Newer
Older
*) mod_http2: CVE-2016-8740: Mitigate DoS memory exhaustion via endless
CONTINUATION frames.
[Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State University, Stefan Eissing]
Jim Jagielski
committed
*) mod_socache_memcache: Pass expiration time through to memcached.
[Faidon Liambotis <paravoid debian.org>, Joe Orton]
*) mod_cache: Use the actual URI path and query-string for identifying the
cached entity (key), such that rewrites are taken into account when
running afterwards (CacheQuickHandler off). PR 21935. [Yann Ylavic]
*) mod_http2: new directive 'H2EarlyHints' to enable sending of HTTP status
103 interim responses. Disabled by default. [Stefan Eissing]
*) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
in the client certificate chain. PR 55786. [Yann Ylavic]
Jim Jagielski
committed
*) event: Allow to use the whole allocated scoreboard (up to ServerLimit
slots) to avoid scoreboard full errors when some processes are finishing
gracefully. Also, make gracefully finishing processes close all
keep-alive connections. PR 53555. [Stefan Fritsch]
*) mpm_event: Don't take over scoreboard slots from gracefully finishing
threads. [Stefan Fritsch]
*) mpm_event: Free memory earlier when shutting down processes.
[Stefan Fritsch]
*) mod_status: Display the process slot number in the async connection
overview. [Stefan Fritsch]
*) mod_dir: Responses that go through "FallbackResource" might appear to
hang due to unterminated chunked encoding. PR58292. [Eric Covener]
*) mod_dav: Fix a potential cause of unbounded memory usage or incorrect
behavior in a routine that sends <DAV:response>'s to the output filters.
[Evgeny Kotkov]
*) mod_http2: new directive 'H2PushResource' to enable early pushes before
processing of the main request starts. Resources are announced to the
client in Link headers on a 103 early hint response.
All responses with status code <400 are inspected for Link header and
trigger pushes accordingly. 304 still does prevent pushes.
'H2PushResource' can mark resources as 'critical' which gives them higher
priority than the main resource. This leads to preferred scheduling for
processing and, when content is available, will send it first. 'critical'
is also recognized on Link headers. [Stefan Eissing]
*) mod_proxy_http2: uris in Link headers are now mapped back to a suitable
local url when available. Relative uris with an absolute path are mapped
as well. This makes reverse proxy mapping available for resources
announced in this header.
With 103 interim responses being forwarded to the main client connection,
this effectively allows early pushing of resources by a reverse proxied
backend server. [Stefan Eissing]
*) mod_proxy_http2: adding support for newly proposed 103 status code.
[Stefan Eissing]
*) mpm_unix: Apache fails to start if previously crashed then restarted with
the same PID (e.g. in container). PR 60261.
[Val <valentin.bremond gmail.com>, Yann Ylavic]
*) mod_http2: unannounced and multiple interim responses (status code < 200)
are parsed and forwarded to client until a final response arrives.
[Stefan Eissing]
*) mod_proxy_http2: improved robustness when main connection is closed early
by resetting all ongoing streams against the backend.
[Stefan Eissing]
*) mod_http2: allocators from slave connections are released earlier, resulting
in less overall memory use on busy, long lived connections.
[Stefan Eissing]
*) mod_remoteip: Pick up where we left off during a subrequest rather
than running with the modified XFF but original TCP address.
PR 49839/PR 60251
*) http: Respond with "408 Request Timeout" when a timeout occurs while
reading the request body. [Yann Ylavic]
*) mod_http2: connection shutdown revisited: corrected edge cases on
shutting down ongoing streams, changed log warnings to be less noisy
when waiting on long running tasks. [Stefan Eissing]
*) mod_http2: changed all AP_DEBUG_ASSERT to ap_assert to have them
available also in normal deployments. [Stefan Eissing]
*) mod_http2/mod_proxy_http2: 100-continue handling now properly implemented
up to the backend. Reused HTTP/2 proxy connections with more than a second
not used will block request bodies until a PING answer is received.
Requests headers are not delayed by this, since they are repeatable in
case of failure. This greatly increases robustness, especially with
busy server and/or low keepalive connections. [Stefan Eissing]
*) mod_proxy_http2: fixed duplicate symbols with mod_http2.
