Skip to content
CHANGES 261 KiB
Newer Older
Jeff Trawick's avatar
Jeff Trawick committed
                                                         -*- coding: utf-8 -*-
Daniel Ruggeri's avatar
Daniel Ruggeri committed
Changes with Apache 2.4.39

  *) http: Fix possible empty response with mod_ratelimit for HEAD requests.
     PR 63192. [Yann Ylavic]

Yann Ylavic's avatar
Yann Ylavic committed
  *) MPMs unix: bind the bucket number of each child to its slot number, for a
     more efficient per bucket maintenance. [Yann Ylavic]

Joe Orton's avatar
Joe Orton committed
  *) mod_auth_digest: Fix a race condition. Authentication with valid
     credentials could be refused in case of concurrent accesses from
     different users.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]

  *) mod_proxy_wstunnel: Fix websocket proxy over UDS.
     PR 62932 <pavel dcmsys.com>

  *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
     configuration (SSLFIPS on) and not active by default in OpenSSL.
     PR 63136. [Yann Ylavic]
Changes with Apache 2.4.38

  *) SECURITY: CVE-2018-17199 (cve.mitre.org)
     mod_session: mod_session_cookie does not respect expiry time allowing
     sessions to be reused.  [Hank Ibell]

  *) SECURITY: CVE-2018-17189 (cve.mitre.org)
     mod_http2: fixes a DoS attack vector. By sending slow request bodies
     to resources not consuming them, httpd cleanup code occupies a server
     thread unnecessarily. This was changed to an immediate stream reset
     which discards all stream state and incoming data.  [Stefan Eissing]

  *) SECURITY: CVE-2019-0190 (cve.mitre.org)
     mod_ssl: Fix infinite loop triggered by a client-initiated
     renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
     later.  PR 63052.  [Joe Orton]

  *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
     PR 63052 [Joe Orton]

  *) mod_negotiation: Treat LanguagePriority as case-insensitive to match
     AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]
  
  *) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
     have been fixed. [Michael Kaufmann, Stefan Eissing]
  
  *) mod_setenvif: We can have expressions that become true if a regex pattern
     in the expression does NOT match. In this case val is NULL
     and we should just set the value for the environment variable 
     like in the pattern case. [Ruediger Pluem]
  *) mod_session: Always decode session attributes early. [Hank Ibell]

  *) core: Incorrect values for environment variables are substituted when
     multiple environment variables are specified in a directive. [Hank Ibell]

  *) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
     this type of map is present in the configuration.  PR62311.  
     [Hank Ibell <hwibell gmail.com>]

  *) mod_dav: Fix invalid Location header when a resource is created by
     passing an absolute URI on the request line [Jim Jagielski]

  *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
     [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]

  *) mod_ssl: clear *SSL errors before loading certificates and checking
     afterwards. Otherwise errors are reported when other SSL using modules
     are in play. Fixes PR 62880. [Michael Kaufmann]

  *) mod_ssl: Fix the error code returned in an error path of
     'ssl_io_filter_handshake()'. This messes-up error handling performed
     in 'ssl_io_filter_error()' [Yann Ylavic]

  *) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
     authz provider so "Require ssl" works correctly in HTTP/2.
     PR 61519, 62654.  [Joe Orton, Stefan Eissing]

  *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
     redirects, subsequent ProxyPassReverse statements, whether they are
     relative or absolute, may fail.  PR 60408.  [Peter Haworth <pmh1wheel gmail.com>]
  
  *) mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1]
Daniel Ruggeri's avatar
Daniel Ruggeri committed
Changes with Apache 2.4.37

  *) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1. [Rainer Jung]

  *) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
     when client certificates are available from the original handshake
     but were originally not verified and should get verified now.
     This is a regression in 2.4.36 (unreleased). [Ruediger Pluem]

  *) mod_ssl: Correctly merge configurations that have client certificates set
     by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]

Daniel Ruggeri's avatar
Daniel Ruggeri committed
Changes with Apache 2.4.36

  *) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
     responses. Regression introduced in 2.4.35.

  *) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
     body of the response. [Jim Jagielski]

  *) mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when
     there are still idle threads available. When there are less idle threads than
     MinSpareThreads, issue new one-time message AH10159. Matches worker MPM.
     [Eric Covener]

  *) mod_http2: adding defensive code for stream EOS handling, in case the request handler
     missed to signal it the normal way (eos buckets). Addresses github issues 
     https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
     and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing] 

Joe Orton's avatar
Joe Orton committed
  *) ab: Add client certificate support.  PR 55774.  [Graham Leggett]
  *) ab: Disable printing temp key for OpenSSL before
     version 1.0.2. SSL_get_server_tmp_key is not available
     there. [Rainer Jung]

Eric Covener's avatar
Eric Covener committed
  *) mod_ssl: Fix a regression that the configuration settings for verify mode
     and verify depth were taken from the frontend connection in case of
     connections by the proxy to the backend. PR 62769. [Ruediger Pluem]

  *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
     before signals handling to avoid lifetime issues on restart or shutdown.
     PR 62658. [Yann Ylavic]

  *) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3.  TLSv1.3 has
     behavioural changes compared to v1.2 and earlier; client and
     configuration changes should be expected.  SSLCipherSuite is
     enhanced for TLSv1.3 ciphers, but applies at vhost level only.
     [Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]
  *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
     should be accepted after the authorization scheme. \t are also tolerated.
     [Christophe Jaillet]

