Skip to content
CHANGES 234 KiB
Newer Older
Jeff Trawick's avatar
Jeff Trawick committed
                                                         -*- coding: utf-8 -*-
Ruediger Pluem's avatar
Ruediger Pluem committed

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.28

  *) event: Avoid listener periodic wake ups by using the pollset wake-ability
     when available.  PR 57399.  [Yann Ylavic, Luca Toscano]

  *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
     led to spurious HTTP 502 error messages sent on upgrade connections.
     PR 61283.  [Yann Ylavic]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.27

  *) SECURITY: CVE-2017-9789 (cve.mitre.org)
     mod_http2: Read after free. When under stress, closing many connections,
     the HTTP/2 handling code would sometimes access memory after it has been
Yann Ylavic's avatar
Yann Ylavic committed
     freed, resulting in potentially erratic behaviour.
     [Stefan Eissing]

  *) SECURITY: CVE-2017-9788 (cve.mitre.org)
     mod_auth_digest: Uninitialized memory reflection.  The value placeholder
     in [Proxy-]Authorization headers type 'Digest' was not initialized or
     reset before or between successive key=value assignments.
Yann Ylavic's avatar
Yann Ylavic committed
     [William Rowe]
  *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
     global variable when using Lua 5.2 or later. This was exported as a
     side effect from luaL_register, which is no longer supported as of
     Lua 5.2 which deprecates pollution of the global namespace.
     [Rainer Jung]

  *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
     The server will continue to run, but HTTP/2 will no longer be negotiated.
     [Stefan Eissing]

  *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
     default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
     [Jacob Champion, Jim Jagielski]

  *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
     PR58188, PR60831, PR61245. [Rainer Jung]
  
  *) mod_http2: Simplify ready queue, less memory and better performance. Update
     mod_http2 version to 1.10.7. [Stefan Eissing]
Jim Jagielski's avatar
Jim Jagielski committed
  *) Allow single-char field names inadvertently disallowed in 2.4.25.
  *) htpasswd / htdigest: Do not apply the strict permissions of the temporary
     passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]

  *) core: Avoid duplicate HEAD in Allow header.
     This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
     PR 61207. [Christophe Jaillet]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.26
Jim Jagielski's avatar
Jim Jagielski committed
  *) SECURITY: CVE-2017-7679 (cve.mitre.org)
     mod_mime can read one byte past the end of a buffer when sending a
Eric Covener's avatar
Eric Covener committed
     malicious Content-Type response header.  [Yann Ylavic]
Jim Jagielski's avatar
Jim Jagielski committed

  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
     bug in token list parsing, which allows ap_find_token() to search past
     the end of its input string. By maliciously crafting a sequence of
     request headers, an attacker may be able to cause a segmentation fault,
     or to force ap_find_token() to return an incorrect value.
Eric Covener's avatar
Eric Covener committed
     [Jacob Champion]
Jim Jagielski's avatar
Jim Jagielski committed

  *) SECURITY: CVE-2017-7659 (cve.mitre.org)
     A maliciously constructed HTTP/2 request could cause mod_http2 to
     dereference a NULL pointer and crash the server process.

  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
     mod_ssl may dereference a NULL pointer when third-party modules call
     ap_hook_process_connection() during an HTTP request to an HTTPS port.
Eric Covener's avatar
Eric Covener committed
     [Yann Ylavic]
Jim Jagielski's avatar
Jim Jagielski committed

  *) SECURITY: CVE-2017-3167 (cve.mitre.org)
     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
     authentication phase may lead to authentication requirements being
     bypassed.
Eric Covener's avatar
Eric Covener committed
     [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
Jim Jagielski's avatar
Jim Jagielski committed

  *) HTTP/2 support no longer tagged as "experimental" but is instead considered
     fully production ready.

