Skip to content
CHANGES 249 KiB
Newer Older
Jeff Trawick's avatar
Jeff Trawick committed
                                                         -*- coding: utf-8 -*-
Daniel Ruggeri's avatar
Daniel Ruggeri committed
Changes with Apache 2.4.34

  *) mod_proxy_balancer: Add hot spare member type and corresponding flag (R).
     Hot spare members are used as drop-in replacements for unusable workers
     in the same load balancer set. This differs from hot standbys which are
     only used when all workers in a set are unusable. PR 61140. [Jim Riggs]

  *) suexec: Add --enable-suexec-capabilites support on Linux, to use
     setuid/setgid capability bits rather than a setuid root binary.
     [Joe Orton]

  *) suexec: Add support for logging to syslog as an alternative to
     logging to a file; use --without-suexec-logfile --with-suexec-syslog.
     [Joe Orton]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling
     which broke some rare but previously-working configs.  [Joe Orton]

  *) core, log: improve sanity checks for the ErrorLog's syslog config, and
Christophe Jaillet's avatar
Christophe Jaillet committed
     explicitly allow only lowercase 'syslog' settings. PR 62102
     [Luca Toscano, Jim Riggs, Christophe Jaillet]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_http2: accurate reporting of h2 data input/output per request via
     mod_logio. Fixes an issue where output sizes where counted n-times on
     reused slave connections.  [Stefan Eissing]
Yann Ylavic's avatar
Yann Ylavic committed
     See github issue: https://github.com/icing/mod_h2/issues/158
Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_http2: Fix unnecessary timeout waits in case streams are aborted.
     [Stefan Eissing]

  *) mod_http2: restoring the v1.10.16 keepalive timeout behaviour of mod_http2.
     [Stefan Eissing]

  *) mod_proxy: Do not restrict the maximum pool size for backend connections
     any longer by the maximum number of threads per process and use a better
     default if mod_http2 is loaded.
     [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Gregg Smith]

  *) core: Preserve the original HTTP request method in the '%<m' LogFormat
     when an path-based ErrorDocument is used.  PR 62186. 
     [Micha Lenk <micha lenk.info>]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_remoteip: make proxy-protocol work on slave connections, e.g. in
     HTTP/2 requests.  [Stefan Eissing]
     See also https://github.com/roadrunner2/mod-proxy-protocol/issues/6
  *) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
     regression introduced in 2.4.30. PR 62232. [Rainer Jung, Yann Ylavic]

  *) mod_md: Fix compilation with OpenSSL before version 1.0.2.  [Rainer Jung]

  *) mod_dumpio: do nothing below log level TRACE7.  [Yann Ylavic]

  *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
     [Eric Covener]

  *) core: On ECBDIC platforms, some errors related to oversized headers
Jim Jagielski's avatar
Jim Jagielski committed
     may be misreported or be logged as ASCII escapes.  PR 62200
Yann Ylavic's avatar
Yann Ylavic committed
     [Hank Ibell <hwibell gmail.com>]
Rainer Jung's avatar
Rainer Jung committed
  *) mod_ssl: Fix cmake-based build.  PR 62266.  [Rainer Jung]
  *) core: Add <IfFile>, <IfDirective> and <IfSection> conditional
     section containers.  [Eric Covener, Joe Orton]

Daniel Ruggeri's avatar
Daniel Ruggeri committed
Changes with Apache 2.4.33

  *) core: Fix request timeout logging and possible crash for error_log hooks.
     [Yann Ylavic]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_slomem_shm: Fix failure to create balancers's slotmems in Windows MPM,
     where children processes need to attach them instead since they are owned
     by the parent process already.  [Yann Ylavic]

  *) ab: try all destination socket addresses returned by
     apr_sockaddr_info_get instead of failing on first one when not available.
     Needed for instance if localhost resolves to both ::1 and 127.0.0.1
     e.g. if both are in /etc/hosts.  [Jan Kaluza]

  *) ab: Use only one connection to determine working destination socket
     address.  [Jan Kaluza]

Rainer Jung's avatar
Rainer Jung committed
  *) ab: LibreSSL doesn't have or require Windows applink.c.  [Gregg L. Smith]

  *) htpasswd/htdigest: Disable support for bcrypt on EBCDIC platforms. 
     apr-util's bcrypt implementation doesn't tolerate EBCDIC.  [Eric Covener]

Rainer Jung's avatar
Rainer Jung committed
  *) htpasswd/htdbm: report the right limit when get_password() overflows.
     [Yann Ylavic]

Rainer Jung's avatar
Rainer Jung committed
  *) htpasswd: Don't fail in -v mode if password file is unwritable.
     PR 61631.  [Joe Orton]

