X-Git-Url: https://granicus.if.org/sourcecode?a=blobdiff_plain;f=CHANGES;h=b686be6be94191d995cf1b54f394d8ceff55ea92;hb=7cdf97cd49d67b77cdffb02acf9713a692ba33e6;hp=672d5b4b9d1287552efd6dd72243c8dfe664f7f7;hpb=8b305c839724e92990c54c5e096330f3710e93d0;p=apache diff --git a/CHANGES b/CHANGES index 672d5b4b9d..b686be6be9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,23 +1,193 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_auth_digest: Fix a race condition. Authentication with valid credentials could be + refused in case of concurrent accesses from different users. + PR 63124 [Simon Kappel ] - *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may - need more sugar). Added configuration directives for TLSv1.3 cipher suites (which - are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity - to find a better name. - [Stefan Eissing] + *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by + configuration (SSLFIPS on) and not active by default in OpenSSL. + PR 63136. [Yann Ylavic] + + *) mod_http2: Configuration directoves H2Push and H2Upgrade can now be specified per + Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing] + + *) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to + terminate improperly and cause a HTTP/2 PROTOCOL_ERROR. + Fixes . [Michael Kaufmann] + + *) mod_ssl: give mod_md the chance to override certificate after ALPN protocol + negotiation. [Stefan Eissing] + + *) mod_http2: enable re-use of slave connections again. Fixed slave connection + keepalives counter. [Stefan Eissing] + + *) mod_proxy_wstunnel: Fix websocket proxy over UDS. + PR 62932 + + *) mod_negociation: LanguagePriority should be case-insensitive in order to + match AddLanguage behavior. PR 39730 [Christophe Jaillet] + + *) mod_session: Always decode session attributes early. [Hank Ibell] + + *) core: Incorrect values for environment variables are substituted when + multiple environment variables are specified in a directive. [Hank Ibell] + + *) core: Split out the ability to parse wildcard files and directories + from the Include/IncludeOptional directives into a generic set of + functions ap_dir_nofnmatch() and ap_dir_fnmatch(). [Graham Leggett] + + *) mod_dav: Fix an unlikely time-window where some incorrect data could be returned + from a PROPFIND request [Ruediger Pluem] + + *) mod_ssl: Fix mod_authz provider for "require ssl" directive to check correctly + on HTTP/2 connections. Fixes PR 62654. [Stefan Eissing] + + *) mod_ssl: clear *SSL errors before loading certificates and checking + afterwards. Otherwise errors are reported when other SSL using modules + are in play. Fixes PR 62880. [Michael Kaufmann] + + *) mod_ssl: Correctly merge configurations that have client certificates set + by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem] + + *) core: Ensure that aborted connections are logged as such. PR 62823 + [Arnaud Grandville ] - *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard). + *) mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when + there are still idle threads available. When there are less idle threads than + MinSpareThreads, issue new one-time message AH10159. Matches worker MPM. [Eric Covener] + *) mod_http2: adding defensive code for stream EOS handling, in case the request handler + missed to signal it the normal way (eos buckets). Addresses github issues + https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167 + and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing] + + *) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the + body of the response. [Jim Jagielski] + + *) mod_session_cookie: avoid duplicate Set-Cookie header in the response. + [Emmanuel Dreyfus , Luca Toscano] + + *) mod_dav_fs: Set a default DAVLockDB within the state directory. + [Joe Orton] + + *) core: Add DefaultStateDir and layout-specific state directory + created at "make install". [Joe Orton] + + *) mod_ssl: Fix a regression that the configuration settings for verify mode + and verify depth were taken from the frontend connection in case of + connections by the proxy to the backend. PR 62769. [Ruediger Pluem] + + *) ab: Add client certificate support. [Graham Leggett] + + *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499 + [Dominik Stillhard ] + + *) mod_http2: connection IO event handling reworked. Instead of reacting on + incoming bytes, the state machine now acts on incoming frames that are + affecting it. This reduces state transitions. [Stefan Eissing] + + *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and + before signals handling to avoid lifetime issues on restart or shutdown. + PR 62658. [Yann Ylavic] + + *) core: Add StrictHostCheck to allow ucnonfigured hostnames to be + rejected. [Eric Covener] + + *) mod_status: Cumulate CPU time of exited child processes in the + "cu" and "cs" values. Add CPU time of the parent process to the + "c" and "s" values. + [Rainer Jung] + + *) mod_status: Add cumulated response duration time in milliseconds. + [Rainer Jung] + + *) mod_status: Complete the data shown for async MPMs in "auto" mode. + Added number of processes, number of stopping processes and number + of busy and idle workers. [Rainer Jung] + + *) mod_proxy: Improve the balancer member data shown in mod_status when + "ProxyStatus" is "On": add "busy" count and show byte counts in auto + mode always in units of kilobytes. [Rainer Jung] + + *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative + redirects, subsequent ProxyPassReverse statements, whether they are + relative or absolute, may fail. PR 60408. [Peter Haworth ] + + *) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression + introduced in 2.4.34. PR 62568. [Yann Ylavic] + + *) mod_proxy_http: forward 100-continue, and minimize race conditions when + reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere] + + *) mod_proxy: Remove load order and link dependency between