*) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1. [Rainer Jung]
*) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
when client certificates are available from the original handshake
but were originally not verified and should get verified now.
This is a regression in 2.4.36 (unreleased). [Ruediger Pluem]
*) mod_ssl: Correctly merge configurations that have client certificates set
by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]
*) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
responses. Regression introduced in 2.4.35.
*) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
body of the response. [Jim Jagielski]
*) mod_http2: adding defensive code for stream EOS handling, in case the request handler
failed to signal it the normal way (eos buckets). Addresses github issues
https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing]
*) ab: Add client certificate support. [Graham Leggett]
*) ab: Disable printing temp key for OpenSSL before
version 1.0.2. SSL_get_server_tmp_key is not available
there. [Rainer Jung]
*) mod_ssl: Fix a regression that the configuration settings for verify mode
and verify depth were taken from the frontend connection in case of
connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
*) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
before signals handling to avoid lifetime issues on restart or shutdown.
PR 62658. [Yann Ylavic]
*) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3. TLSv1.3 has
behavioural changes compared to v1.2 and earlier; client and
configuration changes should be expected. SSLCipherSuite is
enhanced for TLSv1.3 ciphers, but applies at vhost level only.
[Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]
*) mod_auth_basic: Be less tolerant when parsing the credential. Only spaces
should be accepted after the authorization scheme. \t are also tolerated.
[Christophe Jaillet]
*) mod_proxy_hcheck: Fix issues with interval determination. PR 62318
[Jim Jagielski]
*) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
[Dominik Stillhard <dominik.stillhard united-security-providers.ch>]
*) mod_proxy_hcheck: take balancer's SSLProxy* directives into account.
[Jim Jagielski]
*) mod_status, mod_echo: Fix the display of client addresses.
They were truncated to 31 characters which is not enough for IPv6 addresses.
This is done by deprecating the use of the 'client' field and using
the new 'client64' field in worker_score.
PR 54848 [Bernhard Schmidt <berni birkenwald de>, Jim Jagielski]
Changes with Apache 2.4.35
*) http: Enforce consistently no response body with both 204 and 304
statuses. [Yann Ylavic]
*) mod_status: Cumulate CPU time of exited child processes in the
"cu" and "cs" values. Add CPU time of the parent process to the
"c" and "s" values.
[Rainer Jung]
*) mod_proxy: Improve the balancer member data shown in mod_status when
"ProxyStatus" is "On": add "busy" count and show byte counts in
auto mode always in units of kilobytes. [Rainer Jung]
*) mod_status: Add cumulated response duration time in milliseconds.
*) mod_status: Complete the data shown for async MPMs in "auto" mode.
Added number of processes, number of stopping processes and number
of busy and idle workers. [Rainer Jung]
*) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
introduced in 2.4.34. PR 62568. [Yann Ylavic]
*) mod_proxy: Remove load order and link dependency between mod_lbmethod_*
modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe]
*) Allow the argument to <IfFile>, <IfDefine>, <IfSection>, <IfDirective>,
and <IfModule> to be quoted. This is primarily for the benefit of
<IfFile>. [Eric Covener]
*) mod_watchdog: Correct some log messages. [Rainer Jung]
*) mod_md: When the last domain name from an MD is moved to another one,
that now empty MD gets moved to the store archive. PR 62572.
[Stefan Eissing]
*) mod_ssl: Fix merging of SSLOCSPOverrideResponder. [Jeff Trawick,
Frank Meier <frank meier ergon.ch>]
*) mod_proxy_balancer: Restore compatibility with APR 1.4. [Joe Orton]
*) SECURITY: CVE-2018-8011 (cve.mitre.org)
mod_md: DoS via Coredumps on specially crafted requests
*) SECURITY: CVE-2018-1333 (cve.mitre.org)
mod_http2: DoS for HTTP/2 connections by specially crafted requests
*) Introduce zh-cn and zh-tw (simplified and traditional Chinese) error
document translations. [CodeingBoy, popcorner]
*) event: avoid possible race conditions with modules on the child pool.
*) mod_proxy: Fix a corner case where the ProxyPassReverseCookieDomain or
ProxyPassReverseCookiePath directive could fail to update correctly
'domain=' or 'path=' in the 'Set-Cookie' header. PR 61560.
[Christophe Jaillet]
*) mod_ratelimit: fix behavior when proxying content. PR 62362.
[Luca Toscano, Yann Ylavic]
*) core: Re-allow '_' (underscore) in hostnames.
[Eric Covener]
*) mod_authz_core: If several parameters are used in an AuthzProviderAlias
directive, if these parameters are not enclosed in quotation marks, only
the first one is handled. The other ones are silently ignored.
Add a message to warn about such a spurious configuration.
PR 62469 [Hank Ibell <hwibell gmail.com>, Christophe Jaillet]
*) mod_md: improvements and bugfixes
- MDNotifyCmd now takes additional parameters that are passed on to the called command.
- ACME challenges have better checks for interference with other modules
- ACME challenges are only handled for domains managed by the module, allowing
other ACME clients to operate for other domains in the server.
*) mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'.
PR 62480. [Lubos Uhliarik <luhliari redhat.com>]
*) logging: Some early logging-related startup messages could be lost
when using syslog for the global ErrorLog. [Eric Covener]
*) mod_cache: Handle case of an invalid Expires header value RFC compliant
like the case of an Expires time in the past: allow to overwrite the
non-caching decision using CacheStoreExpired and respect Cache-Control
"max-age" and "s-maxage". [Rainer Jung]
*) mod_xml2enc: Fix forwarding of error metadata/responses. PR 62180.
[Micha Lenk <micha lenk.info>, Yann Ylavic]
*) mod_proxy_http: Fix response header thrown away after the previous one
was considered too large and truncated. PR 62196. [Yann Ylavic]
*) core: Add and handle AP_GETLINE_NOSPC_EOL flag for ap_getline() family
of functions to consume the end of line when the buffer is exhausted.
PR 62198. [Yann Ylavic]
*) mod_proxy_http: Add new worker parameter 'responsefieldsize' to
allow maximum HTTP response header size to be increased past 8192
*) mod_ssl: Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf
of a certificate chain. PR62112.
[Ricardo Martin Camarero <rickyepoderi yahoo.es>]
*) http: Fix small memory leak per request when handling persistent
connections. [Ruediger Pluem, Joe Orton]
*) mod_proxy_html: Fix variable interpolation and memory allocation failure
in ProxyHTMLURLMap. [Ewald Dieterich <ewald mailbox.org>]
*) mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.
PR 62220. [Christophe Jaillet, Yann Ylavic]
*) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
zero out what had been initialized as the connection-level port. PR59931.
[Hank Ibell <hwibell gmail.com>]
*) core: In ONE_PROCESS/debug mode, cleanup everything when exiting.
[Yann Ylavic]
*) mod_proxy_balancer: Add hot spare member type and corresponding flag (R).
Hot spare members are used as drop-in replacements for unusable workers
in the same load balancer set. This differs from hot standbys which are
only used when all workers in a set are unusable. PR 61140. [Jim Riggs]
*) suexec: Add --enable-suexec-capabilities support on Linux, to use
setuid/setgid capability bits rather than a setuid root binary.
[Joe Orton]
*) suexec: Add support for logging to syslog as an alternative to