-*- coding: utf-8 -*-
+Changes with Apache 2.4.30
+
+ *) mod_session: Strip Session header when SessionEnv is on. [Yann Ylavic]
+
+ *) mod_cache_socache: Fix caching of empty headers up to carriage return.
+ [Yann Ylavic]
+
+ *) core: For consistency, ensure that read lines are NUL terminated on any
+ error, not only on buffer full. [Yann Ylavic]
+
+ *) mod_authnz_ldap: Fix language long names detection as short name.
+ [Yann Ylavic]
+
+ *) mod_proxy: Worker schemes and hostnames which are too large are no
+ longer fatal errors; it is logged and the truncated values are stored.
+ [Jim Jagielski]
+
+ *) regex: Allow to configure global/default options for regexes, like
+ caseless matching or extended format. [Yann Ylavic]
+
+ *) mod_proxy: Allow setting options to globally defined balancer from
+ ProxyPass used in VirtualHost. Balancers are now merged using the new
+ merge_balancers method which merges the balancers options. [Jan Kaluza]
+
+ *) logresolve: Fix incorrect behavior or segfault if -c flag is used
+ Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259
+ [Stefan Fritsch]
+
+ *) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
+ Add ability for PROXY protocol processing to be optional to donated code.
+ See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
+ [Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri]
+
+ *) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
+ allowing per backend TLS configuration. [Yann Ylavic]
+
+ *) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module. [Roberto De Ioris,
+ Jim Jagielski]
+
+ *) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
+ depend on the number of restarts (non-Unix systems) and preserve shared
+ names as much as possible on configuration changes for SHMs and persisted
+ files. PR 62044. [Yann Ylavic, Jim Jagielski]
+
+ *) mod_http2: obsolete code removed, no more events on beam pool destruction,
+ discourage content encoders on http2-status response (where they do not work).
+ [Stefan Eissing]
+
+ *) mpm_event: Let the listener thread do its maintenance job on resources
+ shortage. PR 61979. [Yann Ylavic]
+
+ *) mpm_event: Wakeup the listener to re-enable listening sockets.
+ [Yann Ylavic]
+
+ *) mod_ssl: The SSLCompression directive will now give an error if used
+ with an OpenSSL build which does not support any compression methods.
+ [Joe Orton]
+
+ *) mpm_event,worker: Mask signals for threads created by modules in child
+ init, so that they don't receive (implicitely) the ones meant for the MPM.
+ PR 62009. [Armin Abfalterer <a.abfalterer gmail com>, Yann Ylavic]
+
+ *) mod_md: new experimental, module for managing domains across virtual hosts,
+ implementing the Let's Encrypt ACMEv1 protocol to signup and renew
+ certificates. Please read the modules documentation for further instructions
+ on how to use it. [Stefan Eissing]
+
+ *) mod_proxy_html: skip documents shorter than 4 bytes
+ PR 56286 [Micha Lenk <micha lenk info>]
+
+ *) core, mpm_event: Avoid a small memory leak of the scoreboard handle, for
+ the lifetime of the connection, each time it is processed by MPM event.
+ [Yann Ylavic]
+
+ *) mpm_event: Update scoreboard status for KeepAlive state. [Yann Ylavic]
+
+ *) mod_ldap: Fix a case where a full LDAP cache would continually fail to
+ purge old entries and log AH01323. PR61891.
+ [Hendrik Harms <hendrik.harms gmail.com>]
+
+ *) mpm_event: close connections not reported as handled by any module to
+ avoid losing track of them and leaking scoreboard entries. PR 61551.
+ [Yann Ylavic]
+
+ *) core: A signal received while stopping could have crashed the main
+ process. PR 61558. [Yann Ylavic]
+
+ *) mod_ssl: support for mod_md added. [Stefan Eissing]
+
+ *) mod_proxy_html: process parsed comments immediately.
+ Fixes bug (seen in the wild when used with IBM's HTTPD bundle)
+ where parsed comments may be lost. [Nick Kew]
+
+ *) mod_proxy_html: introduce doctype for HTML 5 [Nick Kew]
+
+ *) mod_proxy_html: fix typo-bug processing "strict" vs "transitional"
+ HTML/XHTML. PR 56457 [Nick Kew]
+
+ *) mpm_event: avoid a very unlikely race condition between the listener and
+ the workers when the latter fails to add a connection to the pollset.
+ [Yann Ylavic]
+
+ *) core: silently ignore a not existent file path when IncludeOptional
+ is used. PR 57585. [Alberto Murillo Silva <powerbsd yahoo.com>, Luca Toscano]
+
+ *) mod_macro: fix usability of globally defined macros in .htaccess files.
+ PR 57525. [Jose Kahan <jose w3.org>, Yann Ylavic]
+
+ *) mod_rewrite, core: add the Vary header when a condition evaluates to true
+ and the related RewriteRule is used in a Directory context
+ (triggering an internal redirect). [Luca Toscano]
+
+ *) ab: Make the TLS layer aware that the underlying socket is nonblocking,
+ and use/handle POLLOUT where needed to avoid busy IOs and recover write
+ errors when appropriate. [Yann Ylavic]
+
+ *) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
+ read was incomplete (the SSL case can cause the next poll() to timeout
+ since data are buffered already). PR 61301 [Luca Toscano, Yann Ylavic]
+
+ *) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain
+ information retrievals on null bucket beams where it makes sense. [Stefan Eissing]
+
+Changes with Apache 2.4.29
+
+ *) mod_unique_id: Use output of the PRNG rather than IP address and
+ pid, avoiding sleep() call and possible DNS issues at startup,
+ plus improving randomness for IPv6-only hosts. [Jan Kaluza]
+
+ *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST
+ is used in a condition that evaluates to true. PR 58231 [Luca Toscano, Yann Ylavic]
+
+ *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
+ beams that could lead to assertion failure in edge cases.
