Newer
Older
*) Allow single-char field names inadvertantly disallowed in 2.4.25.
PR 61220. [Yann Ylavic]
*) core: Avoid duplicate HEAD in Allow header.
This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
PR 61207. [Christophe Jaillet]
*) SECURITY: CVE-2017-7679 (cve.mitre.org)
mod_mime can read one byte past the end of a buffer when sending a
*) SECURITY: CVE-2017-7668 (cve.mitre.org)
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.
*) SECURITY: CVE-2017-7659 (cve.mitre.org)
A maliciously constructed HTTP/2 request could cause mod_http2 to
dereference a NULL pointer and crash the server process.
*) SECURITY: CVE-2017-3169 (cve.mitre.org)
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
*) SECURITY: CVE-2017-3167 (cve.mitre.org)
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.
[Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
*) HTTP/2 support no longer tagged as "experimental" but is instead considered
fully production ready.
*) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
the session in continuous check for state changes that never happen.
[Stefan Eissing]
*) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
protocols. [Jean-Frederic Clere]
*) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
a possible crash if a signal is caught during (graceful) restart.
PR 60487. [Yann Ylavic]
*) mod_rewrite: When a substitution is a fully qualified URL, and the
scheme/host/port matches the current virtual host, stop interpreting the
path component as a local path just because the first component of the
path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
to revert to previous behavior. PR60009.
[Hank Ibell <hwibell gmail.com>]
*) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
platforms. PR61124. [Hank Ibell <hwibell gmail.com>]
*) ab: enable option processing for setting a custom HTTP method also for
non-SSL builds. [Rainer Jung]
*) core: EBCDIC fixes for interim responses with additional headers.
[Eric Covener]
*) mod_env: when processing a 'SetEnv' directive, warn if the environment
variable name includes a '='. It is likely a configuration error.
PR 60249 [Christophe Jaillet]
*) Evaluate nested If/ElseIf/Else configuration blocks.
[Luca Toscano, Jacob Champion]
*) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
allow spaces in backreferences to be encoded as %20 instead of '+'.
[Eric Covener]
*) mod_rewrite: Add the possibility to limit the escaping to specific
characters in backreferences by listing them in the B flag.
[Eric Covener]
*) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
systems. [Eric Covener]
*) mod_http2: fail requests without ERROR log in case we need to read interim
responses and see only garbage. This can happen if proxied servers send
data where none should be, e.g. a body for a HEAD request. [Stefan Eissing]
*) mod_proxy_http2: adding support for Reverse Proxy Request headers.
[Stefan Eissing]
*) mod_http2: fixed possible deadlock that could occur when connections were
terminated early with ongoing streams. Fixed possible hanger with timeout
on race when connection considers itself idle. [Stefan Eissing]
*) mod_http2: MaxKeepAliveRequests now limits the number of times a
slave connection gets reused. [Stefan Eissing]
*) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
[Evgeny Kotkov]
*) mod_proxy_http2: Fixed bug in re-attempting proxy requests after
connection error. Reliability of reconnect handling improved.
[Stefan Eissing]
*) mod_http2: better performance, eliminated need for nested locks and
thread privates. Moving request setups from the main connection to the
worker threads. Increase number of spare connections kept.
[Stefan Eissing]
*) mod_http2: input buffering and dynamic flow windows for increased
throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
in mod_http2 INFO log as feature 'DWINS'. [Stefan Eissing]
*) mod_http2: h2 workers with improved scalability for better scheduling
performance. There are H2MaxWorkers threads created at start and the
number is kept constant for now. [Stefan Eissing]
*) mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and
just log a warning. [Stefan Eissing]
*) mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date
format from 2.2 in the Last Modified column. PR60846.
[Hank Ibell <hwibell gmail.com>]
*) core: Add %{REMOTE_PORT} to the expression parser. PR59938
[Hank Ibell <hwibell gmail.com>]
*) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
computing and using the same entity key according to when the cache
checks, loads and saves the request.
PR 60577. [Yann Ylavic]
*) mod_proxy_hcheck: Don't validate timed out responses. [Yann Ylavic]
*) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
in use (ProxyHCTPsize > 0). PR 60071. [Yann Ylavic, Jim Jagielski]
*) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
URI originally requsted by the user, not the nested documents URI. This
restores the behavior of this variable to match the "legacy" SSI parser.
PR60624. [Hank Ibell <hwibell gmail.com>]
Jim Jagielski
committed
*) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
variables just before invoking the FastCGI. [Eric Covener,
Jacob Champion]
*) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
default. Add ProxyFCGIBackendType to allow the type of backend to be
specified so these kinds of fixups can be restored without impacting
FPM. PR60576 [Eric Covener, Jim Jagielski]
*) mod_ssl: work around leaks on (graceful) restart. [Yann Ylavic]
*) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
*) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
than zero. [Eric Covener]
*) mod_http2: moving session cleanup to pre_close hook to avoid races with
modules already shut down and slave connections still operating.
[Stefan Eissing]
*) mod_lua: Support for Lua 5.3
*) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
*) mod_http2: fix for crash when running out of memory.
*) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
[Luca Toscano]
*) mod_http2: not counting file buckets again stream max buffer limits.
Effectively transfering static files in one step from slave to master
connection. [Stefan Eissing]
*) mod_http2: comforting ap_check_pipeline() on slave connections
to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
[Stefan Eissing, reported by Armin Abfalterer]
*) mod_http2: http/2 streams now with state handling/transitions as defined
in RFC7540. Stream cleanup/connection shutdown reworked to become easier
to understand/maintain/debug. Added many asserts on state and cleanup
transitions. [Stefan Eissing]
*) mod_auth_digest: Use an anonymous shared memory segment by default,
preventing startup failure after unclean shutdown. PR 54622.
[Jan Kaluza]
*) mod_filter: Fix AddOutputFilterByType with non-content-level filters.
PR 58856. [Micha Lenk <micha lenk.info>]
*) mod_watchdog: Fix semaphore leak over restarts. [Jim Jagielski]
Loading full blame...