-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
+ [Michael Kaufmann <mail michael-kaufmann.ch>]
+
+ *) mod_md: Explicitly setting file permissions to break out of umasks. We want our
+ non-privilegded apache user to be able to read them. See github issue
+ <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]
+
+ *) Merge consecutive slashes in URL's. Opt-out with `MergeSlashes OFF`.
+ [Eric Covener]
+
+ *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
+ connection is recycled/reused to avoid a possible crash with some SSLProxy
+ configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
+
+ *) mod_mime: Add `MimeOptions` directive to allow Content-Type or all metadata
+ detection to use only the last (right-most) file extension or to be
+ disabled per-dir. [Eric Covener]
+
+ *) MPMs unix: bind the bucket number of each child to its slot number, for a
+ more efficient per bucket maintenance. [Yann Ylavic]
+
+ *) http: Fix possible empty response with mod_ratelimit for HEAD requests.
+ PR 63192. [Yann Ylavic]
+
+ *) mod_cache_socache: Avoid reallocations and be safe with outgoing data
+ lifetime. [Yann Ylavic]
+
+ *) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.
+ PR 61310. [Yann Ylavic]
+
+ *) mod_auth_digest: Fix a race condition. Authentication with valid credentials could be
+ refused in case of concurrent accesses from different users.
+ PR 63124 [Simon Kappel <simon.kappel axis.com>]
+
+ *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
+ configuration (SSLFIPS on) and not active by default in OpenSSL.
+ PR 63136. [Yann Ylavic]
+
+ *) mod_ssl: give mod_md the chance to override certificate after ALPN protocol
+ negotiation. [Stefan Eissing]
+
+ *) mod_proxy_wstunnel: Fix websocket proxy over UDS.
+ PR 62932 <pavel dcmsys.com>
+
+ *) mod_negociation: LanguagePriority should be case-insensitive in order to
+ match AddLanguage behavior. PR 39730 [Christophe Jaillet]
+
+ *) mod_session: Always decode session attributes early. [Hank Ibell]
+
+ *) core: Incorrect values for environment variables are substituted when
+ multiple environment variables are specified in a directive. [Hank Ibell]
+
+ *) core: Split out the ability to parse wildcard files and directories
+ from the Include/IncludeOptional directives into a generic set of
+ functions ap_dir_nofnmatch() and ap_dir_fnmatch(). [Graham Leggett]
+
+ *) mod_dav: Fix an unlikely time-window where some incorrect data could be returned
+ from a PROPFIND request [Ruediger Pluem]
+
+ *) mod_ssl: Fix mod_authz provider for "require ssl" directive to check correctly
+ on HTTP/2 connections. Fixes PR 62654. [Stefan Eissing]
+
+ *) mod_ssl: clear *SSL errors before loading certificates and checking
+ afterwards. Otherwise errors are reported when other SSL using modules
+ are in play. Fixes PR 62880. [Michael Kaufmann]
+
+ *) mod_ssl: Correctly merge configurations that have client certificates set
+ by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]
+
+ *) core: Ensure that aborted connections are logged as such. PR 62823
+ [Arnaud Grandville <contact@grandville.net>]
+
+ *) mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when
+ there are still idle threads available. When there are less idle threads than
+ MinSpareThreads, issue new one-time message AH10159. Matches worker MPM.
+ [Eric Covener]
+
+ *) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
+ body of the response. [Jim Jagielski]
+
+ *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
+ [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]
+
+ *) mod_dav_fs: Set a default DAVLockDB within the state directory.
+ [Joe Orton]
+
+ *) core: Add DefaultStateDir and layout-specific state directory
+ created at "make install". [Joe Orton]
+
+ *) mod_ssl: Fix a regression that the configuration settings for verify mode
+ and verify depth were taken from the frontend connection in case of
+ connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
+
+ *) ab: Add client certificate support. [Graham Leggett]
+
+ *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
+ [Dominik Stillhard <dominik.stillhard united-security-providers.ch>]
+
+ *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
+ before signals handling to avoid lifetime issues on restart or shutdown.
+ PR 62658. [Yann Ylavic]
+
+ *) core: Add StrictHostCheck to allow ucnonfigured hostnames to be
+ rejected. [Eric Covener]
+
*) mod_status: Cumulate CPU time of exited child processes in the
"cu" and "cs" values. Add CPU time of the parent process to the
"c" and "s" values.
*) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
introduced in 2.4.34. PR 62568. [Yann Ylavic]
- *) http: Enforce consistently no response body with both 204 and 304
- statuses. [Yann Ylavic]
-
*) mod_proxy_http: forward 100-continue, and minimize race conditions when
reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere]
*) ru, zh-cn and zh-tw translations of errordocs have been added.
