Newer
Older
*) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
beams that could lead to assertion failure in edge cases.
[Stefan Eissing]
*) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
in 2.4.28. [Jim Jagielski]
*) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
PR 61546. [Lubos Uhliarik <luhliari redhat.com>]
*) mod_rewrite: Add support for starting External Rewriting Programs
as non-root user on UNIX systems by specifying username and group
name as third argument of RewriteMap directive. [Jan Kaluza]
*) core: Rewrite the Content-Length filter to avoid excessive memory
consumption. Chunked responses will be generated in more cases
than in previous releases. PR 61222. [Joe Orton, Ruediger Pluem]
*) mod_ssl: Fix SessionTicket callback return value, which does seem to
matter with OpenSSL 1.1. [Yann Ylavic]
*) SECURITY: CVE-2017-9798 (cve.mitre.org)
Corrupted or freed memory access. <Limit[Except]> must now be used in the
main configuration file (httpd.conf) to register HTTP methods before the
.htaccess files. [Yann Ylavic]
*) event: Avoid possible blocking in the listener thread when shutting down
connections. PR 60956. [Yann Ylavic]
*) mod_speling: Don't embed referer data in a link in error page.
PR 38923 [Nick Kew]
*) htdigest: prevent a buffer overflow when a string exceeds the allowed max
length in a password file.
[Luca Toscano, Hanno Böck <hanno hboeck de>]
*) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
[Jim Jagielski]
*) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
PR 61142.
*) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]
*) mod_http2: Fix for stalling when more than 32KB are written to a
suspended stream. [Stefan Eissing]
*) build: allow configuration without APR sources. [Jacob Champion]
*) mod_ssl, ab: Fix compatibility with LibreSSL. PR 61184.
[Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
Yann Ylavic]
*) core/log: Support use of optional "tag" in syslog entries.
PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]
*) mod_proxy: Fix ProxyAddHeaders merging. [Joe Orton]
*) core: Disallow multiple Listen on the same IP:port when listener buckets
are configured (ListenCoresBucketsRatio > 0), consistently with the single
bucket case (default), thus avoiding the leak of the corresponding socket
descriptors on graceful restart. [Yann Ylavic]
Jim Jagielski
committed
*) event: Avoid listener periodic wake ups by using the pollset wake-ability
when available. PR 57399. [Yann Ylavic, Luca Toscano]
*) mod_proxy_wstunnel: Fix detection of unresponded request which could have
led to spurious HTTP 502 error messages sent on upgrade connections.
PR 61283. [Yann Ylavic]
*) SECURITY: CVE-2017-9789 (cve.mitre.org)
mod_http2: Read after free. When under stress, closing many connections,
the HTTP/2 handling code would sometimes access memory after it has been
freed, resulting in potentially erratic behaviour.
[Stefan Eissing]
*) SECURITY: CVE-2017-9788 (cve.mitre.org)
mod_auth_digest: Uninitialized memory reflection. The value placeholder
in [Proxy-]Authorization headers type 'Digest' was not initialized or
reset before or between successive key=value assignments.
*) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
global variable when using Lua 5.2 or later. This was exported as a
side effect from luaL_register, which is no longer supported as of
Lua 5.2 which deprecates pollution of the global namespace.
[Rainer Jung]
*) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
The server will continue to run, but HTTP/2 will no longer be negotiated.
[Stefan Eissing]
*) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
[Jacob Champion, Jim Jagielski]
*) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
PR58188, PR60831, PR61245. [Rainer Jung]
*) mod_http2: Simplify ready queue, less memory and better performance. Update
mod_http2 version to 1.10.7. [Stefan Eissing]
*) Allow single-char field names inadvertently disallowed in 2.4.25.
PR 61220. [Yann Ylavic]
*) htpasswd / htdigest: Do not apply the strict permissions of the temporary
passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]
*) core: Avoid duplicate HEAD in Allow header.
This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
PR 61207. [Christophe Jaillet]
*) SECURITY: CVE-2017-7679 (cve.mitre.org)
mod_mime can read one byte past the end of a buffer when sending a
*) SECURITY: CVE-2017-7668 (cve.mitre.org)
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.
*) SECURITY: CVE-2017-7659 (cve.mitre.org)
A maliciously constructed HTTP/2 request could cause mod_http2 to
dereference a NULL pointer and crash the server process.
*) SECURITY: CVE-2017-3169 (cve.mitre.org)
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
*) SECURITY: CVE-2017-3167 (cve.mitre.org)
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.
[Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
*) HTTP/2 support no longer tagged as "experimental" but is instead considered
fully production ready.
*) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
the session in continuous check for state changes that never happen.
[Stefan Eissing]
*) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
protocols. [Jean-Frederic Clere]
*) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
a possible crash if a signal is caught during (graceful) restart.
PR 60487. [Yann Ylavic]
*) mod_rewrite: When a substitution is a fully qualified URL, and the
scheme/host/port matches the current virtual host, stop interpreting the
path component as a local path just because the first component of the
path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
to revert to previous behavior. PR60009.
[Hank Ibell <hwibell gmail.com>]
*) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
platforms. PR61124. [Hank Ibell <hwibell gmail.com>]
*) ab: enable option processing for setting a custom HTTP method also for
non-SSL builds. [Rainer Jung]
*) core: EBCDIC fixes for interim responses with additional headers.
[Eric Covener]
*) mod_env: when processing a 'SetEnv' directive, warn if the environment
variable name includes a '='. It is likely a configuration error.
PR 60249 [Christophe Jaillet]
*) Evaluate nested If/ElseIf/Else configuration blocks.
[Luca Toscano, Jacob Champion]
*) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
allow spaces in backreferences to be encoded as %20 instead of '+'.
[Eric Covener]
*) mod_rewrite: Add the possibility to limit the escaping to specific
characters in backreferences by listing them in the B flag.
[Eric Covener]
*) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
systems. [Eric Covener]
*) mod_http2: fail requests without ERROR log in case we need to read interim
responses and see only garbage. This can happen if proxied servers send
Loading full blame...