1 APACHE 2.4 STATUS: -*- mode: text; coding: utf-8 -*-
2 Last modified at [$Date$]
4 The current version of this file can be found at:
6 * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/STATUS
8 Documentation status is maintained separately and can be found at:
10 * docs/STATUS in this source tree, or
11 * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/docs/STATUS
13 The current development branch of this software can be found at:
15 * http://svn.apache.org/repos/asf/httpd/httpd/trunk
17 Consult the following STATUS files for information on related projects:
19 * http://svn.apache.org/repos/asf/apr/apr/trunk/STATUS
20 * http://svn.apache.org/repos/asf/apr/apr/branches/1.4.x/STATUS
21 * http://svn.apache.org/repos/asf/apr/apr-util/branches/1.4.x/STATUS
22 * http://svn.apache.org/repos/asf/apr/apr/branches/1.5.x/STATUS
23 * http://svn.apache.org/repos/asf/apr/apr-util/branches/1.5.x/STATUS
25 Patches considered for backport are noted in their branches' STATUS:
27 * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x/STATUS
28 * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/STATUS
29 * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/STATUS
34 [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases,
35 while x.{even}.z versions are Stable/GA releases.]
37 2.4.24 : In development.
38 2.4.23 : Tagged on June 30, 2016. Released on July 05, 2016.
39 2.4.22 : Tagged on June 20, 2016, not released.
40 2.4.21 : Tagged on June 16, 2016, not released.
41 2.4.20 : Tagged on April 4, 2016. Released on April 11, 2016.
42 2.4.19 : Tagged on March 21, 2016, not released.
43 2.4.18 : Tagged on December 8, 2015. Released on December 14, 2015.
44 2.4.17 : Tagged on October 9, 2015. Released October 13, 2015.
45 2.4.16 : Tagged on July 9, 2015. Released July 15, 2015
46 2.4.15 : Tagged on June 19, 2015. Not released.
47 2.4.14 : Tagged on June 11, 2015. Not released.
48 2.4.13 : Tagged on June 4, 2015. Not released.
49 2.4.12 : Tagged on January 22, 2015. Released Jan 29, 2015
50 2.4.11 : Tagged on January 15, 2015. Not released.
51 2.4.10 : Tagged on July 15, 2014. Released July 21, 2014
52 2.4.9 : Tagged on March 13, 2014. Released on March 17, 2014
53 2.4.8 : Tagged on March 11, 2014. Not released.
54 2.4.7 : Tagged on November 19, 2013. Released on Nov 25, 2013
55 2.4.6 : Tagged on July 15, 2013. Released July, 22, 2013
56 2.4.5 : Tagged on July 11, 2013, not released.
57 2.4.4 : Tagged on February 18, 2013. Released Feb 25, 2013
58 2.4.3 : Tagged on August 17, 2012. Released Aug 18, 2012
59 2.4.2 : Tagged on April 5, 2012. Released Apr 17, 2012.
60 2.4.1 : Tagged on February 13, 2012. Released Feb 21, 2012.
61 2.4.0 : Tagged on January 16, 2012, not released.
62 2.3.16 : Tagged on December 15, 2011.
63 2.3.15 : Tagged on November 8, 2011. Released Nov. 15, 2011.
64 2.3.14 : Tagged on August 1, 2011. Released Aug. 9, 2011.
65 2.3.13 : Tagged on June 28, 2011, not released.
66 2.3.12 : Tagged on May 11, 2011. Released May 23, 2011.
67 2.3.11 : Released as Beta on March 7, 2011.
68 2.3.10 : Tagged on December 13, 2010. Released Dec 21, 2010.
69 2.3.9 : Tagged on November 23, 2010, not released.
70 2.3.8 : Tagged on August 24, 2010.
71 2.3.7 : Tagged on August 19, 2010, not released.
72 2.3.6 : Released on June 21, 2010.
73 2.3.5 : Released on January 26, 2010.
74 2.3.4 : Released on December 8, 2009.
75 2.3.3 : Tagged on November 11, 2009, not released.
76 2.3.2 : Tagged on March 23, 2009, not released.
77 2.3.1 : Tagged on January 2, 2009, not released.
78 2.3.0 : Tagged on December 6, 2008, not released.
80 Contributors looking for a mission:
82 * Just do an egrep on "TODO" or "XXX" in the source.