[Stefan Eissing]
*) mod_http2: rewrite of how responses and trailers are transferred between
master and slave connection. Reduction of internal states for tasks
and streams, stability. Heuristic id generation for slave connections
to better keep promise of connection ids unique at given point int time.
Fix for mod_cgid interop in high load situtations.
Fix for handling of incoming trailers when no request body is sent.
[Stefan Eissing]
*) mod_http2: fix suspended handling for streams. Output could become
blocked in rare cases. [Stefan Eissing]
*) mpm_winnt: Prevent a denial of service when the 'data' AcceptFilter is in
use by replacing it with the 'connect' filter. PR 59970. [Jacob Champion]
*) mod_cgid: Resolve a case where a short CGI response causes a subsequent
CGI to be killed prematurely, resulting in a truncated subsequent
response. [Eric Covener]
*) mod_proxy_hcheck: Set health check URI and expression correctly for health
check worker. PR 60038 [zdeno <zdeno@scnet.sk>]
*) mod_http2: if configured with nghttp2 1.14.0 and onward, invalid request
headers will immediately reset the stream with a PROTOCOL error. Feature
logged by module on startup as 'INVHD' in info message.
[Stefan Eissing]
*) mod_http2: fixed handling of stream buffers during shutdown.
[Stefan Eissing]
*) mod_reqtimeout: Fix body timeout disabling for CONNECT requests to avoid
triggering mod_proxy_connect's AH01018 once the tunnel is established.
[Yann Ylavic]
*) ab: Set the Server Name Indication (SNI) extension on outgoing TLS
connections (unless -I is specified), according to the Host header (if
any) or the requested URL's hostname otherwise. [Yann Ylavic]
*) mod_proxy_fcgi: avoid loops when ProxyErrorOverride is enabled
and the error documents are proxied. PR 55415. [Luca Toscano]
*) mod_proxy_fcgi: read the whole FCGI response even when the content
has not been modified (HTTP 304) or in case of a precondition failure
(HTTP 412) to avoid subsequent bogus reads and confusing
error messages logged. [Luca Toscano]
*) mod_http2: h2 status resource follows latest draft, see
http://www.ietf.org/id/draft-benfield-http2-debug-state-01.txt
[Stefan Eissing]
*) mod_http2: handling graceful shutdown gracefully, e.g. handling existing
streams to the end. [Stefan Eissing]
*) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues.
[Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
*) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data
available before the request is sent. PR 57832. [Yann Ylavic]
*) mod_proxy_balancer: Prevent redirect loops between workers within a
balancer by limiting the number of redirects to the number balancer
members. PR 59864 [Ruediger Pluem]
*) mod_proxy: Correctly consider error response codes by the backend when
processing failonstatus. PR 59869 [Ruediger Pluem]
*) mod_dav: Add dav_get_provider_name() function to obtain the name
of the provider from mod_dav. [Graham Leggett]
*) mod_dav: Add support for childtags to dav_error.
[Jari Urpalainen <jari.urpalainen nokia.com>]
*) mod_proxy_fcgi: Fix 2.4.23 breakage for mod_rewrite per-dir and query
string showing up in SCRIPT_FILENAME. PR59815
*) mod_include: Fix a potential memory misuse while evaluating expressions.
PR59844. [Eric Covener]
*) mod_http2: new H2CopyFiles directive that changes treatment of file
handles in responses. Necessary in order to fix broken lifetime handling
in modules such as mod_wsgi.
*) mod_http2: removing timeouts on master connection while requests are
being processed. Requests may timeout, but the master only times out when
no more requests are active. [Stefan Eissing]
*) mod_http2: fixes connection flush when answering SETTINGS without any
stream open. [Moto Ishizawa <@summerwind>, Stefan Eissing]
*) mod_ssl: reset client-verify state of ssl when aborting renegotiations.
[Erki Aring <erki@example.ee>, Stefan Eissing]
*) mod_sed: Fix 'x' command processing. [Christophe Jaillet]
*) configure: Fix ./configure edge-case failures around dependencies
of mod_proxy_hcheck. [William Rowe, Ruediger Pluem, Jeff Trawick]
Loading full blame...