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
     the session in continuous check for state changes that never happen. 
     [Stefan Eissing]

Eric Covener's avatar
Eric Covener committed
  *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
     protocols.  [Jean-Frederic Clere]

Yann Ylavic's avatar
Yann Ylavic committed
  *) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
     a possible crash if a signal is caught during (graceful) restart.
     PR 60487.  [Yann Ylavic]

  *) mod_rewrite: When a substitution is a fully qualified URL, and the 
     scheme/host/port matches the current virtual host, stop interpreting the 
     path component as a local path just because the first component of the 
     path exists in the filesystem.  Adds RewriteOption "LegacyPrefixDocRoot" 
     to revert to previous behavior. PR60009.
     [Hank Ibell <hwibell gmail.com>]
 
  *) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
     platforms. PR61124. [Hank Ibell <hwibell gmail.com>]

Rainer Jung's avatar
Rainer Jung committed
  *) ab: enable option processing for setting a custom HTTP method also for
     non-SSL builds.  [Rainer Jung]

  *) core: EBCDIC fixes for interim responses with additional headers.
     [Eric Covener]

  *) mod_env: when processing a 'SetEnv' directive, warn if the environment
     variable name includes a '='. It is likely a configuration error.
     PR 60249 [Christophe Jaillet]

  *) Evaluate nested If/ElseIf/Else configuration blocks.
     [Luca Toscano, Jacob Champion]

  *) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to 
     allow spaces in backreferences to be encoded as %20 instead of '+'.
     [Eric Covener]

  *) mod_rewrite: Add the possibility to limit the escaping to specific
     characters in backreferences by listing them in the B flag.
     [Eric Covener]

Eric Covener's avatar
Eric Covener committed
  *) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
     systems.  [Eric Covener]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: fail requests without ERROR log in case we need to read interim
     responses and see only garbage. This can happen if proxied servers send
     data where none should be, e.g. a body for a HEAD request. [Stefan Eissing]
     
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_proxy_http2: adding support for Reverse Proxy Request headers.
     [Stefan Eissing]
     
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: fixed possible deadlock that could occur when connections were 
     terminated early with ongoing streams. Fixed possible hanger with timeout
     on race when connection considers itself idle. [Stefan Eissing]  

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: MaxKeepAliveRequests now limits the number of times a 
     slave connection gets reused. [Stefan Eissing]

  *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
     [Evgeny Kotkov]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_proxy_http2: Fixed bug in re-attempting proxy requests after 
     connection error. Reliability of reconnect handling improved. 
     [Stefan Eissing]
  
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: better performance, eliminated need for nested locks and
     thread privates. Moving request setups from the main connection to the
     worker threads. Increase number of spare connections kept.
     [Stefan Eissing]
     
  *) mod_http2: input buffering and dynamic flow windows for increased 
     throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
     in mod_http2 INFO log as feature 'DWINS'. [Stefan Eissing]

  *) mod_http2: h2 workers with improved scalability for better scheduling
     performance. There are H2MaxWorkers threads created at start and the
     number is kept constant for now. [Stefan Eissing]
     
  *) mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and
     just log a warning. [Stefan Eissing]
     
  *) mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date
     format from 2.2 in the Last Modified column. PR60846.
     [Hank Ibell <hwibell gmail.com>]
  *) core: Add %{REMOTE_PORT} to the expression parser. PR59938
     [Hank Ibell <hwibell gmail.com>]

  *) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
     computing and using the same entity key according to when the cache
     checks, loads and saves the request.
     PR 60577.  [Yann Ylavic]
  *) mod_proxy_hcheck: Don't validate timed out responses.  [Yann Ylavic]

  *) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
     in use (ProxyHCTPsize > 0).  PR 60071.  [Yann Ylavic, Jim Jagielski]

  *) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
     URI originally requsted by the user, not the nested documents URI. This
     restores the behavior of this variable to match the "legacy" SSI parser.
     PR60624. [Hank Ibell <hwibell gmail.com>]
  *) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
     variables just before invoking the FastCGI. [Eric Covener,
     Jacob Champion]

  *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
     a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
     default.  Add ProxyFCGIBackendType to allow the type of backend to be
     specified so these kinds of fixups can be restored without impacting
     FPM. PR60576 [Eric Covener, Jim Jagielski]
Loading full blame...