-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_auth_digest: Fix a race condition. Authentication with valid credentials could be
+ refused in case of concurrent accesses from different users.
+ PR 63124 [Simon Kappel <simon.kappel axis.com>]
- *) mod_xml2enc: Fix forwarding of error metadata/responses. PR 62180.
- [Micha Lenk <micha lenk.info>, Yann Ylavic]
+ *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
+ configuration (SSLFIPS on) and not active by default in OpenSSL.
+ PR 63136. [Yann Ylavic]
- *) mod_proxy_http: Add new worker parameter 'responsefieldsize' to
- allow maximum HTTP response header size to be increased past 8192
- bytes. PR62199. [Hank Ibell <hwibell gmail.com>]
+ *) mod_http2: Configuration directoves H2Push and H2Upgrade can now be specified per
+ Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]
- *) core: Preserve the original HTTP request method in the '%<m' LogFormat
- when an path-based ErrorDocument is used. PR 62186.
- [Micha Lenk <micha lenk.info>]
+ *) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to
+ terminate improperly and cause a HTTP/2 PROTOCOL_ERROR.
+ Fixes <https://github.com/icing/mod_h2/issues/167>. [Michael Kaufmann]
- *) mod_proxy_balancer: Add hot spare member type and corresponding flag (R). Hot spare members are
- used as drop-in replacements for unusable workers in the same load balancer set. This differs
- from hot standbys which are only used when all workers in a set are unusable. PR 61140. [Jim
- Riggs]
+ *) mod_ssl: give mod_md the chance to override certificate after ALPN protocol
+ negotiation. [Stefan Eissing]
+
+ *) mod_http2: enable re-use of slave connections again. Fixed slave connection
+ keepalives counter. [Stefan Eissing]
+
+ *) mod_proxy_wstunnel: Fix websocket proxy over UDS.
+ PR 62932 <pavel dcmsys.com>
+
+ *) mod_negociation: LanguagePriority should be case-insensitive in order to
+ match AddLanguage behavior. PR 39730 [Christophe Jaillet]
+
+ *) mod_session: Always decode session attributes early. [Hank Ibell]
+
+ *) core: Incorrect values for environment variables are substituted when
+ multiple environment variables are specified in a directive. [Hank Ibell]
+
+ *) core: Split out the ability to parse wildcard files and directories
+ from the Include/IncludeOptional directives into a generic set of
+ functions ap_dir_nofnmatch() and ap_dir_fnmatch(). [Graham Leggett]
+
+ *) mod_dav: Fix an unlikely time-window where some incorrect data could be returned
+ from a PROPFIND request [Ruediger Pluem]
+
+ *) mod_ssl: Fix mod_authz provider for "require ssl" directive to check correctly
+ on HTTP/2 connections. Fixes PR 62654. [Stefan Eissing]
+
+ *) mod_ssl: clear *SSL errors before loading certificates and checking
+ afterwards. Otherwise errors are reported when other SSL using modules
+ are in play. Fixes PR 62880. [Michael Kaufmann]
+
+ *) mod_ssl: Correctly merge configurations that have client certificates set
+ by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]
+
+ *) core: Ensure that aborted connections are logged as such. PR 62823
+ [Arnaud Grandville <contact@grandville.net>]
+
+ *) mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when
+ there are still idle threads available. When there are less idle threads than
+ MinSpareThreads, issue new one-time message AH10159. Matches worker MPM.
+ [Eric Covener]
+
+ *) mod_http2: adding defensive code for stream EOS handling, in case the request handler
+ missed to signal it the normal way (eos buckets). Addresses github issues
+ https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
+ and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing]
+
+ *) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
+ body of the response. [Jim Jagielski]
+
+ *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
+ [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]
+
+ *) mod_dav_fs: Set a default DAVLockDB within the state directory.
+ [Joe Orton]
+
+ *) core: Add DefaultStateDir and layout-specific state directory
+ created at "make install". [Joe Orton]
+
+ *) mod_ssl: Fix a regression that the configuration settings for verify mode
+ and verify depth were taken from the frontend connection in case of
+ connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
+
+ *) ab: Add client certificate support. [Graham Leggett]
+
+ *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
+ [Dominik Stillhard <dominik.stillhard united-security-providers.ch>]
+
+ *) mod_http2: connection IO event handling reworked. Instead of reacting on
+ incoming bytes, the state machine now acts on incoming frames that are
+ affecting it. This reduces state transitions. [Stefan Eissing]
+
+ *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
+ before signals handling to avoid lifetime issues on restart or shutdown.
+ PR 62658. [Yann Ylavic]
+
+ *) core: Add StrictHostCheck to allow ucnonfigured hostnames to be
+ rejected. [Eric Covener]
+
+ *) mod_status: Cumulate CPU time of exited child processes in the
+ "cu" and "cs" values. Add CPU time of the parent process to the
+ "c" and "s" values.
+ [Rainer Jung]
+
+ *) mod_status: Add cumulated response duration time in milliseconds.
+ [Rainer Jung]
+
+ *) mod_status: Complete the data shown for async MPMs in "auto" mode.
+ Added number of processes, number of stopping processes and number
+ of busy and idle workers. [Rainer Jung]
+
+ *) mod_proxy: Improve the balancer member data shown in mod_status when
+ "ProxyStatus" is "On": add "busy" count and show byte counts in auto
+ mode always in units of kilobytes. [Rainer Jung]
+
+ *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
+ redirects, subsequent ProxyPassReverse statements, whether they are
+ relative or absolute, may fail. PR 60408. [Peter Haworth <pmh1wheel gmail.com>]
+
+ *) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
+ introduced in 2.4.34. PR 62568. [Yann Ylavic]
+
+ *) mod_proxy_http: forward 100-continue, and minimize race conditions when
+ reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere]
+
+ *) mod_proxy: Remove load order and link dependency between mod_lbmethod_*
+ modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe]
+
+ *) mod_md: more robust handling of http-01 challenges and hands-off when module
+ should not be involved, e.g. challenge setup by another ACME client. [Stefan Eissing]
+
+ *) ru, zh-cn and zh-tw translations of errordocs have been added.