84 * Review the bug database at: http://issues.apache.org/bugzilla/
86 * Review the "PatchAvailable" bugs in the bug database:
88 https://issues.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&product=Apache+httpd-2&keywords=PatchAvailable
90 After testing, you can append a comment saying "Reviewed and tested".
92 * Open bugs in the bug database.
94 * See also the STATUS file in the docs/ directory, which lists documentation-specific TODO items.
97 CURRENT RELEASE NOTES:
99 * Forward binary compatibility is expected of Apache 2.4.x releases, such
100 that no MMN major number changes will occur after 2.4.1. Such changes can
101 only be made in the trunk.
103 * All commits to branches/2.4.x must be reflected in SVN trunk,
104 as well, if they apply. Logical progression is commit to trunk
105 then merge into branches/2.4.x, as applicable.
107 * Current exceptions for RTC for this branch:
112 . non-Unix, single-platform code
114 RELEASE SHOWSTOPPERS:
117 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
118 [ start all new proposals below, under PATCHES PROPOSED. ]
120 * mod_cgid: Wrong CGI process killed when a small CGI response is followed
121 by another CGI request, because of min bytes to write in core output filter
122 delaying the pool cleanup. Likely fixes PR57771 too.
123 trunk patch: http://svn.apache.org/r1758083
124 2.4.x: trunk works modulo CHANGES
125 +1 covener, jim, icing
128 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
129 [ New proposals should be added at the end of the list ]
131 *) mod_ssl: Return 502 instead of 500 when SSL peer check or
132 proxy_post_handshake hook fails.
133 Trunk patch: r1645529 (works)
134 2.4.x patch which adds CHANGES: https://emptyhammock.com/media/downloads/r1645529-to-2.4.x.txt
136 ylavic: there may be missing bits, see thread for commit r1736510.
138 *) core: Drop an invalid Last-Modified header value coming
139 from a (F)CGI script instead of replacing it with Unix epoch.
140 Warn the users about Last-Modified header value replacements
141 and violations of the RFC.
142 trunk patch: http://svn.apache.org/r1748379
143 http://svn.apache.org/r1750747
144 http://svn.apache.org/r1750749
145 http://svn.apache.org/r1750953
146 http://svn.apache.org/r1751138
147 http://svn.apache.org/r1751139
148 http://svn.apache.org/r1751147
149 http://svn.apache.org/r1757818
150 2.4.x: trunk patches works (final view http://apaste.info/FCs)
151 The last revision has been discussed extensively in dev@ and this seems to be
152 a good compromise for the moment.
153 Tested the code with a simple PHP script returning different Last-Modified
154 headers (GMT now, GMT now Europe/Paris, GMT tomorrow, GMT yesterday, PST now).
157 *) CMake: fix various issues for Windows/Visual Studio build environments.
159 trunk patch: http://svn.apache.org/r1752331
160 http://svn.apache.org/r1752332
161 http://svn.apache.org/r1752333
162 +1: jchampion, jim (by inspection)
164 *) autoconf: minor cleanup and removal of some dead code.
165 trunk patch: http://svn.apache.org/r1753315
166 http://svn.apache.org/r1753316
167 2.4.x patch: http://home.apache.org/~jchampion/patches/2.4.x-autoconf-cleanup.patch
168 (combines both patches and corrects for differences in the
169 AC_CONFIG_FILES list)
171 ylavic: some conflicts with r1753315 in 2.4.x's configure.in.
172 jchampion: added a 2.4.x backport patch.
174 *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
175 in the client certificate chain. PR 55786.
176 trunk patch: http://svn.apache.org/r1756542
177 2.4.x patch: trunk works (modulo CHANGES)
180 *) mod_cache: Use the actual URI path and query-string for identifying the
181 cached entity (key), such that rewrites are taken into account when
182 running afterwards (CacheQuickHandler off). PR 21935.
183 trunk patch: http://svn.apache.org/r1756553
184 http://svn.apache.org/r1756631
185 2.4.x patch: trunk works (modulo CHANGES)
188 *) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data
189 available before the request is sent. PR 57832.
190 This also backports deprecation of ap_proxy_ssl_connection_cleanup() and
191 newly introduced proxy_conn->tmp_bb's usage in proxy code (both almost
192 related and immediate/simple follow ups, merge simplified by doing so).