Rainer Jung's avatar
Rainer Jung committed
  *) htpasswd: don't point to (unused) stack memory on output
     to make static analysers happy.  PR 60634.
     [Yann Ylavic, reported by shqking and Zhenwei Zou]

Daniel Ruggeri's avatar
Daniel Ruggeri committed
Changes with Apache 2.4.32

  *) mod_access_compat: Fail if a comment is found in an Allow or Deny
     directive.  [Jan Kaluza]

  *) mod_authz_host: Ignore comments after "Require host", logging a
     warning, or logging an error if the line is otherwise empty.
     [Jan Kaluza, Joe Orton]

  *) rotatelogs: Fix expansion of %Z in localtime (-l) mode, and fix
     Y2K38 bug.  [Joe Orton]

Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: Support SSL DN raw variable extraction without conversion
     to UTF-8, using _RAW suffix on variable names.  [Joe Orton]

Joe Orton's avatar
Joe Orton committed
  *) ab: Fix https:// connection failures (regression in 2.4.30); fix
     crash generating CSV output for large -n.  [Joe Orton, Jan Kaluza]
Changes with Apache 2.4.31 (not released)
  *) mod_proxy_fcgi: Add the support for mod_proxy's flushpackets and flushwait
     parameters. [Luca Toscano, Ruediger Pluem, Yann Ylavic]

Yann Ylavic's avatar
Yann Ylavic committed
  *) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
     improper merging of the cache lock in vhost config.
     PR 43164 [Eric Covener]

  *) mpm_event: Do lingering close in worker(s).  [Yann Ylavic]

  *) mpm_queue: Put fdqueue code in common for MPMs event and worker.
     [Yann Ylavic]

Changes with Apache 2.4.30 (not released)
  *) SECURITY: CVE-2017-15710 (cve.mitre.org)
     Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
     [Eric Covener, Luca Toscano, Yann Ylavic]
  *) SECURITY: CVE-2018-1283 (cve.mitre.org)
     mod_session: CGI-like applications that intend to read from mod_session's 
     'SessionEnv ON' could be fooled into reading user-supplied data instead.
  *) SECURITY: CVE-2018-1303 (cve.mitre.org)
     mod_cache_socache: Fix request headers parsing to avoid a possible crash
     with specially crafted input data.  [Ruediger Pluem]

  *) SECURITY: CVE-2018-1301 (cve.mitre.org)
     core: Possible crash with excessively long HTTP request headers. 
     Impractical to exploit with a production build and production LogLevel.
     [Yann Ylavic]
  *) SECURITY: CVE-2017-15715 (cve.mitre.org)
     core: Configure the regular expression engine to match '$' to the end of
     the input string only, excluding matching the end of any embedded 
     newline characters. Behavior can be changed with new directive 
     'RegexDefaultOptions'. [Yann Ylavic]
     
  *) SECURITY: CVE-2018-1312 (cve.mitre.org)
     mod_auth_digest: Fix generation of nonce values to prevent replay
     attacks across servers using a common Digest domain. This change
     may cause problems if used with round robin load balancers. PR 54637
     [Stefan Fritsch]

Eric Covener's avatar
Eric Covener committed
  *) SECURITY: CVE-2018-1302 (cve.mitre.org)
     mod_http2: Potential crash w/ mod_http2.
     [Stefan Eissing]

  *) mod_proxy: Worker schemes and hostnames which are too large are no
     longer fatal errors; it is logged and the truncated values are stored.
     [Jim Jagielski]

  *) mod_proxy: Allow setting options to globally defined balancer from
     ProxyPass used in VirtualHost. Balancers are now merged using the new
     merge_balancers method which merges the balancers options.  [Jan Kaluza]

Christophe Jaillet's avatar
Christophe Jaillet committed
  *) logresolve: Fix incorrect behavior or segfault if -c flag is used
     Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259
     [Stefan Fritsch]

  *) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
     Add ability for PROXY protocol processing to be optional to donated code.
     See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
     [Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri]

  *) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
     allowing per backend TLS configuration.  [Yann Ylavic]

  *) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module. [Roberto De Ioris,
     Jim Jagielski]

  *) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
     depend on the number of restarts (non-Unix systems) and preserve shared
     names as much as possible on configuration changes for SHMs and persisted
     files.  PR 62044.  [Yann Ylavic, Jim Jagielski]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: obsolete code removed, no more events on beam pool destruction,
     discourage content encoders on http2-status response (where they do not work).
     [Stefan Eissing]

  *) mpm_event: Let the listener thread do its maintenance job on resources
     shortage.  PR 61979.  [Yann Ylavic]
Loading full blame...