-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_auth_digest: Fix a race condition. Authentication with valid credentials could be
+ refused in case of concurrent accesses from different users.
+ PR 63124 [Simon Kappel <simon.kappel axis.com>]
- *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
- need more sugar). Added configuration directives for TLSv1.3 cipher suites (which
- are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
- to find a better name.
- [Stefan Eissing]
+ *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
+ configuration (SSLFIPS on) and not active by default in OpenSSL.
+ PR 63136. [Yann Ylavic]
+
+ *) mod_http2: Configuration directoves H2Push and H2Upgrade can now be specified per
+ Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]
+
+ *) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to
+ terminate improperly and cause a HTTP/2 PROTOCOL_ERROR.
+ Fixes <https://github.com/icing/mod_h2/issues/167>. [Michael Kaufmann]
+
+ *) mod_ssl: give mod_md the chance to override certificate after ALPN protocol
+ negotiation. [Stefan Eissing]
+
+ *) mod_http2: enable re-use of slave connections again. Fixed slave connection
+ keepalives counter. [Stefan Eissing]
+
+ *) mod_proxy_wstunnel: Fix websocket proxy over UDS.
+ PR 62932 <pavel dcmsys.com>
+
+ *) mod_negociation: LanguagePriority should be case-insensitive in order to
+ match AddLanguage behavior. PR 39730 [Christophe Jaillet]
+
+ *) mod_session: Always decode session attributes early. [Hank Ibell]
+
+ *) core: Incorrect values for environment variables are substituted when
+ multiple environment variables are specified in a directive. [Hank Ibell]
+
+ *) core: Split out the ability to parse wildcard files and directories
+ from the Include/IncludeOptional directives into a generic set of
+ functions ap_dir_nofnmatch() and ap_dir_fnmatch(). [Graham Leggett]
+
+ *) mod_dav: Fix an unlikely time-window where some incorrect data could be returned
+ from a PROPFIND request [Ruediger Pluem]
+
+ *) mod_ssl: Fix mod_authz provider for "require ssl" directive to check correctly
+ on HTTP/2 connections. Fixes PR 62654. [Stefan Eissing]
+
+ *) mod_ssl: clear *SSL errors before loading certificates and checking
+ afterwards. Otherwise errors are reported when other SSL using modules
+ are in play. Fixes PR 62880. [Michael Kaufmann]
+
+ *) mod_ssl: Correctly merge configurations that have client certificates set
+ by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]
+
+ *) core: Ensure that aborted connections are logged as such. PR 62823
+ [Arnaud Grandville <contact@grandville.net>]
- *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
+ *) mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when
+ there are still idle threads available. When there are less idle threads than
+ MinSpareThreads, issue new one-time message AH10159. Matches worker MPM.
[Eric Covener]
+ *) mod_http2: adding defensive code for stream EOS handling, in case the request handler
+ missed to signal it the normal way (eos buckets). Addresses github issues
+ https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
+ and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing]
+
+ *) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
+ body of the response. [Jim Jagielski]
+
+ *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
+ [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]
+
+ *) mod_dav_fs: Set a default DAVLockDB within the state directory.
+ [Joe Orton]
+
+ *) core: Add DefaultStateDir and layout-specific state directory
+ created at "make install". [Joe Orton]
+
+ *) mod_ssl: Fix a regression that the configuration settings for verify mode
+ and verify depth were taken from the frontend connection in case of
+ connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
+
+ *) ab: Add client certificate support. [Graham Leggett]
+
+ *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
+ [Dominik Stillhard <dominik.stillhard united-security-providers.ch>]
+
+ *) mod_http2: connection IO event handling reworked. Instead of reacting on
+ incoming bytes, the state machine now acts on incoming frames that are
+ affecting it. This reduces state transitions. [Stefan Eissing]
+
+ *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
+ before signals handling to avoid lifetime issues on restart or shutdown.
+ PR 62658. [Yann Ylavic]
+
+ *) core: Add StrictHostCheck to allow ucnonfigured hostnames to be
+ rejected. [Eric Covener]
+
+ *) mod_status: Cumulate CPU time of exited child processes in the
+ "cu" and "cs" values. Add CPU time of the parent process to the
+ "c" and "s" values.
+ [Rainer Jung]
+
+ *) mod_status: Add cumulated response duration time in milliseconds.
+ [Rainer Jung]
+
+ *) mod_status: Complete the data shown for async MPMs in "auto" mode.
+ Added number of processes, number of stopping processes and number
+ of busy and idle workers. [Rainer Jung]
+
+ *) mod_proxy: Improve the balancer member data shown in mod_status when
+ "ProxyStatus" is "On": add "busy" count and show byte counts in auto
+ mode always in units of kilobytes. [Rainer Jung]
+
+ *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
+ redirects, subsequent ProxyPassReverse statements, whether they are
+ relative or absolute, may fail. PR 60408. [Peter Haworth <pmh1wheel gmail.com>]
+
+ *) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
+ introduced in 2.4.34. PR 62568. [Yann Ylavic]
+
+ *) mod_proxy_http: forward 100-continue, and minimize race conditions when
+ reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere]
+
+ *) mod_proxy: Remove load order and link dependency between mod_lbmethod_*
+ modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe]
+
+ *) mod_md: more robust handling of http-01 challenges and hands-off when module
+ should not be involved, e.g. challenge setup by another ACME client. [Stefan Eissing]
+
+ *) ru, zh-cn and zh-tw translations of errordocs have been added.