193 trunk patch: http://svn.apache.org/r1750392
194 http://svn.apache.org/r1750412
195 http://svn.apache.org/r1750416
196 http://svn.apache.org/r1750474
197 http://svn.apache.org/r1750494
198 http://svn.apache.org/r1750508
199 2.4.x patch: trunk works (modulo CHANGES/MMN), or:
200 http://home.apache.org/~ylavic/patches/httpd-2.4.x-r1750392.patch
203 * mpm_winnt: disable the 'data' accept filter entirely to prevent denial of
205 trunk patch: http://svn.apache.org/r1758307
206 http://svn.apache.org/r1758308
207 http://svn.apache.org/r1758309
208 http://svn.apache.org/r1758311
209 2.4.x patch: trunk works (modulo CHANGES and APLOGNO's next-number)
212 * mpm_winnt: always zero out OVERLAPPED structs when recycling them.
213 trunk patch: http://svn.apache.org/r1758310
214 2.4.x patch: trunk works
217 * mod_status: Delay some memory allocation
218 Fix <p> tag closing syntax
219 trunk patch: http://svn.apache.org/r1757010
220 http://svn.apache.org/r1757011
221 2.4.x patch: trunk works
222 +1: jailletc36, jchampion
223 jchampion: nitpick: r1757010 introduces trailing whitespace
225 * mod_proxy_connect: Delay some memory allocation
226 Fix some style (space only)
227 trunk patch: http://svn.apache.org/r1756852
228 http://svn.apache.org/r1756853
229 2.4.x patch: trunk works
230 +1: jailletc36, jchampion
232 * mod_authn_dbd: Remove an unused structure
233 trunk patch: http://svn.apache.org/r1756846
234 2.4.x patch: trunk works
235 +1: jailletc36, jchampion
237 PATCHES/ISSUES THAT ARE BEING WORKED
239 *) http: Don't remove the Content-Length of zero from a HEAD response if
240 it comes from an origin server, module or script. Allow the previous
241 behaviour (for legacy/buggy modules only, not origin) by also backporting
242 the HttpContentLengthHeadZero directive (and also HttpExpectStrict which
243 comes for free with the same commit).
244 trunk patch: http://svn.apache.org/r1554303
245 http://svn.apache.org/r1678215
246 2.4.x patch: http://people.apache.org/~ylavic/httpd-2.4.x-preserve_head_cl_zero.patch
248 ylavic: r1554303 issued a major MMN bump, but since the ABI change is two
249 ints added at the end of core_server_config, the proposed merge
250 does a minor bump only.
251 minfrin: Two new directives need to be documented.
253 * mod_proxy_http: Don't establish or reuse a backend connection before pre-
254 fetching the request body, so to minimize the delay between it is supposed
255 to be alive and the first bytes sent: this is a best effort to prevent the
256 backend from closing because of idle or keepalive timeout in the meantime.
257 Also, handle a new "proxy-flushall" environment variable which allows to
258 flush any forwarded body data immediately. PR 56541+37920.
259 trunk patch: http://svn.apache.org/r1656259
260 http://svn.apache.org/r1656359 (CHANGES entry)
261 2.4.x patch: trunk works (modulo CHANGES, docs/log-message-tags)
263 -0: jim: This seems to be a hit to normal performance, to handle an
264 error and/or non-normal condition. The pre-fetch is
265 expensive, and is always done, even before we know that
266 the backend is available to rec' it. I understand the
267 error described, but is the fix actually worth it (plus
268 it seems to allow for a DDoS vector).
269 ylavic: It seems to me that the problem is real since we reuse the
270 connection before prefetching 16K (either controlled by the
271 client, or by an input filter), we currently always prefetch
272 these bytes already. Regarding performance I don't see any
273 difference (more cycles) compared with the current code.
274 However I think I failed to rebuild the header_brigade when
275 the proxy loop is retried (ping), so I need to rework this.
276 Do you think we'd better remove the prefetch, or maybe just
277 make it nonblocking (by default)?
278 jim: Non-blocking seems the best way to handle...
280 * mod_dav: Allow other modules to become providers and add ACLs
281 to the DAV response. Requires a release of apr-util v1.6.