  *) mod_proxy_hcheck: Fix issues with interval determination. PR 62318
     [Jim Jagielski]

  *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
     [Dominik Stillhard <dominik.stillhard united-security-providers.ch>]

  *) mod_proxy_hcheck: take balancer's SSLProxy* directives into account.
     [Jim Jagielski]

  *) mod_status, mod_echo: Fix the display of client addresses.
    They were truncated to 31 characters which is not enough for IPv6 addresses.
    This is done by deprecating the use of the 'client' field and using
    the new 'client64' field in worker_score.
    PR 54848 [Bernhard Schmidt <berni birkenwald de>, Jim Jagielski]

  *) http: Enforce consistently no response body with both 204 and 304
     statuses.  [Yann Ylavic]

  *) mod_status: Cumulate CPU time of exited child processes in the
     "cu" and "cs" values. Add CPU time of the parent process to the
     "c" and "s" values.
     [Rainer Jung]

  *) mod_proxy: Improve the balancer member data shown in mod_status when
     "ProxyStatus" is "On": add "busy" count and show byte counts in
     auto mode always in units of kilobytes.  [Rainer Jung]
  *) mod_status: Add cumulated response duration time in milliseconds.
  *) mod_status: Complete the data shown for async MPMs in "auto" mode.
     Added number of processes, number of stopping processes and number
     of busy and idle workers.  [Rainer Jung]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
     introduced in 2.4.34.  PR 62568.  [Yann Ylavic]

  *) mod_proxy: Remove load order and link dependency between mod_lbmethod_*
     modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe]

  *) Allow the argument to <IfFile>, <IfDefine>, <IfSection>, <IfDirective>,
Eric Covener's avatar
Eric Covener committed
     and <IfModule> to be quoted.  This is primarily for the benefit of
     <IfFile>. [Eric Covener]

  *) mod_watchdog: Correct some log messages.  [Rainer Jung]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_md: When the last domain name from an MD is moved to another one,
Eric Covener's avatar
Eric Covener committed
     that now empty MD gets moved to the store archive. PR 62572. 
     [Stefan Eissing]
Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: Fix merging of SSLOCSPOverrideResponder.  [Jeff Trawick,
     [Frank Meier <frank meier ergon.ch>]

  *) mod_proxy_balancer: Restore compatibility with APR 1.4.  [Joe Orton]

Daniel Ruggeri's avatar
Daniel Ruggeri committed
Changes with Apache 2.4.34
Jim Jagielski's avatar
Jim Jagielski committed
  *) SECURITY: CVE-2018-8011 (cve.mitre.org)
     mod_md: DoS via Coredumps on specially crafted requests

  *) SECURITY: CVE-2018-1333 (cve.mitre.org)
     mod_http2: DoS for HTTP/2 connections by specially crafted requests

William A. Rowe Jr's avatar
William A. Rowe Jr committed
  *) Introduce zh-cn and zh-tw (simplified and traditional Chinese) error
     document translations. [CodeingBoy, popcorner]

  *) event: avoid possible race conditions with modules on the child pool.
Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_proxy: Fix a corner case where the ProxyPassReverseCookieDomain or
     ProxyPassReverseCookiePath directive could fail to update correctly
     'domain=' or 'path=' in the 'Set-Cookie' header.  PR 61560.
     [Christophe Jaillet]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_ratelimit: fix behavior when proxing content. PR 62362.
     [Luca Toscano, Yann Ylavic]

Eric Covener's avatar
Eric Covener committed
  *) core: Re-allow '_' (underscore) in hostnames.
     [Eric Covener]

  *) mod_authz_core: If several parameters are used in a AuthzProviderAlias
     directive, if these parameters are not enclosed in quotation mark, only
     the first one is handled. The other ones are silently ignored.
     Add a message to warn about such a spurious configuration.
     PR 62469 [Hank Ibell <hwibell gmail.com>, Christophe Jaillet]
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_md: improvements and bugfixes
     - MDNotifyCmd now takes additional parameter that are passed on to the called command.
     - ACME challenges have better checks for interference with other modules
     - ACME challenges are only handled for domains managed by the module, allowing
       other ACME clients to operate for other domains in the server.
     - better libressl integration

  *) mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'.
     PR 62480. [Lubos Uhliarik <luhliari redhat.com>}
Eric Covener's avatar
Eric Covener committed
  *) logging: Some early logging-related startup messages could be lost
     when using syslog for the global ErrorLog. [Eric Covener]

  *) mod_cache: Handle case of an invalid Expires header value RFC compliant
     like the case of an Expires time in the past: allow to overwrite the
     non-caching decision using CacheStoreExpired and respect Cache-Control
     "max-age" and "s-maxage".  [Rainer Jung]

  *) mod_xml2enc: Fix forwarding of error metadata/responses. PR 62180.
     [Micha Lenk <micha lenk.info>, Yann Ylavic]

  *) mod_proxy_http: Fix response header thrown away after the previous one
     was considered too large and truncated. PR 62196. [Yann Ylavic]

  *) core: Add and handle AP_GETLINE_NOSPC_EOL flag for ap_getline() family
     of functions to consume the end of line when the buffer is exhausted.
     PR 62198. [Yann Ylavic]

