Skip to content
CHANGES 226 KiB
Newer Older
Jeff Trawick's avatar
Jeff Trawick committed
                                                         -*- coding: utf-8 -*-
Ruediger Pluem's avatar
Ruediger Pluem committed

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.26

Joe Orton's avatar
Joe Orton committed
  *) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
     than zero.  [Eric Covener]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: moving session cleanup to pre_close hook to avoid races with
     modules already shut down and slave connections still operating.
     [Stefan Eissing]

  *) mod_http2: stream timeouts now change to vhost values once the request
     is parsed and processing starts. Initial values are taken from base
     server or SNI host as before. [Stefan Eissing]
     
  *) mod_proxy_http2: fixed retry behaviour when frontend connection uses 
     http/1.1. [Stefan Eissing]
     
  *) mod_http2: separate mutex instances for each bucket beam, resulting in 
     less lock contention. input beams only created when necessary.
     [Stefan Eissing]
     
  *) mod_lua: Support for Lua 5.3

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
  
  *) mod_http2: fix for crash when running out of memory.
     [Robert Swiecki <robert@swiecki.net>, Stefan Eissing]
     
  *) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
     [Luca Toscano]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: not counting file buckets again stream max buffer limits. 
     Effectively transfering static files in one step from slave to master 
     connection. [Stefan Eissing]
    
  *) mod_http2: comforting ap_check_pipeline() on slave connections
     to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
     [Stefan Eissing, reported by Armin Abfalterer]
     
  *) mod_http2: http/2 streams now with state handling/transitions as defined
     in RFC7540. Stream cleanup/connection shutdown reworked to become easier
     to understand/maintain/debug. Added many asserts on state and cleanup 
     transitions. [Stefan Eissing]
     
Joe Orton's avatar
Joe Orton committed
  *) mod_auth_digest: Use an anonymous shared memory segment by default,
     preventing startup failure after unclean shutdown.  PR 54622.
     [Jan Kaluza]

Joe Orton's avatar
Joe Orton committed
  *) mod_filter: Fix AddOutputFilterByType with non-content-level filters.
     PR 58856. [Micha Lenk <micha lenk.info>]
 
  *) mod_watchdog: Fix semaphore leak over restarts.  [Jim Jagielski]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: regression fix on PR 59348, on graceful restart, ongoing 
     streams are finished normally before the final GOAWAY is sent. 
     [Stefan Eissing, <slavko gmail.com>]

  *) mod_proxy: Allow the per-request environment variable "no-proxy" to
     be used as an alternative to ProxyPass /path !. This is primarily
     to set exceptions for ProxyPass specified in <Location> context.
     Use SetEnvIf, not SetEnv. PR 60458.
Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: fixes PR60599, sending proper response for conditional requests
     answered by mod_cache. [Jeff Wheelhouse, Stefan Eissing]
     
  *) mod_http2: rework of stream resource cleanup to avoid a crash in a close
     of a lingering connection. Prohibit special file bucket beaming for
     shared buckets. Files sent in stream output now use the stream pool
     as read buffer, reducing memory footprint of connections.
     [Yann Ylavic, Stefan Eissing]
     
  *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
     modules add empty environment variables to the request. PR60275.
     [<alex2grad AT gmail.com>]
  *) mod_http2: fix for possible page fault when stream is resumed during 
     session shutdown. [sidney-j-r-m (github)]
     
  *) mod_http2: fix for h2 session ignoring new responses while already
     open streams continue to have data available. [Stefan Eissing]
     
  *) mod_http2: adding support for MergeTrailers directive. [Stefan Eissing]
  
  *) mod_http2: limiting DATA frame sizes by TLS record sizes in use on the 
     connection. Flushing outgoing frames earlier. [Stefan Eissing]

  *) mod_http2: cleanup beamer registry on server reload, Fixes PR60510.
     [Pavel Mateja <pavel@verotel.cz>, Stefan Eissing]
     
  *) mod_proxy_{ajp,fcgi}: Fix a possible crash when reusing an established
     backend connection, happening with LogLevel trace2 or higher configured,
     or at any log level with compilers not detected as C99 compliant (e.g.
     MSVC on Windows).  [Yann Ylavic]

  *) mod_ext_filter: Don't interfere with "error buckets" issued by other
     modules. PR60375.  [Eric Covener, Lubos Uhliarik]

Stefan Eissing's avatar
Stefan Eissing committed
  *) mod_http2: fixes https://github.com/icing/mod_h2/issues/126 e.g. beam
     bucket lifetime handling when data is sent over temporary pools.
     [Stefan Eissing] 
  