+ Contributed by Alexander Gaganashvili and CodeingBoy
+
+ *) mod_userdir: If several directories are given in a UserDir directive, only files
+ in the first existing one are checked. If the file is not found there, the
+ other possible directories are not checked. The doc clearly states that they
+ will be checked one by one, until a match is found or an external redirect is
+ performed. PR 59636.
+ [Christophe Jaillet]
+
+ *) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
+ this type of map is present in the configuration. PR62311.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_ldap: Abort on LDAP locking errors. [Eric Covener]
+
+ *) mod_ssl: Support loading certificates and private keys from the
+ PKCS#11 OpenSSL engine. [Anderson Sasaki <ansasaki redhat.com>,
+ Joe Orton]
+
+ *) mod_http2: adding an abort function to slave connections' pools, so out-of-memory
+ events lead to a control process abort, as on HTTP/1.x connections. [Stefan Eissing]
+
+ *) mod_http2: adding regular memory cleanup when transferring large response bodies. This
+ reduces memory footprint and avoids memory exhaustion when transferring large files
+ on 32-bit architectures. Fixes PR 62325. [Stefan Eissing]
+
+ *) http: LimitRequestBody applies to proxied requests. [Yann Ylavic]
+
+ *) mod_logio: Add LogIOTrackTTFU and %^FU logformat to log the time
+ difference between request start and last request body byte read (finished upload).
+ [Rainer Jung]
+
+ *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre4, other libs may
+ need more sugar). SSL(Proxy)CipherSuite now has an optional first parameter for the
+ protocol the ciphers are for.
+ Directive "SSLVerifyClient" now triggers certificate retrieval from the client (this
+ is not fully tested - but fails in similar fashion as in TLSv1.2 in my setups).
+ Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols,
+ as this would need to trigger the master connection thread - which we do not support
+ right now.
+ Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite"
+ does not allow to specify TLSv1.3 ciphers in a directory context (because it cannot work) and
+ TLSv1.2 or lower ciphers are not relevant, as cipher suites are completely separate.
+ This means there is a bit if a world split when simultaneously having TLSv1.2 and TLSv1.3
+ connections to the same server.
+ [Yann Ylavic, Stefan Eissing]
+
+ *) mod_ssl: proper checks for libressl 2.07/8 and its TLSv1_3 support, see PR 62236.
+ [Bernard Spil <brnrd@freebsd.org>]
+
+ *) mod_http2: on level trace2, log any unsuccessful HTTP/2 direct connection upgrade
+ with base64 encoding to unify its appearance in possible bug reports. [Stefan Eissing]
+
+ *) mod_cgi: Add CGIScriptTimeout to make mod_cgi's timeout per-directory and
+ independent of the core Timeout directive. PR 62229.
+ [Hank Ibell <hwibell gmail.com>]
+
*) mod_ssl: heavily simplified SSLPolicy. No more user defines, no propxy policies,
just the basic "modern", "intermediate" and "old" as specified by Mozilla security.
[Stefan Eissing]
- *) mod_remoteip: make proxy-protocol work on slave connections, e.g. in HTTP/2
- requests. See also https://github.com/roadrunner2/mod-proxy-protocol/issues/6
- [Stefan Eissing]
-
*) mod_md: fixes error in renew window calculation that may lead to mod_md running
watchdog in a tight loop until actual renewal becomes necessary. [Stefan Eissing]
co-existance between mod_md and other ACME clients on the same server (implements PR62189).
[Stefan Eissing, Arkadiusz Miskiewicz <arekm@maven.pl>]
- *) mod_md: Fix compilation with OpenSSL before version 1.0.2. [Rainer Jung]
-
*) core: Create a conn_config_t structure to hold an extendable core config rather
than consuming the whole pointer with the connection socket. [Graham Leggett]
error logging of exact ACME response when challenges failed.
[Stefan Eissing]
- *) mod_dumpio: do nothing below log level TRACE7. [Yann Ylavic]
-
*) mod_md: reverses most of v1.0.5 optimization of post_config init, so that
mod_ssl can ask for certiticates without crashing. [Stefan Eissing]
associated with an active connection in the "ACC" field. Previously
zero was always reported with this MPM. PR60647. [Eric Covener]
- *) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
- zero out what had been initialized as the connection-level port. PR59931.
- [Hank Ibell <hwibell gmail.com>]
-
*) mod_proxy_wstunnel: Reliably run before mod_proxy_http.
[Eric Covener]
*) mod_status, mod_echo: Fix the display of client addresses.
They were truncated to 31 characters which is not enough for IPv6 addresses.
- PR 54848 [Bernhard Schmidt <berni birkenwald de>]
+ This is done by deprecating the use of the 'client' field and using
+ the new 'client64' field in worker_score.
+ PR 54848 [Bernhard Schmidt <berni birkenwald de>, Jim Jagielski]
*) core: merge AllowEncodedSlashes from the base configuration into
virtual hosts. [Eric Covener]
- mod_socache_shmcb, mod_socache_dbm: shared memory or dbm for cache
[Jeff Trawick]
- *) suexec: Add --enable-suexec-capabilites support on Linux, to use
- setuid/setgid capability bits rather than a setuid root binary.
- [Joe Orton]
-
- *) suexec: Add support for logging to syslog as an alternative to logging
- to a file; configure --without-suexec-logfile --with-suexec-syslog.
- [Joe Orton]
-
*) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210.
[Matthew Steele <mdsteele google.com>]
Changes with Apache 2.0.x and later:
*) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
-