  *) mod_proxy_http: Add new worker parameter 'responsefieldsize' to
     allow maximum HTTP response header size to be increased past 8192
Yann Ylavic's avatar
Yann Ylavic committed
     bytes.  PR 62199.  [Hank Ibell <hwibell gmail.com>]
  *) mod_ssl: Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf
     of a certificate chain.  PR62112.
     [Ricardo Martin Camarero <rickyepoderi yahoo.es>]

  *) http: Fix small memory leak per request when handling persistent
     connections.  [Ruediger Pluem, Joe Orton]

  *) mod_proxy_html: Fix variable interpolation and memory allocation failure
     in ProxyHTMLURLMap.  [Ewald Dieterich <ewald mailbox.org>]

  *) mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.
     PR 62220.  [Chritophe Jaillet, Yann Ylavic]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
     zero out what had been initialized as the connection-level port.  PR59931.
     [Hank Ibell <hwibell gmail.com>]

  *) core: In ONE_PROCESS/debug mode, cleanup everything when exiting.
     [Yann Ylavic]

  *) mod_proxy_balancer: Add hot spare member type and corresponding flag (R).
     Hot spare members are used as drop-in replacements for unusable workers
     in the same load balancer set. This differs from hot standbys which are
     only used when all workers in a set are unusable. PR 61140. [Jim Riggs]

  *) suexec: Add --enable-suexec-capabilites support on Linux, to use
     setuid/setgid capability bits rather than a setuid root binary.
     [Joe Orton]

  *) suexec: Add support for logging to syslog as an alternative to
     logging to a file; use --without-suexec-logfile --with-suexec-syslog.
     [Joe Orton]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling
     which broke some rare but previously-working configs.  [Joe Orton]

  *) core, log: improve sanity checks for the ErrorLog's syslog config, and
Christophe Jaillet's avatar
Christophe Jaillet committed
     explicitly allow only lowercase 'syslog' settings. PR 62102
     [Luca Toscano, Jim Riggs, Christophe Jaillet]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_http2: accurate reporting of h2 data input/output per request via
     mod_logio. Fixes an issue where output sizes where counted n-times on
     reused slave connections.  [Stefan Eissing]
Yann Ylavic's avatar
Yann Ylavic committed
     See github issue: https://github.com/icing/mod_h2/issues/158
Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_http2: Fix unnecessary timeout waits in case streams are aborted.
     [Stefan Eissing]

  *) mod_http2: restoring the v1.10.16 keepalive timeout behaviour of mod_http2.
     [Stefan Eissing]

  *) mod_proxy: Do not restrict the maximum pool size for backend connections
     any longer by the maximum number of threads per process and use a better
     default if mod_http2 is loaded.
     [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Gregg Smith]

Daniel Ruggeri's avatar
Daniel Ruggeri committed
  *) mod_slotmem_shm: Add generation number to shm filename to fix races
     with graceful restarts. PRs 62044 and 62308.  [Jim Jagielski, Yann Ylavic]

  *) core: Preserve the original HTTP request method in the '%<m' LogFormat
     when an path-based ErrorDocument is used.  PR 62186.
     [Micha Lenk <micha lenk.info>]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_remoteip: make proxy-protocol work on slave connections, e.g. in
     HTTP/2 requests.  [Stefan Eissing]
     See also https://github.com/roadrunner2/mod-proxy-protocol/issues/6
  *) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
     regression introduced in 2.4.30. PR 62232. [Rainer Jung, Yann Ylavic]

  *) mod_md: Fix compilation with OpenSSL before version 1.0.2.  [Rainer Jung]

  *) mod_dumpio: do nothing below log level TRACE7.  [Yann Ylavic]

  *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
     [Eric Covener]

  *) core: On ECBDIC platforms, some errors related to oversized headers
Jim Jagielski's avatar
Jim Jagielski committed
     may be misreported or be logged as ASCII escapes.  PR 62200
Yann Ylavic's avatar
Yann Ylavic committed
     [Hank Ibell <hwibell gmail.com>]
Rainer Jung's avatar
Rainer Jung committed
  *) mod_ssl: Fix cmake-based build.  PR 62266.  [Rainer Jung]
  *) core: Add <IfFile>, <IfDirective> and <IfSection> conditional
     section containers.  [Eric Covener, Joe Orton]

Daniel Ruggeri's avatar
Daniel Ruggeri committed
Changes with Apache 2.4.33

  *) core: Fix request timeout logging and possible crash for error_log hooks.
     [Yann Ylavic]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_slomem_shm: Fix failure to create balancers's slotmems in Windows MPM,
     where children processes need to attach them instead since they are owned
     by the parent process already.  [Yann Ylavic]

  *) ab: try all destination socket addresses returned by
     apr_sockaddr_info_get instead of failing on first one when not available.
     Needed for instance if localhost resolves to both ::1 and 127.0.0.1
     e.g. if both are in /etc/hosts.  [Jan Kaluza]

  *) ab: Use only one connection to determine working destination socket
     address.  [Jan Kaluza]

Rainer Jung's avatar
Rainer Jung committed
  *) ab: LibreSSL doesn't have or require Windows applink.c.  [Gregg L. Smith]

  *) htpasswd/htdigest: Disable support for bcrypt on EBCDIC platforms.
Rainer Jung's avatar
Rainer Jung committed
     apr-util's bcrypt implementation doesn't tolerate EBCDIC.  [Eric Covener]

Rainer Jung's avatar
Rainer Jung committed
  *) htpasswd/htdbm: report the right limit when get_password() overflows.
     [Yann Ylavic]

