path !. This is primarily
     to set exceptions for ProxyPass specified in <Location> context.
     Use SetEnvIf, not SetEnv. PR 60458.  [Eric Covener]

  *) mod_http2: fixes PR60599, sending proper response for conditional requests
     answered by mod_cache. [Jeff Wheelhouse, Stefan Eissing]
     
  *) mod_http2: rework of stream resource cleanup to avoid a crash in a close
     of a lingering connection. Prohibit special file bucket beaming for
     shared buckets. Files sent in stream output now use the stream pool
     as read buffer, reducing memory footprint of connections.
     [Yann Ylavic, Stefan Eissing]
     
  *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
     modules add empty environment variables to the request. PR 60275.
     [<alex2grad AT gmail.com>]

  *) mod_http2: fix for possible page fault when stream is resumed during 
     session shutdown. [sidney-j-r-m (github)]
     
  *) mod_http2: fix for h2 session ignoring new responses while already
     open streams continue to have data available. [Stefan Eissing]
     
  *) mod_http2: adding support for MergeTrailers directive. [Stefan Eissing]
  
  *) mod_http2: limiting DATA frame sizes by TLS record sizes in use on the 
     connection. Flushing outgoing frames earlier. [Stefan Eissing]

  *) mod_http2: cleanup beamer registry on server reload.  PR 60510.
     [Pavel Mateja <pavel verotel.cz>, Stefan Eissing]
     
  *) mod_proxy_{ajp,fcgi}: Fix a possible crash when reusing an established
     backend connection, happening with LogLevel trace2 or higher configured,
     or at any log level with compilers not detected as C99 compliant (e.g.
     MSVC on Windows).  [Yann Ylavic]

  *) mod_ext_filter: Don't interfere with "error buckets" issued by other
     modules. PR 60375.  [Eric Covener, Lubos Uhliarik]

  *) mod_http2: fixes https://github.com/icing/mod_h2/issues/126 e.g. beam
     bucket lifetime handling when data is sent over temporary pools.
     [Stefan Eissing] 
  
Changes with Apache 2.4.25

  *) Fix some build issues related to various modules.
     [Rainer Jung]

Changes with Apache 2.4.24 (not released)

  *) SECURITY: CVE-2016-8740 (cve.mitre.org)
     mod_http2: Mitigate DoS memory exhaustion via endless
     CONTINUATION frames.
     [Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State
     University, Stefan Eissing]

  *) SECURITY: CVE-2016-2161 (cve.mitre.org)
     mod_auth_digest: Prevent segfaults during client entry allocation when
     the shared memory space is exhausted.
     [Maksim Malyutin <m.malyutin dsec.ru>, Eric Covener, Jacob Champion]

  *) SECURITY: CVE-2016-0736 (cve.mitre.org)
     mod_session_crypto: Authenticate the session data/cookie with a
     MAC (SipHash) to prevent deciphering or tampering with a padding
     oracle attack.  [Yann Ylavic, Colm MacCarthaigh]

  *) SECURITY: CVE-2016-8743 (cve.mitre.org)
     Enforce HTTP request grammar corresponding to RFC7230 for request lines
     and request headers, to prevent response splitting and cache pollution by
     malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]

  *) Validate HTTP response header grammar defined by RFC7230, resulting
     in a 500 error in the event that invalid response header contents are
     detected when serving the response, to avoid response splitting and cache
     pollution by malicious clients, upstream servers or faulty modules.
     [Stefan Fritsch, Eric Covener, Yann Ylavic]

  *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]

  *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
     looping RewriteRules when the local path significantly exceeds 
     LimitRequestLine.  PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]

  *) mod_ratelimit: Allow for initial "burst" amount at full speed before
     throttling: PR 60145 [Andy Valencia <ajv-etradanalhos vsta.org>,
     Jim Jagielski]

  *) mod_socache_memcache: Provide memcache stats to mod_status.
     [Jim Jagielski]

  *) http_filters: Fix potential looping in new check_headers() due to new
     pattern of ap_die() from http header filter. Explicitly clear the
     previous headers and body.