282 trunk patch: http://svn.apache.org/r1748322
283 2.4.x: trunk works modulo CHANGES/MMN
285 rpluem asks: Will this compile with apr-util < v1.6 and keep
286 mod_dav working (without the new features of the patch of course)?
287 I doubt that we will require apr-util 1.6 for the lifetime of 2.4.x
288 (see the discussion around ap_cstr_casecmp[n] an apr 1.6)
289 minfrin: Yes, as you can see in the patch everything applies only
290 if APR_XML_X2T_PARSED is defined, and the patch was tested with
291 both apr-util v1.6 and apr-util v1.5.
293 PATCHES/ISSUES THAT ARE STALLED
295 * core: Add ap_errorlog_provider to make ErrorLog logging modular. This
296 backport keeps syslog logging as part of httpd core and only adds
297 API to allow other modules to be used for error logging.
298 trunk patch: http://svn.apache.org/r1525597
299 http://svn.apache.org/r1525664
300 http://svn.apache.org/r1525845
301 http://svn.apache.org/r1527003
302 http://svn.apache.org/r1527005
303 http://svn.apache.org/r1532344
304 http://svn.apache.org/r1539988
305 http://svn.apache.org/r1541029
306 http://svn.apache.org/r1543979
307 http://svn.apache.org/r1544156
308 http://svn.apache.org/r1626978
309 2.4.x patch: http://people.apache.org/~jkaluza/patches/httpd-2.4.x-errorlog_provider.patch
311 +1: covener w/ doc or code to fix syntax (providername:providerarg not supported like syslog or socacheproviders,
312 needs 2 args which is not valid in ErrorLog manual)
313 trawick: nit: fix "writing" in "/* NULL if we are writing to syslog */"
314 (sorry, haven't finished reviewing completely)
315 jim: What is the status of this??
317 * mod_proxy: Add ap_proxy_define_match_worker() and use it for ProxyPassMatch
318 and ProxyMatch section to distinguish between normal workers and workers
319 with regex substitutions in the name. Implement handling of such workers
320 in ap_proxy_get_worker(). Fixes the bug when regex workers were not
321 matched and used for request. PR 43513.
322 trunk patch: http://svn.apache.org/r1609680
323 http://svn.apache.org/r1609688
324 http://svn.apache.org/r1641381
325 ylavic: Merge patch provided (reusing new->real to avoid double de_socketfy() call).
326 Also added missing r1609688 to the patchset.
327 2.4.x patch: http://people.apache.org/~ylavic/httpd-2.4.x-ap_proxy_define_match_worker.patch
329 -0: covener tried to review this one in Austin with Jeff. Does the added match function
330 really cover a very narrow set of parameters with the way it skips over backreferences?
331 Also, why a new API vs. just setting the field inline?
333 * mod_systemd: New module, for integration with systemd on Linux.
334 trunk patch: http://svn.apache.org/r1393976
335 http://svn.apache.org/r1393997
336 http://svn.apache.org/r1484554
337 http://svn.apache.org/r1528032
338 http://svn.apache.org/r1528034
339 http://svn.apache.org/r1614821
340 http://svn.apache.org/r1618579
341 http://svn.apache.org/r1618588
342 2.4.x patch: http://people.apache.org/~jkaluza/patches/mod_systemd/httpd-2.4.x-mod_systemd.patch
344 sf comments: The IdleShutdown logic seems broken. Consider a single
345 active connection that is stalled for 10 seconds. That
346 connection will be broken after GracefulShutdownTimeout.
347 A better logic would be to check if there is any open
348 connection that is not in keep-alive state.
350 * mod_journald: Add new module mod_journald to log error logs into journald.
351 This patch needs changes done in mod_systemd patch (already
353 trunk patch: http://svn.apache.org/r1610339
354 http://svn.apache.org/r1621806
355 2.4.x patch: http://people.apache.org/~jkaluza/patches/httpd-2.4.x-mod_journald.patch
357 rjung, minfrin: Not understanding "This patch needs changes done in
358 mod_systemd patch", am I right in understanding this patch is
360 jkaluza: No, that patch is not committed yet. It is in STALLED section.
361 The link for that patch is: http://people.apache.org/~jkaluza/patches/mod_systemd/httpd-2.4.x-mod_systemd.patch
363 * core: Add support for systemd socket activation.