Rainer Jung's avatar
Rainer Jung committed
  *) htpasswd: Don't fail in -v mode if password file is unwritable.
     PR 61631.  [Joe Orton]

Rainer Jung's avatar
Rainer Jung committed
  *) htpasswd: don't point to (unused) stack memory on output
     to make static analysers happy.  PR 60634.
     [Yann Ylavic, reported by shqking and Zhenwei Zou]

Daniel Ruggeri's avatar
Daniel Ruggeri committed
Changes with Apache 2.4.32

  *) mod_access_compat: Fail if a comment is found in an Allow or Deny
     directive.  [Jan Kaluza]

  *) mod_authz_host: Ignore comments after "Require host", logging a
     warning, or logging an error if the line is otherwise empty.
     [Jan Kaluza, Joe Orton]

  *) rotatelogs: Fix expansion of %Z in localtime (-l) mode, and fix
     Y2K38 bug.  [Joe Orton]

Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: Support SSL DN raw variable extraction without conversion
     to UTF-8, using _RAW suffix on variable names.  [Joe Orton]

Joe Orton's avatar
Joe Orton committed
  *) ab: Fix https:// connection failures (regression in 2.4.30); fix
     crash generating CSV output for large -n.  [Joe Orton, Jan Kaluza]
Changes with Apache 2.4.31 (not released)
  *) mod_proxy_fcgi: Add the support for mod_proxy's flushpackets and flushwait
     parameters. [Luca Toscano, Ruediger Pluem, Yann Ylavic]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
     improper merging of the cache lock in vhost config.
     PR 43164 [Eric Covener]

  *) mpm_event: Do lingering close in worker(s).  [Yann Ylavic]

  *) mpm_queue: Put fdqueue code in common for MPMs event and worker.
     [Yann Ylavic]

Changes with Apache 2.4.30 (not released)
  *) SECURITY: CVE-2017-15710 (cve.mitre.org)
     Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
     [Eric Covener, Luca Toscano, Yann Ylavic]
  *) SECURITY: CVE-2018-1283 (cve.mitre.org)
     mod_session: CGI-like applications that intend to read from mod_session's
     'SessionEnv ON' could be fooled into reading user-supplied data instead.
  *) SECURITY: CVE-2018-1303 (cve.mitre.org)
     mod_cache_socache: Fix request headers parsing to avoid a possible crash
     with specially crafted input data.  [Ruediger Pluem]

  *) SECURITY: CVE-2018-1301 (cve.mitre.org)
     core: Possible crash with excessively long HTTP request headers.
     Impractical to exploit with a production build and production LogLevel.
     [Yann Ylavic]
  *) SECURITY: CVE-2017-15715 (cve.mitre.org)
     core: Configure the regular expression engine to match '$' to the end of
     the input string only, excluding matching the end of any embedded
     newline characters. Behavior can be changed with new directive
     'RegexDefaultOptions'. [Yann Ylavic]
  *) SECURITY: CVE-2018-1312 (cve.mitre.org)
     mod_auth_digest: Fix generation of nonce values to prevent replay
     attacks across servers using a common Digest domain. This change
     may cause problems if used with round robin load balancers. PR 54637
     [Stefan Fritsch]

Eric Covener's avatar
Eric Covener committed
  *) SECURITY: CVE-2018-1302 (cve.mitre.org)
     mod_http2: Potential crash w/ mod_http2.
     [Stefan Eissing]

  *) mod_proxy: Worker schemes and hostnames which are too large are no
     longer fatal errors; it is logged and the truncated values are stored.
     [Jim Jagielski]

  *) mod_proxy: Allow setting options to globally defined balancer from
     ProxyPass used in VirtualHost. Balancers are now merged using the new
     merge_balancers method which merges the balancers options.  [Jan Kaluza]

Christophe Jaillet's avatar
Christophe Jaillet committed
  *) logresolve: Fix incorrect behavior or segfault if -c flag is used
     Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259
     [Stefan Fritsch]

  *) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
     Add ability for PROXY protocol processing to be optional to donated code.
     See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
     [Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri]

  *) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
     allowing per backend TLS configuration.  [Yann Ylavic]

  *) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module. [Roberto De Ioris,
     Jim Jagielski]

  *) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
     depend on the number of restarts (non-Unix systems) and preserve shared
     names as much as possible on configuration changes for SHMs and persisted
     files.  PR 62044.  [Yann Ylavic, Jim Jagielski]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: obsolete code removed, no more events on beam pool destruction,
     discourage content encoders on http2-status response (where they do not work).
     [Stefan Eissing]

  *) mpm_event: Let the listener thread do its maintenance job on resources
     shortage.  PR 61979.  [Yann Ylavic]

  *) mpm_event: Wakeup the listener to re-enable listening sockets.
     [Yann Ylavic]

Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: The SSLCompression directive will now give an error if used
     with an OpenSSL build which does not support any compression methods.
     [Joe Orton]

  *) mpm_event,worker: Mask signals for threads created by modules in child
     init, so that they don't receive (implicitely) the ones meant for the MPM.
     PR 62009. [Armin Abfalterer <a.abfalterer gmail com>, Yann Ylavic]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_md: new experimental, module for managing domains across virtual hosts,
     implementing the Let's Encrypt ACMEv1 protocol to signup and renew
Stefan Eissing's avatar
Stefan Eissing committed
     certificates. Please read the modules documentation for further instructions
     on how to use it. [Stefan Eissing]
  *) mod_proxy_html: skip documents shorter than 4 bytes
     PR 56286 [Micha Lenk <micha lenk info>]