  *) core: Drop Content-Length header and message-body from HTTP 204 responses.
     PR 51350 [Luca Toscano]

  *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is
     configured in <Location>, like in 2.2. PR 60458.
     [Eric Covener]

  *) mod_lua: Fix default value of LuaInherit directive. It should be 
     'parent-first' instead of 'none', as per documentation.  PR 60419
     [Christophe Jaillet]

  *) core: New directive HttpProtocolOptions to control httpd enforcement
     of various RFC7230 requirements. [Stefan Fritsch, William Rowe]

  *) core: Permit unencoded ';' characters to appear in proxy requests and
     Location: response headers. Corresponds to modern browser behavior.
     [William Rowe]

  *) core: ap_rgetline_core now pulls from r->proto_input_filters.

  *) core: Correctly parse an IPv6 literal host specification in an absolute
     URL in the request line. [Stefan Fritsch]

  *) core: New directive RegisterHttpMethod for registering non-standard
     HTTP methods. [Stefan Fritsch]

  *) mod_socache_memcache: Pass expiration time through to memcached.
     [Faidon Liambotis <paravoid debian.org>, Joe Orton]

  *) mod_cache: Use the actual URI path and query-string for identifying the
     cached entity (key), such that rewrites are taken into account when
     running afterwards (CacheQuickHandler off).  PR 21935.  [Yann Ylavic]

  *) mod_http2: new directive 'H2EarlyHints' to enable sending of HTTP status
     103 interim responses. Disabled by default. [Stefan Eissing]
     
  *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
     in the client certificate chain.  PR 55786.  [Yann Ylavic]

  *) event: Allow to use the whole allocated scoreboard (up to ServerLimit
     slots) to avoid scoreboard full errors when some processes are finishing
     gracefully. Also, make gracefully finishing processes close all
     keep-alive connections. PR 53555. [Stefan Fritsch]

  *) mpm_event: Don't take over scoreboard slots from gracefully finishing
     threads. [Stefan Fritsch]

  *) mpm_event: Free memory earlier when shutting down processes.
     [Stefan Fritsch]

  *) mod_status: Display the process slot number in the async connection
     overview. [Stefan Fritsch]

  *) mod_dir: Responses that go through "FallbackResource" might appear to
     hang due to unterminated chunked encoding. PR58292. [Eric Covener]

  *) mod_dav: Fix a potential cause of unbounded memory usage or incorrect
     behavior in a routine that sends <DAV:response>'s to the output filters.
     [Evgeny Kotkov]

  *) mod_http2: new directive 'H2PushResource' to enable early pushes before 
     processing of the main request starts. Resources are announced to the 
     client in Link headers on a 103 early hint response. 
     All responses with status code <400 are inspected for Link header and
     trigger pushes accordingly. 304 still does prevent pushes.
     'H2PushResource' can mark resources as 'critical' which gives them higher
     priority than the main resource. This leads to preferred scheduling for
     processing and, when content is available, will send it first. 'critical'
     is also recognized on Link headers. [Stefan Eissing]
     
  *) mod_proxy_http2: uris in Link headers are now mapped back to a suitable
     local url when available. Relative uris with an absolute path are mapped
     as well. This makes reverse proxy mapping available for resources
     announced in this header. 
     With 103 interim responses being forwarded to the main client connection,
     this effectively allows early pushing of resources by a reverse proxied
     backend server. [Stefan Eissing]
     
  *) mod_proxy_http2: adding support for newly proposed 103 status code.
     [Stefan Eissing]
     
  *) mpm_unix: Apache fails to start if previously crashed then restarted with
     the same PID (e.g. in container).  PR 60261.
     [Val <valentin.bremond gmail.com>, Yann Ylavic]

  *) mod_http2: unannounced and multiple interim responses (status code < 200)
     are parsed and forwarded to client until a final response arrives.
     [Stefan Eissing]
  
  *) mod_proxy_http2: improved robustness when main connection is closed early
     by resetting all ongoing streams against the backend.
     [Stefan Eissing]
  
  *) mod_http2: allocators from slave connections are released earlier,
     resulting in less overall memory use on busy, long lived connections.
     [Stefan Eissing]
     
  *) mod_remoteip: Pick up where we left off during a subrequest rather
     than running with the modified XFF but original TCP address.
     PR 49839/PR 60251

  *) http: Respond with "408 Request Timeout" when a timeout occurs while
     reading the request body.  [Yann Ylavic]