mod_lbmethod_* + modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe] + + *) mod_md: more robust handling of http-01 challenges and hands-off when module + should not be involved, e.g. challenge setup by another ACME client. [Stefan Eissing] + + *) ru, zh-cn and zh-tw translations of errordocs have been added. + Contributed by Alexander Gaganashvili and CodeingBoy + + *) mod_userdir: If several directories are given in a UserDir directive, only files + in the first existing one are checked. If the file is not found there, the + other possible directories are not checked. The doc clearly states that they + will be checked one by one, until a match is found or an external redirect is + performed. PR 59636. + [Christophe Jaillet] + + *) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when + this type of map is present in the configuration. PR62311. + [Hank Ibell ] + + *) mod_ldap: Abort on LDAP locking errors. [Eric Covener] + + *) mod_ssl: Support loading certificates and private keys from the + PKCS#11 OpenSSL engine. [Anderson Sasaki , + Joe Orton] + + *) mod_http2: adding an abort function to slave connections' pools, so out-of-memory + events lead to a control process abort, as on HTTP/1.x connections. [Stefan Eissing] + + *) mod_http2: adding regular memory cleanup when transferring large response bodies. This + reduces memory footprint and avoids memory exhaustion when transferring large files + on 32-bit architectures. Fixes PR 62325. [Stefan Eissing] + + *) http: LimitRequestBody applies to proxied requests. [Yann Ylavic] + + *) mod_logio: Add LogIOTrackTTFU and %^FU logformat to log the time + difference between request start and last request body byte read (finished upload). + [Rainer Jung] + + *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre4, other libs may + need more sugar). SSL(Proxy)CipherSuite now has an optional first parameter for the + protocol the ciphers are for. + Directive "SSLVerifyClient" now triggers certificate retrieval from the client (this + is not fully tested - but fails in similar fashion as in TLSv1.2 in my setups). + Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols, + as this would need to trigger the master connection thread - which we do not support + right now. + Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite" + does not allow to specify TLSv1.3 ciphers in a directory context (because it cannot work) and + TLSv1.2 or lower ciphers are not relevant, as cipher suites are completely separate. + This means there is a bit if a world split when simultaneously having TLSv1.2 and TLSv1.3 + connections to the same server. + [Yann Ylavic, Stefan Eissing] + + *) mod_ssl: proper checks for libressl 2.07/8 and its TLSv1_3 support, see PR 62236. + [Bernard Spil ] + + *) mod_http2: on level trace2, log any unsuccessful HTTP/2 direct connection upgrade + with base64 encoding to unify its appearance in possible bug reports. [Stefan Eissing] + + *) mod_cgi: Add CGIScriptTimeout to make mod_cgi's timeout per-directory and + independent of the core Timeout directive. PR 62229. + [Hank Ibell ] + *) mod_ssl: heavily simplified SSLPolicy. No more user defines, no propxy policies, just the basic "modern", "intermediate" and "old" as specified by Mozilla security. [Stefan Eissing] - *) mod_remoteip: make proxy-protocol work on slave connections, e.g. in HTTP/2 - requests. See also https://github.com/roadrunner2/mod-proxy-protocol/issues/6 - [Stefan Eissing] - *) mod_md: fixes error in renew window calculation that may lead to mod_md running watchdog in a tight loop until actual renewal becomes necessary. [Stefan Eissing] @@ -26,8 +196,6 @@ Changes with Apache 2.5.1 co-existance between mod_md and other ACME clients on the same server (implements PR62189). [Stefan Eissing, Arkadiusz Miskiewicz ] - *) mod_md: Fix compilation with OpenSSL before version 1.0.2. [Rainer Jung] - *) core: Create a conn_config_t structure to hold an extendable core config rather than consuming the whole pointer with the connection socket. [Graham Leggett] @@ -79,8 +247,6 @@ Changes with Apache 2.5.1 error logging of exact ACME response when challenges failed. [Stefan Eissing] - *) mod_dumpio: do nothing below log level TRACE7. [Yann Ylavic] - *) mod_md: reverses most of v1.0.5 optimization of post_config init, so that mod_ssl can ask for certiticates without crashing. [Stefan Eissing] @@ -235,10 +401,6 @@ Changes with Apache 2.5.0-alpha associated with an active connection in the "ACC" field. Previously zero was always reported with this MPM. PR60647. [Eric Covener] - *) mod_remoteip: When overriding the useragent address from X-Forwarded-For, - zero out what had been initialized as the connection-level port. PR59931. - [Hank Ibell ] - *) mod_proxy_wstunnel: Reliably run before mod_proxy_http. [Eric Covener] @@ -466,7 +628,9 @@ Changes with Apache 2.5.0-alpha *) mod_status, mod_echo: Fix the display of client addresses. They were truncated to 31 characters which is not enough for IPv6 addresses. - PR 54848 [Bernhard Schmidt ] + This is done by deprecating the use of the 'client' field and using + the new 'client64' field in worker_score. + PR 54848 [Bernhard Schmidt , Jim Jagielski] *) core: merge AllowEncodedSlashes from the base configuration into virtual hosts. [Eric Covener] @@ -551,14 +715,6 @@ Changes with Apache 2.5.0-alpha - mod_socache_shmcb, mod_socache_dbm: shared memory or dbm for cache [Jeff Trawick] - *) suexec: Add --enable-suexec-capabilites support on Linux, to use - setuid/setgid capability bits rather than a setuid root binary. - [Joe Orton] - - *) suexec: Add support for logging to syslog as an alternative to logging - to a file; configure --without-suexec-logfile --with-suexec-syslog. - [Joe Orton] - *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210. [Matthew Steele ] @@ -601,4 +757,3 @@ Changes with Apache 2.2.x and later: Changes with Apache 2.0.x and later: *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup -