-*- coding: utf-8 -*-
Changes with Apache 2.5.0
- *) mod_http2: fix suspended handling for streams. Output could become
- blocked in rare cases.
+ *) core: Drop Content-Length header and message-body from HTTP 204 responses.
+ PR 51350 [Luca Toscano]
+
+ *) SECURITY: CVE-2016-2161 (cve.mitre.org)
+ mod_auth_digest: Prevent segfaults during client entry allocation when the
+ shared memory space is exhausted. [Maksim Malyutin <m.malyutin dsec.ru>,
+ Eric Covener, Jacob Champion]
+
+ *) SECURITY: CVE-2016-0736 (cve.mitre.org)
+ mod_session_crypto: Authenticate the session data/cookie with a
+ MAC (SipHash) to prevent deciphering or tampering with a padding
+ oracle attack. [Yann Ylavic, Colm MacCarthaigh]
+
+ *) mod_lua: Fix default value of LuaInherit directive. It should be
+ 'parent-first' instead of 'none', as per documentation. PR 60419
+ [Christophe Jaillet]
+
+ *) mod_ratelimit: Allow for initial "burst" amount at full speed before
+ throttling: PR 60145 [Andy Valencia <ajv-etradanalhos vsta.org>,
+ Jim Jagielski]
+
+ *) event: Allow to use the whole allocated scoreboard (up to ServerLimit
+ slots) to avoid scoreboard full errors when some processes are finishing
+ gracefully. Also, make gracefully finishing processes close all
+ keep-alive connections. PR 53555. [Stefan Fritsch]
+
+ *) http: Allow unknown response status' lines returned in the form of
+ "HTTP/x.x xxx Status xxx". [Yann Ylavic]
+
+ *) core: Add <IfFile> configuration section to allow any file on disk to be
+ used as a conditional. [Edward Lu, Eric Covener]
+
+ *) event: Avoid listener periodic wake ups by using the pollset wake-ability
+ when available. PR 57399. [Yann Ylavic, Luca Toscano]
+
+ *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
+ [Evgeny Kotkov]
*) core: Permit unencoded ';' characters to appear in proxy requests and
Location: response headers. Corresponds to modern browser behavior.
[William Rowe]
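Review bot: the line `*) http: Allow unknown response status' lines returned in the form of` carries a stray apostrophe; "status lines" is meant, and `event: Allow to use the whole allocated scoreboard` reads better as "Allow using the whole allocated scoreboard". On the CVE-2016-0736 entry, adding a SipHash MAC over the session data means sessions encrypted before the upgrade carry no MAC, so the entry should state whether such sessions are rejected (forcing users to re-authenticate) or still accepted. The removal of the mod_http2 suspended-handling entry at the top of the hunk has no replacement in this hunk; if the entry was recorded elsewhere that is fine, otherwise it should be kept.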
- *) mpm_winnt: Prevent a denial of service when the 'data' AcceptFilter is in
- use by replacing it with the 'connect' filter. PR 59970. [Jacob Champion]
-
- *) mod_proxy_hcheck: Set health check URI and expression correctly for health
- check worker. PR 60038 [zdeno <zdeno@scnet.sk>]
-
*) mod_cache: Use the actual URI path and query-string for identifying the
cached entity (key), such that rewrites are taken into account when
running afterwards (CacheQuickHandler off). PR 21935. [Yann Ylavic]
triggering mod_proxy_connect's AH01018 once the tunnel is established.
[Yann Ylavic]
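Review bot: `PR 60038 [zdeno <zdeno@scnet.sk>]` spells out a raw @ in the contributor address, while the other entries in this file drop it (for example `<m.malyutin dsec.ru>` and `<dab1818 gmail com>`); the same obfuscated form should be used here. The PR references also alternate between `PR 59970.` with a trailing period and `PR 60038` without; pick one form.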
- *) mod_proxy_balancer: Prevent redirect loops between workers within a
- balancer by limiting the number of redirects to the number balancer
- members. PR 59864 [Ruediger Pluem]
-
- *) mod_proxy: Correctly consider error response codes by the backend when
- processing failonstatus. PR 59869 [Ruediger Pluem]
-
- *) mod_proxy_fcgi: avoid loops when ProxyErrorOverride is enabled
- and the error documents are proxied. PR 55415. [Luca Toscano]
-
- *) mod_proxy_fcgi: read the whole FCGI response even when the content has
- not been modified (HTTP 304) to avoid subsequent bogus reads and
- confusing error messages logged. [Luca Toscano]
-
*) mod_crypto: Add the all purpose crypto filters with support for HLS.
[Graham Leggett]
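Review bot: `balancer by limiting the number of redirects to the number balancer` is missing a word; it should read "to the number of balancer members". The two mod_proxy_fcgi entries start their description in lowercase ("avoid loops", "read the whole FCGI response") while the neighbouring entries capitalise the first word; make them consistent.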
- *) ab: Add option -I to use the Server Name Indication (SNI) extension on
- outgoing TLS connections, according to the Host header (if any) or the
- requested URL's hostname otherwise. [Yann Ylavic]
-
- *) mod_ssl: reset client-verify state of ssl when aborting renegotiations.
- [Erki Aring <erki@example.ee>, Stefan Eissing]
-
- *) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data
- available before the request is sent. PR 57832. [Yann Ylavic]
-
- *) mod_sed: Fix 'x' command processing. [Christophe Jaillet]
-
*) core: Drop an invalid Last-Modified header value coming
from a FCGI/CGI script instead of replacing it with Unix epoch.
Warn the users about Last-Modified header value replacements
dav_failed_proppatch, dav_success_proppatch to mod_dav.h.
[Jari Urpalainen <jari.urpalainen nokia.com>, Graham Leggett]
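Review bot: `[Erki Aring <erki@example.ee>, Stefan Eissing]` uses a raw @ in the address, unlike the obfuscated form used elsewhere in this file; it should follow the same convention. The mod_ssl and mod_proxy_{http,ajp,fcgi} entries also begin lowercase ("reset", "don't") where the surrounding entries begin with a capital.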
- *) core: Add -DDUMP_INCLUDES configtest option to show the tree
- of Included configuration files. [Jacob Champion <champion.pxi gmail.com>]
-
- *) mod_dav: Add support for childtags to dav_error.
- [Jari Urpalainen <jari.urpalainen nokia.com>]
-
*) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
allowing per backend TLS configuration. [Yann Ylavic]
*) core: explicitly exclude 'h2' from protocols announced via an Upgrade:
header as commanded by http-wg. [Stefan Eissing]
- *) http: Respond with "408 Request Timeout" when a timeout occurs while
- reading the request body. [Yann Ylavic]
-
- *) scoreboard/status: Keep workers' previous Client, VHost and Request values
- when idle, like in 2.4.18 and earlier. [Yann Ylavic]
-
*) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
AJP13 authentication. PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]
- *) mpm_event: Don't take over scoreboard slots from gracefully finishing
- threads. [Stefan Fritsch]
-
- *) mod_status: Display the process slot number in the async connection
- overview. [Stefan Fritsch]
-
- *) mpm_event, mpm_worker: Fix computation of MinSpareThreads' lower bound
- according the number of listeners buckets. [Yann Ylavic]
-
*) mpm: Generalise the ap_mpm_register_socket functions to accept pipes
or sockets. [Graham Leggett]
*) core: Extend support for setting aside data from the network input filter
to any connection or request input filter. [Graham Leggett]
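Review bot: `according the number of listeners buckets` is missing "to"; it should read "according to the number of listener buckets".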
- *) mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
- to opt-in previous behaviour (2.2) with CRLs verification when checking
- certificate(s) with no corresponding CRL. [Yann Ylavic]
-
*) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]
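Review bot: the wording `to opt-in previous behaviour (2.2) with CRLs verification when checking certificate(s) with no corresponding CRL` does not make clear that the new `no_crl_for_cert_ok` flag relaxes revocation checking: as the flag name suggests, a certificate with no corresponding CRL is then treated as acceptable rather than failing verification. The entry should say so explicitly so that administrators enabling it understand the trade-off, and "opt-in previous behaviour" should read "opt in to the previous (2.2) behaviour".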
- *) ab: Use caseless matching for HTTP tokens (e.g. content-length). PR 59111.
- [Yann Ylavic]
-
*) mod_auth_digest: Fix compatibility with expression-based Authname. PR59039.
[Eric Covener]
*) core: Extend support for asynchronous write completion from the
network filter to any connection or request filter. [Graham Leggett]
- *) mpm_event: Free memory earlier when shutting down processes.
- [Stefan Fritsch]
-
*) mod_auth_digest: remove AuthDigestEnableQueryStringHack which is no
more documented since dec 2012 (r1415960). [Christophe Jaillet]
*) mod_charset_lite: On EBCDIC platforms, make sure mod_charset_lite runs
after other resource-level filters. [Eric Covener]
- *) mod_dir: Responses that go through "FallbackResource" might appear to
- hang due to unterminated chunked encoding. PR58292. [Eric Covener]
-
*) http: Don't remove the Content-Length of zero from a HEAD response if
it comes from an origin server, module or script. [Yann Ylavic]
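Review bot: `PR58292.` is missing the space used by the other PR references in this file (`PR 53555.`, `PR 57832.`); write it as `PR 58292`.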