  *) mod_http2: connection shutdown revisited: corrected edge cases on
     shutting down ongoing streams, changed log warnings to be less noisy
     when waiting on long running tasks. [Stefan Eissing]

  *) mod_http2: changed all AP_DEBUG_ASSERT to ap_assert to have them 
     available also in normal deployments. [Stefan Eissing]

  *) mod_http2/mod_proxy_http2: 100-continue handling now properly implemented
     up to the backend. Reused HTTP/2 proxy connections with more than a second
     not used will block request bodies until a PING answer is received.
     Requests headers are not delayed by this, since they are repeatable in
     case of failure. This greatly increases robustness, especially with
     busy server and/or low keepalive connections. [Stefan Eissing]
     
  *) mod_proxy_http2: fixed duplicate symbols with mod_http2.
     [Stefan Eissing]
  
  *) mod_http2: rewrite of how responses and trailers are transferred between
     master and slave connection. Reduction of internal states for tasks
     and streams, stability. Heuristic id generation for slave connections
     to better keep promise of connection ids unique at given point int time.
     Fix for mod_cgid interop in high load situtations. 
     Fix for handling of incoming trailers when no request body is sent.
     [Stefan Eissing]
  
  *) mod_http2: fix suspended handling for streams. Output could become
     blocked in rare cases. [Stefan Eissing]

  *) mpm_winnt: Prevent a denial of service when the 'data' AcceptFilter is in
     use by replacing it with the 'connect' filter. PR 59970. [Jacob Champion]

  *) mod_cgid: Resolve a case where a short CGI response causes a subsequent
     CGI to be killed prematurely, resulting in a truncated subsequent
     response. [Eric Covener]

  *) mod_proxy_hcheck: Set health check URI and expression correctly for health
     check worker. PR 60038 [zdeno <zdeno@scnet.sk>]

  *) mod_http2: if configured with nghttp2 1.14.0 and onward, invalid request
     headers will immediately reset the stream with a PROTOCOL error. Feature
     logged by module on startup as 'INVHD' in info message.
     [Stefan Eissing]
     
  *) mod_http2: fixed handling of stream buffers during shutdown.
     [Stefan Eissing]
     
  *) mod_reqtimeout: Fix body timeout disabling for CONNECT requests to avoid
     triggering mod_proxy_connect's AH01018 once the tunnel is established.
     [Yann Ylavic]

  *) ab: Set the Server Name Indication (SNI) extension on outgoing TLS
     connections (unless -I is specified), according to the Host header (if
     any) or the requested URL's hostname otherwise.  [Yann Ylavic]

  *) mod_proxy_fcgi: avoid loops when ProxyErrorOverride is enabled
     and the error documents are proxied. PR 55415. [Luca Toscano]

  *) mod_proxy_fcgi: read the whole FCGI response even when the content
     has not been modified (HTTP 304) or in case of a precondition failure
     (HTTP 412) to avoid subsequent bogus reads and confusing
     error messages logged. [Luca Toscano]

  *) mod_http2: h2 status resource follows latest draft, see
     http://www.ietf.org/id/draft-benfield-http2-debug-state-01.txt
     [Stefan Eissing]
     
  *) mod_http2: handling graceful shutdown gracefully, e.g. handling existing
     streams to the end. [Stefan Eissing]
  
  *) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data
     available before the request is sent.  PR 57832.  [Yann Ylavic]

  *) mod_proxy_balancer: Prevent redirect loops between workers within a
     balancer by limiting the number of redirects to the number balancer
     members. PR 59864 [Ruediger Pluem]

  *) mod_proxy: Correctly consider error response codes by the backend when
     processing failonstatus. PR 59869 [Ruediger Pluem]

  *) mod_dav: Add dav_get_provider_name() function to obtain the name
     of the provider from mod_dav.  [Graham Leggett]

  *) mod_dav: Add support for childtags to dav_error.
     [Jari Urpalainen <jari.urpalainen nokia.com>]

  *) mod_proxy_fcgi: Fix 2.4.23 breakage for mod_rewrite per-dir and query 
     string showing up in SCRIPT_FILENAME. PR59815

  *) mod_include: Fix a potential memory misuse while evaluating expressions.
     PR59844. [Eric Covener]

  *) mod_http2: new H2CopyFiles directive that changes treatment of file
     handles in responses. Necessary in order to fix broken lifetime handling
     in modules such as mod_wsgi.
  
