X-Git-Url: https://granicus.if.org/sourcecode?a=blobdiff_plain;f=CHANGES;h=5cbcd36210ebedfc627522e1cc5ab27facc86058;hb=531901931cd7c65ff6085bdb2568b726e6301012;hp=d655fd6bee9ee5a8f7d4f7322ab6c8319cf8364f;hpb=a61fdd90b2bf8708a9d7cd0f583b5b560135c464;p=apache diff --git a/CHANGES b/CHANGES index d655fd6bee..5cbcd36210 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,7 +1,253 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.30 + + *) mod_session: Strip Session header when SessionEnv is on. [Yann Ylavic] + + *) mod_cache_socache: Fix caching of empty headers up to carriage return. + [Yann Ylavic] + + *) core: For consistency, ensure that read lines are NUL terminated on any + error, not only on buffer full. [Yann Ylavic] + + *) mod_authnz_ldap: Fix language long names detection as short name. + [Yann Ylavic] + + *) mod_proxy: Worker schemes and hostnames which are too large are no + longer fatal errors; it is logged and the truncated values are stored. + [Jim Jagielski] + + *) regex: Allow to configure global/default options for regexes, like + caseless matching or extended format. [Yann Ylavic] + + *) mod_proxy: Allow setting options to globally defined balancer from + ProxyPass used in VirtualHost. Balancers are now merged using the new + merge_balancers method which merges the balancers options. [Jan Kaluza] + + *) logresolve: Fix incorrect behavior or segfault if -c flag is used + Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259 + [Stefan Fritsch] + + *) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla). + Add ability for PROXY protocol processing to be optional to donated code. + See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt + [Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri] + + *) mod_proxy, mod_ssl: Handle SSLProxy* directives in sections, + allowing per backend TLS configuration. [Yann Ylavic] + + *) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module. [Roberto De Ioris, + Jim Jagielski] + + *) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not + depend on the number of restarts (non-Unix systems) and preserve shared + names as much as possible on configuration changes for SHMs and persisted + files. PR 62044. 
[Yann Ylavic, Jim Jagielski] + + *) mod_http2: obsolete code removed, no more events on beam pool destruction, + discourage content encoders on http2-status response (where they do not work). + [Stefan Eissing] + + *) mpm_event: Let the listener thread do its maintenance job on resources + shortage. PR 61979. [Yann Ylavic] + + *) mpm_event: Wakeup the listener to re-enable listening sockets. + [Yann Ylavic] + + *) mod_ssl: The SSLCompression directive will now give an error if used + with an OpenSSL build which does not support any compression methods. + [Joe Orton] + + *) mpm_event,worker: Mask signals for threads created by modules in child + init, so that they don't receive (implicitely) the ones meant for the MPM. + PR 62009. [Armin Abfalterer , Yann Ylavic] + + *) mod_md: new experimental, module for managing domains across virtual hosts, + implementing the Let's Encrypt ACMEv1 protocol to signup and renew + certificates. Please read the modules documentation for further instructions + on how to use it. [Stefan Eissing] + + *) mod_proxy_html: skip documents shorter than 4 bytes + PR 56286 [Micha Lenk ] + + *) core, mpm_event: Avoid a small memory leak of the scoreboard handle, for + the lifetime of the connection, each time it is processed by MPM event. + [Yann Ylavic] + + *) mpm_event: Update scoreboard status for KeepAlive state. [Yann Ylavic] + + *) mod_ldap: Fix a case where a full LDAP cache would continually fail to + purge old entries and log AH01323. PR61891. + [Hendrik Harms ] + + *) mpm_event: close connections not reported as handled by any module to + avoid losing track of them and leaking scoreboard entries. PR 61551. + [Yann Ylavic] + + *) core: A signal received while stopping could have crashed the main + process. PR 61558. [Yann Ylavic] + + *) mod_ssl: support for mod_md added. [Stefan Eissing] + + *) mod_proxy_html: process parsed comments immediately. 
+ Fixes bug (seen in the wild when used with IBM's HTTPD bundle) + where parsed comments may be lost. [Nick Kew] + + *) mod_proxy_html: introduce doctype for HTML 5 [Nick Kew] + + *) mod_proxy_html: fix typo-bug processing "strict" vs "transitional" + HTML/XHTML. PR 56457 [Nick Kew] + + *) mpm_event: avoid a very unlikely race condition between the listener and + the workers when the latter fails to add a connection to the pollset. + [Yann Ylavic] + + *) core: silently ignore a not existent file path when IncludeOptional + is used. PR 57585. [Alberto Murillo Silva , Luca Toscano] + + *) mod_macro: fix usability of globally defined macros in .htaccess files. + PR 57525. [Jose Kahan , Yann Ylavic] + + *) mod_rewrite, core: add the Vary header when a condition evaluates to true + and the related RewriteRule is used in a Directory context + (triggering an internal redirect). [Luca Toscano] + + *) ab: Make the TLS layer aware that the underlying socket is nonblocking, + and use/handle POLLOUT where needed to avoid busy IOs and recover write + errors when appropriate. [Yann Ylavic] + + *) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous + read was incomplete (the SSL case can cause the next poll() to timeout + since data are buffered already). PR 61301 [Luca Toscano, Yann Ylavic] + + *) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain + information retrievals on null bucket beams where it makes sense. [Stefan Eissing] + +Changes with Apache 2.4.29 + + *) mod_unique_id: Use output of the PRNG rather than IP address and + pid, avoiding sleep() call and possible DNS issues at startup, + plus improving randomness for IPv6-only hosts. [Jan Kaluza] + + *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST + is used in a condition that evaluates to true. 
PR 58231 [Luca Toscano, Yann Ylavic] + + *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket + beams that could lead to assertion failure in edge cases. + [Stefan Eissing] + + *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced + in 2.4.28. [Jim Jagielski] + + *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set. + PR 61546. [Lubos Uhliarik ] + + *) mod_rewrite: Add support for starting External Rewriting Programs + as non-root user on UNIX systems by specifying username and group + name as third argument of RewriteMap directive. [Jan Kaluza] + + *) core: Rewrite the Content-Length filter to avoid excessive memory + consumption. Chunked responses will be generated in more cases + than in previous releases. PR 61222. [Joe Orton, Ruediger Pluem] + + *) mod_ssl: Fix SessionTicket callback return value, which does seem to + matter with OpenSSL 1.1. [Yann Ylavic] + +Changes with Apache 2.4.28 + + *) SECURITY: CVE-2017-9798 (cve.mitre.org) + Corrupted or freed memory access. must now be used in the + main configuration file (httpd.conf) to register HTTP methods before the + .htaccess files. [Yann Ylavic] + + *) event: Avoid possible blocking in the listener thread when shutting down + connections. PR 60956. [Yann Ylavic] + + *) mod_speling: Don't embed referer data in a link in error page. + PR 38923 [Nick Kew] + + *) htdigest: prevent a buffer overflow when a string exceeds the allowed max + length in a password file. + [Luca Toscano, Hanno Böck ] + + *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25). + [Jim Jagielski] + + *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically. + PR 61142. + + *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified + down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond), + 's' (second) and 'hr' (hour!) time suffixes. 
[Jim Jagielski] + + *) mod_http2: Fix for stalling when more than 32KB are written to a + suspended stream. [Stefan Eissing] + + *) build: allow configuration without APR sources. [Jacob Champion] + + *) mod_ssl, ab: Fix compatibility with LibreSSL. PR 61184. + [Bernard Spil , Michael Schlenker , + Yann Ylavic] + + *) core/log: Support use of optional "tag" in syslog entries. + PR 60525. [Ben Rubson , Jim Jagielski] + + *) mod_proxy: Fix ProxyAddHeaders merging. [Joe Orton] + + *) core: Disallow multiple Listen on the same IP:port when listener buckets + are configured (ListenCoresBucketsRatio > 0), consistently with the single + bucket case (default), thus avoiding the leak of the corresponding socket + descriptors on graceful restart. [Yann Ylavic] + + *) event: Avoid listener periodic wake ups by using the pollset wake-ability + when available. PR 57399. [Yann Ylavic, Luca Toscano] + + *) mod_proxy_wstunnel: Fix detection of unresponded request which could have + led to spurious HTTP 502 error messages sent on upgrade connections. + PR 61283. [Yann Ylavic] Changes with Apache 2.4.27 + *) SECURITY: CVE-2017-9789 (cve.mitre.org) + mod_http2: Read after free. When under stress, closing many connections, + the HTTP/2 handling code would sometimes access memory after it has been + freed, resulting in potentially erratic behaviour. + [Stefan Eissing] + + *) SECURITY: CVE-2017-9788 (cve.mitre.org) + mod_auth_digest: Uninitialized memory reflection. The value placeholder + in [Proxy-]Authorization headers type 'Digest' was not initialized or + reset before or between successive key=value assignments. + [William Rowe] + + *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table' + global variable when using Lua 5.2 or later. This was exported as a + side effect from luaL_register, which is no longer supported as of + Lua 5.2 which deprecates pollution of the global namespace. 
+ [Rainer Jung] + + *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork. + The server will continue to run, but HTTP/2 will no longer be negotiated. + [Stefan Eissing] + + *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the + default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202. + [Jacob Champion, Jim Jagielski] + + *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3. + PR58188, PR60831, PR61245. [Rainer Jung] + + *) mod_http2: Simplify ready queue, less memory and better performance. Update + mod_http2 version to 1.10.7. [Stefan Eissing] + + *) Allow single-char field names inadvertently disallowed in 2.4.25. + PR 61220. [Yann Ylavic] + + *) htpasswd / htdigest: Do not apply the strict permissions of the temporary + passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem] + + *) core: Avoid duplicate HEAD in Allow header. + This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26. + PR 61207. [Christophe Jaillet] Changes with Apache 2.4.26 @@ -288,6 +534,9 @@ Changes with Apache 2.4.24 (not released) *) mod_socache_memcache: Provide memcache stats to mod_status. [Jim Jagielski] + *) mod_file_cache: mod_file_cache should be able to serve files that + haven't had a Content-Type set via e.g. mod_mime. [Eric Covener] + *) http_filters: Fix potential looping in new check_headers() due to new pattern of ap_die() from http header filter. Explicitly clear the previous headers and body. @@ -318,7 +567,7 @@ Changes with Apache 2.4.24 (not released) *) core: New directive RegisterHttpMethod for registering non-standard HTTP methods. [Stefan Fritsch] - *) mod_socache_memcache: Pass expiration time through to memcached. + *) mod_socache_memcache: Pass expiration time through to memcached. PR 55445. [Faidon Liambotis , Joe Orton] *) mod_cache: Use the actual URI path and query-string for identifying the 
@@ -515,6 +764,9 @@ Changes with Apache 2.4.22 Changes with Apache 2.4.21 + *) core: Added support for HTTP code 451. PR 58985. + [Yehuda Katz , Jim Jagielski] + *) ab: Use caseless matching for HTTP tokens (e.g. content-length). PR 59111. [Yann Ylavic]
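Review bot: In the first hunk (@@ -1,7 +1,253 @@), the SECURITY entry for CVE-2017-9798 under 2.4.28 reads "Corrupted or freed memory access. must now be used in the main configuration file (httpd.conf) to register HTTP methods before the .htaccess files." The second sentence has no subject, so an administrator cannot tell which directive has to move into httpd.conf. Name the directive explicitly, since this sentence is the only operational guidance the entry gives. The same hunk has a similar gap in "Handle SSLProxy* directives in sections" (which sections?). It lists mod_http2 as "v0.10.12" under 2.4.29 while the 2.4.27 entry says "Update mod_http2 version to 1.10.7". The mod_proxy_wstunnel entry "Allow upgrade to any protocol dynamically. PR 61142." has no attribution, and the hunk carries the typos "implicitely" and "spefified".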
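Review bot: In the @@ -288,6 +534,9 @@ hunk, the new mod_file_cache entry says what the module "should be able to" do rather than what changed, and it lands in the "2.4.24 (not released)" section in a commit whose main content is the 2.4.27 through 2.4.30 sections. Reword it as a statement of the change, for example "mod_file_cache: Serve files that haven't had a Content-Type set via e.g. mod_mime.", and confirm that 2.4.24 is the section the change belongs in. The entry has no PR number to check it against.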
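Review bot: In the last hunk (@@ -515,6 +764,9 @@), the "core: Added support for HTTP code 451. PR 58985." entry is inserted under "Changes with Apache 2.4.21", below the 2.4.22 header, by the same commit that introduces the 2.4.30 section, so please confirm the change actually shipped in 2.4.21 before backfilling it there. On wording, the neighbouring entry uses the imperative ("ab: Use caseless matching ..."), so "Add support for HTTP status code 451" would match.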