-*- coding: utf-8 -*-
+Changes with Apache 2.4.30
+
+ *) mpm_event: avoid a very unlikely race condition between the listener and
+ the workers when the latter fails to add a connection to the pollset.
+ [Yann Ylavic]
+
+ *) mod_macro: fix usability of globally defined macros in .htaccess files.
+ PR 57525. [Jose Kahan <jose w3.org>, Yann Ylavic]
+
+ *) mod_rewrite, core: add the Vary header when a condition evaluates to true
+ and the related RewriteRule is used in a Directory context
+ (triggering an internal redirect). [Luca Toscano]
+
+ *) ab: Make the TLS layer aware that the underlying socket is nonblocking,
+ and use/handle POLLOUT where needed to avoid busy IOs and recover write
+ errors when appropriate. [Yann Ylavic]
+
+ *) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
+ read was incomplete (the SSL case can cause the next poll() to timeout
+ since data are buffered already). PR 61301 [Luca Toscano, Yann Ylavic]
+
+ *) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain
+ information retrievals on null bucket beams where it makes sense. [Stefan Eissing]
+
+Changes with Apache 2.4.29
+
+ *) mod_unique_id: Use output of the PRNG rather than IP address and
+ pid, avoiding sleep() call and possible DNS issues at startup,
+ plus improving randomness for IPv6-only hosts. [Jan Kaluza]
+
+ *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST
+ is used in a condition that evaluates to true. PR 58231 [Luca Toscano, Yann Ylavic]
+
+ *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
+ beams that could lead to assertion failure in edge cases.
+ [Stefan Eissing]
+
+ *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
+ in 2.4.28. [Jim Jagielski]
+
+ *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
+ PR 61546. [Lubos Uhliarik <luhliari redhat.com>]
+
+ *) mod_rewrite: Add support for starting External Rewriting Programs
+ as non-root user on UNIX systems by specifying username and group
+ name as third argument of RewriteMap directive. [Jan Kaluza]
+
+ *) core: Rewrite the Content-Length filter to avoid excessive memory
+ consumption. Chunked responses will be generated in more cases
+ than in previous releases. PR 61222. [Joe Orton, Ruediger Pluem]
+
+ *) mod_ssl: Fix SessionTicket callback return value, which does seem to
+ matter with OpenSSL 1.1. [Yann Ylavic]
+
+Changes with Apache 2.4.28
+
+ *) SECURITY: CVE-2017-9798 (cve.mitre.org)
+ Corrupted or freed memory access. <Limit[Except]> must now be used in the
+ main configuration file (httpd.conf) to register HTTP methods before the
+ .htaccess files. [Yann Ylavic]
+
+ *) event: Avoid possible blocking in the listener thread when shutting down
+ connections. PR 60956. [Yann Ylavic]
+
+ *) mod_speling: Don't embed referer data in a link in error page.
+ PR 38923 [Nick Kew]
+
+ *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
+ length in a password file.
+ [Luca Toscano, Hanno Böck <hanno hboeck de>]
+
+ *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
+ [Jim Jagielski]
+
+ *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
+ PR 61142.
+
+ *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
+ down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
+ 's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]
+
+ *) mod_http2: Fix for stalling when more than 32KB are written to a
+ suspended stream. [Stefan Eissing]
+
+ *) build: allow configuration without APR sources. [Jacob Champion]
+
+ *) mod_ssl, ab: Fix compatibility with LibreSSL. PR 61184.
+ [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
+ Yann Ylavic]
+
+ *) core/log: Support use of optional "tag" in syslog entries.
+ PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]
+
+ *) mod_proxy: Fix ProxyAddHeaders merging. [Joe Orton]
+
+ *) core: Disallow multiple Listen on the same IP:port when listener buckets
+ are configured (ListenCoresBucketsRatio > 0), consistently with the single
+ bucket case (default), thus avoiding the leak of the corresponding socket
+ descriptors on graceful restart. [Yann Ylavic]
+
+ *) event: Avoid listener periodic wake ups by using the pollset wake-ability
+ when available. PR 57399. [Yann Ylavic, Luca Toscano]
+
+ *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
+ led to spurious HTTP 502 error messages sent on upgrade connections.
+ PR 61283. [Yann Ylavic]
+
+Changes with Apache 2.4.27
+
+ *) SECURITY: CVE-2017-9789 (cve.mitre.org)
+ mod_http2: Read after free. When under stress, closing many connections,
+ the HTTP/2 handling code would sometimes access memory after it has been
+ freed, resulting in potentially erratic behaviour.
+ [Stefan Eissing]
+
+ *) SECURITY: CVE-2017-9788 (cve.mitre.org)
+ mod_auth_digest: Uninitialized memory reflection. The value placeholder
+ in [Proxy-]Authorization headers type 'Digest' was not initialized or
+ reset before or between successive key=value assignments.
