+ *) SECURITY: CVE-2015-0228 (cve.mitre.org)
+ mod_lua: A maliciously crafted websockets PING after a script
+ calls r:wsupgrade() can cause a child process crash.
+ [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_deflate: A misplaced check prevents limiting small bodies with the
+ new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]
+
+ *) ab: Add missing longest request (100%) to CSV export.
+ [Marcin Fabrykowski <bugzilla fabrykowski.pl>]
+
+ *) core: Add expression support to ErrorDocument. Switch from a fixed
+ sized 664 byte array per merge to a hash table. [Graham Leggett]
+
+ *) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
+ a combination of certificate serialNumber and issuer as defined by
+ CertificateExactMatch in RFC4523. [Graham Leggett]
+
+ *) suexec: Filter out the HTTP_PROXY environment variable because it is
+ treated as alias for http_proxy by some programs. [Stefan Fritsch]
+
+ *) mod_proxy_http: Use the "Connection: close" header for requests to
+ backends not recycling connections (disablereuse), including the default
+ reverse and forward proxies. [Yann Ylavic]
+
+ *) mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
+ finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
+ or force-proxy-request-1.0, and respond with 502 instead of 400 if its
+ Connection header is invalid. [Yann Ylavic]
+
+ *) mod_proxy(es): Avoid error response/document handling by the core if some
+ input filter already did it while reading client's payload. [Yann Ylavic]
+
+ *) http: Make ap_die() robust against any HTTP error code and not modify
+ response status (finally logged) when nothing is to be done. [Yann Ylavic]
+
+ *) mod_proxy_connect/wstunnel: If both client and backend sides get readable
+ at the same time, don't lose errors occuring while forwarding on the first
+ side when none occurs next on the other side, and abort. [Yann Ylavic]
+
+ *) mod_lua: After a r:wsupgrade(), mod_lua was not properly
+ responding to a websockets PING but instead invoking the specified
+ script. PR57524. [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_macro: Clear macros before initialization to avoid use-after-free
+ on startup or restart when the module is linked statically. PR 57525
+ [apache.org tech.futurequest.net, Yann Ylavic]
+
+ *) mod_proxy_http: Don't establish or reuse a backend connection before pre-
+ fetching the request body, so to minimize the delay between it is supposed
+ to be alive and the first bytes sent: this is a best effort to prevent the
+ backend from closing because of idle or keepalive timeout in the meantime.
+ Also, handle a new "proxy-flushall" environment variable which allows to
+ flush any forwarded body data immediately. PR 56541+37920. [Yann Ylavic]
+
+ *) core: Define and UnDefine are no longer permitted in
+ directory context. Previously they would always be evaulated
+ as the configuration was read without regard for the directory
+ context. [Eric Covener]
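Review bot: The CVE-2015-0228 entry at the top of the hunk and the later mod_lua entry (PR57524) both describe websockets PING handling after r:wsupgrade() and credit the same author, but neither refers to the other. If they cover the same fix, add the PR number to the SECURITY entry or merge the two, so that anyone tracking the CVE through CHANGES finds the bug report. Two smaller points: "occuring" in the mod_proxy_connect/wstunnel entry and "evaulated" in the final core entry are misspelled, and the PR references use three different forms ("PR56872", "PR 57525", "PR 56541+37920"), which makes them harder to grep for; one form throughout would be better.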