364 trunk patch: http://svn.apache.org/r1511033
365 http://svn.apache.org/r1608686
366 http://svn.apache.org/r1608694
367 http://svn.apache.org/r1608703
368 http://svn.apache.org/r1608721
369 http://svn.apache.org/r1608744
370 2.4.x patch: http://people.apache.org/~jkaluza/patches/mod_systemd/httpd-2.4.x-socket-activation.patch
373 * mod_proxy: Ensure network errors detected by the proxy are returned as
374 504 Gateway Timeout as opposed to 502 Bad Gateway
375 trunk patch: https://svn.apache.org/viewvc?view=revision&revision=1480058
376 2.4.x patch: trunk patch works modulo CHANGES
378 -1: rpluem: This change is still disputed. See
379 http://mail-archives.apache.org/mod_mbox/httpd-dev/201305.mbox/%3C1B16B9E3-87BA-4EEF-939C-7C7313B54714%40gbiv.com%3E
381 * cross-compile: allow to provide CC_FOR_BUILD so that gen_test_char will be
382 compiled by the build compiler instead of the host compiler.
383 Also set CC_FOR_BUILD to 'cc' when cross-compilation is detected.
384 Trunk patches: http://svn.apache.org/viewvc?view=revision&revision=1327907
385 http://svn.apache.org/viewvc?view=revision&revision=1328390
386 http://svn.apache.org/viewvc?view=revision&revision=1328714
387 2.4 patch: http://people.apache.org/~fuankg/diffs/httpd-2.4.x-cross_compile.diff
388 fuankg: on hold until we agree for a better and more simple solution ...
390 * Makefile.win: Added copying of .vbs / .wsf CGIs to Windows install target.
391 Moved fixing of shebang to separate target so that it is
392 no longer executed by default and all CGIs remain inactive.
393 trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1387984
394 http://svn.apache.org/viewvc?view=revision&revision=1421203
395 http://svn.apache.org/viewvc?view=revision&revision=1421591
396 2.4.x patch: http://people.apache.org/~fuankg/diffs/httpd-2.4.x-Makefile.win.diff
399 This commit is essentially deciding that an httpd install on
400 Windows now has printenv/testcgi written in 2 more languages.
401 To the extent that the usefulness is that it shows how to make scripts
402 of these types executable by httpd, I believe that the documentation
403 is the proper place to solve that. To the extent that the usefullness
404 is to show how to implement a CGI in these particular languages, I believe
405 that the httpd distribution and documentation in general is not the
406 place for that. Historically these types of scripts have caused problems
407 for downstream vendorsas well as newbies (and sometimes the intersection
408 of those two groups) who don't understand that these are information leaks
409 once they are enabled, and the subtlety of the way they are disabled ("Apache
410 messed up the first line; let me fix that") contributes to that.
411 fuankg notes: I've just added a big warning to all CGI scripts which should now
412 make absolutely clear that these CGIs are for testing purpose only - so those
413 who enable those scripts with inserting the right shebang should be 100% aware
414 of any risks (this should cover your last point).
415 jim: trawick, does the above address your concerns?
416 trawick: to some extent (somebody reading the script gets an idea)
417 Why isn't the configuration requirement documented instead
418 of described indirectly in a sample?
419 Why are these new samples added to the install without three
420 votes? (I didn't veto it; put your name next to the two
421 existing ones and I'll be satisfied that enough people
422 considered this addition as an appropriate solution for a
423 real httpd usability problem.)
424 wrowe: I'd agree with trawick, and suggest that these scripts can begin
425 their life somewhere in the manual/ tree. This really seems like
426 the place where /usr/share/httpd/examples/ would be useful, but
427 there isn't an ordinary directory for that. Since we want none
428 of the scripts to function 'out of the box', what about a new
429 cgi-examples/ dir alongside cgi-bin/? Otherwise manual/cgi/examples
432 * core: block Define and Undefine in vhost and directory context. Because
433 it is EXEC_ON_READ, it "breaks out" of these contexts anyway.
434 trunk patch: http://svn.apache.org/r1656063
435 http://svn.apache.org/r1656122
436 2.4.x patch: http://people.apache.org/~covener/patches/2.4.x-define-limits.diff
437 +1: covener (I need to review the docs manually in this area)
438 -1: wrowe (blocking will break "working" .conf files on a subversion update
439 meant to pick up security fixes. "Alerting" I would agree to.)