  *) core, mpm_event: Avoid a small memory leak of the scoreboard handle, for
     the lifetime of the connection, each time it is processed by MPM event.
     [Yann Ylavic]

  *) mpm_event: Update scoreboard status for KeepAlive state.  [Yann Ylavic]

  *) mod_ldap: Fix a case where a full LDAP cache would continually fail to
     purge old entries and log AH01323. PR61891.
Yann Ylavic's avatar
Yann Ylavic committed
     [Hendrik Harms <hendrik.harms gmail.com>]

  *) mpm_event: close connections not reported as handled by any module to
     avoid losing track of them and leaking scoreboard entries.  PR 61551.
     [Yann Ylavic]

  *) core: A signal received while stopping could have crashed the main
     process.  PR 61558.  [Yann Ylavic]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_ssl: support for mod_md added. [Stefan Eissing]

  *) mod_proxy_html: process parsed comments immediately.
     Fixes bug (seen in the wild when used with IBM's HTTPD bundle)
     where parsed comments may be lost. [Nick Kew]

  *) mod_proxy_html: introduce doctype for HTML 5 [Nick Kew]

  *) mod_proxy_html: fix typo-bug processing "strict" vs "transitional"
     HTML/XHTML.  PR 56457  [Nick Kew]
  *) mpm_event: avoid a very unlikely race condition between the listener and
     the workers when the latter fails to add a connection to the pollset.
     [Yann Ylavic]

  *) core: silently ignore a not existent file path when IncludeOptional
     is used. PR 57585. [Alberto Murillo Silva <powerbsd yahoo.com>, Luca Toscano]

  *) mod_macro: fix usability of globally defined macros in .htaccess files.
     PR 57525.  [Jose Kahan <jose w3.org>, Yann Ylavic]

  *) mod_rewrite, core: add the Vary header when a condition evaluates to true
     and the related RewriteRule is used in a Directory context
     (triggering an internal redirect). [Luca Toscano]

Stefan Eissing's avatar
Stefan Eissing committed
  *) ab: Make the TLS layer aware that the underlying socket is nonblocking,
     and use/handle POLLOUT where needed to avoid busy IOs and recover write
     errors when appropriate.  [Yann Ylavic]

  *) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
     read was incomplete (the SSL case can cause the next poll() to timeout
     since data are buffered already).  PR 61301 [Luca Toscano, Yann Ylavic]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain
     information retrievals on null bucket beams where it makes sense. [Stefan Eissing]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.29

Joe Orton's avatar
Joe Orton committed
  *) mod_unique_id: Use output of the PRNG rather than IP address and
     pid, avoiding sleep() call and possible DNS issues at startup,
     plus improving randomness for IPv6-only hosts.  [Jan Kaluza]

  *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST
     is used in a condition that evaluates to true. PR 58231 [Luca Toscano, Yann Ylavic]
  *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
     beams that could lead to assertion failure in edge cases.
     [Stefan Eissing]
  *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
     in 2.4.28.  [Jim Jagielski]

Joe Orton's avatar
Joe Orton committed
  *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
     PR 61546.  [Lubos Uhliarik <luhliari redhat.com>]

Joe Orton's avatar
Joe Orton committed
  *) mod_rewrite: Add support for starting External Rewriting Programs
     as non-root user on UNIX systems by specifying username and group
     name as third argument of RewriteMap directive.  [Jan Kaluza]

Joe Orton's avatar
Joe Orton committed
  *) core: Rewrite the Content-Length filter to avoid excessive memory
     consumption. Chunked responses will be generated in more cases
     than in previous releases.  PR 61222.  [Joe Orton, Ruediger Pluem]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_ssl: Fix SessionTicket callback return value, which does seem to
     matter with OpenSSL 1.1. [Yann Ylavic]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.28

  *) SECURITY: CVE-2017-9798 (cve.mitre.org)
     Corrupted or freed memory access. <Limit[Except]> must now be used in the
     main configuration file (httpd.conf) to register HTTP methods before the
     .htaccess files.  [Yann Ylavic]

Yann Ylavic's avatar
Yann Ylavic committed
  *) event: Avoid possible blocking in the listener thread when shutting down
     connections. PR 60956.  [Yann Ylavic]

  *) mod_speling: Don't embed referer data in a link in error page.
     PR 38923 [Nick Kew]

  *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
     length in a password file. PR 61511.
     [Luca Toscano, Hanno Böck <hanno hboeck de>]

  *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
     [Jim Jagielski]

  *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
     PR 61142.