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.25

Jim Jagielski's avatar
 
Jim Jagielski committed
  *) Fix some build issues related to various modules.
     [Rainer Jung]

Changes with Apache 2.4.24 (not released)
Eric Covener's avatar
Eric Covener committed
  *) SECURITY: CVE-2016-8740 (cve.mitre.org)
     mod_http2: Mitigate DoS memory exhaustion via endless
     CONTINUATION frames.
Jim Jagielski's avatar
Jim Jagielski committed
     [Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State
     University, Stefan Eissing]

  *) SECURITY: CVE-2016-2161 (cve.mitre.org)
     mod_auth_digest: Prevent segfaults during client entry allocation when
     the shared memory space is exhausted.
     [Maksim Malyutin <m.malyutin dsec.ru>, Eric Covener, Jacob Champion]
  *) SECURITY: CVE-2016-0736 (cve.mitre.org)
     mod_session_crypto: Authenticate the session data/cookie with a
     MAC (SipHash) to prevent deciphering or tampering with a padding
     oracle attack.  [Yann Ylavic, Colm MacCarthaigh]

William A. Rowe Jr's avatar
William A. Rowe Jr committed
  *) SECURITY: CVE-2016-8743 (cve.mitre.org)
     Enforce HTTP request grammar corresponding to RFC7230 for request lines
     and request headers, to prevent response splitting and cache pollution by
     malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]

  *) Validate HTTP response header grammar defined by RFC7230, resulting
     in a 500 error in the event that invalid response header contents are
     detected when serving the response, to avoid response splitting and cache
     pollution by malicious clients, upstream servers or faulty modules.
     [Stefan Fritsch, Eric Covener, Yann Ylavic]

  *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]

Eric Covener's avatar
Eric Covener committed
  *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
     looping RewriteRules when the local path significantly exceeds 
     LimitRequestLine.  PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]

  *) mod_ratelimit: Allow for initial "burst" amount at full speed before
     throttling: PR 60145 [Andy Valencia <ajv-etradanalhos vsta.org>,
     Jim Jagielski]

  *) mod_socache_memcache: Provide memcache stats to mod_status.
     [Jim Jagielski]

  *) http_filters: Fix potential looping in new check_headers() due to new
     pattern of ap_die() from http header filter. Explicitly clear the
     previous headers and body.

  *) core: Drop Content-Length header and message-body from HTTP 204 responses.
     PR 51350 [Luca Toscano]

  *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is
     configured in <Location>, like in 2.2. PR 60458.
     [Eric Covener]

  *) mod_lua: Fix default value of LuaInherit directive. It should be 
     'parent-first' instead of 'none', as per documentation.  PR 60419
     [Christophe Jaillet]

Jim Jagielski's avatar
Jim Jagielski committed
  *) core: New directive HttpProtocolOptions to control httpd enforcement
     of various RFC7230 requirements. [Stefan Fritsch, William Rowe]

  *) core: Permit unencoded ';' characters to appear in proxy requests and
     Location: response headers. Corresponds to modern browser behavior.
     [William Rowe]

  *) core: ap_rgetline_core now pulls from r->proto_input_filters.

  *) core: Correctly parse an IPv6 literal host specification in an absolute
     URL in the request line. [Stefan Fritsch]

  *) core: New directive RegisterHttpMethod for registering non-standard
     HTTP methods. [Stefan Fritsch]
  *) mod_socache_memcache: Pass expiration time through to memcached.
     [Faidon Liambotis <paravoid debian.org>, Joe Orton]

  *) mod_cache: Use the actual URI path and query-string for identifying the
     cached entity (key), such that rewrites are taken into account when
     running afterwards (CacheQuickHandler off).  PR 21935.  [Yann Ylavic]

  *) mod_http2: new directive 'H2EarlyHints' to enable sending of HTTP status
     103 interim responses. Disabled by default. [Stefan Eissing]
     
  *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
     in the client certificate chain.  PR 55786.  [Yann Ylavic]

  *) event: Allow to use the whole allocated scoreboard (up to ServerLimit
     slots) to avoid scoreboard full errors when some processes are finishing
     gracefully. Also, make gracefully finishing processes close all
     keep-alive connections. PR 53555. [Stefan Fritsch]

  *) mpm_event: Don't take over scoreboard slots from gracefully finishing
     threads. [Stefan Fritsch]
Loading full blame...