  *) mod_http2: removing timeouts on master connection while requests are
     being processed. Requests may timeout, but the master only times out when
     no more requests are active. [Stefan Eissing]
     
  *) mod_http2: fixes connection flush when answering SETTINGS without any
     stream open. [Moto Ishizawa <@summerwind>, Stefan Eissing]
     
Changes with Apache 2.4.23

  *) mod_ssl: reset client-verify state of ssl when aborting renegotiations.
     [Erki Aring <erki@example.ee>, Stefan Eissing]

  *) mod_sed: Fix 'x' command processing. [Christophe Jaillet]

  *) configure: Fix ./configure edge-case failures around dependencies
     of mod_proxy_hcheck. [William Rowe, Ruediger Pluem, Jeff Trawick]

Changes with Apache 2.4.22

  *) mod_http2: fix for request abort when connections drops, introduced in
     1.5.8

Changes with Apache 2.4.21

  *) ab: Use caseless matching for HTTP tokens (e.g. content-length). PR 59111.
     [Yann Ylavic]

  *) mod_http2: more rigid error handling in DATA frame assembly, leading
     to deterministic connection errors if assembly fails.
     [Stefan Eissing, Pal Nilsen <https://github.com/maedox>]

  *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
     failures under Visual Studio 2015 and other mismatched MSVCRT flavors.
     PR59630 [Jan Ehrhardt <phpdev ehrhardt.nl>]

  *) mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
     to opt-in previous behaviour (2.2) with CRLs verification when checking
     certificate(s) with no corresponding CRL.  [Yann Ylavic]

  *) mpm_event, mpm_worker: Fix computation of MinSpareThreads' lower bound
     according the number of listeners buckets.  [Yann Ylavic]

  *) Add ap_cstr_casecmp[n]() - placeholder of apr_cstr_casecmp[n] functions
     for case-insensitive C/POSIX-locale token comparison.
     [Jim Jagielski, William Rowe, Yann Ylavic, Branko Čibej]

  *) mod_userdir: Constify and save a few bytes in the conf pool when
     parsing the "UserDir" directive. [Christophe Jaillet]

  *) mod_cache: Fix (max-stale with no '=') and enforce (check
     integers after '=') Cache-Control header parsing.
     [Christophe Jaillet]

  *) core: Add -DDUMP_INCLUDES configtest option to show the tree
     of Included configuration files.
     [Jacob Champion <champion.pxi gmail.com>]

  *) mod_proxy_fcgi: Avoid passing a filename of proxy:fcgi:// as
     SCRIPT_FILENAME to a FastCGI server. PR59618.
     [Jacob Champion <champion.pxi gmail.com>]

  *) mod_dav: Add dav_get_provider_name() function to obtain the name
     of the provider from mod_dav.
     [Jari Urpalainen <jari.urpalainen nokia.com>]

  *) mod_proxy_http2: properly care for HTTP2 flow control of the frontend
     connection is HTTP/1.1. [Patch supplied by Evgeny Kotkov]
     
  *) mod_http2: improved cleanup of connection/streams/tasks to always
     have deterministic order regardless of event initiating it. Addresses
     reported crashes due to memory read after free issues. 
     [Stefan Eissing] 
  
  *) mod_ssl: Correct the interaction between SSLProxyCheckPeerCN and newer
     SSLProxyCheckPeerName directives since release 2.4.5, such that disabling
     either disables both, and that enabling either triggers the new, more
     comprehensive SSLProxyCheckPeerName behavior. Only a single configuration
     remains to enable the legacy behavior, which is to explicitly disable
     SSLProxyCheckPeerName, and enable SSLProxyCheckPeerCN. [William Rowe]

  *) mod_include: add the <!--#comment ...> syntax in order to include comments
     in a SSI file. [Christophe Jaillet based on a suggestion from Rob]

  *) mod_http2: improved event handling for suspended streams, responses
     and window updates. [Stefan Eissing] 
     
  *) mod_proxy_hcheck: Provide for dynamic background health
     checks on reverse proxies associated with BalancerMember
     workers. [Jim Jagielski]

  *) mod_http2: Fix async write issue that led to selection of wrong timeout
     vs. keepalive timeout selection for idle sessions. [Stefan Eissing]
     
