Newer
Older
*) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
[Michael Kaufmann <mail michael-kaufmann.ch>]
*) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
PR 55348
*) mod_socache_redis: Support for Redis as socache storage provider.
*) core: new configuration option 'MergeSlashes on|off' that controls handling of
multiple, consecutive slash ('/') characters in the path component of the request URL.
[Eric Covener]
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
*) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
Fixed. [Michael Kaufmann]
*) mod_http2: new configuration directive: `H2Padding numbits` to control
padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
controlling the range of padding bytes added to a frame. The actual number
added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
frames equally. The default continues to be 0, e.g. no padding. [Stefan Eissing]
*) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
has no more need for it. Optional functions are still declared but no longer implemented.
While previous mod_proxy_http2 will work with this, it is recommeneded to run the matching
versions of both modules. [Stefan Eissing]
*) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
resolve PR63170. The proxy module does now a single h2 request on the (reused)
connection and returns. [Stefan Eissing]
*) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status
to trigger immediate shutdown of backend connections. This is now always signalled
by mod_http2 when the the session is being released.
proxy_http2 now only sends a PING frame to the backend when there is not already one
in flight. [Stefan Eissing]
*) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite
loop when encountering certain errors on the backend connection.
See <https://bz.apache.org/bugzilla/show_bug.cgi?id=63170>. [Stefan Eissing]
*) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per
Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]
*) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to
terminate improperly and cause a HTTP/2 PROTOCOL_ERROR.
Fixes <https://github.com/icing/mod_h2/issues/167>. [Michael Kaufmann]
*) http: Fix possible empty response with mod_ratelimit for HEAD requests.
PR 63192. [Yann Ylavic]
*) mod_cache_socache: Avoid reallocations and be safe with outgoing data
lifetime. [Yann Ylavic]
*) MPMs unix: bind the bucket number of each child to its slot number, for a
more efficient per bucket maintenance. [Yann Ylavic]
*) mod_auth_digest: Fix a race condition. Authentication with valid
credentials could be refused in case of concurrent accesses from
different users. PR 63124. [Simon Kappel <simon.kappel axis.com>]
*) mod_http2: enable re-use of slave connections again. Fixed slave connection
keepalives counter. [Stefan Eissing]
Jim Jagielski
committed
*) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.
PR 61310. [Yann Ylavic]
*) mod_proxy_wstunnel: Fix websocket proxy over UDS.
PR 62932 <pavel dcmsys.com>
*) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
configuration (SSLFIPS on) and not active by default in OpenSSL.
PR 63136. [Yann Ylavic]
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowing
sessions to be reused. [Hank Ibell]
*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodies
to resources not consuming them, httpd cleanup code occupies a server
thread unnecessarily. This was changed to an immediate stream reset
which discards all stream state and incoming data. [Stefan Eissing]
*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later. PR 63052. [Joe Orton]
*) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
PR 63052 [Joe Orton]
William A. Rowe Jr
committed
*) mod_negotiation: Treat LanguagePriority as case-insensitive to match
AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]
*) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
have been fixed. [Michael Kaufmann, Stefan Eissing]
Graham Leggett
committed
*) mod_setenvif: We can have expressions that become true if a regex pattern
in the expression does NOT match. In this case val is NULL
and we should just set the value for the environment variable
like in the pattern case. [Ruediger Pluem]
Graham Leggett
committed
*) mod_session: Always decode session attributes early. [Hank Ibell]
*) core: Incorrect values for environment variables are substituted when
multiple environment variables are specified in a directive. [Hank Ibell]
*) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
this type of map is present in the configuration. PR62311.
[Hank Ibell <hwibell gmail.com>]
Graham Leggett
committed
*) mod_dav: Fix invalid Location header when a resource is created by
passing an absolute URI on the request line [Jim Jagielski]
*) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
[Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]
*) mod_ssl: clear *SSL errors before loading certificates and checking
afterwards. Otherwise errors are reported when other SSL using modules
are in play. Fixes PR 62880. [Michael Kaufmann]
Graham Leggett
committed
*) mod_ssl: Fix the error code returned in an error path of
'ssl_io_filter_handshake()'. This messes-up error handling performed
in 'ssl_io_filter_error()' [Yann Ylavic]
*) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
authz provider so "Require ssl" works correctly in HTTP/2.
PR 61519, 62654. [Joe Orton, Stefan Eissing]
*) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
redirects, subsequent ProxyPassReverse statements, whether they are
relative or absolute, may fail. PR 60408. [Peter Haworth <pmh1wheel gmail.com>]
*) mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1]
*) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1. [Rainer Jung]
*) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
when client certificates are available from the original handshake
but were originally not verified and should get verified now.
This is a regression in 2.4.36 (unreleased). [Ruediger Pluem]
*) mod_ssl: Correctly merge configurations that have client certificates set
by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]
*) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
responses. Regression introduced in 2.4.35.
*) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
body of the response. [Jim Jagielski]
Graham Leggett
committed
*) mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when
there are still idle threads available. When there are less idle threads than
MinSpareThreads, issue new one-time message AH10159. Matches worker MPM.
[Eric Covener]
*) mod_http2: adding defensive code for stream EOS handling, in case the request handler
missed to signal it the normal way (eos buckets). Addresses github issues
https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing]
*) ab: Add client certificate support. PR 55774. [Graham Leggett]
*) ab: Disable printing temp key for OpenSSL before
version 1.0.2. SSL_get_server_tmp_key is not available
there. [Rainer Jung]
*) mod_ssl: Fix a regression that the configuration settings for verify mode
and verify depth were taken from the frontend connection in case of
connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
*) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
before signals handling to avoid lifetime issues on restart or shutdown.
PR 62658. [Yann Ylavic]
*) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3. TLSv1.3 has
behavioural changes compared to v1.2 and earlier; client and
configuration changes should be expected. SSLCipherSuite is
enhanced for TLSv1.3 ciphers, but applies at vhost level only.
[Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]
Jim Jagielski
committed
*) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
should be accepted after the authorization scheme. \t are also tolerated.
[Christophe Jaillet]
Jim Jagielski
committed
*) mod_socache_redis: New socache submodule provider to allow use
of Redis as storage backend. [Jim Jagielski]
*) mod_proxy_hcheck: Fix issues with interval determination. PR 62318
[Jim Jagielski]
Loading full blame...