  *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
     down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
     's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]

  *) mod_http2: Fix for stalling when more than 32KB are written to a
     suspended stream.  [Stefan Eissing]

  *) build: allow configuration without APR sources.  [Jacob Champion]

  *) mod_ssl, ab: Fix compatibility with LibreSSL.  PR 61184.
     [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
      Yann Ylavic]

Yann Ylavic's avatar
Yann Ylavic committed
  *) core/log: Support use of optional "tag" in syslog entries.
     PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]

Joe Orton's avatar
Joe Orton committed
  *) mod_proxy: Fix ProxyAddHeaders merging.  [Joe Orton]
  *) core: Disallow multiple Listen on the same IP:port when listener buckets
     are configured (ListenCoresBucketsRatio > 0), consistently with the single
     bucket case (default), thus avoiding the leak of the corresponding socket
     descriptors on graceful restart.  [Yann Ylavic]

  *) event: Avoid listener periodic wake ups by using the pollset wake-ability
     when available.  PR 57399.  [Yann Ylavic, Luca Toscano]

  *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
     led to spurious HTTP 502 error messages sent on upgrade connections.
     PR 61283.  [Yann Ylavic]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.27

  *) SECURITY: CVE-2017-9789 (cve.mitre.org)
     mod_http2: Read after free. When under stress, closing many connections,
     the HTTP/2 handling code would sometimes access memory after it has been
Yann Ylavic's avatar
Yann Ylavic committed
     freed, resulting in potentially erratic behaviour.
     [Stefan Eissing]

  *) SECURITY: CVE-2017-9788 (cve.mitre.org)
     mod_auth_digest: Uninitialized memory reflection.  The value placeholder
     in [Proxy-]Authorization headers type 'Digest' was not initialized or
     reset before or between successive key=value assignments.
Yann Ylavic's avatar
Yann Ylavic committed
     [William Rowe]
  *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
     global variable when using Lua 5.2 or later. This was exported as a
     side effect from luaL_register, which is no longer supported as of
     Lua 5.2 which deprecates pollution of the global namespace.
     [Rainer Jung]

  *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
     The server will continue to run, but HTTP/2 will no longer be negotiated.
     [Stefan Eissing]

  *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
     default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
     [Jacob Champion, Jim Jagielski]

  *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
     PR58188, PR60831, PR61245. [Rainer Jung]
  *) mod_http2: Simplify ready queue, less memory and better performance. Update
     mod_http2 version to 1.10.7. [Stefan Eissing]
Jim Jagielski's avatar
Jim Jagielski committed
  *) Allow single-char field names inadvertently disallowed in 2.4.25.
  *) htpasswd / htdigest: Do not apply the strict permissions of the temporary
     passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]

  *) core: Avoid duplicate HEAD in Allow header.
     This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
     PR 61207. [Christophe Jaillet]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.26
Jim Jagielski's avatar
Jim Jagielski committed
  *) SECURITY: CVE-2017-7679 (cve.mitre.org)
     mod_mime can read one byte past the end of a buffer when sending a
Eric Covener's avatar
Eric Covener committed
     malicious Content-Type response header.  [Yann Ylavic]
Jim Jagielski's avatar
Jim Jagielski committed

  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
     bug in token list parsing, which allows ap_find_token() to search past
     the end of its input string. By maliciously crafting a sequence of
     request headers, an attacker may be able to cause a segmentation fault,
     or to force ap_find_token() to return an incorrect value.
Eric Covener's avatar
Eric Covener committed
     [Jacob Champion]
Jim Jagielski's avatar
Jim Jagielski committed

  *) SECURITY: CVE-2017-7659 (cve.mitre.org)
     A maliciously constructed HTTP/2 request could cause mod_http2 to
     dereference a NULL pointer and crash the server process.

  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
     mod_ssl may dereference a NULL pointer when third-party modules call
     ap_hook_process_connection() during an HTTP request to an HTTPS port.
Eric Covener's avatar
Eric Covener committed
     [Yann Ylavic]
Jim Jagielski's avatar
Jim Jagielski committed

  *) SECURITY: CVE-2017-3167 (cve.mitre.org)
     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
     authentication phase may lead to authentication requirements being
     bypassed.
Eric Covener's avatar
Eric Covener committed
     [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
Jim Jagielski's avatar
Jim Jagielski committed

  *) HTTP/2 support no longer tagged as "experimental" but is instead considered
     fully production ready.

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
     the session in continuous check for state changes that never happen.
Stefan Eissing's avatar
Stefan Eissing committed
     [Stefan Eissing]

Eric Covener's avatar
Eric Covener committed
  *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
     protocols.  [Jean-Frederic Clere]

Yann Ylavic's avatar
Yann Ylavic committed
  *) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
     a possible crash if a signal is caught during (graceful) restart.
     PR 60487.  [Yann Ylavic]

  *) mod_rewrite: When a substitution is a fully qualified URL, and the
     scheme/host/port matches the current virtual host, stop interpreting the
     path component as a local path just because the first component of the
     path exists in the filesystem.  Adds RewriteOption "LegacyPrefixDocRoot"
     to revert to previous behavior. PR60009.
     [Hank Ibell <hwibell gmail.com>]
  *) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
     platforms. PR61124. [Hank Ibell <hwibell gmail.com>]

Rainer Jung's avatar
Rainer Jung committed
  *) ab: enable option processing for setting a custom HTTP method also for
     non-SSL builds.  [Rainer Jung]

  *) core: EBCDIC fixes for interim responses with additional headers.
     [Eric Covener]

  *) mod_env: when processing a 'SetEnv' directive, warn if the environment
     variable name includes a '='. It is likely a configuration error.
     PR 60249 [Christophe Jaillet]

  *) Evaluate nested If/ElseIf/Else configuration blocks.
     [Luca Toscano, Jacob Champion]

  *) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
     allow spaces in backreferences to be encoded as %20 instead of '+'.
     [Eric Covener]

  *) mod_rewrite: Add the possibility to limit the escaping to specific
     characters in backreferences by listing them in the B flag.
     [Eric Covener]

