Skip to content
CHANGES 232 KiB
Newer Older
Jeff Trawick's avatar
Jeff Trawick committed
                                                         -*- coding: utf-8 -*-
Ruediger Pluem's avatar
Ruediger Pluem committed

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.27

  *) Allow single-char field names inadvertantly disallowed in 2.4.25.
     PR 61220. [Yann Ylavic]

  *) core: Avoid duplicate HEAD in Allow header.
     This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
     PR 61207. [Christophe Jaillet]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.26
Jim Jagielski's avatar
Jim Jagielski committed
  *) SECURITY: CVE-2017-7679 (cve.mitre.org)
     mod_mime can read one byte past the end of a buffer when sending a
Eric Covener's avatar
Eric Covener committed
     malicious Content-Type response header.  [Yann Ylavic]
Jim Jagielski's avatar
Jim Jagielski committed

  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
     bug in token list parsing, which allows ap_find_token() to search past
     the end of its input string. By maliciously crafting a sequence of
     request headers, an attacker may be able to cause a segmentation fault,
     or to force ap_find_token() to return an incorrect value.
Eric Covener's avatar
Eric Covener committed
     [Jacob Champion]
Jim Jagielski's avatar
Jim Jagielski committed

  *) SECURITY: CVE-2017-7659 (cve.mitre.org)
     A maliciously constructed HTTP/2 request could cause mod_http2 to
     dereference a NULL pointer and crash the server process.

  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
     mod_ssl may dereference a NULL pointer when third-party modules call
     ap_hook_process_connection() during an HTTP request to an HTTPS port.
Eric Covener's avatar
Eric Covener committed
     [Yann Ylavic]
Jim Jagielski's avatar
Jim Jagielski committed

  *) SECURITY: CVE-2017-3167 (cve.mitre.org)
     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
     authentication phase may lead to authentication requirements being
     bypassed.
Eric Covener's avatar
Eric Covener committed
     [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
Jim Jagielski's avatar
Jim Jagielski committed

  *) HTTP/2 support no longer tagged as "experimental" but is instead considered
     fully production ready.

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
     the session in continuous check for state changes that never happen. 
     [Stefan Eissing]

Eric Covener's avatar
Eric Covener committed
  *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
     protocols.  [Jean-Frederic Clere]

Yann Ylavic's avatar
Yann Ylavic committed
  *) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
     a possible crash if a signal is caught during (graceful) restart.
     PR 60487.  [Yann Ylavic]

  *) mod_rewrite: When a substitution is a fully qualified URL, and the 
     scheme/host/port matches the current virtual host, stop interpreting the 
     path component as a local path just because the first component of the 
     path exists in the filesystem.  Adds RewriteOption "LegacyPrefixDocRoot" 
     to revert to previous behavior. PR60009.
     [Hank Ibell <hwibell gmail.com>]
 
  *) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
     platforms. PR61124. [Hank Ibell <hwibell gmail.com>]

Rainer Jung's avatar
Rainer Jung committed
  *) ab: enable option processing for setting a custom HTTP method also for
     non-SSL builds.  [Rainer Jung]

  *) core: EBCDIC fixes for interim responses with additional headers.
     [Eric Covener]

  *) mod_env: when processing a 'SetEnv' directive, warn if the environment
     variable name includes a '='. It is likely a configuration error.
     PR 60249 [Christophe Jaillet]

  *) Evaluate nested If/ElseIf/Else configuration blocks.
     [Luca Toscano, Jacob Champion]

  *) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to 
     allow spaces in backreferences to be encoded as %20 instead of '+'.
     [Eric Covener]

  *) mod_rewrite: Add the possibility to limit the escaping to specific
     characters in backreferences by listing them in the B flag.
     [Eric Covener]

Eric Covener's avatar
Eric Covener committed
  *) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
     systems.  [Eric Covener]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: fail requests without ERROR log in case we need to read interim
     responses and see only garbage. This can happen if proxied servers send
     data where none should be, e.g. a body for a HEAD request. [Stefan Eissing]
     
