Skip to content
CHANGES 260 KiB
Newer Older
Jeff Trawick's avatar
Jeff Trawick committed
                                                         -*- coding: utf-8 -*-
Daniel Ruggeri's avatar
Daniel Ruggeri committed
Changes with Apache 2.4.39

Joe Orton's avatar
Joe Orton committed
  *) mod_auth_digest: Fix a race condition. Authentication with valid
     credentials could be refused in case of concurrent accesses from
     different users.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]

  *) mod_proxy_wstunnel: Fix websocket proxy over UDS.
     PR 62932 <pavel dcmsys.com>

  *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
     configuration (SSLFIPS on) and not active by default in OpenSSL.
     PR 63136. [Yann Ylavic]
Changes with Apache 2.4.38

  *) SECURITY: CVE-2018-17199 (cve.mitre.org)
     mod_session: mod_session_cookie does not respect expiry time allowing
     sessions to be reused.  [Hank Ibell]

  *) SECURITY: CVE-2018-17189 (cve.mitre.org)
     mod_http2: fixes a DoS attack vector. By sending slow request bodies
     to resources not consuming them, httpd cleanup code occupies a server
     thread unnecessarily. This was changed to an immediate stream reset
     which discards all stream state and incoming data.  [Stefan Eissing]

  *) SECURITY: CVE-2019-0190 (cve.mitre.org)
     mod_ssl: Fix infinite loop triggered by a client-initiated
     renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
     later.  PR 63052.  [Joe Orton]

  *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
     PR 63052 [Joe Orton]

  *) mod_negotiation: Treat LanguagePriority as case-insensitive to match
     AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]
  
  *) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
     have been fixed. [Michael Kaufmann, Stefan Eissing]
  
  *) mod_setenvif: We can have expressions that become true if a regex pattern
     in the expression does NOT match. In this case val is NULL
     and we should just set the value for the environment variable 
     like in the pattern case. [Ruediger Pluem]
  *) mod_session: Always decode session attributes early. [Hank Ibell]

  *) core: Incorrect values for environment variables are substituted when
     multiple environment variables are specified in a directive. [Hank Ibell]

  *) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
     this type of map is present in the configuration.  PR62311.  
     [Hank Ibell <hwibell gmail.com>]

  *) mod_dav: Fix invalid Location header when a resource is created by
     passing an absolute URI on the request line [Jim Jagielski]

  *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
     [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]

  *) mod_ssl: clear *SSL errors before loading certificates and checking
     afterwards. Otherwise errors are reported when other SSL using modules
     are in play. Fixes PR 62880. [Michael Kaufmann]

  *) mod_ssl: Fix the error code returned in an error path of
     'ssl_io_filter_handshake()'. This messes-up error handling performed
     in 'ssl_io_filter_error()' [Yann Ylavic]

  *) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
     authz provider so "Require ssl" works correctly in HTTP/2.
     PR 61519, 62654.  [Joe Orton, Stefan Eissing]

  *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
     redirects, subsequent ProxyPassReverse statements, whether they are
     relative or absolute, may fail.  PR 60408.  [Peter Haworth <pmh1wheel gmail.com>]
  
  *) mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1]
Daniel Ruggeri's avatar
Daniel Ruggeri committed
Changes with Apache 2.4.37

  *) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1. [Rainer Jung]

  *) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
     when client certificates are available from the original handshake
     but were originally not verified and should get verified now.
     This is a regression in 2.4.36 (unreleased). [Ruediger Pluem]

  *) mod_ssl: Correctly merge configurations that have client certificates set
     by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]

Daniel Ruggeri's avatar
Daniel Ruggeri committed
Changes with Apache 2.4.36

  *) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
     responses. Regression introduced in 2.4.35.