+ [William Rowe]
+
+ *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
+ global variable when using Lua 5.2 or later. This was exported as a
+ side effect from luaL_register, which is no longer supported as of
+ Lua 5.2 which deprecates pollution of the global namespace.
+ [Rainer Jung]
+
+ *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
+ The server will continue to run, but HTTP/2 will no longer be negotiated.
+ [Stefan Eissing]
+
+ *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
+ default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
+ [Jacob Champion, Jim Jagielski]
+
+ *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
+ PR58188, PR60831, PR61245. [Rainer Jung]
+
+ *) mod_http2: Simplify ready queue, less memory and better performance. Update
+ mod_http2 version to 1.10.7. [Stefan Eissing]
+
+ *) Allow single-char field names inadvertently disallowed in 2.4.25.
+ PR 61220. [Yann Ylavic]
+
+ *) htpasswd / htdigest: Do not apply the strict permissions of the temporary
+ passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]
+
+ *) core: Avoid duplicate HEAD in Allow header.
+ This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
+ PR 61207. [Christophe Jaillet]
Changes with Apache 2.4.26
+ *) SECURITY: CVE-2017-7679 (cve.mitre.org)
+ mod_mime can read one byte past the end of a buffer when sending a
+ malicious Content-Type response header. [Yann Ylavic]
+
+ *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+ The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+ bug in token list parsing, which allows ap_find_token() to search past
+ the end of its input string. By maliciously crafting a sequence of
+ request headers, an attacker may be able to cause a segmentation fault,
+ or to force ap_find_token() to return an incorrect value.
+ [Jacob Champion]
+
+ *) SECURITY: CVE-2017-7659 (cve.mitre.org)
+ A maliciously constructed HTTP/2 request could cause mod_http2 to
+ dereference a NULL pointer and crash the server process.
+
+ *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+ mod_ssl may dereference a NULL pointer when third-party modules call
+ ap_hook_process_connection() during an HTTP request to an HTTPS port.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2017-3167 (cve.mitre.org)
+ Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+ authentication phase may lead to authentication requirements being
+ bypassed.
+ [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+
+ *) HTTP/2 support no longer tagged as "experimental" but is instead considered
+ fully production ready.
+
+ *) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
+ the session in continuous check for state changes that never happen.
+ [Stefan Eissing]
+
+ *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
+ protocols. [Jean-Frederic Clere]
+
+ *) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
+ a possible crash if a signal is caught during (graceful) restart.
+ PR 60487. [Yann Ylavic]
+
+ *) mod_rewrite: When a substitution is a fully qualified URL, and the
+ scheme/host/port matches the current virtual host, stop interpreting the
+ path component as a local path just because the first component of the
+ path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
+ to revert to previous behavior. PR60009.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
+ platforms. PR61124. [Hank Ibell <hwibell gmail.com>]
+
+ *) ab: enable option processing for setting a custom HTTP method also for
+ non-SSL builds. [Rainer Jung]
+
+ *) core: EBCDIC fixes for interim responses with additional headers.
+ [Eric Covener]
+
+ *) mod_env: when processing a 'SetEnv' directive, warn if the environment
+ variable name includes a '='. It is likely a configuration error.
+ PR 60249 [Christophe Jaillet]
+
+ *) Evaluate nested If/ElseIf/Else configuration blocks.
+ [Luca Toscano, Jacob Champion]
+
+ *) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
+ allow spaces in backreferences to be encoded as %20 instead of '+'.
+ [Eric Covener]
+
+ *) mod_rewrite: Add the possibility to limit the escaping to specific
+ characters in backreferences by listing them in the B flag.
+ [Eric Covener]
+
+ *) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
+ systems. [Eric Covener]
+
+ *) mod_http2: fail requests without ERROR log in case we need to read interim
+ responses and see only garbage. This can happen if proxied servers send
+ data where none should be, e.g. a body for a HEAD request. [Stefan Eissing]
+
+ *) mod_proxy_http2: adding support for Reverse Proxy Request headers.
+ [Stefan Eissing]
+
+ *) mod_http2: fixed possible deadlock that could occur when connections were
+ terminated early with ongoing streams. Fixed possible hanger with timeout
+ on race when connection considers itself idle. [Stefan Eissing]
+
+ *) mod_http2: MaxKeepAliveRequests now limits the number of times a
+ slave connection gets reused. [Stefan Eissing]
+
+ *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
+ [Evgeny Kotkov]
+
+ *) mod_proxy_http2: Fixed bug in re-attempting proxy requests after
+ connection error. Reliability of reconnect handling improved.
+ [Stefan Eissing]
+
+ *) mod_http2: better performance, eliminated need for nested locks and
+ thread privates. Moving request setups from the main connection to the
+ worker threads. Increase number of spare connections kept.
