Skip to content
CHANGES 241 KiB
Newer Older
Jeff Trawick's avatar
Jeff Trawick committed
                                                         -*- coding: utf-8 -*-
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.30
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: obsolete code removed, no more events on beam pool destruction,
     discourage content encoders on http2-status response (where they do not work).
     [Stefan Eissing]

  *) mpm_event: Let the listener thread do its maintenance job on resources
     shortage.  PR 61979.  [Yann Ylavic]

  *) mpm_event: Wakeup the listener to re-enable listening sockets.
     [Yann Ylavic]

Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: The SSLCompression directive will now give an error if used
     with an OpenSSL build which does not support any compression methods.
     [Joe Orton]

  *) mpm_event,worker: Mask signals for threads created by modules in child
     init, so that they don't receive (implicitely) the ones meant for the MPM.
     PR 62009. [Armin Abfalterer <a.abfalterer gmail com>, Yann Ylavic]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_md: new experimental, module for managing domains across virtual hosts,
     implementing the Let's Encrypt ACMEv1 protocol to signup and renew 
     certificates. Please read the modules documentation for further instructions
     on how to use it. [Stefan Eissing]
  
  *) mod_proxy_html: skip documents shorter than 4 bytes
     PR 56286 [Micha Lenk <micha lenk info>]

  *) core, mpm_event: Avoid a small memory leak of the scoreboard handle, for
     the lifetime of the connection, each time it is processed by MPM event.
     [Yann Ylavic]

  *) mpm_event: Update scoreboard status for KeepAlive state.  [Yann Ylavic]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_ldap: Fix a case where a full LDAP cache would continually fail to 
     purge old entries and log AH01323. PR61891.  
     [Hendrik Harms <hendrik.harms gmail.com>]

  *) mpm_event: close connections not reported as handled by any module to
     avoid losing track of them and leaking scoreboard entries.  PR 61551.
     [Yann Ylavic]

  *) core: A signal received while stopping could have crashed the main
     process.  PR 61558.  [Yann Ylavic]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_ssl: support for mod_md added. [Stefan Eissing]
  
  *) mod_proxy_html: process parsed comments immediately. 
     Fixes bug (seen in the wild when used with IBM's HTTPD bundle)
     where parsed comments may be lost. [Nick Kew]

  *) mod_proxy_html: introduce doctype for HTML 5 [Nick Kew]

  *) mod_proxy_html: fix typo-bug processing "strict" vs "transitional"
     HTML/XHTML.  PR 56457  [Nick Kew]
  *) mpm_event: avoid a very unlikely race condition between the listener and
     the workers when the latter fails to add a connection to the pollset.
     [Yann Ylavic]

  *) core: silently ignore a not existent file path when IncludeOptional
     is used. PR 57585. [Alberto Murillo Silva <powerbsd yahoo.com>, Luca Toscano]

  *) mod_macro: fix usability of globally defined macros in .htaccess files.
     PR 57525.  [Jose Kahan <jose w3.org>, Yann Ylavic]

  *) mod_rewrite, core: add the Vary header when a condition evaluates to true
     and the related RewriteRule is used in a Directory context
     (triggering an internal redirect). [Luca Toscano]

Stefan Eissing's avatar
Stefan Eissing committed
  *) ab: Make the TLS layer aware that the underlying socket is nonblocking,
     and use/handle POLLOUT where needed to avoid busy IOs and recover write
     errors when appropriate.  [Yann Ylavic]

  *) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
     read was incomplete (the SSL case can cause the next poll() to timeout
     since data are buffered already).  PR 61301 [Luca Toscano, Yann Ylavic]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain
     information retrievals on null bucket beams where it makes sense. [Stefan Eissing]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.29

Joe Orton's avatar
Joe Orton committed
  *) mod_unique_id: Use output of the PRNG rather than IP address and
     pid, avoiding sleep() call and possible DNS issues at startup,
     plus improving randomness for IPv6-only hosts.  [Jan Kaluza]

  *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST
     is used in a condition that evaluates to true. PR 58231 [Luca Toscano, Yann Ylavic]
  *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
     beams that could lead to assertion failure in edge cases.
     [Stefan Eissing] 