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_proxy_http2: adding support for Reverse Proxy Request headers.
     [Stefan Eissing]
     
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: fixed possible deadlock that could occur when connections were 
     terminated early with ongoing streams. Fixed possible hanger with timeout
     on race when connection considers itself idle. [Stefan Eissing]  

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: MaxKeepAliveRequests now limits the number of times a 
     slave connection gets reused. [Stefan Eissing]

  *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
     [Evgeny Kotkov]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_proxy_http2: Fixed bug in re-attempting proxy requests after 
     connection error. Reliability of reconnect handling improved. 
     [Stefan Eissing]
  
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: better performance, eliminated need for nested locks and
     thread privates. Moving request setups from the main connection to the
     worker threads. Increase number of spare connections kept.
     [Stefan Eissing]
     
  *) mod_http2: input buffering and dynamic flow windows for increased 
     throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
     in mod_http2 INFO log as feature 'DWINS'. [Stefan Eissing]

  *) mod_http2: h2 workers with improved scalability for better scheduling
     performance. There are H2MaxWorkers threads created at start and the
     number is kept constant for now. [Stefan Eissing]
     
  *) mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and
     just log a warning. [Stefan Eissing]
     
  *) mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date
     format from 2.2 in the Last Modified column. PR60846.
     [Hank Ibell <hwibell gmail.com>]
  *) core: Add %{REMOTE_PORT} to the expression parser. PR59938
     [Hank Ibell <hwibell gmail.com>]

  *) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
     computing and using the same entity key according to when the cache
     checks, loads and saves the request.
     PR 60577.  [Yann Ylavic]
  *) mod_proxy_hcheck: Don't validate timed out responses.  [Yann Ylavic]

  *) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
     in use (ProxyHCTPsize > 0).  PR 60071.  [Yann Ylavic, Jim Jagielski]

  *) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
     URI originally requsted by the user, not the nested documents URI. This
     restores the behavior of this variable to match the "legacy" SSI parser.
     PR60624. [Hank Ibell <hwibell gmail.com>]
  *) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
     variables just before invoking the FastCGI. [Eric Covener,
     Jacob Champion]

  *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
     a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
     default.  Add ProxyFCGIBackendType to allow the type of backend to be
     specified so these kinds of fixups can be restored without impacting
     FPM. PR60576 [Eric Covener, Jim Jagielski]

  *) mod_ssl: work around leaks on (graceful) restart. [Yann Ylavic]

  *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]

Joe Orton's avatar
Joe Orton committed
  *) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
     than zero.  [Eric Covener]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: moving session cleanup to pre_close hook to avoid races with
     modules already shut down and slave connections still operating.
     [Stefan Eissing]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
  
  *) mod_http2: fix for crash when running out of memory.
Joe Orton's avatar
Joe Orton committed
     [Robert Swiecki <robert swiecki.net>, Stefan Eissing]
  *) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
     [Luca Toscano]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: not counting file buckets again stream max buffer limits. 
     Effectively transfering static files in one step from slave to master 
     connection. [Stefan Eissing]
    
  *) mod_http2: comforting ap_check_pipeline() on slave connections
     to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
     [Stefan Eissing, reported by Armin Abfalterer]
     
  *) mod_http2: http/2 streams now with state handling/transitions as defined
     in RFC7540. Stream cleanup/connection shutdown reworked to become easier
     to understand/maintain/debug. Added many asserts on state and cleanup 
     transitions. [Stefan Eissing]
     
Joe Orton's avatar
Joe Orton committed
  *) mod_auth_digest: Use an anonymous shared memory segment by default,
     preventing startup failure after unclean shutdown.  PR 54622.
     [Jan Kaluza]

Joe Orton's avatar
Joe Orton committed
  *) mod_filter: Fix AddOutputFilterByType with non-content-level filters.
     PR 58856. [Micha Lenk <micha lenk.info>]
 
  *) mod_watchdog: Fix semaphore leak over restarts.  [Jim Jagielski]
Loading full blame...