  *) mod_http2: checking LimitRequestLine, LimitRequestFields and 
     LimitRequestFieldSize configurated values for incoming streams. Returning
     HTTP status 431 for too long/many headers fields and 414 for a too long
     pseudo header. [Stefan Eissing]
     
  *) mod_http2: tracking conn_rec->current_thread on slave connections, so
     that mod_lua finds the correct one. Fixes PR 59542. [Stefan Eissing]
     
  *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
     urls. Part of the httpd mod_proxy framework, common settings apply.
     Requests from the same HTTP/2 frontend connection against the same backend
     are aggregated on a single connection.
     [Stefan Eissing]
  
  *) mod_http2: slave connections have conn_rec->aborted flag set when a stream
     has been reset by the client. [Stefan Eissing]

  *) mod_http2: merge of some 2.4.x adaptions re filters on slave connections.
     Small fixes in bucket beams when forwarding file buckets. Output handling
     on master connection uses less FLUSH and passes automatically when more
     than half of H2StreamMaxMemSize bytes have accumulated.
     Workaround for http: when forwarding partial file buckets to keep the
     output filter from closing these too early. [Stefan Eissing]

  *) mod_http2: elimination of fixed master connection buffer for TLS 
     connections. New scratch bucket handling optimized for TLS write sizes. 
     File bucket data read directly into scratch buffers, avoiding one
     copy. Non-TLS connections continue to pass buckets unchanged to the core
     filters to allow sendfile() usage. [Stefan Eissing]

  *) mod_http2/mod_proxy_http2: h2_request.c is no longer shared between these
     modules. This simplifies building on platforms such as Windows, as module
     reference used in logging is now clear. [Stefan Eissing]

  *) Scoreboard: Fix a regression in 2.4.20 that causes wrong request data
     to be displayed on the status page. PR 59333. [Yann Ylavic, William Rowe]

  *) mod_http2: fixed a bug that caused mod_proxy_http2 to be called for window
     updates on requests it had already reported done. Added synchronization
     on early connection/stream close that lets ongoing requests safely drain
     their input filters.
     [Stefan Eissing]

  *) mod_http2: scoreboard updates that summarize the h2 session (and replace
     the last request information) will only happen when the session is idle or 
     in shutdown/done phase. [Stefan Eissing]

  *) mod_http2: new "bucket beam" technology to transport buckets across
     threads without buffer copy. Delaying response start until flush or
     enough body data has been accumulated. Overall significantly smaller
     memory footprint. [Stefan Eissing]

  *) core: New CGIVar directive can configure REQUEST_URI to represent the
     current URI being processed instead of always the original request.
     [Jeff Trawick]

  *) scoreboard/status: Restore behavior of showing workers' previous Client,
     VHost and Request values when idle, like in 2.4.18 and earlier. 

  *) mod_http2: r->protocol changed to "HTTP/2.0" (was "HTTP/2") as this will
     give expected syntax in CGI's SERVER_PROTOCOL is more compatible with
     existing major/minor handling. Fixes PR 59313.

  *) mod_http2: disabling mmap for file buckets transport due to segmenation
     faults when files change on the fly.

Changes with Apache 2.4.20

  *) SECURITY: CVE-2016-1546 (cve.mitre.org)     
     mod_http2: restricting number of concurrent stream workers per connection
     if client is slow. 

  *) core: Do not read .htaccess if AllowOverride and AllowOverrideList
     are "None". PR 58528.
     [Michael Schlenker <msc contact.de, Ruediger Pluem, Daniel Ruggeri]

  *) mod_proxy_express: Fix possible use of DB handle after close.  PR 59230.
     [Petr <pgajdos suse.cz>]

  *) core/util_script: relax alphanumeric filter of environment variable names
     on Windows to allow '(' and ')' for passing PROGRAMFILES(X86) et.al.
     unadulterated in 64 bit versions of Windows. PR 46751.
     [John <john leineweb de>]

  *) mod_http2: incrementing keepalives on each request started so that logging
     %k gives increasing numbers per master http2 connection. 
     New documented variables in env, usable in custom log formats: H2_PUSH,
     H2_PUSHED, H2_PUSHED_ON, H2_STREAM_ID and H2_STREAM_TAG.
     [Stefan Eissing]