  *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
     in 2.4.28.  [Jim Jagielski]

Joe Orton's avatar
Joe Orton committed
  *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
     PR 61546.  [Lubos Uhliarik <luhliari redhat.com>]

Joe Orton's avatar
Joe Orton committed
  *) mod_rewrite: Add support for starting External Rewriting Programs
     as non-root user on UNIX systems by specifying username and group
     name as third argument of RewriteMap directive.  [Jan Kaluza]

Joe Orton's avatar
Joe Orton committed
  *) core: Rewrite the Content-Length filter to avoid excessive memory
     consumption. Chunked responses will be generated in more cases
     than in previous releases.  PR 61222.  [Joe Orton, Ruediger Pluem]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_ssl: Fix SessionTicket callback return value, which does seem to
     matter with OpenSSL 1.1. [Yann Ylavic]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.28

  *) SECURITY: CVE-2017-9798 (cve.mitre.org)
     Corrupted or freed memory access. <Limit[Except]> must now be used in the
     main configuration file (httpd.conf) to register HTTP methods before the
     .htaccess files.  [Yann Ylavic]

Yann Ylavic's avatar
Yann Ylavic committed
  *) event: Avoid possible blocking in the listener thread when shutting down
     connections. PR 60956.  [Yann Ylavic]

  *) mod_speling: Don't embed referer data in a link in error page.
     PR 38923 [Nick Kew]

  *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
     length in a password file.
     [Luca Toscano, Hanno Böck <hanno hboeck de>]

  *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
     [Jim Jagielski]

  *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
     PR 61142.

  *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
     down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
     's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]

  *) mod_http2: Fix for stalling when more than 32KB are written to a
     suspended stream.  [Stefan Eissing]

  *) build: allow configuration without APR sources.  [Jacob Champion]

  *) mod_ssl, ab: Fix compatibility with LibreSSL.  PR 61184.
     [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
      Yann Ylavic]

Yann Ylavic's avatar
Yann Ylavic committed
  *) core/log: Support use of optional "tag" in syslog entries.
     PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]

Joe Orton's avatar
Joe Orton committed
  *) mod_proxy: Fix ProxyAddHeaders merging.  [Joe Orton]
 
  *) core: Disallow multiple Listen on the same IP:port when listener buckets
     are configured (ListenCoresBucketsRatio > 0), consistently with the single
     bucket case (default), thus avoiding the leak of the corresponding socket
     descriptors on graceful restart.  [Yann Ylavic]

  *) event: Avoid listener periodic wake ups by using the pollset wake-ability
     when available.  PR 57399.  [Yann Ylavic, Luca Toscano]

  *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
     led to spurious HTTP 502 error messages sent on upgrade connections.
     PR 61283.  [Yann Ylavic]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.27

  *) SECURITY: CVE-2017-9789 (cve.mitre.org)
     mod_http2: Read after free. When under stress, closing many connections,
     the HTTP/2 handling code would sometimes access memory after it has been
Yann Ylavic's avatar
Yann Ylavic committed
     freed, resulting in potentially erratic behaviour.
     [Stefan Eissing]

  *) SECURITY: CVE-2017-9788 (cve.mitre.org)
     mod_auth_digest: Uninitialized memory reflection.  The value placeholder
     in [Proxy-]Authorization headers type 'Digest' was not initialized or
     reset before or between successive key=value assignments.
Yann Ylavic's avatar
Yann Ylavic committed
     [William Rowe]
  *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
     global variable when using Lua 5.2 or later. This was exported as a
     side effect from luaL_register, which is no longer supported as of
     Lua 5.2 which deprecates pollution of the global namespace.
     [Rainer Jung]

  *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
     The server will continue to run, but HTTP/2 will no longer be negotiated.
     [Stefan Eissing]

  *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
     default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
     [Jacob Champion, Jim Jagielski]

  *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
     PR58188, PR60831, PR61245. [Rainer Jung]
  
  *) mod_http2: Simplify ready queue, less memory and better performance. Update
     mod_http2 version to 1.10.7. [Stefan Eissing]
Jim Jagielski's avatar
Jim Jagielski committed
  *) Allow single-char field names inadvertently disallowed in 2.4.25.
Loading full blame...