Newer
Older
*) core: Disallow multiple Listen on the same IP:port when listener buckets
are configured (ListenCoresBucketsRatio > 0), consistently with the single
bucket case (default), thus avoiding the leak of the corresponding socket
descriptors on graceful restart. [Yann Ylavic]
*) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
computing and using the same entity key according to when the cache
checks, loads and saves the request.
PR 60577. [Yann Ylavic]
*) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
in use (ProxyHCTPsize > 0). PR 60071. [Yann Ylavic, Jim Jagielski]
*) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
URI originally requsted by the user, not the nested documents URI. This
restores the behavior of this variable to match the "legacy" SSI parser.
PR60624. [Hank Ibell <hwibell gmail.com>]
Jim Jagielski
committed
*) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
variables just before invoking the FastCGI. [Eric Covener,
Jacob Champion]
*) mod_proxy: Allow the per-request environment variable "no-proxy" to
be used as an alternative to ProxyPass /path !. This is primarily
to set exceptions for ProxyPass specified in <Location> context.
Use SetEnvIf, not SetEnv. [Eric Covener]
*) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
default. Add ProxyFCGIBackendType to allow the type of backend to be
specified so these kinds of fixups can be restored without impacting
FPM. PR60576 [Eric Covener, Jim Jagielski]
*) mod_ssl: work around leaks on (graceful) restart. [Yann Ylavic]
*) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
*) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
than zero. [Eric Covener]
*) mod_http2: moving session cleanup to pre_close hook to avoid races with
modules already shut down and slave connections still operating.
[Stefan Eissing]
*) mod_http2: stream timeouts now change to vhost values once the request
is parsed and processing starts. Initial values are taken from base
server or SNI host as before. [Stefan Eissing]
*) mod_proxy_http2: fixed retry behaviour when frontend connection uses
http/1.1. [Stefan Eissing]
*) mod_http2: separate mutex instances for each bucket beam, resulting in
less lock contention. input beams only created when necessary.
[Stefan Eissing]
*) mod_lua: Support for Lua 5.3
*) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
*) mod_http2: fix for crash when running out of memory.
*) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
[Luca Toscano]
*) mod_http2: not counting file buckets again stream max buffer limits.
Effectively transfering static files in one step from slave to master
connection. [Stefan Eissing]
*) mod_http2: comforting ap_check_pipeline() on slave connections
to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
[Stefan Eissing, reported by Armin Abfalterer]
*) mod_http2: http/2 streams now with state handling/transitions as defined
in RFC7540. Stream cleanup/connection shutdown reworked to become easier
to understand/maintain/debug. Added many asserts on state and cleanup
transitions. [Stefan Eissing]
*) mod_auth_digest: Use an anonymous shared memory segment by default,
preventing startup failure after unclean shutdown. PR 54622.
[Jan Kaluza]
*) mod_filter: Fix AddOutputFilterByType with non-content-level filters.
PR 58856. [Micha Lenk <micha lenk.info>]
*) mod_watchdog: Fix semaphore leak over restarts. [Jim Jagielski]
*) mod_http2: regression fix on PR 59348, on graceful restart, ongoing
streams are finished normally before the final GOAWAY is sent.
[Stefan Eissing, <slavko gmail.com>]
*) mod_proxy: Allow the per-request environment variable "no-proxy" to
be used as an alternative to ProxyPass /path !. This is primarily
to set exceptions for ProxyPass specified in <Location> context.
*) mod_http2: fixes PR60599, sending proper response for conditional requests
answered by mod_cache. [Jeff Wheelhouse, Stefan Eissing]
Stefan Eissing
committed
*) mod_http2: rework of stream resource cleanup to avoid a crash in a close
of a lingering connection. Prohibit special file bucket beaming for
shared buckets. Files sent in stream output now use the stream pool
as read buffer, reducing memory footprint of connections.
[Yann Ylavic, Stefan Eissing]
*) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
modules add empty environment variables to the request. PR 60275.
[<alex2grad AT gmail.com>]
*) mod_http2: fix for possible page fault when stream is resumed during
session shutdown. [sidney-j-r-m (github)]
*) mod_http2: fix for h2 session ignoring new responses while already
open streams continue to have data available. [Stefan Eissing]
*) mod_http2: adding support for MergeTrailers directive. [Stefan Eissing]
*) mod_http2: limiting DATA frame sizes by TLS record sizes in use on the
connection. Flushing outgoing frames earlier. [Stefan Eissing]
*) mod_http2: cleanup beamer registry on server reload. PR 60510.
[Pavel Mateja <pavel verotel.cz>, Stefan Eissing]
*) mod_proxy_{ajp,fcgi}: Fix a possible crash when reusing an established
backend connection, happening with LogLevel trace2 or higher configured,
or at any log level with compilers not detected as C99 compliant (e.g.
MSVC on Windows). [Yann Ylavic]
*) mod_ext_filter: Don't interfere with "error buckets" issued by other
*) mod_http2: fixes https://github.com/icing/mod_h2/issues/126 e.g. beam
bucket lifetime handling when data is sent over temporary pools.
[Stefan Eissing]
*) Fix some build issues related to various modules.
[Rainer Jung]
Changes with Apache 2.4.24 (not released)
*) SECURITY: CVE-2016-8740 (cve.mitre.org)
mod_http2: Mitigate DoS memory exhaustion via endless
[Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State
University, Stefan Eissing]
Jim Jagielski
committed
mod_auth_digest: Prevent segfaults during client entry allocation when
the shared memory space is exhausted.
[Maksim Malyutin <m.malyutin dsec.ru>, Eric Covener, Jacob Champion]
*) SECURITY: CVE-2016-0736 (cve.mitre.org)
mod_session_crypto: Authenticate the session data/cookie with a
MAC (SipHash) to prevent deciphering or tampering with a padding
oracle attack. [Yann Ylavic, Colm MacCarthaigh]
*) SECURITY: CVE-2016-8743 (cve.mitre.org)
Enforce HTTP request grammar corresponding to RFC7230 for request lines
and request headers, to prevent response splitting and cache pollution by
malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
*) Validate HTTP response header grammar defined by RFC7230, resulting
in a 500 error in the event that invalid response header contents are
detected when serving the response, to avoid response splitting and cache
pollution by malicious clients, upstream servers or faulty modules.
[Stefan Fritsch, Eric Covener, Yann Ylavic]
William A. Rowe Jr
committed
*) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
[Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
*) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
looping RewriteRules when the local path significantly exceeds
LimitRequestLine. PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]
*) mod_ratelimit: Allow for initial "burst" amount at full speed before
throttling: PR 60145 [Andy Valencia <ajv-etradanalhos vsta.org>,
Jim Jagielski]
*) mod_socache_memcache: Provide memcache stats to mod_status.
[Jim Jagielski]
Jim Jagielski
committed
*) http_filters: Fix potential looping in new check_headers() due to new
pattern of ap_die() from http header filter. Explicitly clear the
previous headers and body.
*) core: Drop Content-Length header and message-body from HTTP 204 responses.
PR 51350 [Luca Toscano]
*) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is
configured in <Location>, like in 2.2. PR 60458.
[Eric Covener]
*) mod_lua: Fix default value of LuaInherit directive. It should be
'parent-first' instead of 'none', as per documentation. PR 60419
Loading full blame...