Contributed by Alexander Gaganashvili and CodeingBoy
- *) mod_authz_core: If several parameters are used in a AuthzProviderAlias
- directive, if these parameters are not enclosed in quotation mark, only
- the first one is handled. The other ones are silently ignored.
- Add a message to warn about such a spurious configuration.
- PR 62469 [Hank Ibell <hwibell gmail.com>, Christophe Jaillet]
-
- *) mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'.
- PR 62480. [Lubos Uhliarik <luhliari redhat.com>}
-
- *) http: Fix small memory leak per request when handling persistent
- connections. [Ruediger Pluem, Joe Orton]
-
- *) mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.
- PR 62220. [Chritophe Jaillet, Yann Ylavic]
-
*) mod_userdir: If several directories are given in a UserDir directive, only files
in the first existing one are checked. If the file is not found there, the
other possible directories are not checked. The doc clearly states that they
performed. PR 59636.
[Christophe Jaillet]
- *) mod_proxy: Fix a corner case where the ProxyPassReverseCookieDomain or
- ProxyPassReverseCookiePath directive could fail to update correctly
- 'domain=' or 'path=' in the 'Set-Cookie' header. PR 61560.
- [Christophe Jaillet]
-
- *) mod_slotmem_shm: Add generation number to shm filename to fix races
- with graceful restarts. PRs 62044 and 62308. [Jim Jagielski, Yann Ylavic]
-
*) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
this type of map is present in the configuration. PR62311.
[Hank Ibell <hwibell gmail.com>]
PKCS#11 OpenSSL engine. [Anderson Sasaki <ansasaki redhat.com>,
Joe Orton]
- *) mod_proxy_html: Fix variable interpolation and memory allocation failure
- in ProxyHTMLURLMap. [Ewald Dieterich <ewald mailbox.org>]
-
- *) core: In ONE_PROCESS/debug mode, cleanup everything when exiting.
- [Yann Ylavic]
-
- *) mod_http2: adding an abort function to slave connections' pools, so out-of-memory
- events lead to a control process abort, as on HTTP/1.x connections. [Stefan Eissing]
-
- *) mod_http2: adding regular memory cleanup when transferring large response bodies. This
- reduces memory footprint and avoids memory exhaustion when transferring large files
- on 32-bit architectures. Fixes PR 62325. [Stefan Eissing]
-
*) http: LimitRequestBody applies to proxied requests. [Yann Ylavic]
*) mod_logio: Add LogIOTrackTTFU and %^FU logformat to log the time
TLSv1.2 or lower ciphers are not relevant, as cipher suites are completely separate.
This means there is a bit if a world split when simultaneously having TLSv1.2 and TLSv1.3
connections to the same server.
- [Stefan Eissing]
+ [Yann Ylavic, Stefan Eissing]
*) mod_ssl: proper checks for libressl 2.07/8 and its TLSv1_3 support, see PR 62236.
[Bernard Spil <brnrd@freebsd.org>]
- *) mod_http2: on level trace2, log any unsuccessful HTTP/2 direct connection upgrade
- with base64 encoding to unify its appearance in possible bug reports. [Stefan Eissing]
-
*) mod_cgi: Add CGIScriptTimeout to make mod_cgi's timeout per-directory and
independent of the core Timeout directive. PR 62229.
[Hank Ibell <hwibell gmail.com>]
*) core: adding AP_DECLARE for ap_parse_vhost_addrs() and minor bumb mmn. Resolves
building mod_ssl on Windows. [Stefan Eissing, Gregg Smith]
- *) mod_http2: discourage gzip/brotli content encoding on http2-status responses as
- they are inserted into the reponse when filters are already done. [Stefan Eissing]
-
*) core: adding defines to allow interworking with honggfuzz without
further patches. [Stefan Eissing, Robert Swiecki]
should be accepted after the authorization scheme. \t are also tolerated.
[Christophe Jaillet]
- *) mod_http2: fixed unfair scheduling when number of active connections
- exceeded the scheduling fifo capacity. [Stefan Eissing]
-
*) core: Support zone/scope in IPv6 link-local addresses in Listen and
VirtualHost directives (requires APR 1.7.x or later). PR 59396. [Joe Orton]
associated with an active connection in the "ACC" field. Previously
zero was always reported with this MPM. PR60647. [Eric Covener]
- *) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
- zero out what had been initialized as the connection-level port. PR59931.
- [Hank Ibell <hwibell gmail.com>]
-
*) mod_proxy_wstunnel: Reliably run before mod_proxy_http.
[Eric Covener]
projects / apache / blobdiff