+ Contributed by Alexander Gaganashvili and CodeingBoy
+
+ *) mod_userdir: If several directories are given in a UserDir directive, only files
+ in the first existing one are checked. If the file is not found there, the
+ other possible directories are not checked. The doc clearly states that they
+ will be checked one by one, until a match is found or an external redirect is
+ performed. PR 59636.
+ [Christophe Jaillet]
+
+ *) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
+ this type of map is present in the configuration. PR62311.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_ldap: Abort on LDAP locking errors. [Eric Covener]
+
+ *) mod_ssl: Support loading certificates and private keys from the
+ PKCS#11 OpenSSL engine. [Anderson Sasaki <ansasaki redhat.com>,
+ Joe Orton]
+
+ *) mod_http2: adding an abort function to slave connections' pools, so out-of-memory
+ events lead to a control process abort, as on HTTP/1.x connections. [Stefan Eissing]
+
+ *) mod_http2: adding regular memory cleanup when transferring large response bodies. This
+ reduces memory footprint and avoids memory exhaustion when transferring large files
+ on 32-bit architectures. Fixes PR 62325. [Stefan Eissing]
+
+ *) http: LimitRequestBody applies to proxied requests. [Yann Ylavic]
*) mod_logio: Add LogIOTrackTTFU and %^FU logformat to log the time
difference between request start and last request body byte read (finished upload).
TLSv1.2 or lower ciphers are not relevant, as cipher suites are completely separate.
This means there is a bit if a world split when simultaneously having TLSv1.2 and TLSv1.3
connections to the same server.
- [Stefan Eissing]
-
- *) mod_http2: accurate reporting of h2 data input/output per request via mod_logio. Fixes
- an issue where output sizes where counted n-times on reused slave connections. See
- gituhub issue: https://github.com/icing/mod_h2/issues/158
- [Stefan Eissing]
-
- *) mod_proxy: Do not restrict the maximum pool size for backend connections
- any longer by the maximum number of threads per process and use a better
- default if mod_http2 is loaded.
- [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Gregg Smith]
-
- *) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
- regression introduced in 2.4.30. PR 62232. [Rainer Jung, Yann Ylavic]
+ [Yann Ylavic, Stefan Eissing]
*) mod_ssl: proper checks for libressl 2.07/8 and its TLSv1_3 support, see PR 62236.
[Bernard Spil <brnrd@freebsd.org>]
independent of the core Timeout directive. PR 62229.
[Hank Ibell <hwibell gmail.com>]
- *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
- [Eric Covener]
-
*) mod_ssl: heavily simplified SSLPolicy. No more user defines, no propxy policies,
just the basic "modern", "intermediate" and "old" as specified by Mozilla security.
[Stefan Eissing]
- *) mod_remoteip: make proxy-protocol work on slave connections, e.g. in HTTP/2
- requests. See also https://github.com/roadrunner2/mod-proxy-protocol/issues/6
- [Stefan Eissing]
-
*) mod_md: fixes error in renew window calculation that may lead to mod_md running
watchdog in a tight loop until actual renewal becomes necessary. [Stefan Eissing]
co-existance between mod_md and other ACME clients on the same server (implements PR62189).
[Stefan Eissing, Arkadiusz Miskiewicz <arekm@maven.pl>]
- *) mod_md: Fix compilation with OpenSSL before version 1.0.2. [Rainer Jung]
-
*) core: Create a conn_config_t structure to hold an extendable core config rather
than consuming the whole pointer with the connection socket. [Graham Leggett]
error logging of exact ACME response when challenges failed.
[Stefan Eissing]
- *) mod_dumpio: do nothing below log level TRACE7. [Yann Ylavic]
-
*) mod_md: reverses most of v1.0.5 optimization of post_config init, so that
mod_ssl can ask for certiticates without crashing. [Stefan Eissing]
associated with an active connection in the "ACC" field. Previously
zero was always reported with this MPM. PR60647. [Eric Covener]
- *) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
- zero out what had been initialized as the connection-level port. PR59931.
- [Hank Ibell <hwibell gmail.com>]
-
*) mod_proxy_wstunnel: Reliably run before mod_proxy_http.
[Eric Covener]
*) mod_status, mod_echo: Fix the display of client addresses.
They were truncated to 31 characters which is not enough for IPv6 addresses.
- PR 54848 [Bernhard Schmidt <berni birkenwald de>]
+ This is done by deprecating the use of the 'client' field and using
+ the new 'client64' field in worker_score.
+ PR 54848 [Bernhard Schmidt <berni birkenwald de>, Jim Jagielski]
*) core: merge AllowEncodedSlashes from the base configuration into
virtual hosts. [Eric Covener]
- mod_socache_shmcb, mod_socache_dbm: shared memory or dbm for cache
[Jeff Trawick]
- *) suexec: Add --enable-suexec-capabilites support on Linux, to use
- setuid/setgid capability bits rather than a setuid root binary.
- [Joe Orton]
-
- *) suexec: Add support for logging to syslog as an alternative to logging
- to a file; configure --without-suexec-logfile --with-suexec-syslog.
- [Joe Orton]
-
*) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
[Matthew Steele <mdsteele google.com>]
projects / apache / blobdiff