Newer
Older
*) core/util_script: making REDIRECT_URL a full URL is now opt-in
via new 'QualifyRedirectURL' directive.
*) mod_ssl: Extend expression parser registration to support ssl variables
in any expression using mod_rewrite syntax "%{SSL:VARNAME}" or function
syntax "ssl(VARNAME)". [Rainer Jung]
*) mod_http2: added donated HTTP/2 implementation via core module. Similar
configuration options to mod_ssl. [Stefan Eissing]
*) mod_proxy: don't recyle backend announced "Connection: close" connections
to avoid reusing it should the close be effective after some new request
is ready to be sent. [Yann Ylavic]
Jim Jagielski
committed
*) mod_substitute: Allow to configure the patterns merge order with the new
SubstituteInheritBefore on|off directive. PR 57641
[Marc.Stern <Marc.Stern approach.be>, Yann Ylavic, William Rowe]
*) mod_proxy: Fix ProxySourceAddress binding failure with AH00938.
PR 56687. [Arne de Bruijn <apache arbruijn.dds.nl>
*) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120. [Kaspar Brand]
*) mod_ssl: append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213. [Kaspar Brand]
*) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,
Kaspar Brand]
*) mod_logio: Fix logging of %^FB (time to first byte) on the first request on
an SSL connection. PR 58454.
[Konstantin J. Chernov <k.j.chernov gmail.com>]
*) mod_cache: r->err_headers_out is not merged into
r->headers when mod_cache is enabled and the response
is cached for the first time. [Edward Lu]
*) mod_slotmem_shm: Fix slots/SHM files names on restart for systems that
can't create new (clear) slots while previous children gracefully stopping
still use the old ones (e.g. Windows, OS2). mod_proxy_balancer failed to
restart whenever the number of configured balancers/members changed during
restart. PR 58024. [Yann Ylavic]
*) core/util_script: make REDIRECT_URL a full URL. PR 57785. [Nick Kew]
*) MPMs: Support SO_REUSEPORT to create multiple duplicated listener
records for scalability. [Yingqi Lu <yingqi.lu@intel.com>,
Jeff Trawick, Jim Jagielski, Yann Ylavic]
*) mod_proxy: Fix a race condition that caused a failed worker to be retried
before the retry period is over. [Ruediger Pluem]
*) mod_autoindex: Allow autoindexes when neither mod_dir nor mod_mime are
loaded. [Eric Covener]
*) mod_rewrite: Allow cookies set by mod_rewrite to contain ':' by accepting
';' as an alternate separator. PR47241.
[<bugzilla schermesser com>, Eric Covener]
*) apxs: Add HTTPD_VERSION and HTTPD_MMN to the variables available with
apxs -q. PR58202. [Daniel Shahaf <danielsh apache.org>]
*) mod_rewrite: Avoid a crash when lacking correct DB access permissions
when using RewriteMap with MapType dbd or fastdbd. [Christophe Jaillet]
*) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions.
PR 57868. [Jose Kahan <jose w3.org>, Yann Ylavic]
*) mod_socache_memcache: Add the 'MemcacheConnTTL' directive to control how
long to keep idle connections with the memcache server(s).
Change default value from 600 usec (!) to 15 sec. PR 58091
[Christophe Jaillet]
*) mod_dir: Prevent the internal identifier "httpd/unix-directory" from
appearing as a Content-Type response header when requests for a directory
are rewritten by mod_rewrite. [Eric Covener]
*) http: Fix LimitRequestBody checks when there is no more bytes to read.
[Michael Kaufmann <mail michael-kaufmann.ch>]
*) mod_alias: Revert expression parser support for Alias, ScriptAlias
and Redirect due to a regression (introduced in 2.4.13, not released).
William A. Rowe Jr
committed
*) mod_reqtimeout: Don't let pipelining checks and keep-alive times interfere
with the timeouts computed for subsequent requests. PR 56729.