+ [Stefan Eissing]
+
+ *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
+ in 2.4.28. [Jim Jagielski]
+
+ *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
+ PR 61546. [Lubos Uhliarik <luhliari redhat.com>]
+
+ *) mod_rewrite: Add support for starting External Rewriting Programs
+ as non-root user on UNIX systems by specifying username and group
+ name as third argument of RewriteMap directive. [Jan Kaluza]
+
+ *) core: Rewrite the Content-Length filter to avoid excessive memory
+ consumption. Chunked responses will be generated in more cases
+ than in previous releases. PR 61222. [Joe Orton, Ruediger Pluem]
+
+ *) mod_ssl: Fix SessionTicket callback return value, which does seem to
+ matter with OpenSSL 1.1. [Yann Ylavic]
+
+Changes with Apache 2.4.28
+
+ *) SECURITY: CVE-2017-9798 (cve.mitre.org)
+ Corrupted or freed memory access. <Limit[Except]> must now be used in the
+ main configuration file (httpd.conf) to register HTTP methods before the
+ .htaccess files. [Yann Ylavic]
+
+ *) event: Avoid possible blocking in the listener thread when shutting down
+ connections. PR 60956. [Yann Ylavic]
+
+ *) mod_speling: Don't embed referer data in a link in error page.
+ PR 38923 [Nick Kew]
+
+ *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
+ length in a password file.
+ [Luca Toscano, Hanno Böck <hanno hboeck de>]
+
+ *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
+ [Jim Jagielski]
+
+ *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
+ PR 61142.
+
+ *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
+ down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
+ 's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]
+
+ *) mod_http2: Fix for stalling when more than 32KB are written to a
+ suspended stream. [Stefan Eissing]
+
+ *) build: allow configuration without APR sources. [Jacob Champion]
+
+ *) mod_ssl, ab: Fix compatibility with LibreSSL. PR 61184.
+ [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
+ Yann Ylavic]
+
+ *) core/log: Support use of optional "tag" in syslog entries.
+ PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]
+
+ *) mod_proxy: Fix ProxyAddHeaders merging. [Joe Orton]
+
+ *) core: Disallow multiple Listen on the same IP:port when listener buckets
+ are configured (ListenCoresBucketsRatio > 0), consistently with the single
+ bucket case (default), thus avoiding the leak of the corresponding socket
+ descriptors on graceful restart. [Yann Ylavic]
+
+ *) event: Avoid listener periodic wake ups by using the pollset wake-ability
+ when available. PR 57399. [Yann Ylavic, Luca Toscano]
+
+ *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
+ led to spurious HTTP 502 error messages sent on upgrade connections.
+ PR 61283. [Yann Ylavic]
Changes with Apache 2.4.27
+ *) SECURITY: CVE-2017-9789 (cve.mitre.org)
+ mod_http2: Read after free. When under stress, closing many connections,
+ the HTTP/2 handling code would sometimes access memory after it has been
+ freed, resulting in potentially erratic behaviour.
+ [Stefan Eissing]
+
+ *) SECURITY: CVE-2017-9788 (cve.mitre.org)
+ mod_auth_digest: Uninitialized memory reflection. The value placeholder
+ in [Proxy-]Authorization headers type 'Digest' was not initialized or
+ reset before or between successive key=value assignments.
+ [William Rowe]
+
+ *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
+ global variable when using Lua 5.2 or later. This was exported as a
+ side effect from luaL_register, which is no longer supported as of
+ Lua 5.2 which deprecates pollution of the global namespace.
+ [Rainer Jung]
+
+ *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
+ The server will continue to run, but HTTP/2 will no longer be negotiated.
+ [Stefan Eissing]
+
+ *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
+ default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
+ [Jacob Champion, Jim Jagielski]
+
+ *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
+ PR58188, PR60831, PR61245. [Rainer Jung]
+
+ *) mod_http2: Simplify ready queue, less memory and better performance. Update
+ mod_http2 version to 1.10.7. [Stefan Eissing]
+
+ *) Allow single-char field names inadvertently disallowed in 2.4.25.
+ PR 61220. [Yann Ylavic]
+
+ *) htpasswd / htdigest: Do not apply the strict permissions of the temporary
+ passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]
+
+ *) core: Avoid duplicate HEAD in Allow header.
+ This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
+ PR 61207. [Christophe Jaillet]
Changes with Apache 2.4.26
*) mod_socache_memcache: Provide memcache stats to mod_status.
[Jim Jagielski]
+ *) mod_file_cache: mod_file_cache should be able to serve files that
+ haven't had a Content-Type set via e.g. mod_mime. [Eric Covener]
+
*) http_filters: Fix potential looping in new check_headers() due to new
pattern of ap_die() from http header filter. Explicitly clear the
previous headers and body.
*) core: New directive RegisterHttpMethod for registering non-standard
HTTP methods. [Stefan Fritsch]
- *) mod_socache_memcache: Pass expiration time through to memcached.
+ *) mod_socache_memcache: Pass expiration time through to memcached. PR 55445.
[Faidon Liambotis <paravoid debian.org>, Joe Orton]
*) mod_cache: Use the actual URI path and query-string for identifying the
Changes with Apache 2.4.21
+ *) core: Added support for HTTP code 451. PR 58985.
+ [Yehuda Katz <yehuda ymkatz.net>, Jim Jagielski]
+
*) ab: Use caseless matching for HTTP tokens (e.g. content-length). PR 59111.
[Yann Ylavic]