Newer
Older
*) http: Fix small memory leak per request when handling persistent
connections. [Ruediger Pluem, Joe Orton]
*) mod_proxy_html: Fix variable interpolation and memory allocation failure
in ProxyHTMLURLMap. [Ewald Dieterich <ewald mailbox.org>]
*) mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.
PR 62220. [Chritophe Jaillet, Yann Ylavic]
*) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
zero out what had been initialized as the connection-level port. PR59931.
[Hank Ibell <hwibell gmail.com>]
*) core: In ONE_PROCESS/debug mode, cleanup everything when exiting.
[Yann Ylavic]
*) mod_proxy_balancer: Add hot spare member type and corresponding flag (R).
Hot spare members are used as drop-in replacements for unusable workers
in the same load balancer set. This differs from hot standbys which are
only used when all workers in a set are unusable. PR 61140. [Jim Riggs]
Jim Jagielski
committed
*) suexec: Add --enable-suexec-capabilites support on Linux, to use
setuid/setgid capability bits rather than a setuid root binary.
[Joe Orton]
*) suexec: Add support for logging to syslog as an alternative to
logging to a file; use --without-suexec-logfile --with-suexec-syslog.
[Joe Orton]
*) mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling
which broke some rare but previously-working configs. [Joe Orton]
*) core, log: improve sanity checks for the ErrorLog's syslog config, and
explicitly allow only lowercase 'syslog' settings. PR 62102
[Luca Toscano, Jim Riggs, Christophe Jaillet]
*) mod_http2: accurate reporting of h2 data input/output per request via
mod_logio. Fixes an issue where output sizes where counted n-times on
reused slave connections. [Stefan Eissing]
*) mod_http2: Fix unnecessary timeout waits in case streams are aborted.
[Stefan Eissing]
*) mod_http2: restoring the v1.10.16 keepalive timeout behaviour of mod_http2.
[Stefan Eissing]
Yann Ylavic
committed
*) mod_proxy: Do not restrict the maximum pool size for backend connections
any longer by the maximum number of threads per process and use a better
default if mod_http2 is loaded.
[Yann Ylavic, Ruediger Pluem, Stefan Eissing, Gregg Smith]
*) core: Preserve the original HTTP request method in the '%<m' LogFormat
when an path-based ErrorDocument is used. PR 62186.
[Micha Lenk <micha lenk.info>]
*) mod_remoteip: make proxy-protocol work on slave connections, e.g. in
HTTP/2 requests. [Stefan Eissing]
See also https://github.com/roadrunner2/mod-proxy-protocol/issues/6
*) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
regression introduced in 2.4.30. PR 62232. [Rainer Jung, Yann Ylavic]
*) mod_md: Fix compilation with OpenSSL before version 1.0.2. [Rainer Jung]
*) mod_dumpio: do nothing below log level TRACE7. [Yann Ylavic]
*) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
[Eric Covener]
*) core: On ECBDIC platforms, some errors related to oversized headers
may be misreported or be logged as ASCII escapes. PR 62200
*) mod_ssl: Fix cmake-based build. PR 62266. [Rainer Jung]
*) core: Add <IfFile>, <IfDirective> and <IfSection> conditional
section containers. [Eric Covener, Joe Orton]
*) core: Fix request timeout logging and possible crash for error_log hooks.
[Yann Ylavic]
*) mod_slomem_shm: Fix failure to create balancers's slotmems in Windows MPM,
where children processes need to attach them instead since they are owned
by the parent process already. [Yann Ylavic]
*) ab: try all destination socket addresses returned by
apr_sockaddr_info_get instead of failing on first one when not available.
Needed for instance if localhost resolves to both ::1 and 127.0.0.1
e.g. if both are in /etc/hosts. [Jan Kaluza]
*) ab: Use only one connection to determine working destination socket
address. [Jan Kaluza]
*) ab: LibreSSL doesn't have or require Windows applink.c. [Gregg L. Smith]
*) htpasswd/htdigest: Disable support for bcrypt on EBCDIC platforms.
apr-util's bcrypt implementation doesn't tolerate EBCDIC. [Eric Covener]
*) htpasswd/htdbm: report the right limit when get_password() overflows.
[Yann Ylavic]
*) htpasswd: Don't fail in -v mode if password file is unwritable.
PR 61631. [Joe Orton]
*) htpasswd: don't point to (unused) stack memory on output
to make static analysers happy. PR 60634.
[Yann Ylavic, reported by shqking and Zhenwei Zou]
*) mod_access_compat: Fail if a comment is found in an Allow or Deny
directive. [Jan Kaluza]
*) mod_authz_host: Ignore comments after "Require host", logging a
warning, or logging an error if the line is otherwise empty.
[Jan Kaluza, Joe Orton]
*) rotatelogs: Fix expansion of %Z in localtime (-l) mode, and fix
Y2K38 bug. [Joe Orton]
*) mod_ssl: Support SSL DN raw variable extraction without conversion
to UTF-8, using _RAW suffix on variable names. [Joe Orton]
*) ab: Fix https:// connection failures (regression in 2.4.30); fix
crash generating CSV output for large -n. [Joe Orton, Jan Kaluza]
Changes with Apache 2.4.31 (not released)
*) mod_proxy_fcgi: Add the support for mod_proxy's flushpackets and flushwait
parameters. [Luca Toscano, Ruediger Pluem, Yann Ylavic]
*) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
improper merging of the cache lock in vhost config.
PR 43164 [Eric Covener]
Yann Ylavic
committed
*) mpm_event: Do lingering close in worker(s). [Yann Ylavic]
Yann Ylavic
committed
*) mpm_queue: Put fdqueue code in common for MPMs event and worker.
[Yann Ylavic]
Changes with Apache 2.4.30 (not released)
*) SECURITY: CVE-2017-15710 (cve.mitre.org)
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
[Eric Covener, Luca Toscano, Yann Ylavic]
*) SECURITY: CVE-2018-1283 (cve.mitre.org)
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
[Yann Ylavic]
*) SECURITY: CVE-2018-1303 (cve.mitre.org)
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data. [Ruediger Pluem]
*) SECURITY: CVE-2018-1301 (cve.mitre.org)
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
[Yann Ylavic]
*) SECURITY: CVE-2017-15715 (cve.mitre.org)
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'. [Yann Ylavic]
*) SECURITY: CVE-2018-1312 (cve.mitre.org)
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers. PR 54637
[Stefan Fritsch]
*) SECURITY: CVE-2018-1302 (cve.mitre.org)
mod_http2: Potential crash w/ mod_http2.
[Stefan Eissing]
*) mod_proxy: Worker schemes and hostnames which are too large are no
longer fatal errors; it is logged and the truncated values are stored.
[Jim Jagielski]
*) mod_proxy: Allow setting options to globally defined balancer from
ProxyPass used in VirtualHost. Balancers are now merged using the new
merge_balancers method which merges the balancers options. [Jan Kaluza]
*) logresolve: Fix incorrect behavior or segfault if -c flag is used
Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259
[Stefan Fritsch]
Yann Ylavic
committed
*) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
Add ability for PROXY protocol processing to be optional to donated code.
See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
[Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri]
*) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
Loading full blame...