Eric Covener's avatar
Eric Covener committed
  *) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
     systems.  [Eric Covener]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: fail requests without ERROR log in case we need to read interim
     responses and see only garbage. This can happen if proxied servers send
     data where none should be, e.g. a body for a HEAD request. [Stefan Eissing]
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_proxy_http2: adding support for Reverse Proxy Request headers.
     [Stefan Eissing]

  *) mod_http2: fixed possible deadlock that could occur when connections were
Stefan Eissing's avatar
Stefan Eissing committed
     terminated early with ongoing streams. Fixed possible hanger with timeout
     on race when connection considers itself idle. [Stefan Eissing]
  *) mod_http2: MaxKeepAliveRequests now limits the number of times a
Stefan Eissing's avatar
Stefan Eissing committed
     slave connection gets reused. [Stefan Eissing]

  *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
     [Evgeny Kotkov]

  *) mod_proxy_http2: Fixed bug in re-attempting proxy requests after
     connection error. Reliability of reconnect handling improved.
Stefan Eissing's avatar
Stefan Eissing committed
     [Stefan Eissing]
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: better performance, eliminated need for nested locks and
     thread privates. Moving request setups from the main connection to the
     worker threads. Increase number of spare connections kept.
     [Stefan Eissing]

  *) mod_http2: input buffering and dynamic flow windows for increased
Stefan Eissing's avatar
Stefan Eissing committed
     throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
     in mod_http2 INFO log as feature 'DWINS'. [Stefan Eissing]

  *) mod_http2: h2 workers with improved scalability for better scheduling
     performance. There are H2MaxWorkers threads created at start and the
     number is kept constant for now. [Stefan Eissing]
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and
     just log a warning. [Stefan Eissing]
  *) mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date
     format from 2.2 in the Last Modified column. PR60846.
     [Hank Ibell <hwibell gmail.com>]
  *) core: Add %{REMOTE_PORT} to the expression parser. PR59938
     [Hank Ibell <hwibell gmail.com>]

  *) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
     computing and using the same entity key according to when the cache
     checks, loads and saves the request.
     PR 60577.  [Yann Ylavic]
  *) mod_proxy_hcheck: Don't validate timed out responses.  [Yann Ylavic]

  *) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
     in use (ProxyHCTPsize > 0).  PR 60071.  [Yann Ylavic, Jim Jagielski]

  *) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
     URI originally requsted by the user, not the nested documents URI. This
     restores the behavior of this variable to match the "legacy" SSI parser.
     PR60624. [Hank Ibell <hwibell gmail.com>]
  *) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
     variables just before invoking the FastCGI. [Eric Covener,
     Jacob Champion]

  *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
     a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
     default.  Add ProxyFCGIBackendType to allow the type of backend to be
     specified so these kinds of fixups can be restored without impacting
     FPM. PR60576 [Eric Covener, Jim Jagielski]

  *) mod_ssl: work around leaks on (graceful) restart. [Yann Ylavic]

  *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]

Joe Orton's avatar
Joe Orton committed
  *) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
     than zero.  [Eric Covener]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: moving session cleanup to pre_close hook to avoid races with
     modules already shut down and slave connections still operating.
     [Stefan Eissing]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: fix for crash when running out of memory.
Joe Orton's avatar
Joe Orton committed
     [Robert Swiecki <robert swiecki.net>, Stefan Eissing]
  *) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
     [Luca Toscano]

  *) mod_http2: not counting file buckets again stream max buffer limits.
     Effectively transfering static files in one step from slave to master
Stefan Eissing's avatar
Stefan Eissing committed
     connection. [Stefan Eissing]
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: comforting ap_check_pipeline() on slave connections
     to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
     [Stefan Eissing, reported by Armin Abfalterer]
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: http/2 streams now with state handling/transitions as defined
     in RFC7540. Stream cleanup/connection shutdown reworked to become easier
     to understand/maintain/debug. Added many asserts on state and cleanup
Stefan Eissing's avatar
Stefan Eissing committed
     transitions. [Stefan Eissing]
Joe Orton's avatar
Joe Orton committed
  *) mod_auth_digest: Use an anonymous shared memory segment by default,
     preventing startup failure after unclean shutdown.  PR 54622.
     [Jan Kaluza]

Joe Orton's avatar
Joe Orton committed
  *) mod_filter: Fix AddOutputFilterByType with non-content-level filters.
     PR 58856. [Micha Lenk <micha lenk.info>]
  *) mod_watchdog: Fix semaphore leak over restarts.  [Jim Jagielski]

  *) mod_http2: regression fix on PR 59348, on graceful restart, ongoing
     streams are finished normally before the final GOAWAY is sent.
Stefan Eissing's avatar
Stefan Eissing committed
     [Stefan Eissing, <slavko gmail.com>]

  *) mod_proxy: Allow the per-request environment variable "no-proxy" to
     be used as an alternative to ProxyPass /path !. This is primarily
     to set exceptions for ProxyPass specified in <Location> context.
Joe Orton's avatar
Joe Orton committed
     Use SetEnvIf, not SetEnv. PR 60458.  [Eric Covener]
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: fixes PR60599, sending proper response for conditional requests
     answered by mod_cache. [Jeff Wheelhouse, Stefan Eissing]
  *) mod_http2: rework of stream resource cleanup to avoid a crash in a close
     of a lingering connection. Prohibit special file bucket beaming for
     shared buckets. Files sent in stream output now use the stream pool
     as read buffer, reducing memory footprint of connections.
     [Yann Ylavic, Stefan Eissing]
  *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
Joe Orton's avatar
Joe Orton committed
     modules add empty environment variables to the request. PR 60275.
     [<alex2grad AT gmail.com>]
  *) mod_http2: fix for possible page fault when stream is resumed during
     session shutdown. [sidney-j-r-m (github)]
  *) mod_http2: fix for h2 session ignoring new responses while already
     open streams continue to have data available. [Stefan Eissing]
  *) mod_http2: adding support for MergeTrailers directive. [Stefan Eissing]