+ [Stefan Eissing]
+
+ *) mod_http2: input buffering and dynamic flow windows for increased
+ throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
+ in mod_http2 INFO log as feature 'DWINS'. [Stefan Eissing]
+
+ *) mod_http2: h2 workers with improved scalability for better scheduling
+ performance. There are H2MaxWorkers threads created at start and the
+ number is kept constant for now. [Stefan Eissing]
+
+ *) mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and
+ just log a warning. [Stefan Eissing]
+
+ *) mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date
+ format from 2.2 in the Last Modified column. PR60846.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: Add %{REMOTE_PORT} to the expression parser. PR59938
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
+ computing and using the same entity key according to when the cache
+ checks, loads and saves the request.
+ PR 60577. [Yann Ylavic]
+
+ *) mod_proxy_hcheck: Don't validate timed out responses. [Yann Ylavic]
+
+ *) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
+ in use (ProxyHCTPsize > 0). PR 60071. [Yann Ylavic, Jim Jagielski]
+
+ *) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
+ URI originally requsted by the user, not the nested documents URI. This
+ restores the behavior of this variable to match the "legacy" SSI parser.
+ PR60624. [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
+ variables just before invoking the FastCGI. [Eric Covener,
+ Jacob Champion]
+
+ *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
+ a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
+ default. Add ProxyFCGIBackendType to allow the type of backend to be
+ specified so these kinds of fixups can be restored without impacting
+ FPM. PR60576 [Eric Covener, Jim Jagielski]
+
+ *) mod_ssl: work around leaks on (graceful) restart. [Yann Ylavic]
+
+ *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
+
+ *) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
+ than zero. [Eric Covener]
+
+ *) mod_http2: moving session cleanup to pre_close hook to avoid races with
+ modules already shut down and slave connections still operating.
+ [Stefan Eissing]
+
+ *) mod_lua: Support for Lua 5.3
+
+ *) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
+
+ *) mod_http2: fix for crash when running out of memory.
+ [Robert Swiecki <robert swiecki.net>, Stefan Eissing]
+
+ *) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
+ [Luca Toscano]
+
*) mod_http2: not counting file buckets again stream max buffer limits.
Effectively transfering static files in one step from slave to master
connection. [Stefan Eissing]
*) mod_proxy: Allow the per-request environment variable "no-proxy" to
be used as an alternative to ProxyPass /path !. This is primarily
to set exceptions for ProxyPass specified in <Location> context.
- Use SetEnvIf, not SetEnv. PR 60458.
+ Use SetEnvIf, not SetEnv. PR 60458. [Eric Covener]
*) mod_http2: fixes PR60599, sending proper response for conditional requests
answered by mod_cache. [Jeff Wheelhouse, Stefan Eissing]
[Yann Ylavic, Stefan Eissing]
*) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
- modules add empty environment variables to the request. PR60275.
+ modules add empty environment variables to the request. PR 60275.
[<alex2grad AT gmail.com>]
*) mod_http2: fix for possible page fault when stream is resumed during
*) mod_http2: limiting DATA frame sizes by TLS record sizes in use on the
connection. Flushing outgoing frames earlier. [Stefan Eissing]
- *) mod_http2: cleanup beamer registry on server reload, Fixes PR60510.
- [Pavel Mateja <pavel@verotel.cz>, Stefan Eissing]
+ *) mod_http2: cleanup beamer registry on server reload. PR 60510.
+ [Pavel Mateja <pavel verotel.cz>, Stefan Eissing]
*) mod_proxy_{ajp,fcgi}: Fix a possible crash when reusing an established
backend connection, happening with LogLevel trace2 or higher configured,
MSVC on Windows). [Yann Ylavic]
*) mod_ext_filter: Don't interfere with "error buckets" issued by other
- modules. PR60375. [Eric Covener, Lubos Uhliarik]
+ modules. PR 60375. [Eric Covener, Lubos Uhliarik]
*) mod_http2: fixes https://github.com/icing/mod_h2/issues/126 e.g. beam
bucket lifetime handling when data is sent over temporary pools.
*) mod_socache_memcache: Provide memcache stats to mod_status.
[Jim Jagielski]
+ *) mod_file_cache: mod_file_cache should be able to serve files that
+ haven't had a Content-Type set via e.g. mod_mime. [Eric Covener]
+
*) http_filters: Fix potential looping in new check_headers() due to new
pattern of ap_die() from http header filter. Explicitly clear the
previous headers and body.
*) core: New directive RegisterHttpMethod for registering non-standard
HTTP methods. [Stefan Fritsch]
- *) mod_socache_memcache: Pass expiration time through to memcached.
+ *) mod_socache_memcache: Pass expiration time through to memcached. PR 55445.
[Faidon Liambotis <paravoid debian.org>, Joe Orton]
*) mod_cache: Use the actual URI path and query-string for identifying the
Changes with Apache 2.4.21
+ *) core: Added support for HTTP code 451. PR 58985.
+ [Yehuda Katz <yehuda ymkatz.net>, Jim Jagielski]
+
*) ab: Use caseless matching for HTTP tokens (e.g. content-length). PR 59111.
[Yann Ylavic]