  *) mod_http2: more efficient passing of response bodies with less contention
     and file bucket forwarding. [Stefan Eissing]

  *) mod_http2: fix for missing score board updates on request count, fix for
     memory leak on slave connection reuse. [Stefan Eissing]

  *) mod_http2: Fix build on Windows from dsp files.
     [Stefan Eissing] 
     
Changes with Apache 2.4.19

  *) mod_include: Add variable DOCUMENT_ARGS, with the arguments to the
     request for the SSI document.  [Jeff Trawick]

  *) mod_authz_host: Add a new "forward-dns" authorization type, not relying on
     reverse DNS lookups.  [Fabien]

  *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
     urls. Uses backend connections for concurrent requests if frontend 
     connection is http2 as well.
     [Stefan Eissing]
  
  *) mod_ssl: Add hooks to allow other modules to perform processing at
     several stages of initialization and connection handling.  See
     mod_ssl_openssl.h.  [Jeff Trawick]

  *) mod_http2: disabling PUSH when client sends GOAWAY. Slave connections are 
     reused for several requests, improved performance and better memory use. 
     [Stefan Eissing]  

  *) mod_rewrite: Don't implicitly URL-escape the original query string
     when no substitution has changed it (like PR50447 but server context)
     [Evgeny Kotkov <evgeny.kotkov visualsvn.com>]

  *) mod_http2: fixes problem with wrong lifetime of file buckets on main
     connection. [Stefan Eissing]

  *) mod_http2: fixes incorrect denial of requests without :authority header.
     [Stefan Eissing]

  *) mod_reqtimeout: Prevent long response times from triggering a timeout once
     the request has been fully read.  PR 59045.  [Yann Ylavic]

  *) ap_expr: expression support for variable HTTP2=on|off. [Stefan Eissing]

  *) mod_http2: give control to async mpm for keepalive timeouts only when
     no streams are open and even if only after 1 sec delay. Under load, event
     mpm discards connections otherwise too quickly. [Stefan Eissing]

  *) mod_ssl: Don't lose track of the SSL context if an unlikely failure occurs
     in ssl_init_ssl_connection().  [Graham Leggett]

  *) mod_rewrite: Add QSL|qslast flag to allow rewrites to files with
     literal question marks in their names. PR 58777. [Eric Covener]

  *) event: use pre_connection hook to properly initialize connection state for
     slave connections. use protocol_switch hook to initialize server config
     early based on SNI selected vhost. 
     [Stefan Eissing]

  *) hostname: Test and log useragent_host per-request across various modules,
     including the scoreboard, expression and rewrite engines, setenvif,
     authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.
     PR55348  [William Rowe]

  *) core: Track the useragent_host per-request when mod_remoteip or similar
     modules track a per-request useragent_ip.  Modules should be updated
     to inquire for ap_get_useragent_host() in place of ap_get_remote_host().
     [William Rowe]

  *) core: fix a bug in <UnDefine ...> directive processing. When used, the last
     <Define...>'ed variable was also withdrawn. PR 59019
     [Christophe Jaillet]

  *) mod_http2: Accept-Encoding is, when present on the initiating request, 
     added to push promises. This lets compressed content work in pushes.
     by the client. [Stefan Eissing]

  *) mod_http2: fixed possible read after free when streams were cancelled early
     by the client. [Stefan Eissing]

  *) mod_http2: fixed possible deadlock during connection shutdown. Thanks to 
     @FrankStolle for reporting and getting the necessary data.
     [Stefan Eissing]

  *) mod_http2: fixed apr_uint64_t formatting in a log statement to user proper 
     APR def, thanks to @Sp1l.

  *) mod_http2: number of worker threads allowed to a connection is adjusting 
     dynamically. Starting with 4, the number is doubled when streams can be 
     served without block on http/2 connection flow. The number is halfed, when
     the server has to wait on client flow control grants. 
     This can happen with a maximum frequency of 5 times per second. 
     When a connection occupies too many workers, repeatable requests 
     (GET/HEAD/OPTIONS) are cancelled and placed back in the queue. Should that 
     not suffice and a stream is busy longer than the server timeout, the 
     connection will be aborted with error code ENHANCE_YOUR_CALM.
     This does *not* limit the number of streams a client may open, rather the
     number of server threads a connection might use.
     [Stefan Eissing]

  *) mod_http2: allowing link header to specify multiple "rel" values, 
     space-separated inside a quoted string. Prohibiting push when Link 
     parameter "nopush" is present.
     [Stefan Eissing]

  *) mod_http2: reworked connection state handling. Idle connections accept a
     GOAWAY from the client without further reply. Otherwise the
     module makes a best effort to send one last GOAWAY to the client.