  *) mod_http2: limiting DATA frame sizes by TLS record sizes in use on the
     connection. Flushing outgoing frames earlier. [Stefan Eissing]

Joe Orton's avatar
Joe Orton committed
  *) mod_http2: cleanup beamer registry on server reload.  PR 60510.
     [Pavel Mateja <pavel verotel.cz>, Stefan Eissing]
  *) mod_proxy_{ajp,fcgi}: Fix a possible crash when reusing an established
     backend connection, happening with LogLevel trace2 or higher configured,
     or at any log level with compilers not detected as C99 compliant (e.g.
     MSVC on Windows).  [Yann Ylavic]

  *) mod_ext_filter: Don't interfere with "error buckets" issued by other
Joe Orton's avatar
Joe Orton committed
     modules. PR 60375.  [Eric Covener, Lubos Uhliarik]
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: fixes https://github.com/icing/mod_h2/issues/126 e.g. beam
     bucket lifetime handling when data is sent over temporary pools.
     [Stefan Eissing]

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.25

Jim Jagielski's avatar
 
Jim Jagielski committed
  *) Fix some build issues related to various modules.
     [Rainer Jung]

Changes with Apache 2.4.24 (not released)
Eric Covener's avatar
Eric Covener committed
  *) SECURITY: CVE-2016-8740 (cve.mitre.org)
     mod_http2: Mitigate DoS memory exhaustion via endless
     CONTINUATION frames.
Jim Jagielski's avatar
Jim Jagielski committed
     [Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State
     University, Stefan Eissing]

  *) SECURITY: CVE-2016-2161 (cve.mitre.org)
     mod_auth_digest: Prevent segfaults during client entry allocation when
     the shared memory space is exhausted.
     [Maksim Malyutin <m.malyutin dsec.ru>, Eric Covener, Jacob Champion]
  *) SECURITY: CVE-2016-0736 (cve.mitre.org)
     mod_session_crypto: Authenticate the session data/cookie with a
     MAC (SipHash) to prevent deciphering or tampering with a padding
     oracle attack.  [Yann Ylavic, Colm MacCarthaigh]

William A. Rowe Jr's avatar
William A. Rowe Jr committed
  *) SECURITY: CVE-2016-8743 (cve.mitre.org)
     Enforce HTTP request grammar corresponding to RFC7230 for request lines
     and request headers, to prevent response splitting and cache pollution by
     malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]

  *) Validate HTTP response header grammar defined by RFC7230, resulting
     in a 500 error in the event that invalid response header contents are
     detected when serving the response, to avoid response splitting and cache
     pollution by malicious clients, upstream servers or faulty modules.
     [Stefan Fritsch, Eric Covener, Yann Ylavic]

  *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]

Eric Covener's avatar
Eric Covener committed
  *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
     looping RewriteRules when the local path significantly exceeds
Eric Covener's avatar
Eric Covener committed
     LimitRequestLine.  PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]

  *) mod_ratelimit: Allow for initial "burst" amount at full speed before
     throttling: PR 60145 [Andy Valencia <ajv-etradanalhos vsta.org>,
     Jim Jagielski]

  *) mod_socache_memcache: Provide memcache stats to mod_status.
     [Jim Jagielski]

  *) mod_file_cache: mod_file_cache should be able to serve files that
     haven't had a Content-Type set via e.g. mod_mime. [Eric Covener]

  *) http_filters: Fix potential looping in new check_headers() due to new
     pattern of ap_die() from http header filter. Explicitly clear the
     previous headers and body.

  *) core: Drop Content-Length header and message-body from HTTP 204 responses.
     PR 51350 [Luca Toscano]

  *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is
     configured in <Location>, like in 2.2. PR 60458.
     [Eric Covener]

  *) mod_lua: Fix default value of LuaInherit directive. It should be
     'parent-first' instead of 'none', as per documentation.  PR 60419
     [Christophe Jaillet]

Jim Jagielski's avatar
Jim Jagielski committed
  *) core: New directive HttpProtocolOptions to control httpd enforcement
     of various RFC7230 requirements. [Stefan Fritsch, William Rowe]

  *) core: Permit unencoded ';' characters to appear in proxy requests and
     Location: response headers. Corresponds to modern browser behavior.
     [William Rowe]

  *) core: ap_rgetline_core now pulls from r->proto_input_filters.

  *) core: Correctly parse an IPv6 literal host specification in an absolute
     URL in the request line. [Stefan Fritsch]

  *) core: New directive RegisterHttpMethod for registering non-standard
     HTTP methods. [Stefan Fritsch]
  *) mod_socache_memcache: Pass expiration time through to memcached. PR 55445.
     [Faidon Liambotis <paravoid debian.org>, Joe Orton]

  *) mod_cache: Use the actual URI path and query-string for identifying the