[Eric Covener, Yann Ylavic]
*) core: Avoid a possible truncation of the faulty header included in the
HTML response when LimitRequestFieldSize is reached. [Yann Ylavic]
*) mod_ldap: In some case, LDAP_NO_SUCH_ATTRIBUTE could be returned instead
of an error during a compare operation. [Eric Covener]
Changes with Apache 2.4.15 (not released)
*) mod_ext_filter, mod_charset_lite: Avoid inadvertent filtering of protocol
data during read of chunked request bodies. PR 58049.
[Edward Lu <Chaosed0 gmail.com>]
*) mod_ldap: Stop leaking LDAP connections when 'LDAPConnectionPoolTTL 0'
is configured. PR 58037. [Ted Phelps <phelps gnusto.com>]
*) core: Allow spaces after chunk-size for compatibility with implementations
using a pre-filled buffer. [Yann Ylavic, Jeff Trawick]
*) mod_ssl: Remove deprecated SSLCertificateChainFile warning.
[Yann Ylavic]
Changes with Apache 2.4.14 (not released)
*) SECURITY: CVE-2015-3183 (cve.mitre.org)
core: Fix chunk header parsing defect.
Remove apr_brigade_flatten(), buffering and duplicated code from
the HTTP_IN filter, parse chunks in a single pass with zero copy.
Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters. [Graham Leggett, Yann Ylavic]
*) SECURITY: CVE-2015-3185 (cve.mitre.org)
Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
with new ap_some_authn_required and ap_force_authn hook. [Ben Reser]
Changes with Apache 2.4.13 (not released)
core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
with the INCLUDES filter active, introduced in 2.4.11. PR 57531.
[Yann Ylavic]
*) SECURITY: CVE-2015-0228 (cve.mitre.org)
mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash.
[Edward Lu <Chaosed0 gmail.com>]
*) mod_proxy: Don't put the worker in error state for 500 or 503 errors
returned by the backend unless failonstatus is configured to. PR 56925.
[Yann Ylavic]
*) core: Don't lowercase the argument to SetHandler if it begins with
"proxy:unix". PR 57968. [Eric Covener]
*) mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
the OCSP response for a different certificate. mod_ssl has an additional
global mutex, "ssl-stapling-refresh". PR 57131 (partial fix).
[Jeff Trawick]
*) mod_authz_dbm: Fix crashes when "dbm-file-group" is used and
authz modules were loaded in the "wrong" order. [Joe Orton]
*) mod_authn_dbd, mod_authz_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
of DB lookup entries independently of the selected DB engine. PR 46421.
[Steven whitson <steven.whitson gmail com>, Jan Kaluza, Yann Ylavic].
*) In alignment with RFC 7525, the default recommended SSLCipherSuite
and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
default recommended SSLProtocol and SSLProxyProtocol directives now
exclude SSLv3. Existing configurations must be adjusted by the
*) mod_ssl: Add support for extracting subjectAltName entries of type
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
environment variables. Also addresses PR 57207. [Kaspar Brand]
*) dav_validate_request: avoid validating locks and ETags when there are
no If headers providing them on a resource we aren't modifying.
[Ben Reser]
*) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
response header to be used by the application, for when the application
or framework is unable to return Location in the internal-redirect
form. [Jeff Trawick]
*) core: Cleanup the request soon/even if some output filter fails to
handle the EOR bucket. [Yann Ylavic]
*) mpm_event: Allow for timer events duplicates. [Jim Jagielski, Yann Ylavic]
*) mod_proxy, mod_ssl, mod_cache_socache, mod_socache_*: Support machine
readable server-status produced when using the "?auto" query string.
[Rainer Jung]
*) mod_status: Add more data to machine readable server-status produced
when using the "?auto" query string. [Rainer Jung]
*) mod_ssl: Check for the Entropy Gathering Daemon (EGD) availability at
configure time (RAND_egd), and complain if SSLRandomSeed requires using
Loading full blame...