  *) mod_http2: the values from standard directives Timeout and KeepAliveTimeout
     properly are applied to http/2 connections.
     [Stefan Eissing]

  *) mod_http2: idle connections are returned to async mpms. new hook
     "pre_close_connection" used to send GOAWAY frame when not already done.
     Setting event mpm server config "by hand" for the main connection to
     the correct negotiated server.
     [Stefan Eissing]

  *) mod_http2: keep-alive blocking reads are done with 1 second timeouts to
     check for MPM stopping. Will announce early GOAWAY and finish processing
     open streams, then close.
     [Stefan Eissing]

  *) mod_http2: bytes read/written on slave connections are reported via the
     optional mod_logio functions. Fixes PR 58871.

  *) prefork: Initialize the POD when running in ONE_PROCESS (or -X) mode to
     avoid a crash.  [Jan Kaluza, Yann Ylavic]

  *) mod_ssl: When SSLVerify is disabled (NONE), don't force a renegotiation if
     the SSLVerifyDepth applied with the default/handshaken vhost differs from
     the one applicable with the finally selected vhost.  [Yann Ylavic]

  *) core: Ensure that httpd exits with an error status when the MPM fails
     to run.  [Yann Ylavic]

  *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
     [Jan Kaluza, Yann Ylavic]

  *) mod_ssl: Add SSLOCSPProxyURL to add the possibility to do all queries
     to OCSP responders through a HTTP proxy. [Ruediger Pluem]

  *) mod_proxy: Play/restore the TLS-SNI on new backend connections which
     had to be issued because the remote closed the previous/reusable one
     during idle (keep-alive) time.  [Yann Ylavic]

  *) mod_cache_socache: Fix a possible cached entity body corruption when it
     is received from an origin server in multiple batches and forwarded by
     mod_proxy.  [Yann Ylavic]

  *) core: Add expression support to SetHandler.
     [Eric Covener]

  *) mod_remoteip: Prevent an external proxy from presenting an internal
     proxy. PR 55962. [Mike Rumph]

  *) core: Prevent a server crash in case of an invalid CONNECT request with
     a custom error page for status code 400 that uses server side includes.
     PR 58929 [Ruediger Pluem]

  *) mod_ssl: handle TIMEOUT on empty SSL input as non-fatal, returning 
     APR_TIMEUP and preserving connection state for later retry.
     [Stefan Eissing]

  *) mod_ssl: Save some TLS record (application data) fragmentations by
     including the last and subsequent suitable buckets when coalescing.
     [Yann Ylavic]

  *) mod_proxy_fcgi: Suppress HTTP error 503 and message 01075, 
     "Error dispatching request", when the cause appears to be 
     due to the client closing the connection. 
     PR58118.  [Tobias Adolph <adolph lrz.de>]

  *) mod_cgid: Message AH02550, failure to flush a response to the client,
     is now logged at TRACE1 level to match the underlying core output filter
     severity.  [Eric Covener]

  *) mime.types: add common extension "m4a" for MPEG 4 Audio.
     PR 57895 [Dylan Millikin <dylan.millikin gmail.com>]

  *) Added many log numbers to log statements that had none.
     [Rainer Jung]

  *) mod_log_config: Add GlobalLog to allow a globally defined log to
     be inherited by virtual hosts that define a CustomLog.
     [Edward Lu]

  *) mod_http2: connections how keep a "push diary" where hashes of already
     pushed resources are kept. See directive H2PushDiarySize for managing this.
     Push diaries can be initialized by clients via the "Cache-Digest" request
     header. This carries a base64url encoded. compressed Golomb set as described
     in https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/
     Introduced a status handler for HTTP/2 connections, giving various counters
     and statistics about the current connection, plus its cache digest value
     in a JSON record. Not a replacement for more HTTP/2 in the server status. 
     Configured as
     <Location "/http2-status">
         SetHandler http2-status
     </Location>