  *) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
     body of the response. [Jim Jagielski]

  *) mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when
     there are still idle threads available. When there are less idle threads than
     MinSpareThreads, issue new one-time message AH10159. Matches worker MPM.
     [Eric Covener]

  *) mod_http2: adding defensive code for stream EOS handling, in case the request handler
     missed to signal it the normal way (eos buckets). Addresses github issues 
     https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
     and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing] 

Joe Orton's avatar
Joe Orton committed
  *) ab: Add client certificate support.  PR 55774.  [Graham Leggett]
  *) ab: Disable printing temp key for OpenSSL before
     version 1.0.2. SSL_get_server_tmp_key is not available
     there. [Rainer Jung]

Eric Covener's avatar
Eric Covener committed
  *) mod_ssl: Fix a regression that the configuration settings for verify mode
     and verify depth were taken from the frontend connection in case of
     connections by the proxy to the backend. PR 62769. [Ruediger Pluem]

  *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
     before signals handling to avoid lifetime issues on restart or shutdown.
     PR 62658. [Yann Ylavic]

  *) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3.  TLSv1.3 has
     behavioural changes compared to v1.2 and earlier; client and
     configuration changes should be expected.  SSLCipherSuite is
     enhanced for TLSv1.3 ciphers, but applies at vhost level only.
     [Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]
  *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
     should be accepted after the authorization scheme. \t are also tolerated.
     [Christophe Jaillet]

  *) mod_proxy_hcheck: Fix issues with interval determination. PR 62318
     [Jim Jagielski]

  *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
     [Dominik Stillhard <dominik.stillhard united-security-providers.ch>]

  *) mod_proxy_hcheck: take balancer's SSLProxy* directives into account.
     [Jim Jagielski]

  *) mod_status, mod_echo: Fix the display of client addresses.
    They were truncated to 31 characters which is not enough for IPv6 addresses.
    This is done by deprecating the use of the 'client' field and using
    the new 'client64' field in worker_score.
    PR 54848 [Bernhard Schmidt <berni birkenwald de>, Jim Jagielski]

  *) http: Enforce consistently no response body with both 204 and 304
     statuses.  [Yann Ylavic]

  *) mod_status: Cumulate CPU time of exited child processes in the
     "cu" and "cs" values. Add CPU time of the parent process to the
     "c" and "s" values.
     [Rainer Jung]

  *) mod_proxy: Improve the balancer member data shown in mod_status when
     "ProxyStatus" is "On": add "busy" count and show byte counts in
     auto mode always in units of kilobytes.  [Rainer Jung]
  *) mod_status: Add cumulated response duration time in milliseconds.
  *) mod_status: Complete the data shown for async MPMs in "auto" mode.
     Added number of processes, number of stopping processes and number
     of busy and idle workers.  [Rainer Jung]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
     introduced in 2.4.34.  PR 62568.  [Yann Ylavic]

  *) mod_proxy: Remove load order and link dependency between mod_lbmethod_*
     modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe]

  *) Allow the argument to <IfFile>, <IfDefine>, <IfSection>, <IfDirective>,
Eric Covener's avatar
Eric Covener committed
     and <IfModule> to be quoted.  This is primarily for the benefit of
     <IfFile>. [Eric Covener]

  *) mod_watchdog: Correct some log messages.  [Rainer Jung]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_md: When the last domain name from an MD is moved to another one,
Eric Covener's avatar
Eric Covener committed
     that now empty MD gets moved to the store archive. PR 62572. 
     [Stefan Eissing]
Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: Fix merging of SSLOCSPOverrideResponder.  [Jeff Trawick,
     [Frank Meier <frank meier ergon.ch>]

  *) mod_proxy_balancer: Restore compatibility with APR 1.4.  [Joe Orton]

Daniel Ruggeri's avatar
Daniel Ruggeri committed
Changes with Apache 2.4.34
Jim Jagielski's avatar
Jim Jagielski committed
  *) SECURITY: CVE-2018-8011 (cve.mitre.org)
     mod_md: DoS via Coredumps on specially crafted requests

  *) SECURITY: CVE-2018-1333 (cve.mitre.org)
     mod_http2: DoS for HTTP/2 connections by specially crafted requests

William A. Rowe Jr's avatar
William A. Rowe Jr committed
  *) Introduce zh-cn and zh-tw (simplified and traditional Chinese) error
     document translations. [CodeingBoy, popcorner]

Loading full blame...