Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 7688
1 files changed, 7688 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
new file mode 100644
index 0000000..b0e8b11
--- /dev/null
+++ b/CHANGES
@@ -0,0 +1,7688 @@
+ -*- coding: utf-8 -*-
+Changes with Apache 2.4.57
+
+ *) mod_proxy: Check before forwarding that a nocanon path has not been
+ rewritten with spaces during processing. [Yann Ylavic]
+
+ *) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
+ double encode encoded slashes in the URL sent by the reverse proxy to the
+ backend. [Ruediger Pluem]
+
+ *) mod_http2: fixed a crash during connection termination. See PR 66539.
+ [Stefan Eissing]
+
+ *) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
+ in a question mark. PR66547. [Eric Covener]
+
+ *) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
+ characters on redirections without the "NE" flag.
+ [Yann Ylavic, Eric Covener]
+
+ *) mod_proxy: Fix double encoding of the uri-path of the request forwarded
+ to the origin server, when using mapping=encoded|servlet. [Yann Ylavic]
+
+ *) mod_mime: Do not match the extention against possible query string
+ parameters in case ProxyPass was used with the nocanon option.
+ [Ruediger Pluem]
+
+Changes with Apache 2.4.56
+
+ *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
+ HTTP response splitting (cve.mitre.org)
+ HTTP Response Smuggling vulnerability in Apache HTTP Server via
+ mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
+ 2.4.30 through 2.4.55.
+ Special characters in the origin response header can
+ truncate/split the response forwarded to the client.
+ Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)
+
+ *) SECURITY: CVE-2023-25690: HTTP request splitting with
+ mod_rewrite and mod_proxy (cve.mitre.org)
+ Some mod_proxy configurations on Apache HTTP Server versions
+ 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
+ Configurations are affected when mod_proxy is enabled along with
+ some form of RewriteRule or ProxyPassMatch in which a non-specific
+ pattern matches some portion of the user-supplied request-target (URL)
+ data and is then re-inserted into the proxied request-target
+ using variable substitution. For example, something like:
+ RewriteEngine on
+ RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
+ ProxyPassReverse /here/ http://example.com:8080/
+ Request splitting/smuggling could result in bypass of access
+ controls in the proxy server, proxying unintended URLs to
+ existing origin servers, and cache poisoning.
+ Credits: Lars Krapf of Adobe
+
+ *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
+ truncated without the initial logfile being truncated. [Eric Covener]
+
+ *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
+ allow connections of any age to be reused. Up to now, a negative value
+ was handled as an error when parsing the configuration file. PR 66421.
+ [nailyk <bzapache nailyk.fr>, Christophe Jaillet]
+
+ *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
+ of headers. [Ruediger Pluem]
+
+ *) mod_md:
+ - Enabling ED25519 support and certificate transparency information when
+ building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
+ - MDChallengeDns01 can now be configured for individual domains.
+ Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
+ - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
+ teardown not being invoked as it should.
+ [Stefan Eissing]
+
+ *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
+ reported in access logs and error documents. The processing of the
+ reset was correct, only unneccesary reporting was caused.
+ [Stefan Eissing]
+
+ *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
+ [Yann Ylavic]
+
+Changes with Apache 2.4.55
+
+ *) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
+ 2.4.55 allows a backend to trigger HTTP response splitting
+ (cve.mitre.org)
+ Prior to Apache HTTP Server 2.4.55, a malicious backend can
+ cause the response headers to be truncated early, resulting in
+ some headers being incorporated into the response body. If the
+ later headers have any security purpose, they will not be
+ interpreted by the client.
+ Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
+
+ *) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
+ Possible request smuggling (cve.mitre.org)
+ Inconsistent Interpretation of HTTP Requests ('HTTP Request
+ Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
+ allows an attacker to smuggle requests to the AJP server it
+ forwards requests to. This issue affects Apache HTTP Server
+ Apache HTTP Server 2.4 version 2.4.54 and prior versions.
+ Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
+ at Qi'anxin Group
+
+ *) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write
+ of zero byte (cve.mitre.org)
+ A carefully crafted If: request header can cause a memory read,
+ or write of a single zero byte, in a pool (heap) memory location
+ beyond the header value sent. This could cause the process to
+ crash.
+ This issue affects Apache HTTP Server 2.4.54 and earlier.
+
+ *) mod_dav: Open the lock database read-only when possible.
+ PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
+
+ *) mod_proxy_http2: apply the standard httpd content type handling
+ to responses from the backend, as other proxy modules do. Fixes PR 66391.
+ Thanks to Jérôme Billiras for providing the patch.
+ [Stefan Eissing]
+
+ *) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
+ [Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
+ <alejandro.alvarez.ayllon cern.ch>]
+
+ *) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]
+
+ *) mod_http2: version 2.0.11 of the module, synchronizing changes
+ with the gitgub version. This is a partial rewrite of how connections
+ and streams are handled.
+ - an APR pollset and pipes (where supported) are used to monitor
+ the main connection and react to IO for request/response handling.
+ This replaces the stuttered timed waits of earlier versions.
+ - H2SerializeHeaders directive still exists, but has no longer an effect.
+ - Clients that seemingly misbehave still get less resources allocated,
+ but ongoing requests are no longer disrupted.
+ - Fixed an issue since 1.15.24 that "Server" headers in proxied requests
+ were overwritten instead of preserved. [PR by @daum3ns]
+ - A regression in v1.15.24 was fixed that could lead to httpd child
+ processes not being terminated on a graceful reload or when reaching
+ MaxConnectionsPerChild. When unprocessed h2 requests were queued at
+ the time, these could stall. See #212.
+ - Improved information displayed in 'server-status' for H2 connections when
+ Extended Status is enabled. Now one can see the last request that IO
+ operations happened on and transferred IO stats are updated as well.
+ - When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
+ send a GOAWAY frame much too early on new connections, leading to invalid
+ protocol state and a client failing the request. See PR65731 at
+ <https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
+ The module now initializes the HTTP/2 protocol correctly and allows the
+ client to submit one request before the shutdown via a GOAWAY frame
+ is being announced.
+ - :scheme pseudo-header values, not matching the
+ connection scheme, are forwarded via absolute uris to the
+ http protocol processing to preserve semantics of the request.
+ Checks on combinations of pseudo-headers values/absence
+ have been added as described in RFC 7540. Fixes #230.
+ - A bug that prevented trailers (e.g. HEADER frame at the end) to be
+ generated in certain cases was fixed. See #233 where it prevented
+ gRPC responses to be properly generated.
+ - Request and response header values are automatically stripped of leading
+ and trialing space/tab characters. This is equivalent behaviour to what
+ Apache httpd's http/1.1 parser does.
+ The checks for this in nghttp2 v1.50.0+ are disabled.
+ - Extensive testing in production done by Alessandro Bianchi (@alexskynet)
+ on the v2.0.x versions for stability. Many thanks!
+
+ *) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
+ request ':authority' is known. Improved test case that did not catch that
+ the previous 'fix' was incorrect.
+
+ *) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
+ using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
+
+ *) mod_proxy: The AH03408 warning for a forcibly closed backend
+ connection is now logged at INFO level. [Yann Ylavic]
+
+ *) mod_ssl: When dumping the configuration, the existence of
+ certificate/key files is no longer tested. [Joe Orton]
+
+ *) mod_authn_core: Add expression support to AuthName and AuthType.
+ [Graham Leggett]
+
+ *) mod_ssl: when a proxy connection had handled a request using SSL, an
+ error was logged when "SSLProxyEngine" was only configured in the
+ location/proxy section and not the overall server. The connection
+ continued to work, the error log was in error. Fixed PR66190.
+ [Stefan Eissing]
+
+ *) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
+ [Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
+
+ *) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
+ [Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
+
+ *) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
+
+ *) mod_md: a new directive `MDStoreLocks` can be used on cluster
+ setups with a shared file system for `MDStoreDir` to order
+ activation of renewed certificates when several cluster nodes are
+ restarted at the same time. Store locks are not enabled by default.
+ Restored curl_easy cleanup behaviour from v2.4.14 and refactored
+ the use of curl_multi for OCSP requests to work with that.
+ Fixes <https://github.com/icing/mod_md/issues/293>.
+
+ *) core: Avoid an overflow on large inputs in ap_is_matchexp. PR 66033
+ [Ruediger Pluem]
+
+ *) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
+ storage instead of slotmem. Needed after setting
+ HeartbeatMaxServers default to the documented value 10 in 2.4.54.
+ PR 66131. [Jérôme Billiras]
+
+ *) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
+ This is a game changer for performances if client use PROPFIND a lot,
+ PR 66313. [Emmanuel Dreyfus]
+
+Changes with Apache 2.4.54
+
+ *) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
+ hop-by-hop mechanism (cve.mitre.org)
+ Apache HTTP Server 2.4.53 and earlier may not send the
+ X-Forwarded-* headers to the origin server based on client side
+ Connection header hop-by-hop mechanism.
+ This may be used to bypass IP based authentication on the origin
+ server/application.
+ Credits: The Apache HTTP Server project would like to thank
+ Gaetan Ferry (Synacktiv) for reporting this issue
+
+ *) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
+ websockets (cve.mitre.org)
+ Apache HTTP Server 2.4.53 and earlier may return lengths to
+ applications calling r:wsread() that point past the end of the
+ storage allocated for the buffer.
+ Credits: The Apache HTTP Server project would like to thank
+ Ronald Crane (Zippenhop LLC) for reporting this issue
+
+ *) SECURITY: CVE-2022-30522: mod_sed denial of service
+ (cve.mitre.org)
+ If Apache HTTP Server 2.4.53 is configured to do transformations
+ with mod_sed in contexts where the input to mod_sed may be very
+ large, mod_sed may make excessively large memory allocations and
+ trigger an abort.
+ Credits: This issue was found by Brian Moussalli from the JFrog
+ Security Research team
+
+ *) SECURITY: CVE-2022-29404: Denial of service in mod_lua
+ r:parsebody (cve.mitre.org)
+ In Apache HTTP Server 2.4.53 and earlier, a malicious request to
+ a lua script that calls r:parsebody(0) may cause a denial of
+ service due to no default limit on possible input size.
+ Credits: The Apache HTTP Server project would like to thank
+ Ronald Crane (Zippenhop LLC) for reporting this issue
+
+ *) SECURITY: CVE-2022-28615: Read beyond bounds in
+ ap_strcmp_match() (cve.mitre.org)
+ Apache HTTP Server 2.4.53 and earlier may crash or disclose
+ information due to a read beyond bounds in ap_strcmp_match()
+ when provided with an extremely large input buffer. While no
+ code distributed with the server can be coerced into such a
+ call, third-party modules or lua scripts that use
+ ap_strcmp_match() may hypothetically be affected.
+ Credits: The Apache HTTP Server project would like to thank
+ Ronald Crane (Zippenhop LLC) for reporting this issue
+
+ *) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite()
+ (cve.mitre.org)
+ The ap_rwrite() function in Apache HTTP Server 2.4.53 and
+ earlier may read unintended memory if an attacker can cause the
+ server to reflect very large input using ap_rwrite() or
+ ap_rputs(), such as with mod_luas r:puts() function.
+ Credits: The Apache HTTP Server project would like to thank
+ Ronald Crane (Zippenhop LLC) for reporting this issue
+
+ *) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi
+ (cve.mitre.org)
+ Apache HTTP Server 2.4.53 and earlier on Windows may read beyond
+ bounds when configured to process requests with the mod_isapi
+ module.
+ Credits: The Apache HTTP Server project would like to thank
+ Ronald Crane (Zippenhop LLC) for reporting this issue
+
+ *) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request
+ smuggling (cve.mitre.org)
+ Inconsistent Interpretation of HTTP Requests ('HTTP Request
+ Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
+ allows an attacker to smuggle requests to the AJP server it
+ forwards requests to. This issue affects Apache HTTP Server
+ Apache HTTP Server 2.4 version 2.4.53 and prior versions.
+ Credits: Ricter Z @ 360 Noah Lab
+
+ *) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063.
+ [Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic]
+
+ *) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
+ PR 65666. [Yann Ylavic]
+
+ *) mod_md: a bug was fixed that caused very large MDomains
+ with the combined DNS names exceeding ~7k to fail, as
+ request bodies would contain partially wrong data from
+ uninitialized memory. This would have appeared as failure
+ in signing-up/renewing such configurations.
+ [Stefan Eissing, Ronald Crane (Zippenhop LLC)]
+
+ *) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
+ PR 65666. [Yann Ylavic]
+
+ *) MPM event: Restart children processes killed before idle maintenance.
+ PR 65769. [Yann Ylavic, Ruediger Pluem]
+
+ *) ab: Allow for TLSv1.3 when the SSL library supports it.
+ [abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic]
+
+ *) core: Disable TCP_NOPUSH optimization on OSX since it might introduce
+ transmission delays. PR 66019. [Yann Ylavic]
+
+ *) MPM event: Fix accounting of active/total processes on ungraceful restart,
+ PR 66004 (follow up to PR 65626 from 2.4.52). [Yann Ylavic]
+
+ *) core: make ap_escape_quotes() work correctly on strings
+ with more than MAX_INT/2 characters, counting quotes double.
+ Credit to <generalbugs@zippenhop.com> for finding this.
+ [Stefan Eissing]
+
+ *) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
+ an ACME CA. This gives a failover for renewals when several consecutive attempts
+ to get a certificate failed.
+ A new directive was added: `MDRetryDelay` sets the delay of retries.
+ A new directive was added: `MDRetryFailover` sets the number of errored
+ attempts before an alternate CA is selected for certificate renewals.
+ [Stefan Eissing]
+
+ *) mod_http2: remove unused and insecure code. Fixes PR66037.
+ Thanks to Ronald Crane (Zippenhop LLC) for reporting this.
+ [Stefan Eissing]
+
+ *) mod_proxy: Add backend port to log messages to
+ ease identification of involved service. [Rainer Jung]
+
+ *) mod_http2: removing unscheduling of ongoing tasks when
+ connection shows potential abuse by a client. This proved
+ counter-productive and the abuse detection can false flag
+ requests using server-side-events.
+ Fixes <https://github.com/icing/mod_h2/issues/231>.
+ [Stefan Eissing]
+
+ *) mod_md: Implement full auto status ("key: value" type status output).
+ Especially not only status summary counts for certificates and
+ OCSP stapling but also lists. Auto status format is similar to
+ what was used for mod_proxy_balancer.
+ [Rainer Jung]
+
+ *) mod_md: fixed a bug leading to failed transfers for OCSP
+ stapling information when more than 6 certificates needed
+ updates in the same run. [Stefan Eissing]
+
+ *) mod_proxy: Set a status code of 502 in case the backend just closed the
+ connection in reply to our forwarded request. [Ruediger Pluem]
+
+ *) mod_md: a possible NULL pointer deref was fixed in
+ the JSON code for persisting time periods (start+end).
+ Fixes #282 on mod_md's github.
+ Thanks to @marcstern for finding this. [Stefan Eissing]
+
+ *) mod_heartmonitor: Set the documented default value
+ "10" for HeartbeatMaxServers instead of "0". With "0"
+ no shared memory slotmem was initialized. [Rainer Jung]
+
+ *) mod_md: added support for managing certificates via a
+ local tailscale daemon for users of that secure networking.
+ This gives trusted certificates for tailscale assigned
+ domain names in the *.ts.net space.
+ [Stefan Eissing]
+
+ *) core: Change default value of LimitRequestBody from 0 (unlimited)
+ to 1GB. [Eric Covener]
+
+Changes with Apache 2.4.53
+
+ *) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
+ (cve.mitre.org)
+ Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
+ Server allows an attacker to overwrite heap memory with possibly
+ attacker provided data.
+ This issue affects Apache HTTP Server 2.4 version 2.4.52 and
+ prior versions.
+ Credits: Ronald Crane (Zippenhop LLC)
+
+ *) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
+ very large or unlimited LimitXMLRequestBody (cve.mitre.org)
+ If LimitXMLRequestBody is set to allow request bodies larger
+ than 350MB (defaults to 1M) on 32 bit systems an integer
+ overflow happens which later causes out of bounds writes.
+ This issue affects Apache HTTP Server 2.4.52 and earlier.
+ Credits: Anonymous working with Trend Micro Zero Day Initiative
+
+ *) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
+ in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
+ Apache HTTP Server 2.4.52 and earlier fails to close inbound
+ connection when errors are encountered discarding the request
+ body, exposing the server to HTTP Request Smuggling
+ Credits: James Kettle <james.kettle portswigger.net>
+
+ *) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
+ in r:parsebody (cve.mitre.org)
+ A carefully crafted request body can cause a read to a random
+ memory area which could cause the process to crash.
+ This issue affects Apache HTTP Server 2.4.52 and earlier.
+ Credits: Chamal De Silva
+
+ *) core: Make sure and check that LimitXMLRequestBody fits in system memory.
+ [Ruediger Pluem, Yann Ylavic]
+
+ *) core: Simpler connection close logic if discarding the request body fails.
+ [Yann Ylavic, Ruediger Pluem]
+
+ *) mod_http2: preserve the port number given in a HTTP/1.1
+ request that was Upgraded to HTTP/2. Fixes PR65881.
+ [Stefan Eissing]
+
+ *) mod_proxy: Allow for larger worker name. PR 53218. [Yann Ylavic]
+
+ *) dbm: Split the loading of a dbm driver from the opening of a dbm file. When
+ an attempt to load a dbm driver fails, log clearly which driver triggered
+ the error (not "default"), and what the error was. [Graham Leggett]
+
+ *) mod_proxy: Use the maxium of front end and backend timeouts instead of the
+ minimum when tunneling requests (websockets, CONNECT requests).
+ Backend timeouts can be configured more selectively (per worker if needed)
+ as front end timeouts and typically the backend timeouts reflect the
+ application requirements better. PR 65886 [Ruediger Pluem]
+
+ *) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers
+ when an efficient TLS implementation is available. [Yann Ylavic]
+
+ *) core, mod_info: Add compiled and loaded PCRE versions to version
+ number display. [Rainer Jung]
+
+ *) mod_md: do not interfere with requests to /.well-known/acme-challenge/
+ resources if challenge type 'http-01' is not configured for a domain.
+ Fixes <https://github.com/icing/mod_md/issues/279>.
+ [Stefan Eissing]
+
+ *) mod_dav: Fix regression when gathering properties which could lead to huge
+ memory consumption proportional to the number of resources.
+ [Evgeny Kotkov, Ruediger Pluem]
+
+ *) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
+ for regular expression evaluation. This depends on locating pcre2-config.
+ [William Rowe, Petr Pisar <ppisar redhat.com>, Rainer Jung]
+
+ *) Add the ldap function to the expression API, allowing LDAP filters and
+ distinguished names based on expressions to be escaped correctly to
+ guard against LDAP injection. [Graham Leggett]
+
+ *) mod_md: the status description in MDomain's JSON, exposed in the
+ md-status handler (if configured) did sometimes not carry the correct
+ message when certificates needed renew.
+ [Stefan Eissing]
+
+ *) mpm_event: Fix a possible listener deadlock on heavy load when restarting
+ and/or reaching MaxConnectionsPerChild. PR 65769. [Yann Ylavic]
+
+Changes with Apache 2.4.52
+
+ *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
+ multipart content in mod_lua of Apache HTTP Server 2.4.51 and
+ earlier (cve.mitre.org)
+ A carefully crafted request body can cause a buffer overflow in
+ the mod_lua multipart parser (r:parsebody() called from Lua
+ scripts).
+ The Apache httpd team is not aware of an exploit for the
+ vulnerability though it might be possible to craft one.
+ This issue affects Apache HTTP Server 2.4.51 and earlier.
+ Credits: Chamal
+
+ *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
+ forward proxy configurations in Apache HTTP Server 2.4.51 and
+ earlier (cve.mitre.org)
+ A crafted URI sent to httpd configured as a forward proxy
+ (ProxyRequests on) can cause a crash (NULL pointer dereference)
+ or, for configurations mixing forward and reverse proxy
+ declarations, can allow for requests to be directed to a
+ declared Unix Domain Socket endpoint (Server Side Request
+ Forgery).
+ This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
+ (included).
+ Credits: 漂亮鼠
+ TengMA(@Te3t123)
+
+ *) http: Enforce that fully qualified uri-paths not to be forward-proxied
+ have an http(s) scheme, and that the ones to be forward proxied have a
+ hostname, per HTTP specifications. [Ruediger Pluem, Yann Ylavic]
+
+ *) configure: OpenSSL detection will now use pkg-config data from
+ .../lib64/ within the --with-ssl path. [Jean-Frederic Clere]
+
+ *) mod_proxy_connect, mod_proxy: Do not change the status code after we
+ already sent it to the client. [Ruediger Pluem]
+
+ *) mod_http: Correctly sent a 100 Continue status code when sending an interim
+ response as result of an Expect: 100-Continue in the request and not the
+ current status code of the request. PR 65725 [Ruediger Pluem]
+
+ *) mod_dav: Some DAV extensions, like CalDAV, specify both document
+ elements and property elements that need to be taken into account
+ when generating a property. The document element and property element
+ are made available in the dav_liveprop_elem structure by calling
+ dav_get_liveprop_element(). [Graham Leggett]
+
+ *) mod_dav: Add utility functions dav_validate_root_ns(),
+ dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
+ dav_find_attr() so that other modules get to play too.
+ [Graham Leggett]
+
+ *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.
+ [Yann Ylavic, Ruediger Pluem]
+
+ *) mod_http2: fixes 2 regressions in server limit handling.
+ 1. When reaching server limits, such as MaxRequestsPerChild, the
+ HTTP/2 connection send a GOAWAY frame much too early on new
+ connections, leading to invalid protocol state and a client
+ failing the request. See PR65731.
+ The module now initializes the HTTP/2 protocol correctly and
+ allows the client to submit one request before the shutdown
+ via a GOAWAY frame is being announced.
+ 2. A regression in v1.15.24 was fixed that could lead to httpd
+ child processes not being terminated on a graceful reload or
+ when reaching MaxConnectionsPerChild. When unprocessed h2
+ requests were queued at the time, these could stall.
+ See <https://github.com/icing/mod_h2/issues/212>.
+ [Stefan Eissing]
+
+ *) mod_ssl: Add build support for OpenSSL v3. [Rainer Jung,
+ Stefan Fritsch, Yann Ylavic, Stefan Eissing, Joe Orton,
+ Giovanni Bechis]
+
+ *) mod_proxy_connect: Honor the smallest of the backend or client timeout
+ while tunneling. [Yann Ylavic]
+
+ *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
+ half-close forwarding when tunneling protocols. [Yann Ylavic]
+
+ *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
+ a third-party module. PR 65627.
+ [acmondor <bz.apache.org acmondor.ca>, Yann Ylavic]
+
+ *) mod_md: Fix memory leak in case of failures to load the private key.
+ PR 65620 [ Filipe Casal <filipe.casal@trailofbits.com> ]
+
+ *) mod_md: adding v2.4.8 with the following changes
+ - Added support for ACME External Account Binding (EAB).
+ Use the new directive `MDExternalAccountBinding` to provide the
+ server with the value for key identifier and hmac as provided by
+ your CA.
+ While working on some servers, EAB handling is not uniform
+ across CAs. First tests with a Sectigo Certificate Manager in
+ demo mode are successful. But ZeroSSL, for example, seems to
+ regard EAB values as a one-time-use-only thing, which makes them
+ fail if you create a seconde account or retry the creation of the
+ first account with the same EAB.
+ - The directive 'MDCertificateAuthority' now checks if its parameter
+ is a http/https url or one of a set of known names. Those are
+ 'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
+ for now and they are not case-sensitive.
+ The default of LetsEncrypt is unchanged.
+ - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
+ section.
+ - Treating 401 HTTP status codes for orders like 403, since some ACME
+ servers seem to prefer that for accessing oders from other accounts.
+ - When retrieving certificate chains, try to read the response even
+ if the HTTP Content-Type is unrecognized.
+ - Fixed a bug that reset the error counter of a certificate renewal
+ and prevented the increasing delays in further attempts.
+ - Fixed the renewal process giving up every time on an already existing
+ order with some invalid domains. Now, if such are seen in a previous
+ order, a new order is created for a clean start over again.
+ See <https://github.com/icing/mod_md/issues/268>
+ - Fixed a mixup in md-status handler when static certificate files
+ and renewal was configured at the same time.
+
+ *) mod_md: values for External Account Binding (EAB) can
+ now also be configured to be read from a separate JSON
+ file. This allows to keep server configuration permissions
+ world readable without exposing secrets.
+ [Stefan Eissing]
+
+ *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
+ PR 65616. [Ruediger Pluem]
+
+Changes with Apache 2.4.51
+
+ *) SECURITY: CVE-2021-42013: Path Traversal and Remote Code
+ Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
+ fix of CVE-2021-41773) (cve.mitre.org)
+ It was found that the fix for CVE-2021-41773 in Apache HTTP
+ Server 2.4.50 was insufficient. An attacker could use a path
+ traversal attack to map URLs to files outside the directories
+ configured by Alias-like directives.
+ If files outside of these directories are not protected by the
+ usual default configuration "require all denied", these requests
+ can succeed. If CGI scripts are also enabled for these aliased
+ paths, this could allow for remote code execution.
+ This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
+ earlier versions.
+ Credits: Reported by Juan Escobar from Dreamlab Technologies,
+ Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka
+
+ *) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
+ unused AP_NORMALIZE_DROP_PARAMETERS flag.
+ [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton]
+
+Changes with Apache 2.4.50
+
+ *) SECURITY: CVE-2021-41773: Path traversal and file disclosure
+ vulnerability in Apache HTTP Server 2.4.49 (cve.mitre.org)
+ A flaw was found in a change made to path normalization in
+ Apache HTTP Server 2.4.49. An attacker could use a path
+ traversal attack to map URLs to files outside the expected
+ document root.
+ If files outside of the document root are not protected by
+ "require all denied" these requests can succeed. Additionally
+ this flaw could leak the source of interpreted files like CGI
+ scripts.
+ This issue is known to be exploited in the wild.
+ This issue only affects Apache 2.4.49 and not earlier versions.
+ Credits: This issue was reported by Ash Daulton along with the
+ cPanel Security Team
+
+ *) SECURITY: CVE-2021-41524: null pointer dereference in h2 fuzzing
+ (cve.mitre.org)
+ While fuzzing the 2.4.49 httpd, a new null pointer dereference
+ was detected during HTTP/2 request processing,
+ allowing an external source to DoS the server. This requires a
+ specially crafted request.
+ The vulnerability was recently introduced in version 2.4.49. No
+ exploit is known to the project.
+ Credits: Apache httpd team would like to thank LI ZHI XIN from
+ NSFocus Security Team for reporting this issue.
+
+ *) core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second dot in
+ the uri-path when it's preceded by a dot. [Yann Ylavic]
+
+ *) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
+ fails (!= 0 exit), the renewal process is aborted and an error is
+ reported for the MDomain. This provides scripts that distribute
+ information in a cluster to abort early with bothering an ACME
+ server to validate a dns name that will not work. The common
+ retry logic will make another attempt in the future, as with
+ other failures.
+ Fixed a bug when adding private key specs to an already working
+ MDomain, see <https://github.com/icing/mod_md/issues/260>.
+ [Stefan Eissing]
+
+ *) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
+ had no hostname ("unix:/..."). [Yann Ylavic]
+
+ *) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
+ run into an assertion which terminated (and restarted) the child process where
+ the task was running. Eventually, all OCSP responses were collected, but not
+ in the way that things are supposed to work.
+ See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
+ The bug was possibly triggered when more than one OCSP status needed updating
+ at the same time. For example for several renewed certificates after a server
+ reload.
+
+ *) mod_rewrite: Fix UDS ("unix:") scheme for [P] rules. PR 57691 + 65590.
+ [Janne Peltonen <janne.peltonen sange.fi>]
+
+ *) event mpm: Correctly count active child processes in parent process if
+ child process dies due to MaxConnectionsPerChild.
+ PR 65592 [Ruediger Pluem]
+
+ *) mod_http2: when a server is restarted gracefully, any idle h2 worker
+ threads are shut down immediately.
+ Also, change OpenSSL API use for deprecations in OpenSSL 3.0.
+ Adds all other, never proposed code changes to make a clean
+ sync of http2 sources. [Stefan Eissing]
+
+ *) mod_dav: Correctly handle errors returned by dav providers on REPORT
+ requests. [Ruediger Pluem]
+
+ *) core: do not install core input/output filters on secondary
+ connections. [Stefan Eissing]
+
+ *) core: Add ap_pre_connection() as a wrapper to ap_run_pre_connection()
+ and use it to prevent that failures in running the pre_connection
+ hook cause crashes afterwards. [Ruediger Pluem]
+
+ *) mod_speling: Add CheckBasenameMatch PR 44221. [Christophe Jaillet]
+
+Changes with Apache 2.4.49
+
+ *) SECURITY: CVE-2021-40438 (cve.mitre.org)
+ mod_proxy: Server Side Request Forgery (SSRF) vulnerability [Yann Ylavic]
+
+ *) SECURITY: CVE-2021-39275 (cve.mitre.org)
+ core: ap_escape_quotes buffer overflow
+
+ *) SECURITY: CVE-2021-36160 (cve.mitre.org)
+ mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]
+
+ *) SECURITY: CVE-2021-34798 (cve.mitre.org)
+ core: null pointer dereference on malformed request
+
+ *) SECURITY: CVE-2021-33193 (cve.mitre.org)
+ mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]
+
+ *) core/mod_proxy/mod_ssl:
+ Adding `outgoing` flag to conn_rec, indicating a connection is
+ initiated by the server to somewhere, in contrast to incoming
+ connections from clients.
+ Adding 'ap_ssl_bind_outgoing()` function that marks a connection
+ as outgoing and is used by mod_proxy instead of the previous
+ optional function `ssl_engine_set`. This enables other SSL
+ module to secure proxy connections.
+ The optional functions `ssl_engine_set`, `ssl_engine_disable` and
+ `ssl_proxy_enable` are now provided by the core to have backward
+ compatibility with non-httpd modules that might use them. mod_ssl
+ itself no longer registers these functions, but keeps them in its
+ header for backward compatibility.
+ The core provided optional function wrap any registered function
+ like it was done for `ssl_is_ssl`.
+ [Stefan Eissing]
+
+ *) mod_ssl: Support logging private key material for use with
+ wireshark via log file given by SSLKEYLOGFILE environment
+ variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
+
+ *) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
+ "ProxyPassInterpolateEnv On" are configured. PR 65549.
+ [Joel Self <joelself gmail.com>]
+
+ *) mpm_event: Fix children processes possibly not stopped on graceful
+ restart. PR 63169. [Joel Self <joelself gmail.com>]
+
+ *) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
+ protocols from mod_proxy_http, and a timeout triggering falsely when
+ using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
+ upgrade= setting. PRs 65521 and 65519. [Yann Ylavic]
+
+ *) mod_unique_id: Reduce the time window where duplicates may be generated
+ PR 65159
+ [Christophe Jaillet]
+
+ *) mpm_prefork: Block signals for child_init hooks to prevent potential
+ threads created from there to catch MPM's signals.
+ [Ruediger Pluem, Yann Ylavic]
+
+ *) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load.
+ PR 65159" added in 2.4.47.
+ This causes issue on Windows.
+ [Christophe Jaillet]
+
+ *) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic]
+
+ *) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
+ as successful or a staged renewal is replacing the existing certificates.
+ This avoid potential mess ups in the md store file system to render the active
+ certificates non-working. [@mkauf]
+
+ *) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
+ [Yann Ylavic]
+
+ *) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
+ connections. If ALPN protocols are provided and sent to the
+ remote server, the received protocol selected is inspected
+ and checked for a match. Without match, the peer handshake
+ fails.
+ An exception is the proposal of "http/1.1" where it is
+ accepted if the remote server did not answer ALPN with
+ a selected protocol. This accommodates for hosts that do
+ not observe/support ALPN and speak http/1.x be default.
+
+ *) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
+ with others when their URLs contain a '$' substitution. PR 65419 + 65429.
+ [Yann Ylavic]
+
+ *) mod_dav: Add method_precondition hook. WebDAV extensions define
+ conditions that must exist before a WebDAV method can be executed.
+ This hook allows a WebDAV extension to verify these preconditions.
+ [Graham Leggett]
+
+ *) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
+ modules apart from versioning implementations to handle the REPORT method.
+ [Graham Leggett]
+
+ *) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
+ dav_get_resource() to mod_dav.h. [Graham Leggett]
+
+ *) core: fix ap_escape_quotes substitution logic. [Eric Covener]
+
+ *) core/mpm: add hook 'child_stopping` that gets called when the MPM is
+ stopping a child process. The additional `graceful` parameter allows
+ registered hooks to free resources early during a graceful shutdown.
+ [Yann Ylavic, Stefan Eissing]
+
+ *) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the
+ balancer-manager, which can lead to a crash. [Yann Ylavic]
+
+ *) mpm_event: Fix graceful stop/restart of children processes if connections
+ are in lingering close for too long. [Yann Ylavic]
+
+ *) mod_md: fixed a potential null pointer dereference if ACME/OCSP
+ server returned 2xx responses without content type. Reported by chuangwen.
+ [chuangwen, Stefan Eissing]
+
+ *) mod_md:
+ - Domain names in `<MDomain ...>` can now appear in quoted form.
+ - Fixed a failure in ACME challenge selection that aborted further searches
+ when the tls-alpn-01 method did not seem to be suitable.
+ - Changed the tls-alpn-01 setup to only become unsuitable when none of the
+ dns names showed support for a configured 'Protocols ... acme-tls/1'. This
+ allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
+ [Stefan Eissing]
+
+ *) Add CPING to health check logic. [Jean-Frederic Clere]
+
+ *) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]
+
+ *) core, h2: common ap_parse_request_line() and ap_check_request_header()
+ code. [Yann Ylavic]
+
+ *) core: Add StrictHostCheck to allow unconfigured hostnames to be
+ rejected. [Eric Covener]
+
+ *) htcacheclean: Improve help messages. [Christophe Jaillet]
+
+Changes with Apache 2.4.48
+
+ *) SECURITY: CVE-2021-31618 (cve.mitre.org)
+ mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov]
+
+ *) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
+ fallback to mod_proxy_http for WebSocket upgrade and tunneling.
+ [Yann Ylavic]
+
+ *) mod_proxy: Fix flushing of THRESHOLD_MIN_WRITE data while tunneling.
+ BZ 65294. [Yann Ylavic]
+
+ *) core: Fix a regression that stripped the ETag header from 304 responses.
+ PR 61820 [Ruediger Pluem, Roy T. Fielding]
+
+ *) core: Adding SSL related inquiry functions to the server API.
+ These function are always available, even when no module providing
+ SSL is loaded. They provide their own "shadowing" implementation for
+ the optional functions of similar name that mod_ssl and impersonators
+ of mod_ssl provide.
+ This enables loading of several SSL providing modules when all but
+ one of them registers itself into the new hooks. Two old-style SSL
+ modules will not work, as they replace the others optional functions
+ with their own.
+ Modules using the old-style optional functions will continue to work
+ as core supplies its own versions of those.
+ The following has been added so far:
+ - ap_ssl_conn_is_ssl() to query if a connection is using SSL.
+ - ap_ssl_var_lookup() to query SSL related variables for a
+ server/connection/request.
+ - Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules
+ providing SSL can install their own value supplying functions.
+ - ap_ssl_add_cert_files() to enable other modules like mod_md to provide
+ certificate and keys for an SSL module like mod_ssl.
+ - ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
+ provide a fallback certificate in case no 'proper' certificate is
+ available for an SSL module like mod_ssl.
+ - ap_ssl_answer_challenge() to enable other modules like mod_md to
+ provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge
+ for the ACME protocol for an SSL module like mod_ssl. The function
+ and its hook provide PEM encoded data instead of file names.
+ - Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
+ 'ssl_answer_challenge' where modules like mod_md can provide providers
+ to the above mentioned functions.
+ - These functions reside in the new 'http_ssl.h' header file.
+ [Stefan Eissing]
+
+ *) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature. This
+ allows modules to access and provide OCSP response data without being tied
+ of each other. The data is exchanged in standard, portable formats (PEM encoded
+ certificates and DER encoded responses), so that the actual SSL/crypto
+ implementations used by the modules are independant of each other.
+ Registration and retrieval happen in the context of a server (server_rec)
+ which modules may use to decide if they are configured for this or not.
+ The area of changes:
+ 1. core: defines 2 functions in include/http_ssl.h, so that modules may
+ register a certificate, together with its issuer certificate for OCSP
+ response provisioning and ask for current response data (DER bytes) later.
+ Also, 2 hooks are defined that allow modules to implement this OCSP
+ provisioning.
+ 2. mod_ssl uses the new functions, in addition to what it did already, to
+ register its certificates this way. If no one is interested in providing
+ OCSP, it falls back to its own (if configured) stapling implementation.
+ 3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
+ on configuration, it will accept registrations of its own certificates only,
+ all certificates or none.
+ [Stefan Eissing]
+
+ *) mod_md: v2.4.0 with improvements and bugfixes
+ - MDPrivateKeys allows the specification of several types. Beside "RSA" plus
+ optional key lengths elliptic curves can be configured. This means you can
+ have multiple certificates for a Managed Domain with different key types.
+ With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA
+ certificate and all modern client will use the shorter ECDSA, while older
+ client will get the RSA certificate.
+ Many thanks to @tlhackque who pushed and helped on this.
+ - Support added for MDomains consisting of a wildcard. Configuring
+ ```MDomain *.host.net``` will match all virtual hosts matching that pattern
+ and obtain one certificate for it (assuming you have 'dns-01' challenge
+ support configured). Addresses #239.
+ - Removed support for ACMEv1 servers. The only known installation used to
+ be Let's Encrypt which has disabled that version more than a year ago for
+ new accounts.
+ - Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the
+ ```renewing``` call to ```MDMessageCmd``` that can deny a certificate
+ renewal attempt. This is useful in clustered installations, as
+ discussed in #233).
+ - New event ```challenge-setup:<type>:<domain>```, triggered when the
+ challenge data for a domain has been created. This is invoked before the
+ ACME server is told to check for it. The type is one of the ACME challenge
+ types. This is invoked for every DNS name in a MDomain.
+ - The max delay for retries has been raised to daily (this is like all
+ retries jittered somewhat to avoid repeats at fixed time of day).
+ - Certain error codes reported by the ACME server that indicate a problem
+ with the configured data now immediately switch to daily retries. For
+ example: if the ACME server rejects a contact email or a domain name,
+ frequent retries will most likely not solve the problem. But daily retries
+ still make sense as there might be an error at the server and un-supervised
+ certificate renewal is the goal. Refs #222.
+ - Test case and work around for domain names > 64 octets. Fixes #227.
+ When the first DNS name of an MD is longer than 63 octets, the certificate
+ request will not contain a CN field, but leave it up to the CA to choose one.
+ Currently, Lets Encrypt looks for a shorter name in the SAN list given and
+ fails the request if none is found. But it is really up to the CA (and what
+ browsers/libs accept here) and may change over the years. That is why
+ the decision is best made at the CA.
+ - Retry delays now have a random +/-[0-50]% modification applied to let
+ retries from several servers spread out more, should they have been
+ restarted at the same time of day.
+ - Fixed several places where the 'badNonce' return code from an ACME server
+ was not handled correctly. The test server 'pebble' simulates this behaviour
+ by default and helps nicely in verifying this behaviour. Thanks, pebble!
+ - Set the default `MDActivationDelay` to 0. This was confusing to users that
+ new certificates were deemed not usably before a day of delay. When clocks are
+ correct, using a new certificate right away should not pose a problem.
+ - When handling ACME authorization resources, the module no longer requires
+ the server to return a "Location" header, as was necessary in ACMEv1.
+ Fixes #216.
+ - Fixed a theoretical uninitialized read when testing for JSON error responses
+ from the ACME CA. Reported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>.
+ - ACME problem reports from CAs that include parameters in the Content-Type
+ header are handled correctly. (Previously, the problem text would not be
+ reported and retries could exceed CA limits.)
+ - Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
+ Previously, an empty JSON object was sent - which apparently LE accepted,
+ but others reject.
+ [Stefan Eissing, @tlhackque, Andreas Ulm]
+
+Changes with Apache 2.4.47
+
+ *) SECURITY: CVE-2021-30641 (cve.mitre.org)
+ Unexpected <Location> section matching with 'MergeSlashes OFF'
+
+ *) SECURITY: CVE-2020-35452 (cve.mitre.org)
+ mod_auth_digest: possible stack overflow by one nul byte while validating
+ the Digest nonce. [Yann Ylavic]
+
+ *) SECURITY: CVE-2021-26691 (cve.mitre.org)
+ mod_session: Fix possible crash due to NULL pointer dereference, which
+ could be used to cause a Denial of Service with a malicious backend
+ server and SessionHeader. [Yann Ylavic]
+
+ *) SECURITY: CVE-2021-26690 (cve.mitre.org)
+ mod_session: Fix possible crash due to NULL pointer dereference, which
+ could be used to cause a Denial of Service. [Yann Ylavic]
+
+ *) SECURITY: CVE-2020-13950 (cve.mitre.org)
+ mod_proxy_http: Fix possible crash due to NULL pointer dereference, which
+ could be used to cause a Denial of Service. [Yann Ylavic]
+
+ *) SECURITY: CVE-2020-13938 (cve.mitre.org)
+ Windows: Prevent local users from stopping the httpd process [Ivan Zhakov]
+
+ *) SECURITY: CVE-2019-17567 (cve.mitre.org)
+ mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end
+ negotiation. [Yann Ylavic]
+
+ *) mod_dav_fs: Improve logging output when failing to open files for
+ writing. PR 64413. [Bingyu Shen <ahshenbingyu gmail.com>]
+
+ *) mod_http2: Fixed a race condition that could lead to streams being
+ aborted (RST to the client), although a response had been produced.
+ [Stefan Eissing]
+
+ *) mod_lua: Add support to Lua 5.4 [Joe Orton, Giovanni Bechis, Ruediger Pluem]
+
+ *) MPM event/worker: Fix possible crash in child process on early signal
+ delivery. PR 64533. [Ruediger Pluem]
+
+ *) mod_http2: sync with github standalone version 1.15.17
+ - Log requests and sent the configured error response in case of early detected
+ errors like too many or too long headers. [Ruediger Pluem]
+ - new option 'H2OutputBuffering on/off' which controls the buffering of stream output.
+ The default is on, which is the behaviour of older mod-h2 versions. When off, all
+ bytes are made available immediately to the main connection for sending them
+ out to the client. This fixes interop issues with certain flavours of gRPC, see
+ also <https://github.com/icing/mod_h2/issues/207>.
+ [Stefan Eissing]
+
+ *) mod_unique_id: Fix potential duplicated ID generation under heavy load.
+ PR 65159
+ [Jonas Müntener <jonas.muentener ergon.ch>, Christophe Jaillet]
+
+ *) "[mod_dav_fs etag handling] should really honor the FileETag setting".
+ - It now does.
+ - Add "Digest" to FileETag directive, allowing a strong ETag to be
+ generated using a file digest.
+ - Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over
+ ETag generation.
+ - Add concept of "binary notes" to request_rec, allowing packed bit flags
+ to be added to a request.
+ - First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force
+ the ETag to a strong ETag to comply with RFC requirements, such as those
+ mandated by various WebDAV extensions.
+ [Graham Leggett]
+
+ *) mod_proxy_http: Fix a possibly crash when the origin connection gets
+ interrupted before completion. PR 64234.
+ [Barnim Dzwillo <dzwillo strato.de>, Ruediger Pluem]
+
+ *) mod_ssl: Do not keep connections to OCSP responders alive when doing
+ OCSP requests. PR 64135. [Ruediger Pluem]
+
+ *) mod_ssl: Improve the coalescing filter to buffer into larger TLS
+ records, and avoid revealing the HTTP header size via TLS record
+ boundaries (for common response generators).
+ [Joe Orton, Ruediger Pluem]
+
+ *) mod_proxy_hcheck: Don't pile up health checks if the previous one did
+ not finish before hcinterval. PR 63010. [Yann Ylavic]
+
+ *) mod_session: Improve session parsing. [Yann Yalvic]
+
+ *) mod_authnz_ldap: Prevent authentications with empty passwords for the
+ initial bind to fail with status 500. [Ruediger Pluem]
+
+ *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
+ Transfer-Encoding from the client, spooling the request body when needed
+ to provide a Content-Length to the backend. PR 57087. [Yann Ylavic]
+
+ *) mod_proxy: Improve tunneling loop to support half closed connections and
+ pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
+
+ *) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
+ allowing for (non-)Upgrade negotiation with the origin server.
+ [Yann Ylavic]
+
+ *) mod_proxy: Allow ProxyErrorOverride to be restricted to specific status
+ codes. PR63628. [Martin Drößler <mail martindroessler.de>]
+
+ *) core: Add ReadBufferSize, FlushMaxThreshold and FlushMaxPipelined
+ directives. [Yann Ylavic]
+
+ *) core: Ensure that aborted connections are logged as such. PR 62823
+ [Arnaud Grandville <contact@grandville.net>]
+
+ *) http: Allow unknown response status' lines returned in the form of
+ "HTTP/x.x xxx Status xxx". [Yann Ylavic]
+
+ *) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies,
+ leading to Request Timeout (408). PR 63855. [Yann Ylavic]
+
+ *) core: Remove headers on 304 Not Modified as specified by RFC7234, as
+ opposed to passing an explicit subset of headers. PR 61820.
+ [Giovanni Bechis]
+
+ *) mpm_event: Don't reset connections after lingering close, restoring prior
+ to 2.4.28 behaviour. [Yann Ylavic]
+
+ *) mpm_event: Kill connections in keepalive state only when there is no more
+ workers available, not when the maximum number of connections is reached,
+ restoring prior to 2.4.30 behaviour. [Yann Ylavic]
+
+ *) mod_unique_id: Use base64url encoding for UNIQUE_ID variable,
+ avoiding the use of '@'. PR 57044.
+ [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>]
+
+ *) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a
+ SameSite attribute. [Eric Covener]
+
+ *) mod_proxy: Add proxy check_trans hook. This allows proxy
+ modules to decline request handling at early stage.
+
+ *) mod_proxy_wstunnel: Decline requests without an Upgrade
+ header so ws/wss can be enabled overlapping with later
+ http/https.
+
+ *) mod_http2: Log requests and sent the configured error response in case of
+ early detected errors like too many or too long headers.
+ [Ruediger Pluem, Stefan Eissing]
+
+ *) mod_md: Lowered the required minimal libcurl version from 7.50 to 7.29
+ as proposed by <alexander.gerasimov codeit.pro>. [Stefan Eissing]
+
+ *) mod_ssl: Fix request body buffering with PHA in TLSv1.3. [Joe Orton]
+
+ *) mod_proxy_uwsgi: Fix a crash when sending environment variables with no
+ value. PR 64598 [Ruediger Pluem]
+
+ *) mod_proxy: Recognize parameters from ProxyPassMatch workers with dollar
+ substitution, such that they apply to the backend connection. Note that
+ connection reuse is disabled by default to avoid compatibility issues.
+ [Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere]
+
+Changes with Apache 2.4.46
+
+ *) SECURITY: CVE-2020-11984 (cve.mitre.org)
+ mod_proxy_uwsgi: Malicious request may result in information disclosure
+ or RCE of existing file on the server running under a malicious process
+ environment. [Yann Ylavic]
+
+ *) SECURITY: CVE-2020-11993 (cve.mitre.org)
+ mod_http2: when throttling connection requests, log statements
+ where possibly made that result in concurrent, unsafe use of
+ a memory pool. [Stefan Eissing]
+
+ *) SECURITY: CVE-2020-9490 (cve.mitre.org)
+ mod_http2: a specially crafted value for the 'Cache-Digest' header
+ request would result in a crash when the server actually tries
+ to HTTP/2 PUSH a resource afterwards. [Stefan Eissing]
+
+ *) mod_proxy_fcgi: Fix missing APLOGNO macro argument
+ [Eric Covener, Christophe Jaillet]
+
+Changes with Apache 2.4.45
+
+ *) mod_http2: remove support for abandoned http-wg draft
+ <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
+ [Stefan Eissing]
+
+Changes with Apache 2.4.44
+
+ *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
+ protocol limit). [Yann Ylavic]
+
+ *) mod_http2:
+ Fixes <https://github.com/icing/mod_h2/issues/200>:
+ "LimitRequestFields 0" now disables the limit, as documented.
+ Fixes <https://github.com/icing/mod_h2/issues/201>:
+ Do not count repeated headers with same name against the field
+ count limit. The are merged internally, as if sent in a single HTTP/1 line.
+ [Stefan Eissing]
+
+ *) mod_http2: Avoid segfaults in case of handling certain responses for
+ already aborted connections. [Stefan Eissing, Ruediger Pluem]
+
+ *) mod_http2: The module now handles master/secondary connections and has marked
+ methods according to use. [Stefan Eissing]
+
+ *) core: Drop an invalid Last-Modified header value coming
+ from a FCGI/CGI script instead of replacing it with Unix epoch.
+ [Yann Ylavic, Luca Toscano]
+
+ *) Add support for strict content-length parsing through addition of
+ ap_parse_strict_length() [Yann Ylavic]
+
+ *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
+ evaluates to false. PR64365. [Michael König <mail ikoenig.net>]
+
+ *) mod_proxy_http: flush spooled request body in one go to avoid
+ leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]
+
+ *) mod_ssl: Fix a race condition and possible crash when using a proxy client
+ certificate (SSLProxyMachineCertificateFile).
+ [Armin Abfalterer <a.abfalterer gmail.com>]
+
+ *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]
+
+ *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
+ PR64330 [Stefan Eissing]
+
+ *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
+ was configured with a handshake timeout. Fixes gitub issue #196.
+ [Stefan Eissing]
+
+ *) mod_proxy_http2: the "ping" proxy parameter
+ (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
+ when checking the liveliness of a new or reused h2 connection to the backend.
+ With short durations, this makes load-balancing more responsive. The module
+ will hold back requests until ping conditions are met, using features of the
+ HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
+
+ *) core: httpd is no longer linked against -lsystemd if mod_systemd
+ is enabled (and built as a DSO). [Rainer Jung]
+
+ *) mod_proxy_http2: respect ProxyTimeout settings on backend connections
+ while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
+
+Changes with Apache 2.4.43
+
+ *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
+
+Changes with Apache 2.4.42
+
+ *) SECURITY: CVE-2020-1934 (cve.mitre.org)
+ mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
+ server. [Eric Covener]
+
+ *) SECURITY: CVE-2020-1927 (cve.mitre.org)
+ rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
+ matches and substitutions with encoded line break characters.
+ The fix for CVE-2019-10098 was not effective. [Ruediger Pluem]
+
+ *) mod_proxy_http: Fix the forwarding of requests with content body when a
+ balancer member is unavailable; the retry on the next member was issued
+ with an empty body (regression introduced in 2.4.41). PR63891.
+ [Yann Ylavic]
+
+ *) core: Use a temporary file when writing the pid file, avoiding
+ startup failure if an empty pidfile is left over from a
+ previous crashed or aborted invocation of httpd. PR 63140.
+ [Nicolas Carrier <carrier.nicolas0 gmail.com>, Joe Orton]
+
+ *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
+ identifier under load, see <https://github.com/icing/mod_h2/issues/195>.
+ [Michael Kaufmann, Stefan Eissing]
+
+ *) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
+ PR64140. [Renier Velazco <renier.velazco upr.edu>]
+
+ *) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
+ PR64172.
+
+ *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
+ to allow customization of the usertrack cookie. PR64077.
+ [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]
+
+ *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
+ AJP13 authentication. PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]
+
+ *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
+ [Eric Covener, Yann Ylavic]
+
+ *) Add a config layout for OpenWRT. [Graham Leggett]
+
+ *) Add support for cross compiling to apxs. If apxs is being executed from
+ somewhere other than its target location, add that prefix to includes and
+ library directories. Without this, apxs would fail to find config_vars.mk
+ and exit. [Graham Leggett]
+
+ *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
+ issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
+ [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
+
+ *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
+ [Graham Leggett]
+
+ *) mod_ssl: Support use of private keys and certificates from an
+ OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
+ [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]
+
+ *) mod_md:
+ - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
+ thanks to Timothe Litt (@tlhackque).
+ - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
+ check all matching virtual hosts for protocol support. Thanks to @mkauf.
+ - Corrected a check when OCSP stapling was configured for hosts
+ where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
+ - Softening the restrictions where mod_md configuration directives may appear. This should
+ allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
+ you wanted in the first place, is another matter.
+ [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
+ Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
+
+ *) test: Added continuous testing with Travis CI.
+ This tests various scenarios on Ubuntu with the full test suite.
+ Architectures tested: amd64, s390x, ppc64le, arm64
+ The tests pass successfully.
+ [Luca Toscano, Joe Orton, Mike Rumph, and others]
+
+ *) core: Be stricter in parsing of Transfer-Encoding headers.
+ [ZeddYu <zeddyu.lu gmail.com>, Eric Covener]
+
+ *) mod_ssl: negotiate the TLS protocol version per name based vhost
+ configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
+ SSLProtocol (from the first vhost declared on the IP:port) is now only
+ relevant if no SSLProtocol is declared for the vhost or globally,
+ otherwise the vhost or global value apply. [Yann Ylavic]
+
+ *) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
+ output. PR 64096. [Joe Orton]
+
+ *) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
+ [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]
+
+ *) mod_systemd: New module providing integration with systemd. [Jan Kaluza]
+
+ *) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
+ r:notes_table, r:subprocess_env_table as read-only native table alternatives
+ that can be iterated over. [Eric Covener]
+
+ *) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
+ [Yann Ylavic, Stefan Eissing]
+
+ *) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
+ r.headers_out, etc) to remove the key from the table. PR63971.
+ [Eric Covener]
+
+ *) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
+ ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
+ always `on`, regardless of configuration. Found and reported by
+ <Armin.Abfalterer@united-security-providers.ch> and
+ <Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]
+
+ *) mod_http2: Multiple field length violations in the same request no longer cause
+ several log entries to be written. [@mkauf]
+
+ *) mod_ssl: OCSP does not apply to proxy mode. PR 63679.
+ [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]
+
+ *) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
+ [Jim Jagielski]
+
+ *) mod_authn_socache: Increase the maximum length of strings that can be cached by
+ the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>]
+
+ *) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
+ [Ruediger Pluem, Eric Covener]
+
+ *) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
+ valid (For example, testing for a file on a flash drive that is not mounted)
+ [Christophe Jaillet]
+
+ *) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
+ means 'foo' is "not acceptable". PR 58158 [Chistophe Jaillet]
+
+ *) mod_md v2.2.3:
+ - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
+ had been additive before which was not the intended behaviour. [@mkauf]
+ - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
+ documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
+ - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
+ - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
+ "transfer-encoding" to POST requests. This failed in direct communication with
+ Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]
+
+ *) mod_md: Adding the several new features.
+ The module offers an implementation of OCSP Stapling that can replace fully or
+ for a limited set of domains the existing one from mod_ssl. OCSP handling
+ is part of mod_md's monitoring and message notifications. If can be used
+ for sites that do not have ACME certificates.
+ The url for a CTLog Monitor can be configured. It is used in the server-status
+ to link to the external status page of a certificate.
+ The MDMessageCmd is called with argument "installed" when a new certificate
+ has been activated on server restart/reload. This allows for processing of
+ the new certificate, for example to applications that require it in different
+ locations or formats.
+ [Stefan Eissing]
+
+ *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
+ protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
+
+Changes with Apache 2.4.41
+
+ *) SECURITY: CVE-2019-10097 (cve.mitre.org)
+ mod_remoteip: Fix stack buffer overflow and NULL pointer deference
+ when reading the PROXY protocol header. [Joe Orton,
+ Daniel McCarney <cpu letsencrypt.org>]
+
+ *) SECURITY: CVE-2019-9517 (cve.mitre.org)
+ mod_http2: a malicious client could perform a DoS attack by flooding
+ a connection with requests and basically never reading responses
+ on the TCP connection. Depending on h2 worker dimensioning, it was
+ possible to block those with relatively few connections. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-10098 (cve.mitre.org)
+ rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
+ matches and substitutions with encoded line break characters.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2019-10092 (cve.mitre.org)
+ Remove HTML-escaped URLs from canned error responses to prevent misleading
+ text/links being displayed via crafted links. [Eric Covener]
+
+ *) SECURITY: CVE-2019-10082 (cve.mitre.org)
+ mod_http2: Using fuzzed network input, the http/2 session
+ handling could be made to read memory after being freed,
+ during connection shutdown. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-10081 (cve.mitre.org)
+ mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
+ could lead to an overwrite of memory in the pushing request's pool,
+ leading to crashes. The memory copied is that of the configured push
+ link header values, not data supplied by the client. [Stefan Eissing]
+
+ *) mod_proxy_balancer: Improve balancer-manager protection against
+ XSS/XSRF attacks from trusted users. [Joe Orton,
+ Niels Heinen <heinenn google.com>]
+
+ *) mod_session: Introduce SessionExpiryUpdateInterval which allows to
+ configure the session/cookie expiry's update interval. PR 57300.
+ [Paul Spangler <paul.spangler ni.com>]
+
+ *) modules/filters: Fix broken compilation when using old GCC (<4.2.x).
+ PR 63633. [Rainer Jung, Joe Orton]
+
+ *) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
+ configured for a domain managed by mod_md. [Stefan Eissing]
+
+Changes with Apache 2.4.40
+
+ *) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via
+ RegexDefaultOptions -DOTALL [Yann Ylavic]
+
+ *) core: Remove request details from built-in error documents [Eric Covener]
+
+ *) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on
+ merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]
+
+ *) mod_http2: fixed a bug that prevented proper stream cleanup when connection
+ throttling was in place. Stream resets by clients on streams initiated by them
+ are counted as possible trigger for throttling. [Stefan Eissing]
+
+ *) mod_http2/mpm_event: Fixes the behaviour when a HTTP/2 connection has nothing
+ more to write with streams ongoing (flow control block). The timeout waiting
+ for the client to send WINODW_UPDATE was incorrectly KeepAliveTimeout and not
+ Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]
+
+ *) mod_proxy_balancer: Load balancer required byrequests when bytraffic chosen.
+ PR 62372. [Jim Jagielski]
+
+ *) mod_proxy_hcheck: Create the configuration for mod_proxy_hcheck
+ when used in BalancerMember. PR 60757. [Jean-Frederic Clere]
+
+ *) mod_proxy_hcheck: Mute extremely frequent debug message. [Yann Ylavic]
+
+ *) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
+ adding certificates and keys to a virtual host. An additional hook allows
+ answering special TLS connections as used in ACME challenges.
+ Adding 2 new hooks for init/get of OCSP stapling status information when
+ other modules want to provide those. Falls back to own implementation with
+ same behaviour as before.
+ [Stefan Eissing]
+
+ *) mod_md: new features
+ - protocol
+ - supports the ACMEv2 protocol. It is the default and will be used on the next
+ certificate renewal, unless another "MDCertificateAuthority" is configured
+ - ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
+ announcement by Let's Encrypt:
+ https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
+ - challenges
+ - new challenge method 'tls-alpn-01' implemented
+ - challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
+ - supports command configuration to setup/teardown 'dns-01' challenges
+ - supports wildcard certificates when dns challenges are configured
+ - status information and monitoring
+ - a domain exposes its status at https://<domain>/.httpd/certificate-status
+ - Managed Domains are now in Apache's 'server-status' page
+ - A new handler 'md-status' exposes verbose status information in JSON format
+ - new directives
+ - "MDCertificateFile" and "MDCertificateKeyFile" to configure a
+ Managed Domain that uses static files. Auto-renewal is turned off for those.
+ - "MDMessageCmd" that is invoked on several events: 'renewed', 'expiring' and
+ 'errored'.
+ - "MDWarnWindow" directive to configure when expiration warnings shall be issued.
+ [Stefan Eissing]
+
+ *) mod_mime_magic: Fix possible corruption of returned strings.
+ [Christophe Jaillet]
+
+ *) Default "conf/magic": Fix pattern for "audio/x-wav" for WAV files,
+ remove "audio/unknown" pattern for other RIFF files.
+ [Àngel Ollé Blázquez <aollebla redhat.com>]
+
+ *) mod_proxy_http2: fixing a potential NULL pointer use in logging.
+ [Christophe Jaillet, Dr Silvio Cesare InfoSect]
+
+ *) mod_dav: Reduce the amount of memory needed when doing PROPFIND's on large
+ collections by improving the memory management. [Joe Orton, Ruediger Pluem]
+
+ *) mod_proxy_http2: adding support for handling trailers in both directions.
+ PR 63502. [Stefan Eissing]
+
+ *) mod_proxy_http: forward 100-continue, and minimize race conditions when
+ reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere]
+
+ *) mod_proxy_balancer: Fix some HTML syntax issues. [Christophe Jaillet]
+
+ *) When using mod_status with the Event MPM, report the number of requests
+ associated with an active connection in the "ACC" field. Previously
+ zero was always reported with this MPM. PR60647. [Eric Covener]
+
+ *) mod_http2: remove the no longer existing h2_ngn_shed.c from Cmake.
+ [Stefan Eissing]
+
+ *) mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy
+ SSL configurations broken inside <Proxy> context. PR 63430.
+ [Ruediger Pluem, Yann Ylavic]
+
+ *) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.
+ PR 61857. [Markus Gausling <markusgausling googlemail.com>, Yann Ylavic]
+
+ *) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39.
+ PR 63325. [Yann Ylavic]
+
+ *) mod_info: Fix output of server settings for PIPE_BUF in mod_info in
+ the rare case that PIPE_BUF is defined. [Rainer Jung]
+
+ *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
+ spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]
+
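Review bot: In the 2.4.40 section, the mod_http2 entry that says the core setting "LimitRequestFieldSize" 'is not additionally checked on merged header fields, just as HTTP/1.1 does' is ambiguous about whether the limit is enforced. As a change entry it only reads sensibly if the check was added, so "not" looks like a typo for "now"; please confirm against the upstream file before importing, because readers rely on this line to know whether merged HTTP/2 header fields are size-limited. The mod_http2/mpm_event entry in the same section spells the frame name 'WINODW_UPDATE' where WINDOW_UPDATE is meant. If CHANGES is intended as a byte-for-byte copy of the upstream file, state that in the commit message and keep both as they are; otherwise fix them here.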
+Changes with Apache 2.4.39
+
+ *) SECURITY: CVE-2019-0197 (cve.mitre.org)
+ mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
+ host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
+ request from http/1.1 to http/2 that was not the first request on a
+ connection could lead to a misconfiguration and crash. Servers that
+ never enabled the h2 protocol or only enabled it for https: and
+ did not set "H2Upgrade on" are unaffected by this issue.
+ [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-0196 (cve.mitre.org)
+ mod_http2: using fuzzed network input, the http/2 request
+ handling could be made to access freed memory in string
+ comparison when determining the method of a request and
+ thus process the request incorrectly. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-0211 (cve.mitre.org)
+ MPMs unix: Fix a local privilege escalation vulnerability by not
+ maintaining each child's listener bucket number in the scoreboard,
+ preventing unprivileged code like scripts run by/on the server (e.g. via
+ mod_php) from modifying it persistently to abuse the privileged main
+ process. [Charles Fol <folcharles gmail.com>, Yann Ylavic]
+
+ *) SECURITY: CVE-2019-0217 (cve.mitre.org)
+ mod_auth_digest: Fix a race condition checking user credentials which
+ could allow a user with valid credentials to impersonate another,
+ under a threaded MPM. PR 63124. [Simon Kappel <simon.kappel axis.com>]
+
+ *) SECURITY: CVE-2019-0215 (cve.mitre.org)
+ mod_ssl: Fix access control bypass for per-location/per-dir client
+ certificate verification in TLSv1.3.
+
+ *) SECURITY: CVE-2019-0220 (cve.mitre.org)
+ Merge consecutive slashes in URL's. Opt-out with
+ `MergeSlashes OFF`. [Eric Covener]
+
+ *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
+ connection is recycled/reused to avoid a possible crash with some SSLProxy
+ configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
+
+ *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
+ PR 55348
+
+ *) mod_socache_redis: Support for Redis as socache storage provider.
+
+ *) core: new configuration option 'MergeSlashes on|off' that controls handling of
+ multiple, consecutive slash ('/') characters in the path component of the request URL.
+ [Eric Covener]
+
+ *) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
+ in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
+ Fixed. [Michael Kaufmann]
+
+ *) mod_http2: new configuration directive: `H2Padding numbits` to control
+ padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
+ controlling the range of padding bytes added to a frame. The actual number
+ added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
+ frames equally. The default continues to be 0, e.g. no padding. [Stefan Eissing]
+
+ *) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
+ has no more need for it. Optional functions are still declared but no longer implemented.
+ While previous mod_proxy_http2 will work with this, it is recommended to run the matching
+ versions of both modules. [Stefan Eissing]
+
+ *) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
+ resolve PR63170. The proxy module does now a single h2 request on the (reused)
+ connection and returns. [Stefan Eissing]
+
+ *) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status
+ to trigger immediate shutdown of backend connections. This is now always signalled
+ by mod_http2 when the the session is being released.
+ proxy_http2 now only sends a PING frame to the backend when there is not already one
+ in flight. [Stefan Eissing]
+
+ *) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite
+ loop when encountering certain errors on the backend connection.
+ See <https://bz.apache.org/bugzilla/show_bug.cgi?id=63170>. [Stefan Eissing]
+
+ *) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per
+ Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]
+
+ *) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to
+ terminate improperly and cause a HTTP/2 PROTOCOL_ERROR.
+ Fixes <https://github.com/icing/mod_h2/issues/167>. [Michael Kaufmann]
+
+ *) http: Fix possible empty response with mod_ratelimit for HEAD requests.
+ PR 63192. [Yann Ylavic]
+
+ *) mod_cache_socache: Avoid reallocations and be safe with outgoing data
+ lifetime. [Yann Ylavic]
+
+ *) mod_http2: enable re-use of slave connections again. Fixed slave connection
+ keepalives counter. [Stefan Eissing]
+
+ *) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.
+ PR 61310. [Yann Ylavic]
+
+ *) core: Split out the ability to parse wildcard files and directories
+ from the Include/IncludeOptional directives into a generic set of
+ functions ap_dir_nofnmatch() and ap_dir_fnmatch(). [Graham Leggett]
+
+ *) mod_proxy_wstunnel: Fix websocket proxy over UDS.
+ PR 62932 <pavel dcmsys.com>
+
+ *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
+ configuration (SSLFIPS on) and not active by default in OpenSSL.
+ PR 63136. [Yann Ylavic]
+
+Changes with Apache 2.4.38
+
+ *) SECURITY: CVE-2018-17199 (cve.mitre.org)
+ mod_session: mod_session_cookie does not respect expiry time allowing
+ sessions to be reused. [Hank Ibell]
+
+ *) SECURITY: CVE-2018-17189 (cve.mitre.org)
+ mod_http2: fixes a DoS attack vector. By sending slow request bodies
+ to resources not consuming them, httpd cleanup code occupies a server
+ thread unnecessarily. This was changed to an immediate stream reset
+ which discards all stream state and incoming data. [Stefan Eissing]
+
+ *) SECURITY: CVE-2019-0190 (cve.mitre.org)
+ mod_ssl: Fix infinite loop triggered by a client-initiated
+ renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
+ later. PR 63052. [Joe Orton]
+
+ *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
+ PR 63052 [Joe Orton]
+
+ *) mod_negotiation: Treat LanguagePriority as case-insensitive to match
+ AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]
+
+ *) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
+ have been fixed. [Michael Kaufmann, Stefan Eissing]
+
+ *) mod_setenvif: We can have expressions that become true if a regex pattern
+ in the expression does NOT match. In this case val is NULL
+ and we should just set the value for the environment variable
+ like in the pattern case. [Ruediger Pluem]
+
+ *) mod_session: Always decode session attributes early. [Hank Ibell]
+
+ *) core: Incorrect values for environment variables are substituted when
+ multiple environment variables are specified in a directive. [Hank Ibell]
+
+ *) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
+ this type of map is present in the configuration. PR62311.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_dav: Fix invalid Location header when a resource is created by
+ passing an absolute URI on the request line [Jim Jagielski]
+
+ *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
+ [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]
+
+ *) mod_ssl: clear *SSL errors before loading certificates and checking
+ afterwards. Otherwise errors are reported when other SSL using modules
+ are in play. Fixes PR 62880. [Michael Kaufmann]
+
+ *) mod_ssl: Fix the error code returned in an error path of
+ 'ssl_io_filter_handshake()'. This messes-up error handling performed
+ in 'ssl_io_filter_error()' [Yann Ylavic]
+
+ *) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
+ authz provider so "Require ssl" works correctly in HTTP/2.
+ PR 61519, 62654. [Joe Orton, Stefan Eissing]
+
+ *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
+ redirects, subsequent ProxyPassReverse statements, whether they are
+ relative or absolute, may fail. PR 60408. [Peter Haworth <pmh1wheel gmail.com>]
+
+ *) mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1]
+
+Changes with Apache 2.4.37
+
+ *) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1. [Rainer Jung]
+
+ *) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
+ when client certificates are available from the original handshake
+ but were originally not verified and should get verified now.
+ This is a regression in 2.4.36 (unreleased). [Ruediger Pluem]
+
+ *) mod_ssl: Correctly merge configurations that have client certificates set
+ by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]
+
+Changes with Apache 2.4.36
+
+ *) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
+ responses. Regression introduced in 2.4.35.
+
+ *) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
+ body of the response. [Jim Jagielski]
+
+ *) mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when
+ there are still idle threads available. When there are less idle threads than
+ MinSpareThreads, issue new one-time message AH10159. Matches worker MPM.
+ [Eric Covener]
+
+ *) mod_http2: adding defensive code for stream EOS handling, in case the request handler
+ missed to signal it the normal way (eos buckets). Addresses github issues
+ https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
+ and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing]
+
+ *) ab: Add client certificate support. PR 55774. [Graham Leggett]
+
+ *) ab: Disable printing temp key for OpenSSL before
+ version 1.0.2. SSL_get_server_tmp_key is not available
+ there. [Rainer Jung]
+
+ *) mod_ssl: Fix a regression that the configuration settings for verify mode
+ and verify depth were taken from the frontend connection in case of
+ connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
+
+ *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
+ before signals handling to avoid lifetime issues on restart or shutdown.
+ PR 62658. [Yann Ylavic]
+
+ *) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3. TLSv1.3 has
+ behavioural changes compared to v1.2 and earlier; client and
+ configuration changes should be expected. SSLCipherSuite is
+ enhanced for TLSv1.3 ciphers, but applies at vhost level only.
+ [Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]
+
+ *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
+ should be accepted after the authorization scheme. \t are also tolerated.
+ [Christophe Jaillet]
+
+ *) mod_socache_redis: New socache submodule provider to allow use
+ of Redis as storage backend. [Jim Jagielski]
+
+ *) mod_proxy_hcheck: Fix issues with interval determination. PR 62318
+ [Jim Jagielski]
+
+ *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
+ [Dominik Stillhard <dominik.stillhard united-security-providers.ch>]
+
+ *) mod_proxy_hcheck: take balancer's SSLProxy* directives into account.
+ [Jim Jagielski]
+
+ *) mod_status, mod_echo: Fix the display of client addresses.
+ They were truncated to 31 characters which is not enough for IPv6 addresses.
+ This is done by deprecating the use of the 'client' field and using
+ the new 'client64' field in worker_score.
+ PR 54848 [Bernhard Schmidt <berni birkenwald de>, Jim Jagielski]
+
+Changes with Apache 2.4.35
+
+ *) http: Enforce consistently no response body with both 204 and 304
+ statuses. [Yann Ylavic]
+
+ *) mod_status: Cumulate CPU time of exited child processes in the
+ "cu" and "cs" values. Add CPU time of the parent process to the
+ "c" and "s" values.
+ [Rainer Jung]
+
+ *) mod_proxy: Improve the balancer member data shown in mod_status when
+ "ProxyStatus" is "On": add "busy" count and show byte counts in
+ auto mode always in units of kilobytes. [Rainer Jung]
+
+ *) mod_status: Add cumulated response duration time in milliseconds.
+ [Rainer Jung]
+
+ *) mod_status: Complete the data shown for async MPMs in "auto" mode.
+ Added number of processes, number of stopping processes and number
+ of busy and idle workers. [Rainer Jung]
+
+ *) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
+ introduced in 2.4.34. PR 62568. [Yann Ylavic]
+
+ *) mod_proxy: Remove load order and link dependency between mod_lbmethod_*
+ modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe]
+
+ *) Allow the argument to <IfFile>, <IfDefine>, <IfSection>, <IfDirective>,
+ and <IfModule> to be quoted. This is primarily for the benefit of
+ <IfFile>. [Eric Covener]
+
+ *) mod_watchdog: Correct some log messages. [Rainer Jung]
+
+ *) mod_md: When the last domain name from an MD is moved to another one,
+ that now empty MD gets moved to the store archive. PR 62572.
+ [Stefan Eissing]
+
+ *) mod_ssl: Fix merging of SSLOCSPOverrideResponder. [Jeff Trawick,
+ [Frank Meier <frank meier ergon.ch>]
+
+ *) mod_proxy_balancer: Restore compatibility with APR 1.4. [Joe Orton]
+
+Changes with Apache 2.4.34
+
+ *) SECURITY: CVE-2018-8011 (cve.mitre.org)
+ mod_md: DoS via Coredumps on specially crafted requests
+
+ *) SECURITY: CVE-2018-1333 (cve.mitre.org)
+ mod_http2: DoS for HTTP/2 connections by specially crafted requests
+
+ *) Introduce zh-cn and zh-tw (simplified and traditional Chinese) error
+ document translations. [CodeingBoy, popcorner]
+
+ *) event: avoid possible race conditions with modules on the child pool.
+ [Stefan Fritsch]
+
+ *) mod_proxy: Fix a corner case where the ProxyPassReverseCookieDomain or
+ ProxyPassReverseCookiePath directive could fail to update correctly
+ 'domain=' or 'path=' in the 'Set-Cookie' header. PR 61560.
+ [Christophe Jaillet]
+
+ *) mod_ratelimit: fix behavior when proxing content. PR 62362.
+ [Luca Toscano, Yann Ylavic]
+
+ *) core: Re-allow '_' (underscore) in hostnames.
+ [Eric Covener]
+
+ *) mod_authz_core: If several parameters are used in a AuthzProviderAlias
+ directive, if these parameters are not enclosed in quotation mark, only
+ the first one is handled. The other ones are silently ignored.
+ Add a message to warn about such a spurious configuration.
+ PR 62469 [Hank Ibell <hwibell gmail.com>, Christophe Jaillet]
+
+ *) mod_md: improvements and bugfixes
+ - MDNotifyCmd now takes additional parameter that are passed on to the called command.
+ - ACME challenges have better checks for interference with other modules
+ - ACME challenges are only handled for domains managed by the module, allowing
+ other ACME clients to operate for other domains in the server.
+ - better libressl integration
+
+ *) mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'.
+ PR 62480. [Lubos Uhliarik <luhliari redhat.com>}
+
+ *) logging: Some early logging-related startup messages could be lost
+ when using syslog for the global ErrorLog. [Eric Covener]
+
+ *) mod_cache: Handle case of an invalid Expires header value RFC compliant
+ like the case of an Expires time in the past: allow to overwrite the
+ non-caching decision using CacheStoreExpired and respect Cache-Control
+ "max-age" and "s-maxage". [Rainer Jung]
+
+ *) mod_xml2enc: Fix forwarding of error metadata/responses. PR 62180.
+ [Micha Lenk <micha lenk.info>, Yann Ylavic]
+
+ *) mod_proxy_http: Fix response header thrown away after the previous one
+ was considered too large and truncated. PR 62196. [Yann Ylavic]
+
+ *) core: Add and handle AP_GETLINE_NOSPC_EOL flag for ap_getline() family
+ of functions to consume the end of line when the buffer is exhausted.
+ PR 62198. [Yann Ylavic]
+
+ *) mod_proxy_http: Add new worker parameter 'responsefieldsize' to
+ allow maximum HTTP response header size to be increased past 8192
+ bytes. PR 62199. [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_ssl: Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf
+ of a certificate chain. PR62112.
+ [Ricardo Martin Camarero <rickyepoderi yahoo.es>]
+
+ *) http: Fix small memory leak per request when handling persistent
+ connections. [Ruediger Pluem, Joe Orton]
+
+ *) mod_proxy_html: Fix variable interpolation and memory allocation failure
+ in ProxyHTMLURLMap. PR 62344. [Ewald Dieterich <ewald mailbox.org>]
+
+ *) mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.
+ PR 62220. [Chritophe Jaillet, Yann Ylavic]
+
+ *) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
+ zero out what had been initialized as the connection-level port. PR59931.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: In ONE_PROCESS/debug mode, cleanup everything when exiting.
+ [Yann Ylavic]
+
+ *) mod_proxy_balancer: Add hot spare member type and corresponding flag (R).
+ Hot spare members are used as drop-in replacements for unusable workers
+ in the same load balancer set. This differs from hot standbys which are
+ only used when all workers in a set are unusable. PR 61140. [Jim Riggs]
+
+ *) suexec: Add --enable-suexec-capabilites support on Linux, to use
+ setuid/setgid capability bits rather than a setuid root binary.
+ [Joe Orton]
+
+ *) suexec: Add support for logging to syslog as an alternative to
+ logging to a file; use --without-suexec-logfile --with-suexec-syslog.
+ [Joe Orton]
+
+ *) mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling
+ which broke some rare but previously-working configs. [Joe Orton]
+
+ *) core, log: improve sanity checks for the ErrorLog's syslog config, and
+ explicitly allow only lowercase 'syslog' settings. PR 62102
+ [Luca Toscano, Jim Riggs, Christophe Jaillet]
+
+ *) mod_http2: accurate reporting of h2 data input/output per request via
+ mod_logio. Fixes an issue where output sizes where counted n-times on
+ reused slave connections. [Stefan Eissing]
+ See github issue: https://github.com/icing/mod_h2/issues/158
+
+ *) mod_http2: Fix unnecessary timeout waits in case streams are aborted.
+ [Stefan Eissing]
+
+ *) mod_http2: restoring the v1.10.16 keepalive timeout behaviour of mod_http2.
+ [Stefan Eissing]
+
+ *) mod_proxy: Do not restrict the maximum pool size for backend connections
+ any longer by the maximum number of threads per process and use a better
+ default if mod_http2 is loaded.
+ [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Gregg Smith]
+
+ *) mod_slotmem_shm: Add generation number to shm filename to fix races
+ with graceful restarts. PRs 62044 and 62308. [Jim Jagielski, Yann Ylavic]
+
+ *) core: Preserve the original HTTP request method in the '%<m' LogFormat
+ when an path-based ErrorDocument is used. PR 62186.
+ [Micha Lenk <micha lenk.info>]
+
+ *) mod_remoteip: make proxy-protocol work on slave connections, e.g. in
+ HTTP/2 requests. [Stefan Eissing]
+ See also https://github.com/roadrunner2/mod-proxy-protocol/issues/6
+
+ *) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
+ regression introduced in 2.4.30. PR 62232. [Rainer Jung, Yann Ylavic]
+
+ *) mod_md: Fix compilation with OpenSSL before version 1.0.2. [Rainer Jung]
+
+ *) mod_dumpio: do nothing below log level TRACE7. [Yann Ylavic]
+
+ *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
+ [Eric Covener]
+
+ *) core: On ECBDIC platforms, some errors related to oversized headers
+ may be misreported or be logged as ASCII escapes. PR 62200
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_ssl: Fix cmake-based build. PR 62266. [Rainer Jung]
+
+ *) core: Add <IfFile>, <IfDirective> and <IfSection> conditional
+ section containers. [Eric Covener, Joe Orton]
+
+ *) rotatelogs: Add -D option to create parent directories. PR 46669.
+ [Philippe Lantin <plantin cobaltgroup.com>, Ben Reser, Rainer Jung]
+
+Changes with Apache 2.4.33
+
+ *) core: Fix request timeout logging and possible crash for error_log hooks.
+ [Yann Ylavic]
+
+ *) mod_slomem_shm: Fix failure to create balancers's slotmems in Windows MPM,
+ where children processes need to attach them instead since they are owned
+ by the parent process already. [Yann Ylavic]
+
+ *) ab: try all destination socket addresses returned by
+ apr_sockaddr_info_get instead of failing on first one when not available.
+ Needed for instance if localhost resolves to both ::1 and 127.0.0.1
+ e.g. if both are in /etc/hosts. [Jan Kaluza]
+
+ *) ab: Use only one connection to determine working destination socket
+ address. [Jan Kaluza]
+
+ *) ab: LibreSSL doesn't have or require Windows applink.c. [Gregg L. Smith]
+
+ *) htpasswd/htdigest: Disable support for bcrypt on EBCDIC platforms.
+ apr-util's bcrypt implementation doesn't tolerate EBCDIC. [Eric Covener]
+
+ *) htpasswd/htdbm: report the right limit when get_password() overflows.
+ [Yann Ylavic]
+
+ *) htpasswd: Don't fail in -v mode if password file is unwritable.
+ PR 61631. [Joe Orton]
+
+ *) htpasswd: don't point to (unused) stack memory on output
+ to make static analysers happy. PR 60634.
+ [Yann Ylavic, reported by shqking and Zhenwei Zou]
+
+Changes with Apache 2.4.32
+
+ *) mod_access_compat: Fail if a comment is found in an Allow or Deny
+ directive. [Jan Kaluza]
+
+ *) mod_authz_host: Ignore comments after "Require host", logging a
+ warning, or logging an error if the line is otherwise empty.
+ [Jan Kaluza, Joe Orton]
+
+ *) rotatelogs: Fix expansion of %Z in localtime (-l) mode, and fix
+ Y2K38 bug. [Joe Orton]
+
+ *) mod_ssl: Support SSL DN raw variable extraction without conversion
+ to UTF-8, using _RAW suffix on variable names. [Joe Orton]
+
+ *) ab: Fix https:// connection failures (regression in 2.4.30); fix
+ crash generating CSV output for large -n. [Joe Orton, Jan Kaluza]
+
+Changes with Apache 2.4.31 (not released)
+
+ *) mod_proxy_fcgi: Add the support for mod_proxy's flushpackets and flushwait
+ parameters. [Luca Toscano, Ruediger Pluem, Yann Ylavic]
+
+ *) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
+ improper merging of the cache lock in vhost config.
+ PR 43164 [Eric Covener]
+
+ *) mpm_event: Do lingering close in worker(s). [Yann Ylavic]
+
+ *) mpm_queue: Put fdqueue code in common for MPMs event and worker.
+ [Yann Ylavic]
+
+Changes with Apache 2.4.30 (not released)
+
+ *) SECURITY: CVE-2017-15710 (cve.mitre.org)
+ Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
+ [Eric Covener, Luca Toscano, Yann Ylavic]
+
+ *) SECURITY: CVE-2018-1283 (cve.mitre.org)
+ mod_session: CGI-like applications that intend to read from mod_session's
+ 'SessionEnv ON' could be fooled into reading user-supplied data instead.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2018-1303 (cve.mitre.org)
+ mod_cache_socache: Fix request headers parsing to avoid a possible crash
+ with specially crafted input data. [Ruediger Pluem]
+
+ *) SECURITY: CVE-2018-1301 (cve.mitre.org)
+ core: Possible crash with excessively long HTTP request headers.
+ Impractical to exploit with a production build and production LogLevel.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2017-15715 (cve.mitre.org)
+ core: Configure the regular expression engine to match '$' to the end of
+ the input string only, excluding matching the end of any embedded
+ newline characters. Behavior can be changed with new directive
+ 'RegexDefaultOptions'. [Yann Ylavic]
+
+ *) SECURITY: CVE-2018-1312 (cve.mitre.org)
+ mod_auth_digest: Fix generation of nonce values to prevent replay
+ attacks across servers using a common Digest domain. This change
+ may cause problems if used with round robin load balancers. PR 54637
+ [Stefan Fritsch]
+
+ *) SECURITY: CVE-2018-1302 (cve.mitre.org)
+ mod_http2: Potential crash w/ mod_http2.
+ [Stefan Eissing]
+
+ *) mod_proxy: Provide an RFC1035 compliant version of the hostname in the
+ proxy_worker_shared structure. PR62085 [Graham Leggett]
+
+ *) mod_proxy: Worker schemes and hostnames which are too large are no
+ longer fatal errors; it is logged and the truncated values are stored.
+ [Jim Jagielski]
+
+ *) mod_proxy: Allow setting options to globally defined balancer from
+ ProxyPass used in VirtualHost. Balancers are now merged using the new
+ merge_balancers method which merges the balancers options. [Jan Kaluza]
+
+ *) logresolve: Fix incorrect behavior or segfault if -c flag is used
+ Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259
+ [Stefan Fritsch]
+
+ *) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
+ Add ability for PROXY protocol processing to be optional to donated code.
+ See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
+ [Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri]
+
+ *) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
+ allowing per backend TLS configuration. [Yann Ylavic]
+
+ *) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module. [Roberto De Ioris,
+ Jim Jagielski]
+
+ *) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
+ depend on the number of restarts (non-Unix systems) and preserve shared
+ names as much as possible on configuration changes for SHMs and persisted
+ files. PR 62044. [Yann Ylavic, Jim Jagielski]
+
+ *) mod_http2: obsolete code removed, no more events on beam pool destruction,
+ discourage content encoders on http2-status response (where they do not work).
+ [Stefan Eissing]
+
+ *) mpm_event: Let the listener thread do its maintenance job on resources
+ shortage. PR 61979. [Yann Ylavic]
+
+ *) mpm_event: Wakeup the listener to re-enable listening sockets.
+ [Yann Ylavic]
+
+ *) mod_ssl: The SSLCompression directive will now give an error if used
+ with an OpenSSL build which does not support any compression methods.
+ [Joe Orton]
+
+ *) mpm_event,worker: Mask signals for threads created by modules in child
+ init, so that they don't receive (implicitly) the ones meant for the MPM.
+ PR 62009. [Armin Abfalterer <a.abfalterer gmail com>, Yann Ylavic]
+
+ *) mod_md: new experimental, module for managing domains across virtual hosts,
+ implementing the Let's Encrypt ACMEv1 protocol to signup and renew
+ certificates. Please read the modules documentation for further instructions
+ on how to use it. [Stefan Eissing]
+
+ *) mod_proxy_html: skip documents shorter than 4 bytes
+ PR 56286 [Micha Lenk <micha lenk info>]
+
+ *) core, mpm_event: Avoid a small memory leak of the scoreboard handle, for
+ the lifetime of the connection, each time it is processed by MPM event.
+ [Yann Ylavic]
+
+ *) mpm_event: Update scoreboard status for KeepAlive state. [Yann Ylavic]
+
+ *) mod_ldap: Fix a case where a full LDAP cache would continually fail to
+ purge old entries and log AH01323. PR61891.
+ [Hendrik Harms <hendrik.harms gmail.com>]
+
+ *) mpm_event: close connections not reported as handled by any module to
+ avoid losing track of them and leaking scoreboard entries. PR 61551.
+ [Yann Ylavic]
+
+ *) core: A signal received while stopping could have crashed the main
+ process. PR 61558. [Yann Ylavic]
+
+ *) mod_ssl: support for mod_md added. [Stefan Eissing]
+
+ *) mod_proxy_html: process parsed comments immediately.
+ Fixes bug (seen in the wild when used with IBM's HTTPD bundle)
+ where parsed comments may be lost. [Nick Kew]
+
+ *) mod_proxy_html: introduce doctype for HTML 5 [Nick Kew]
+
+ *) mod_proxy_html: fix typo-bug processing "strict" vs "transitional"
+ HTML/XHTML. PR 56457 [Nick Kew]
+
+ *) mpm_event: avoid a very unlikely race condition between the listener and
+ the workers when the latter fails to add a connection to the pollset.
+ [Yann Ylavic]
+
+ *) core: silently ignore a not existent file path when IncludeOptional
+ is used. PR 57585. [Alberto Murillo Silva <powerbsd yahoo.com>, Luca Toscano]
+
+ *) mod_macro: fix usability of globally defined macros in .htaccess files.
+ PR 57525. [Jose Kahan <jose w3.org>, Yann Ylavic]
+
+ *) mod_rewrite, core: add the Vary header when a condition evaluates to true
+ and the related RewriteRule is used in a Directory context
+ (triggering an internal redirect). [Luca Toscano]
+
+ *) ab: Make the TLS layer aware that the underlying socket is nonblocking,
+ and use/handle POLLOUT where needed to avoid busy IOs and recover write
+ errors when appropriate. [Yann Ylavic]
+
+ *) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
+ read was incomplete (the SSL case can cause the next poll() to timeout
+ since data are buffered already). PR 61301 [Luca Toscano, Yann Ylavic]
+
+ *) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain
+ information retrievals on null bucket beams where it makes sense. [Stefan Eissing]
+
+Changes with Apache 2.4.29
+
+ *) mod_unique_id: Use output of the PRNG rather than IP address and
+ pid, avoiding sleep() call and possible DNS issues at startup,
+ plus improving randomness for IPv6-only hosts. [Jan Kaluza]
+
+ *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST
+ is used in a condition that evaluates to true. PR 58231 [Luca Toscano, Yann Ylavic]
+
+ *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
+ beams that could lead to assertion failure in edge cases.
+ [Stefan Eissing]
+
+ *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
+ in 2.4.28. [Jim Jagielski]
+
+ *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
+ PR 61546. [Lubos Uhliarik <luhliari redhat.com>]
+
+ *) mod_rewrite: Add support for starting External Rewriting Programs
+ as non-root user on UNIX systems by specifying username and group
+ name as third argument of RewriteMap directive. [Jan Kaluza]
+
+ *) core: Rewrite the Content-Length filter to avoid excessive memory
+ consumption. Chunked responses will be generated in more cases
+ than in previous releases. PR 61222. [Joe Orton, Ruediger Pluem]
+
+ *) mod_ssl: Fix SessionTicket callback return value, which does seem to
+ matter with OpenSSL 1.1. [Yann Ylavic]
+
+Changes with Apache 2.4.28
+
+ *) SECURITY: CVE-2017-9798 (cve.mitre.org)
+ Corrupted or freed memory access. <Limit[Except]> must now be used in the
+ main configuration file (httpd.conf) to register HTTP methods before the
+ .htaccess files. [Yann Ylavic]
+
+ *) event: Avoid possible blocking in the listener thread when shutting down
+ connections. PR 60956. [Yann Ylavic]
+
+ *) mod_speling: Don't embed referer data in a link in error page.
+ PR 38923 [Nick Kew]
+
+ *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
+ length in a password file. PR 61511.
+ [Luca Toscano, Hanno Böck <hanno hboeck de>]
+
+ *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
+ [Jim Jagielski]
+
+ *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
+ PR 61142.
+
+ *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be specified
+ down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
+ 's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]
+
+ *) mod_http2: Fix for stalling when more than 32KB are written to a
+ suspended stream. [Stefan Eissing]
+
+ *) build: allow configuration without APR sources. [Jacob Champion]
+
+ *) mod_ssl, ab: Fix compatibility with LibreSSL. PR 61184.
+ [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
+ Yann Ylavic]
+
+ *) core/log: Support use of optional "tag" in syslog entries.
+ PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]
+
+ *) mod_proxy: Fix ProxyAddHeaders merging. [Joe Orton]
+
+ *) core: Disallow multiple Listen on the same IP:port when listener buckets
+ are configured (ListenCoresBucketsRatio > 0), consistently with the single
+ bucket case (default), thus avoiding the leak of the corresponding socket
+ descriptors on graceful restart. [Yann Ylavic]
+
+ *) event: Avoid listener periodic wake ups by using the pollset wake-ability
+ when available. PR 57399. [Yann Ylavic, Luca Toscano]
+
+ *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
+ led to spurious HTTP 502 error messages sent on upgrade connections.
+ PR 61283. [Yann Ylavic]
+
+Changes with Apache 2.4.27
+
+ *) SECURITY: CVE-2017-9789 (cve.mitre.org)
+ mod_http2: Read after free. When under stress, closing many connections,
+ the HTTP/2 handling code would sometimes access memory after it has been
+ freed, resulting in potentially erratic behaviour.
+ [Stefan Eissing]
+
+ *) SECURITY: CVE-2017-9788 (cve.mitre.org)
+ mod_auth_digest: Uninitialized memory reflection. The value placeholder
+ in [Proxy-]Authorization headers type 'Digest' was not initialized or
+ reset before or between successive key=value assignments.
+ [William Rowe]
+
+ *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
+ global variable when using Lua 5.2 or later. This was exported as a
+ side effect from luaL_register, which is no longer supported as of
+ Lua 5.2 which deprecates pollution of the global namespace.
+ [Rainer Jung]
+
+ *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
+ The server will continue to run, but HTTP/2 will no longer be negotiated.
+ [Stefan Eissing]
+
+ *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
+ default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
+ [Jacob Champion, Jim Jagielski]
+
+ *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
+ PR58188, PR60831, PR61245. [Rainer Jung]
+
+ *) mod_http2: Simplify ready queue, less memory and better performance. Update
+ mod_http2 version to 1.10.7. [Stefan Eissing]
+
+ *) Allow single-char field names inadvertently disallowed in 2.4.25.
+ PR 61220. [Yann Ylavic]
+
+ *) htpasswd / htdigest: Do not apply the strict permissions of the temporary
+ passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]
+
+ *) core: Avoid duplicate HEAD in Allow header.
+ This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
+ PR 61207. [Christophe Jaillet]
+
+Changes with Apache 2.4.26
+
+ *) SECURITY: CVE-2017-7679 (cve.mitre.org)
+ mod_mime can read one byte past the end of a buffer when sending a
+ malicious Content-Type response header. [Yann Ylavic]
+
+ *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+ The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+ bug in token list parsing, which allows ap_find_token() to search past
+ the end of its input string. By maliciously crafting a sequence of
+ request headers, an attacker may be able to cause a segmentation fault,
+ or to force ap_find_token() to return an incorrect value.
+ [Jacob Champion]
+
+ *) SECURITY: CVE-2017-7659 (cve.mitre.org)
+ A maliciously constructed HTTP/2 request could cause mod_http2 to
+ dereference a NULL pointer and crash the server process.
+
+ *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+ mod_ssl may dereference a NULL pointer when third-party modules call
+ ap_hook_process_connection() during an HTTP request to an HTTPS port.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2017-3167 (cve.mitre.org)
+ Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+ authentication phase may lead to authentication requirements being
+ bypassed.
+ [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+
+ *) HTTP/2 support no longer tagged as "experimental" but is instead considered
+ fully production ready.
+
+ *) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
+ the session in continuous check for state changes that never happen.
+ [Stefan Eissing]
+
+ *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
+ protocols. [Jean-Frederic Clere]
+
+ *) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
+ a possible crash if a signal is caught during (graceful) restart.
+ PR 60487. [Yann Ylavic]
+
+ *) mod_rewrite: When a substitution is a fully qualified URL, and the
+ scheme/host/port matches the current virtual host, stop interpreting the
+ path component as a local path just because the first component of the
+ path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
+ to revert to previous behavior. PR60009.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
+ platforms. PR61124. [Hank Ibell <hwibell gmail.com>]
+
+ *) ab: enable option processing for setting a custom HTTP method also for
+ non-SSL builds. [Rainer Jung]
+
+ *) core: EBCDIC fixes for interim responses with additional headers.
+ [Eric Covener]
+
+ *) mod_env: when processing a 'SetEnv' directive, warn if the environment
+ variable name includes a '='. It is likely a configuration error.
+ PR 60249 [Christophe Jaillet]
+
+ *) Evaluate nested If/ElseIf/Else configuration blocks.
+ [Luca Toscano, Jacob Champion]
+
+ *) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
+ allow spaces in backreferences to be encoded as %20 instead of '+'.
+ [Eric Covener]
+
+ *) mod_rewrite: Add the possibility to limit the escaping to specific
+ characters in backreferences by listing them in the B flag.
+ [Eric Covener]
+
+ *) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
+ systems. [Eric Covener]
+
+ *) mod_http2: fail requests without ERROR log in case we need to read interim
+ responses and see only garbage. This can happen if proxied servers send
+ data where none should be, e.g. a body for a HEAD request. [Stefan Eissing]
+
+ *) mod_proxy_http2: adding support for Reverse Proxy Request headers.
+ [Stefan Eissing]
+
+ *) mod_http2: fixed possible deadlock that could occur when connections were
+ terminated early with ongoing streams. Fixed possible hanger with timeout
+ on race when connection considers itself idle. [Stefan Eissing]
+
+ *) mod_http2: MaxKeepAliveRequests now limits the number of times a
+ slave connection gets reused. [Stefan Eissing]
+
+ *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
+ [Evgeny Kotkov]
+
+ *) mod_proxy_http2: Fixed bug in re-attempting proxy requests after
+ connection error. Reliability of reconnect handling improved.
+ [Stefan Eissing]
+
+ *) mod_http2: better performance, eliminated need for nested locks and
+ thread privates. Moving request setups from the main connection to the
+ worker threads. Increase number of spare connections kept.
+ [Stefan Eissing]
+
+ *) mod_http2: input buffering and dynamic flow windows for increased
+ throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
+ in mod_http2 INFO log as feature 'DWINS'. [Stefan Eissing]
+
+ *) mod_http2: h2 workers with improved scalability for better scheduling
+ performance. There are H2MaxWorkers threads created at start and the
+ number is kept constant for now. [Stefan Eissing]
+
+ *) mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and
+ just log a warning. [Stefan Eissing]
+
+ *) mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date
+ format from 2.2 in the Last Modified column. PR60846.
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) core: Add %{REMOTE_PORT} to the expression parser. PR59938
+ [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
+ computing and using the same entity key according to when the cache
+ checks, loads and saves the request.
+ PR 60577. [Yann Ylavic]
+
+ *) mod_proxy_hcheck: Don't validate timed out responses. [Yann Ylavic]
+
+ *) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
+ in use (ProxyHCTPsize > 0). PR 60071. [Yann Ylavic, Jim Jagielski]
+
+ *) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
+ URI originally requested by the user, not the nested documents URI. This
+ restores the behavior of this variable to match the "legacy" SSI parser.
+ PR60624. [Hank Ibell <hwibell gmail.com>]
+
+ *) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
+ variables just before invoking the FastCGI. [Eric Covener,
+ Jacob Champion]
+
+ *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
+ a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
+ default. Add ProxyFCGIBackendType to allow the type of backend to be
+ specified so these kinds of fixups can be restored without impacting
+ FPM. PR60576 [Eric Covener, Jim Jagielski]
+
+ *) mod_ssl: work around leaks on (graceful) restart. [Yann Ylavic]
+
+ *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
+
+ *) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
+ than zero. [Eric Covener]
+
+ *) mod_http2: moving session cleanup to pre_close hook to avoid races with
+ modules already shut down and slave connections still operating.
+ [Stefan Eissing]
+
+ *) mod_lua: Support for Lua 5.3
+
+ *) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
+
+ *) mod_http2: fix for crash when running out of memory.
+ [Robert Swiecki <robert swiecki.net>, Stefan Eissing]
+
+ *) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
+ [Luca Toscano]
+
+ *) mod_http2: not counting file buckets again stream max buffer limits.
+ Effectively transferring static files in one step from slave to master
+ connection. [Stefan Eissing]
+
+ *) mod_http2: comforting ap_check_pipeline() on slave connections
+ to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
+ [Stefan Eissing, reported by Armin Abfalterer]
+
+ *) mod_http2: http/2 streams now with state handling/transitions as defined
+ in RFC7540. Stream cleanup/connection shutdown reworked to become easier
+ to understand/maintain/debug. Added many asserts on state and cleanup
+ transitions. [Stefan Eissing]
+
+ *) mod_auth_digest: Use an anonymous shared memory segment by default,
+ preventing startup failure after unclean shutdown. PR 54622.
+ [Jan Kaluza]
+
+ *) mod_filter: Fix AddOutputFilterByType with non-content-level filters.
+ PR 58856. [Micha Lenk <micha lenk.info>]
+
+ *) mod_watchdog: Fix semaphore leak over restarts. [Jim Jagielski]
+
+ *) mod_http2: regression fix on PR 59348, on graceful restart, ongoing
+ streams are finished normally before the final GOAWAY is sent.
+ [Stefan Eissing, <slavko gmail.com>]
+
+ *) mod_proxy: Allow the per-request environment variable "no-proxy" to
+ be used as an alternative to ProxyPass /path !. This is primarily
+ to set exceptions for ProxyPass specified in <Location> context.
+ Use SetEnvIf, not SetEnv. PR 60458. [Eric Covener]
+
+ *) mod_http2: fixes PR60599, sending proper response for conditional requests
+ answered by mod_cache. [Jeff Wheelhouse, Stefan Eissing]
+
+ *) mod_http2: rework of stream resource cleanup to avoid a crash in a close
+ of a lingering connection. Prohibit special file bucket beaming for
+ shared buckets. Files sent in stream output now use the stream pool
+ as read buffer, reducing memory footprint of connections.
+ [Yann Ylavic, Stefan Eissing]
+
+ *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
+ modules add empty environment variables to the request. PR 60275.
+ [<alex2grad AT gmail.com>]
+
+ *) mod_http2: fix for possible page fault when stream is resumed during
+ session shutdown. [sidney-j-r-m (github)]
+
+ *) mod_http2: fix for h2 session ignoring new responses while already
+ open streams continue to have data available. [Stefan Eissing]
+
+ *) mod_http2: adding support for MergeTrailers directive. [Stefan Eissing]
+
+ *) mod_http2: limiting DATA frame sizes by TLS record sizes in use on the
+ connection. Flushing outgoing frames earlier. [Stefan Eissing]
+
+ *) mod_http2: cleanup beamer registry on server reload. PR 60510.
+ [Pavel Mateja <pavel verotel.cz>, Stefan Eissing]
+
+ *) mod_proxy_{ajp,fcgi}: Fix a possible crash when reusing an established
+ backend connection, happening with LogLevel trace2 or higher configured,
+ or at any log level with compilers not detected as C99 compliant (e.g.
+ MSVC on Windows). [Yann Ylavic]
+
+ *) mod_ext_filter: Don't interfere with "error buckets" issued by other
+ modules. PR 60375. [Eric Covener, Lubos Uhliarik]
+
+ *) mod_http2: fixes https://github.com/icing/mod_h2/issues/126 e.g. beam
+ bucket lifetime handling when data is sent over temporary pools.
+ [Stefan Eissing]
+
+Changes with Apache 2.4.25
+
+ *) Fix some build issues related to various modules.
+ [Rainer Jung]
+
+Changes with Apache 2.4.24 (not released)
+
+ *) SECURITY: CVE-2016-8740 (cve.mitre.org)
+ mod_http2: Mitigate DoS memory exhaustion via endless
+ CONTINUATION frames.
+ [Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State
+ University, Stefan Eissing]
+
+ *) SECURITY: CVE-2016-2161 (cve.mitre.org)
+ mod_auth_digest: Prevent segfaults during client entry allocation when
+ the shared memory space is exhausted.
+ [Maksim Malyutin <m.malyutin dsec.ru>, Eric Covener, Jacob Champion]
+
+ *) SECURITY: CVE-2016-0736 (cve.mitre.org)
+ mod_session_crypto: Authenticate the session data/cookie with a
+ MAC (SipHash) to prevent deciphering or tampering with a padding
+ oracle attack. [Yann Ylavic, Colm MacCarthaigh]
+
+ *) SECURITY: CVE-2016-8743 (cve.mitre.org)
+ Enforce HTTP request grammar corresponding to RFC7230 for request lines
+ and request headers, to prevent response splitting and cache pollution by
+ malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
+
+ *) Validate HTTP response header grammar defined by RFC7230, resulting
+ in a 500 error in the event that invalid response header contents are
+ detected when serving the response, to avoid response splitting and cache
+ pollution by malicious clients, upstream servers or faulty modules.
+ [Stefan Fritsch, Eric Covener, Yann Ylavic]
+
+ *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
+ [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
+
+ *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
+ looping RewriteRules when the local path significantly exceeds
+ LimitRequestLine. PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]
+
+ *) mod_ratelimit: Allow for initial "burst" amount at full speed before
+ throttling: PR 60145 [Andy Valencia <ajv-etradanalhos vsta.org>,
+ Jim Jagielski]
+
+ *) mod_socache_memcache: Provide memcache stats to mod_status.
+ [Jim Jagielski]
+
+ *) mod_file_cache: mod_file_cache should be able to serve files that
+ haven't had a Content-Type set via e.g. mod_mime. [Eric Covener]
+
+ *) http_filters: Fix potential looping in new check_headers() due to new
+ pattern of ap_die() from http header filter. Explicitly clear the
+ previous headers and body.
+
+ *) core: Drop Content-Length header and message-body from HTTP 204 responses.
+ PR 51350 [Luca Toscano]
+
+ *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is
+ configured in <Location>, like in 2.2. PR 60458.
+ [Eric Covener]
+
+ *) mod_lua: Fix default value of LuaInherit directive. It should be
+ 'parent-first' instead of 'none', as per documentation. PR 60419
+ [Christophe Jaillet]
+
+ *) core: New directive HttpProtocolOptions to control httpd enforcement
+ of various RFC7230 requirements. [Stefan Fritsch, William Rowe]
+
+ *) core: Permit unencoded ';' characters to appear in proxy requests and
+ Location: response headers. Corresponds to modern browser behavior.
+ [William Rowe]
+
+ *) core: ap_rgetline_core now pulls from r->proto_input_filters.
+
+ *) core: Correctly parse an IPv6 literal host specification in an absolute
+ URL in the request line. [Stefan Fritsch]
+
+ *) core: New directive RegisterHttpMethod for registering non-standard
+ HTTP methods. [Stefan Fritsch]
+
+ *) mod_socache_memcache: Pass expiration time through to memcached. PR 55445.
+ [Faidon Liambotis <paravoid debian.org>, Joe Orton]
+
+ *) mod_cache: Use the actual URI path and query-string for identifying the
+ cached entity (key), such that rewrites are taken into account when
+ running afterwards (CacheQuickHandler off). PR 21935. [Yann Ylavic]
+
+ *) mod_http2: new directive 'H2EarlyHints' to enable sending of HTTP status
+ 103 interim responses. Disabled by default. [Stefan Eissing]
+
+ *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
+ in the client certificate chain. PR 55786. [Yann Ylavic]
+
+ *) event: Allow to use the whole allocated scoreboard (up to ServerLimit
+ slots) to avoid scoreboard full errors when some processes are finishing
+ gracefully. Also, make gracefully finishing processes close all
+ keep-alive connections. PR 53555. [Stefan Fritsch]
+
+ *) mpm_event: Don't take over scoreboard slots from gracefully finishing
+ threads. [Stefan Fritsch]
+
+ *) mpm_event: Free memory earlier when shutting down processes.
+ [Stefan Fritsch]
+
+ *) mod_status: Display the process slot number in the async connection
+ overview. [Stefan Fritsch]
+
+ *) mod_dir: Responses that go through "FallbackResource" might appear to
+ hang due to unterminated chunked encoding. PR58292. [Eric Covener]
+
+ *) mod_dav: Fix a potential cause of unbounded memory usage or incorrect
+ behavior in a routine that sends <DAV:response>'s to the output filters.
+ [Evgeny Kotkov]
+
+ *) mod_http2: new directive 'H2PushResource' to enable early pushes before
+ processing of the main request starts. Resources are announced to the
+ client in Link headers on a 103 early hint response.
+ All responses with status code <400 are inspected for Link header and
+ trigger pushes accordingly. 304 still does prevent pushes.
+ 'H2PushResource' can mark resources as 'critical' which gives them higher
+ priority than the main resource. This leads to preferred scheduling for
+ processing and, when content is available, will send it first. 'critical'
+ is also recognized on Link headers. [Stefan Eissing]
+
+ *) mod_proxy_http2: uris in Link headers are now mapped back to a suitable
+ local url when available. Relative uris with an absolute path are mapped
+ as well. This makes reverse proxy mapping available for resources
+ announced in this header.
+ With 103 interim responses being forwarded to the main client connection,
+ this effectively allows early pushing of resources by a reverse proxied
+ backend server. [Stefan Eissing]
+
+ *) mod_proxy_http2: adding support for newly proposed 103 status code.
+ [Stefan Eissing]
+
+ *) mpm_unix: Apache fails to start if previously crashed then restarted with
+ the same PID (e.g. in container). PR 60261.
+ [Val <valentin.bremond gmail.com>, Yann Ylavic]
+
+ *) mod_http2: unannounced and multiple interim responses (status code < 200)
+ are parsed and forwarded to client until a final response arrives.
+ [Stefan Eissing]
+
+ *) mod_proxy_http2: improved robustness when main connection is closed early
+ by resetting all ongoing streams against the backend.
+ [Stefan Eissing]
+
+ *) mod_http2: allocators from slave connections are released earlier,
+ resulting in less overall memory use on busy, long lived connections.
+ [Stefan Eissing]
+
+ *) mod_remoteip: Pick up where we left off during a subrequest rather
+ than running with the modified XFF but original TCP address.
+ PR 49839/PR 60251
+
+ *) http: Respond with "408 Request Timeout" when a timeout occurs while
+ reading the request body. [Yann Ylavic]
+
+ *) mod_http2: connection shutdown revisited: corrected edge cases on
+ shutting down ongoing streams, changed log warnings to be less noisy
+ when waiting on long running tasks. [Stefan Eissing]
+
+ *) mod_http2: changed all AP_DEBUG_ASSERT to ap_assert to have them
+ available also in normal deployments. [Stefan Eissing]
+
+ *) mod_http2/mod_proxy_http2: 100-continue handling now properly implemented
+ up to the backend. Reused HTTP/2 proxy connections with more than a second
+ not used will block request bodies until a PING answer is received.
+ Requests headers are not delayed by this, since they are repeatable in
+ case of failure. This greatly increases robustness, especially with
+ busy server and/or low keepalive connections. [Stefan Eissing]
+
+ *) mod_proxy_http2: fixed duplicate symbols with mod_http2.
+ [Stefan Eissing]
+
+ *) mod_http2: rewrite of how responses and trailers are transferred between
+ master and slave connection. Reduction of internal states for tasks
+ and streams, stability. Heuristic id generation for slave connections
+ to better keep promise of connection ids unique at given point int time.
+ Fix for mod_cgid interop in high load situations.
+ Fix for handling of incoming trailers when no request body is sent.
+ [Stefan Eissing]
+
+ *) mod_http2: fix suspended handling for streams. Output could become
+ blocked in rare cases. [Stefan Eissing]
+
+ *) mpm_winnt: Prevent a denial of service when the 'data' AcceptFilter is in
+ use by replacing it with the 'connect' filter. PR 59970. [Jacob Champion]
+
+ *) mod_cgid: Resolve a case where a short CGI response causes a subsequent
+ CGI to be killed prematurely, resulting in a truncated subsequent
+ response. [Eric Covener]
+
+ *) mod_proxy_hcheck: Set health check URI and expression correctly for health
+ check worker. PR 60038 [zdeno <zdeno@scnet.sk>]
+
+ *) mod_http2: if configured with nghttp2 1.14.0 and onward, invalid request
+ headers will immediately reset the stream with a PROTOCOL error. Feature
+ logged by module on startup as 'INVHD' in info message.
+ [Stefan Eissing]
+
+ *) mod_http2: fixed handling of stream buffers during shutdown.
+ [Stefan Eissing]
+
+ *) mod_reqtimeout: Fix body timeout disabling for CONNECT requests to avoid
+ triggering mod_proxy_connect's AH01018 once the tunnel is established.
+ [Yann Ylavic]
+
+ *) ab: Set the Server Name Indication (SNI) extension on outgoing TLS
+ connections (unless -I is specified), according to the Host header (if
+ any) or the requested URL's hostname otherwise. [Yann Ylavic]
+
+ *) mod_proxy_fcgi: avoid loops when ProxyErrorOverride is enabled
+ and the error documents are proxied. PR 55415. [Luca Toscano]
+
+ *) mod_proxy_fcgi: read the whole FCGI response even when the content
+ has not been modified (HTTP 304) or in case of a precondition failure
+ (HTTP 412) to avoid subsequent bogus reads and confusing
+ error messages logged. [Luca Toscano]
+
+ *) mod_http2: h2 status resource follows latest draft, see
+ http://www.ietf.org/id/draft-benfield-http2-debug-state-01.txt
+ [Stefan Eissing]
+
+ *) mod_http2: handling graceful shutdown gracefully, e.g. handling existing
+ streams to the end. [Stefan Eissing]
+
+ *) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data
+ available before the request is sent. PR 57832. [Yann Ylavic]
+
+ *) mod_proxy_balancer: Prevent redirect loops between workers within a
+ balancer by limiting the number of redirects to the number balancer
+ members. PR 59864 [Ruediger Pluem]
+
+ *) mod_proxy: Correctly consider error response codes by the backend when
+ processing failonstatus. PR 59869 [Ruediger Pluem]
+
+ *) mod_dav: Add dav_get_provider_name() function to obtain the name
+ of the provider from mod_dav. [Graham Leggett]
+
+ *) mod_dav: Add support for childtags to dav_error.
+ [Jari Urpalainen <jari.urpalainen nokia.com>]
+
+ *) mod_proxy_fcgi: Fix 2.4.23 breakage for mod_rewrite per-dir and query
+ string showing up in SCRIPT_FILENAME. PR59815
+
+ *) mod_include: Fix a potential memory misuse while evaluating expressions.
+ PR59844. [Eric Covener]
+
+ *) mod_http2: new H2CopyFiles directive that changes treatment of file
+ handles in responses. Necessary in order to fix broken lifetime handling
+ in modules such as mod_wsgi.
+
+ *) mod_http2: removing timeouts on master connection while requests are
+ being processed. Requests may timeout, but the master only times out when
+ no more requests are active. [Stefan Eissing]
+
+ *) mod_http2: fixes connection flush when answering SETTINGS without any
+ stream open. [Moto Ishizawa <@summerwind>, Stefan Eissing]
+
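Review bot: Two configuration names are misspelled in the added changelog text above, so searching the file for the real name will miss these entries. The 2.4.26 mod_proxy_http2 entry says "ProxyPreserverHost" where the directive is ProxyPreserveHost, and the 2.4.24 mod_ssl entry says "OptRenegotiaton" where the SSLOptions value is OptRenegotiate. The 2.4.24 mod_http2 rewrite entry also reads "at given point int time". If this file is meant to be a verbatim copy of the upstream changelog, keep the lines as they are and report the spellings upstream rather than correcting them in this import.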
+Changes with Apache 2.4.23
+
+ *) mod_ssl: reset client-verify state of ssl when aborting renegotiations.
+ [Erki Aring <erki@example.ee>, Stefan Eissing]
+
+ *) mod_sed: Fix 'x' command processing. [Christophe Jaillet]
+
+ *) configure: Fix ./configure edge-case failures around dependencies
+ of mod_proxy_hcheck. [William Rowe, Ruediger Pluem, Jeff Trawick]
+
+Changes with Apache 2.4.22
+
+ *) mod_http2: fix for request abort when connections drops, introduced in
+ 1.5.8
+
+Changes with Apache 2.4.21
+
+ *) core: Added support for HTTP code 451. PR 58985.
+ [Yehuda Katz <yehuda ymkatz.net>, Jim Jagielski]
+
+ *) ab: Use caseless matching for HTTP tokens (e.g. content-length). PR 59111.
+ [Yann Ylavic]
+
+ *) mod_http2: more rigid error handling in DATA frame assembly, leading
+ to deterministic connection errors if assembly fails.
+ [Stefan Eissing, Pal Nilsen <https://github.com/maedox>]
+
+ *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
+ failures under Visual Studio 2015 and other mismatched MSVCRT flavors.
+ PR59630 [Jan Ehrhardt <phpdev ehrhardt.nl>]
+
+ *) mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
+ to opt-in previous behaviour (2.2) with CRLs verification when checking
+ certificate(s) with no corresponding CRL. [Yann Ylavic]
+
+ *) mpm_event, mpm_worker: Fix computation of MinSpareThreads' lower bound
+ according the number of listeners buckets. [Yann Ylavic]
+
+ *) Add ap_cstr_casecmp[n]() - placeholder of apr_cstr_casecmp[n] functions
+ for case-insensitive C/POSIX-locale token comparison.
+ [Jim Jagielski, William Rowe, Yann Ylavic, Branko Čibej]
+
+ *) mod_userdir: Constify and save a few bytes in the conf pool when
+ parsing the "UserDir" directive. [Christophe Jaillet]
+
+ *) mod_cache: Fix (max-stale with no '=') and enforce (check
+ integers after '=') Cache-Control header parsing.
+ [Christophe Jaillet]
+
+ *) core: Add -DDUMP_INCLUDES configtest option to show the tree
+ of Included configuration files.
+ [Jacob Champion <champion.pxi gmail.com>]
+
+ *) mod_proxy_fcgi: Avoid passing a filename of proxy:fcgi:// as
+ SCRIPT_FILENAME to a FastCGI server. PR59618.
+ [Jacob Champion <champion.pxi gmail.com>]
+
+ *) mod_dav: Add dav_get_provider_name() function to obtain the name
+ of the provider from mod_dav.
+ [Jari Urpalainen <jari.urpalainen nokia.com>]
+
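Review bot: The 2.4.21 entry "mod_dav: Add dav_get_provider_name() function to obtain the name of the provider from mod_dav." repeats word for word an entry already listed in the section above 2.4.23, but credits it to [Jari Urpalainen <jari.urpalainen nokia.com>] where the earlier copy credits [Graham Leggett]. In that earlier section Jari Urpalainen is credited with the adjacent "Add support for childtags to dav_error" entry, so this reads like the text of one entry merged with the attribution of the other. Suggest confirming which release added dav_get_provider_name(), keeping a single entry with the matching credit, and restoring the childtags text here if that was the intended 2.4.21 item. The 2.4.21 section also carries a "mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy urls" announcement that appears again under 2.4.19; it is worth checking which release it belongs to so readers auditing when a module first shipped get one answer.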
+ *) mod_proxy_http2: properly care for HTTP2 flow control of the frontend
+ connection is HTTP/1.1. [Patch supplied by Evgeny Kotkov]
+
+ *) mod_http2: improved cleanup of connection/streams/tasks to always
+ have deterministic order regardless of event initiating it. Addresses
+ reported crashes due to memory read after free issues.
+ [Stefan Eissing]
+
+ *) mod_ssl: Correct the interaction between SSLProxyCheckPeerCN and newer
+ SSLProxyCheckPeerName directives since release 2.4.5, such that disabling
+ either disables both, and that enabling either triggers the new, more
+ comprehensive SSLProxyCheckPeerName behavior. Only a single configuration
+ remains to enable the legacy behavior, which is to explicitly disable
+ SSLProxyCheckPeerName, and enable SSLProxyCheckPeerCN. [William Rowe]
+
+ *) mod_include: add the <!--#comment ...> syntax in order to include comments
+ in a SSI file. [Christophe Jaillet based on a suggestion from Rob]
+
+ *) mod_http2: improved event handling for suspended streams, responses
+ and window updates. [Stefan Eissing]
+
+ *) mod_proxy_hcheck: Provide for dynamic background health
+ checks on reverse proxies associated with BalancerMember
+ workers. [Jim Jagielski]
+
+ *) mod_http2: Fix async write issue that led to selection of wrong timeout
+ vs. keepalive timeout selection for idle sessions. [Stefan Eissing]
+
+ *) mod_http2: checking LimitRequestLine, LimitRequestFields and
+ LimitRequestFieldSize configurated values for incoming streams. Returning
+ HTTP status 431 for too long/many headers fields and 414 for a too long
+ pseudo header. [Stefan Eissing]
+
+ *) mod_http2: tracking conn_rec->current_thread on slave connections, so
+ that mod_lua finds the correct one. Fixes PR 59542. [Stefan Eissing]
+
+ *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
+ urls. Part of the httpd mod_proxy framework, common settings apply.
+ Requests from the same HTTP/2 frontend connection against the same backend
+ are aggregated on a single connection.
+ [Stefan Eissing]
+
+ *) mod_http2: slave connections have conn_rec->aborted flag set when a stream
+ has been reset by the client. [Stefan Eissing]
+
+ *) mod_http2: merge of some 2.4.x adaptions re filters on slave connections.
+ Small fixes in bucket beams when forwarding file buckets. Output handling
+ on master connection uses less FLUSH and passes automatically when more
+ than half of H2StreamMaxMemSize bytes have accumulated.
+ Workaround for http: when forwarding partial file buckets to keep the
+ output filter from closing these too early. [Stefan Eissing]
+
+ *) mod_http2: elimination of fixed master connection buffer for TLS
+ connections. New scratch bucket handling optimized for TLS write sizes.
+ File bucket data read directly into scratch buffers, avoiding one
+ copy. Non-TLS connections continue to pass buckets unchanged to the core
+ filters to allow sendfile() usage. [Stefan Eissing]
+
+ *) mod_http2/mod_proxy_http2: h2_request.c is no longer shared between these
+ modules. This simplifies building on platforms such as Windows, as module
+ reference used in logging is now clear. [Stefan Eissing]
+
+ *) Scoreboard: Fix a regression in 2.4.20 that causes wrong request data
+ to be displayed on the status page. PR 59333. [Yann Ylavic, William Rowe]
+
+ *) mod_http2: fixed a bug that caused mod_proxy_http2 to be called for window
+ updates on requests it had already reported done. Added synchronization
+ on early connection/stream close that lets ongoing requests safely drain
+ their input filters.
+ [Stefan Eissing]
+
+ *) mod_http2: scoreboard updates that summarize the h2 session (and replace
+ the last request information) will only happen when the session is idle or
+ in shutdown/done phase. [Stefan Eissing]
+
+ *) mod_http2: new "bucket beam" technology to transport buckets across
+ threads without buffer copy. Delaying response start until flush or
+ enough body data has been accumulated. Overall significantly smaller
+ memory footprint. [Stefan Eissing]
+
+ *) core: New CGIVar directive can configure REQUEST_URI to represent the
+ current URI being processed instead of always the original request.
+ [Jeff Trawick]
+
+ *) scoreboard/status: Restore behavior of showing workers' previous Client,
+ VHost and Request values when idle, like in 2.4.18 and earlier.
+
+ *) mod_http2: r->protocol changed to "HTTP/2.0" (was "HTTP/2") as this will
+ give expected syntax in CGI's SERVER_PROTOCOL is more compatible with
+ existing major/minor handling. Fixes PR 59313.
+
+ *) mod_http2: disabling mmap for file buckets transport due to segmenation
+ faults when files change on the fly.
+
+Changes with Apache 2.4.20
+
+ *) SECURITY: CVE-2016-1546 (cve.mitre.org)
+ mod_http2: restricting number of concurrent stream workers per connection
+ if client is slow.
+
+ *) core: Do not read .htaccess if AllowOverride and AllowOverrideList
+ are "None". PR 58528.
+ [Michael Schlenker <msc contact.de, Ruediger Pluem, Daniel Ruggeri]
+
+ *) mod_proxy_express: Fix possible use of DB handle after close. PR 59230.
+ [Petr <pgajdos suse.cz>]
+
+ *) core/util_script: relax alphanumeric filter of environment variable names
+ on Windows to allow '(' and ')' for passing PROGRAMFILES(X86) et.al.
+ unadulterated in 64 bit versions of Windows. PR 46751.
+ [John <john leineweb de>]
+
+ *) mod_http2: incrementing keepalives on each request started so that logging
+ %k gives increasing numbers per master http2 connection.
+ New documented variables in env, usable in custom log formats: H2_PUSH,
+ H2_PUSHED, H2_PUSHED_ON, H2_STREAM_ID and H2_STREAM_TAG.
+ [Stefan Eissing]
+
+ *) mod_http2: more efficient passing of response bodies with less contention
+ and file bucket forwarding. [Stefan Eissing]
+
+ *) mod_http2: fix for missing score board updates on request count, fix for
+ memory leak on slave connection reuse. [Stefan Eissing]
+
+ *) mod_http2: Fix build on Windows from dsp files.
+ [Stefan Eissing]
+
+Changes with Apache 2.4.19
+
+ *) mod_ssl: Add missing Upgrade/Connection headers in case of TRACE or
+ OPTIONS * requests. PR 58688. [William Rowe]
+
+ *) mod_include: Add variable DOCUMENT_ARGS, with the arguments to the
+ request for the SSI document. [Jeff Trawick]
+
+ *) mod_authz_host: Add a new "forward-dns" authorization type, not relying on
+ reverse DNS lookups. [Fabien]
+
+ *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
+ urls. Uses backend connections for concurrent requests if frontend
+ connection is http2 as well.
+ [Stefan Eissing]
+
+ *) mod_ssl: Add hooks to allow other modules to perform processing at
+ several stages of initialization and connection handling. See
+ mod_ssl_openssl.h. [Jeff Trawick]
+
+ *) mod_http2: disabling PUSH when client sends GOAWAY. Slave connections are
+ reused for several requests, improved performance and better memory use.
+ [Stefan Eissing]
+
+ *) mod_rewrite: Don't implicitly URL-escape the original query string
+ when no substitution has changed it (like PR50447 but server context)
+ [Evgeny Kotkov <evgeny.kotkov visualsvn.com>]
+
+ *) mod_http2: fixes problem with wrong lifetime of file buckets on main
+ connection. [Stefan Eissing]
+
+ *) mod_http2: fixes incorrect denial of requests without :authority header.
+ [Stefan Eissing]
+
+ *) mod_reqtimeout: Prevent long response times from triggering a timeout once
+ the request has been fully read. PR 59045. [Yann Ylavic]
+
+ *) ap_expr: expression support for variable HTTP2=on|off. [Stefan Eissing]
+
+ *) mod_http2: give control to async mpm for keepalive timeouts only when
+ no streams are open and even if only after 1 sec delay. Under load, event
+ mpm discards connections otherwise too quickly. [Stefan Eissing]
+
+ *) mod_ssl: Don't lose track of the SSL context if an unlikely failure occurs
+ in ssl_init_ssl_connection(). [Graham Leggett]
+
+ *) mod_rewrite: Add QSL|qslast flag to allow rewrites to files with
+ literal question marks in their names. PR 58777. [Eric Covener]
+
+ *) event: use pre_connection hook to properly initialize connection state for
+ slave connections. use protocol_switch hook to initialize server config
+ early based on SNI selected vhost.
+ [Stefan Eissing]
+
+ *) hostname: Test and log useragent_host per-request across various modules,
+ including the scoreboard, expression and rewrite engines, setenvif,
+ authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.
+ PR55348 [William Rowe]
+
+ *) core: Track the useragent_host per-request when mod_remoteip or similar
+ modules track a per-request useragent_ip. Modules should be updated
+ to inquire for ap_get_useragent_host() in place of ap_get_remote_host().
+ [William Rowe]
+
+ *) core: fix a bug in <UnDefine ...> directive processing. When used, the last
+ <Define...>'ed variable was also withdrawn. PR 59019
+ [Christophe Jaillet]
+
+ *) mod_http2: Accept-Encoding is, when present on the initiating request,
+ added to push promises. This lets compressed content work in pushes.
+ by the client. [Stefan Eissing]
+
+ *) mod_http2: fixed possible read after free when streams were cancelled early
+ by the client. [Stefan Eissing]
+
+ *) mod_http2: fixed possible deadlock during connection shutdown. Thanks to
+ @FrankStolle for reporting and getting the necessary data.
+ [Stefan Eissing]
+
+ *) mod_http2: fixed apr_uint64_t formatting in a log statement to user proper
+ APR def, thanks to @Sp1l.
+
+ *) mod_http2: number of worker threads allowed to a connection is adjusting
+ dynamically. Starting with 4, the number is doubled when streams can be
+ served without block on http/2 connection flow. The number is halfed, when
+ the server has to wait on client flow control grants.
+ This can happen with a maximum frequency of 5 times per second.
+ When a connection occupies too many workers, repeatable requests
+ (GET/HEAD/OPTIONS) are cancelled and placed back in the queue. Should that
+ not suffice and a stream is busy longer than the server timeout, the
+ connection will be aborted with error code ENHANCE_YOUR_CALM.
+ This does *not* limit the number of streams a client may open, rather the
+ number of server threads a connection might use.
+ [Stefan Eissing]
+
+ *) mod_http2: allowing link header to specify multiple "rel" values,
+ space-separated inside a quoted string. Prohibiting push when Link
+ parameter "nopush" is present.
+ [Stefan Eissing]
+
+ *) mod_http2: reworked connection state handling. Idle connections accept a
+ GOAWAY from the client without further reply. Otherwise the
+ module makes a best effort to send one last GOAWAY to the client.
+
+ *) mod_http2: the values from standard directives Timeout and KeepAliveTimeout
+ properly are applied to http/2 connections.
+ [Stefan Eissing]
+
+ *) mod_http2: idle connections are returned to async mpms. new hook
+ "pre_close_connection" used to send GOAWAY frame when not already done.
+ Setting event mpm server config "by hand" for the main connection to
+ the correct negotiated server.
+ [Stefan Eissing]
+
+ *) mod_http2: keep-alive blocking reads are done with 1 second timeouts to
+ check for MPM stopping. Will announce early GOAWAY and finish processing
+ open streams, then close.
+ [Stefan Eissing]
+
+ *) mod_http2: bytes read/written on slave connections are reported via the
+ optional mod_logio functions. Fixes PR 58871.
+
+ *) prefork: Initialize the POD when running in ONE_PROCESS (or -X) mode to
+ avoid a crash. [Jan Kaluza, Yann Ylavic]
+
+ *) mod_ssl: When SSLVerify is disabled (NONE), don't force a renegotiation if
+ the SSLVerifyDepth applied with the default/handshaken vhost differs from
+ the one applicable with the finally selected vhost. [Yann Ylavic]
+
+ *) core: Ensure that httpd exits with an error status when the MPM fails
+ to run. [Yann Ylavic]
+
+ *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
+ [Jan Kaluza, Yann Ylavic]
+
+ *) mod_ssl: Add SSLOCSPProxyURL to add the possibility to do all queries
+ to OCSP responders through a HTTP proxy. [Ruediger Pluem]
+
+ *) mod_proxy: Play/restore the TLS-SNI on new backend connections which
+ had to be issued because the remote closed the previous/reusable one
+ during idle (keep-alive) time. [Yann Ylavic]
+
+ *) mod_cache_socache: Fix a possible cached entity body corruption when it
+ is received from an origin server in multiple batches and forwarded by
+ mod_proxy. [Yann Ylavic]
+
+ *) core: Add expression support to SetHandler.
+ [Eric Covener]
+
+ *) mod_remoteip: Prevent an external proxy from presenting an internal
+ proxy. PR 55962. [Mike Rumph]
+
+ *) core: Prevent a server crash in case of an invalid CONNECT request with
+ a custom error page for status code 400 that uses server side includes.
+ PR 58929 [Ruediger Pluem]
+
+ *) mod_ssl: handle TIMEOUT on empty SSL input as non-fatal, returning
+ APR_TIMEUP and preserving connection state for later retry.
+ [Stefan Eissing]
+
+ *) mod_ssl: Save some TLS record (application data) fragmentations by
+ including the last and subsequent suitable buckets when coalescing.
+ [Yann Ylavic]
+
+ *) mod_proxy_fcgi: Suppress HTTP error 503 and message 01075,
+ "Error dispatching request", when the cause appears to be
+ due to the client closing the connection.
+ PR58118. [Tobias Adolph <adolph lrz.de>]
+
+ *) mod_cgid: Message AH02550, failure to flush a response to the client,
+ is now logged at TRACE1 level to match the underlying core output filter
+ severity. [Eric Covener]
+
+ *) mime.types: add common extension "m4a" for MPEG 4 Audio.
+ PR 57895 [Dylan Millikin <dylan.millikin gmail.com>]
+
+ *) Added many log numbers to log statements that had none.
+ [Rainer Jung]
+
+ *) mod_log_config: Add GlobalLog to allow a globally defined log to
+ be inherited by virtual hosts that define a CustomLog.
+ [Edward Lu]
+
+ *) mod_http2: connections how keep a "push diary" where hashes of already
+ pushed resources are kept. See directive H2PushDiarySize for managing this.
+ Push diaries can be initialized by clients via the "Cache-Digest" request
+ header. This carries a base64url encoded. compressed Golomb set as described
+ in https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/
+ Introduced a status handler for HTTP/2 connections, giving various counters
+ and statistics about the current connection, plus its cache digest value
+ in a JSON record. Not a replacement for more HTTP/2 in the server status.
+ Configured as
+ <Location "/http2-status">
+ SetHandler http2-status
+ </Location>
+ [Stefan Eissing]
+
+ *) mod_http2: Fixed flushing of last GOAWAY frame. Previously, that frame
+ did not always reach the client, causing some to fail the next request.
+ Fixed calculation of last stream id accepted as described in rfc7540.
+ Reading in KEEPALIVE state now correctly shown in scoreboard.
+ Fixed possible race in connection shutdown after review by Ylavic.
+ Fixed segfault on connection shutdown, callback ran into a semi dismantled session.
+ [Stefan Eissing]
+
+ *) mod_http2: Added support for experimental accept-push-policy draft
+ (https://tools.ietf.org/html/draft-ruellan-http-accept-push-policy-00). Clients
+ may now influence server pushes by sending accept-push-policy headers.
+ [Stefan Eissing]
+
+ *) mod_http2: new r->subprocess_env variables HTTP2 and H2PUSH, set to "on"
+ when available for request.
+ [Stefan Eissing]
+
+ *) mod_http2: fixed bug in input window size calculation by moving chunked
+ request body encoding into later stage of processing. Fixes PR 58825.
+ [Stefan Eissing]
+
+ *) core: new hook "pre_close_connection" which is run before the lingering
+ close of connections is started. This gives protocol handlers one last
+ chance to use a connection before it goes down.
+ [Stefan Eissing]
+
+ *) mod_status/scoreboard: showing connection protocol in new column, new
+ ap_update_child_status methods for updating server/description. mod_ssl
+ sets vhost negotiated by servername directly.
+ [Stefan Eissing]
+
+Changes with Apache 2.4.18
+
+ *) mod_ssl: for all ssl_engine_vars.c lookups, fall back to master connection
+ if conn_rec itself holds no valid SSLConnRec*. Fixes PR58666.
+ [Stefan Eissing]
+
+ *) mod_http2: connection level window for flow control is set to protocol
+ maximum of 2GB-1, preventing window exhaustion when sending data on many
+ streams with higher cumulative window size.
+ Reducing write frequency unless push promises need to be flushed.
+ [Stefan Eissing]
+
+ *) mod_http2: required minimum version of libnghttp2 is 1.2.1
+ [Stefan Eissing]
+
+ *) mod_proxy_fdpass: Fix AH01153 error when using the default configuration.
+ In earlier version of httpd, you can explicitly set the 'flusher' parameter
+ to 'flush' as a workaround. (i.e. flusher=flush)
+ Add documentation for the 'flusher' parameter when defining a proxy worker.
+ [Christophe Jaillet]
+
+ *) mod_ssl: For the "SSLStaplingReturnResponderErrors off" case, make sure
+ to only staple responses with certificate status "good". [Kaspar Brand]
+
+ *) mod_http2: new directive 'H2PushPriority' to allow priority specifications
+ on server pushed streams according to their content-type.
+ [Stefan Eissing]
+
+ *) mod_http2: fixes crash on connection abort for a busy connection.
+ fixes crash on a request that did not produce any response.
+ [Stefan Eissing]
+
+ *) mod_http2: trailers are sent after response body if set in request_rec
+ trailers_out before the end-of-request bucket is sent through the
+ output filters. [Stefan Eissing]
+
+ *) mod_http2: incoming trailers (headers after request body) are properly
+ forwarded to the processing engine. [Stefan Eissing]
+
+ *) mod_http2: new directive 'H2Push' to en-/disable HTTP/2 server
+ pushes a server/virtual host. Pushes are initiated by the presence
+ of 'Link:' headers with relation 'preload' on a response. [Stefan Eissing]
+
+ *) mod_http2: write performance of http2 improved for larger resources,
+ especially static files. [Stefan Eissing]
+
+ *) core: if the first HTTP/1.1 request on a connection goes to a server that
+ prefers different protocols, these protocols are announced in a Upgrade:
+ header on the response, mentioning the preferred protocols.
+ [Stefan Eissing]
+
+ *) mod_http2: new directives 'H2TLSWarmUpSize' and 'H2TLSCoolDownSecs'
+ to control TLS record sizes during connection lifetime.
+ [Stefan Eissing]
+
+ *) mod_http2: new directive 'H2ModernTLSOnly' to enforce security
+ requirements of RFC 7540 on TLS connections. [Stefan Eissing]
+
+ *) core: add ap_get_protocol_upgrades() to retrieve the list of protocols
+ that a client could possibly upgrade to. Use in first request on a
+ connection to announce protocol choices. [Stefan Eissing]
+
+ *) mod_http2: reworked deallocation on connection shutdown and worker
+ abort. Separate parent pool for all workers. worker threads are joined
+ on planned worker shutdown. [Yann Ylavic, Stefan Eissing]
+
+ *) mod_ssl: when receiving requests for other virtual hosts than the handshake
+ server, the SSL parameters are checked for equality. With equal
+ configuration, requests are passed for processing. Any change will trigger
+ the old behaviour of "421 Misdirected Request".
+ SSL now remembers the cipher suite that was used for the last handshake.
+ This is compared against for any vhost/directory cipher specification.
+ Detailed examination of renegotiation is only done when these do not
+ match.
+ Renegotiation is 403ed when a master connection is present. Exact reason
+ is given additionally in a request note. [Stefan Eissing]
+
+ *) mod_ssl: Make the output filter more friendly with deferred write and
+ response pipelining. [Yann Ylavic, Joe Orton]
+
+ *) core: Fix scoreboard crash (SIGBUS) on hardware requiring strict 64bit
+ alignment (SPARC64, PPC64). [Yann Ylavic]
+
+ *) mod_cache: Accept HT (Horizontal Tab) when parsing cache related header
+ fields as described in RFC7230. [Christophe Jaillet]
+
+ *) core/util_script: making REDIRECT_URL a full URL is now opt-in
+ via new 'QualifyRedirectURL' directive.
+
+ *) core: Limit to ten the number of tolerated empty lines between request,
+ and consume them before the pipelining check to avoid possible response
+ delay when reading the next request without flushing. [Yann Ylavic]
+
+ *) mod_ssl: Extend expression parser registration to support ssl variables
+ in any expression using mod_rewrite syntax "%{SSL:VARNAME}" or function
+ syntax "ssl(VARNAME)". [Rainer Jung]
+
+Changes with Apache 2.4.17
+
+ *) mod_http2: added donated HTTP/2 implementation via core module. Similar
+ configuration options to mod_ssl. [Stefan Eissing]
+
+ *) mod_proxy: don't recycle backend announced "Connection: close" connections
+ to avoid reusing it should the close be effective after some new request
+ is ready to be sent. [Yann Ylavic]
+
+ *) mod_substitute: Allow to configure the patterns merge order with the new
+ SubstituteInheritBefore on|off directive. PR 57641
+ [Marc.Stern <Marc.Stern approach.be>, Yann Ylavic, William Rowe]
+
+ *) mod_proxy: Fix ProxySourceAddress binding failure with AH00938.
+ PR 56687. [Arne de Bruijn <apache arbruijn.dds.nl>
+
+ *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3,
+ and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
+ in accordance with RFC 7568. PR 58349, PR 57120. [Kaspar Brand]
+
+ *) mod_ssl: append :!aNULL:!eNULL:!EXP to the cipher string settings,
+ instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
+ and later). Enables support for configuring the SUITEB* cipher
+ strings introduced in OpenSSL 1.0.2. PR 58213. [Kaspar Brand]
+
+ *) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
+ of subjectAltName entries of type "otherName" into
+ SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
+ variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,
+ Kaspar Brand]
+
+ *) mod_logio: Fix logging of %^FB (time to first byte) on the first request on
+ an SSL connection. PR 58454.
+ [Konstantin J. Chernov <k.j.chernov gmail.com>]
+
+ *) mod_cache: r->err_headers_out is not merged into
+ r->headers when mod_cache is enabled and the response
+ is cached for the first time. [Edward Lu]
+
+ *) mod_slotmem_shm: Fix slots/SHM files names on restart for systems that
+ can't create new (clear) slots while previous children gracefully stopping
+ still use the old ones (e.g. Windows, OS2). mod_proxy_balancer failed to
+ restart whenever the number of configured balancers/members changed during
+ restart. PR 58024. [Yann Ylavic]
+
+ *) core/util_script: make REDIRECT_URL a full URL. PR 57785. [Nick Kew]
+
+ *) MPMs: Support SO_REUSEPORT to create multiple duplicated listener
+ records for scalability. [Yingqi Lu <yingqi.lu@intel.com>,
+ Jeff Trawick, Jim Jagielski, Yann Ylavic]
+
+ *) mod_alias: Introduce expression parser support for Alias, ScriptAlias
+ and Redirect. Limit Redirect expressions to directory (Location) context
+ and redirect statuses (implicit or explicit).
+ [Graham Leggett, Yann Ylavic, Ruediger Pluem]
+
+ *) mod_proxy: Fix a race condition that caused a failed worker to be retried
+ before the retry period is over. [Ruediger Pluem]
+
+ *) mod_autoindex: Allow autoindexes when neither mod_dir nor mod_mime are
+ loaded. [Eric Covener]
+
+ *) mod_rewrite: Allow cookies set by mod_rewrite to contain ':' by accepting
+ ';' as an alternate separator. PR47241.
+ [<bugzilla schermesser com>, Eric Covener]
+
+ *) apxs: Add HTTPD_VERSION and HTTPD_MMN to the variables available with
+ apxs -q. PR58202. [Daniel Shahaf <danielsh apache.org>]
+
+ *) mod_rewrite: Avoid a crash when lacking correct DB access permissions
+ when using RewriteMap with MapType dbd or fastdbd. [Christophe Jaillet]
+
+ *) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions.
+ PR 57868. [Jose Kahan <jose w3.org>, Yann Ylavic]
+
+ *) mod_socache_memcache: Add the 'MemcacheConnTTL' directive to control how
+ long to keep idle connections with the memcache server(s).
+ Change default value from 600 usec (!) to 15 sec. PR 58091
+ [Christophe Jaillet]
+
+ *) mod_dir: Prevent the internal identifier "httpd/unix-directory" from
+ appearing as a Content-Type response header when requests for a directory
+ are rewritten by mod_rewrite. [Eric Covener]
+
+Changes with Apache 2.4.16
+
+ *) http: Fix LimitRequestBody checks when there is no more bytes to read.
+ [Michael Kaufmann <mail michael-kaufmann.ch>]
+
+ *) mod_alias: Revert expression parser support for Alias, ScriptAlias
+ and Redirect due to a regression (introduced in 2.4.13, not released).
+
+ *) mod_reqtimeout: Don't let pipelining checks and keep-alive times interfere
+ with the timeouts computed for subsequent requests. PR 56729.
+ [Eric Covener, Yann Ylavic]
+
+ *) core: Avoid a possible truncation of the faulty header included in the
+ HTML response when LimitRequestFieldSize is reached. [Yann Ylavic]
+
+ *) mod_ldap: In some case, LDAP_NO_SUCH_ATTRIBUTE could be returned instead
+ of an error during a compare operation. [Eric Covener]
+
+Changes with Apache 2.4.15 (not released)
+
+ *) mod_ext_filter, mod_charset_lite: Avoid inadvertent filtering of protocol
+ data during read of chunked request bodies. PR 58049.
+ [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_ldap: Stop leaking LDAP connections when 'LDAPConnectionPoolTTL 0'
+ is configured. PR 58037. [Ted Phelps <phelps gnusto.com>]
+
+ *) core: Allow spaces after chunk-size for compatibility with implementations
+ using a pre-filled buffer. [Yann Ylavic, Jeff Trawick]
+
+ *) mod_ssl: Remove deprecated SSLCertificateChainFile warning.
+ [Yann Ylavic]
+
+Changes with Apache 2.4.14 (not released)
+
+ *) SECURITY: CVE-2015-3183 (cve.mitre.org)
+ core: Fix chunk header parsing defect.
+ Remove apr_brigade_flatten(), buffering and duplicated code from
+ the HTTP_IN filter, parse chunks in a single pass with zero copy.
+ Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
+ authorized characters. [Graham Leggett, Yann Ylavic]
+
+ *) SECURITY: CVE-2015-3185 (cve.mitre.org)
+ Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
+ with new ap_some_authn_required and ap_force_authn hook. [Ben Reser]
+
+Changes with Apache 2.4.13 (not released)
+
+ *) SECURITY: CVE-2015-0253 (cve.mitre.org)
+ core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
+ with the INCLUDES filter active, introduced in 2.4.11. PR 57531.
+ [Yann Ylavic]
+
+ *) SECURITY: CVE-2015-0228 (cve.mitre.org)
+ mod_lua: A maliciously crafted websockets PING after a script
+ calls r:wsupgrade() can cause a child process crash.
+ [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_proxy: Don't put the worker in error state for 500 or 503 errors
+ returned by the backend unless failonstatus is configured to. PR 56925.
+ [Yann Ylavic]
+
+ *) core: Don't lowercase the argument to SetHandler if it begins with
+ "proxy:unix". PR 57968. [Eric Covener]
+
+ *) mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
+ the OCSP response for a different certificate. mod_ssl has an additional
+ global mutex, "ssl-stapling-refresh". PR 57131 (partial fix).
+ [Jeff Trawick]
+
+ *) mod_authz_dbm: Fix crashes when "dbm-file-group" is used and
+ authz modules were loaded in the "wrong" order. [Joe Orton]
+
+ *) mod_authn_dbd, mod_authz_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
+ of DB lookup entries independently of the selected DB engine. PR 46421.
+ [Steven whitson <steven.whitson gmail com>, Jan Kaluza, Yann Ylavic].
+
+ *) In alignment with RFC 7525, the default recommended SSLCipherSuite
+ and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
+ default recommended SSLProtocol and SSLProxyProtocol directives now
+ exclude SSLv3. Existing configurations must be adjusted by the
+ administrator. [William Rowe]
+
+ *) mod_ssl: Add support for extracting subjectAltName entries of type
+ rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
+ environment variables. Also addresses PR 57207. [Kaspar Brand]
+
+ *) dav_validate_request: avoid validating locks and ETags when there are
+ no If headers providing them on a resource we aren't modifying.
+ [Ben Reser]
+
+ *) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
+ response header to be used by the application, for when the application
+ or framework is unable to return Location in the internal-redirect
+ form. [Jeff Trawick]
+
+ *) core: Cleanup the request soon/even if some output filter fails to
+ handle the EOR bucket. [Yann Ylavic]
+
+ *) mpm_event: Allow for timer events duplicates. [Jim Jagielski, Yann Ylavic]
+
+ *) mod_proxy, mod_ssl, mod_cache_socache, mod_socache_*: Support machine
+ readable server-status produced when using the "?auto" query string.
+ [Rainer Jung]
+
+ *) mod_status: Add more data to machine readable server-status produced
+ when using the "?auto" query string. [Rainer Jung]
+
+ *) mod_ssl: Check for the Entropy Gathering Daemon (EGD) availability at
+ configure time (RAND_egd), and complain if SSLRandomSeed requires using
+ it otherwise. [Bernard Spil <pil.oss gmail com>, Stefan Sperling,
+ Kaspar Brand]
+
+ *) mod_ssl: make sure to consistently output SSLCertificateChainFile
+ deprecation warnings, when encountered in a VirtualHost block.
+ [Falco Schwarz <hiding falco.me>]
+
+ *) mod_log_config: Add "%{UNIT}T" format to output request duration in
+ seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
+ [Ben Reser, Rainer Jung]
+
+ *) Allow FallbackResource to work when a directory is requested and
+ there is no autoindex nor DirectoryIndex.
+ [Jack <tjerk.meesters gmail.com>, Eric Covener]
+
+ *) mod_proxy_wstunnel: Bypass the handler while the connection is not
+ upgraded to WebSocket, so that other modules can possibly take over
+ the leading HTTP requests. [Yann Ylavic]
+
+ *) mod_http: Fix incorrect If-Match handling. PR 57358
+ [Kunihiko Sakamoto <ksakamoto google.com>]
+
+ *) mod_ssl: Add a warning if protocol given in SSLProtocol or SSLProxyProtocol
+ will override other parameters given in the same directive. This could be
+ a missing + or - prefix. PR 52820 [Christophe Jaillet]
+
+ *) core, modules: Avoid error response/document handling by the core if some
+ handler or input filter already did it while reading the request (causing
+ a double response body). [Yann Ylavic]
+
+ *) mod_proxy_ajp: Fix client connection errors handling and logged status
+ when it occurs. PR 56823. [Yann Ylavic]
+
+ *) mod_proxy: Use the correct server name for SNI in case the backend
+ SSL connection itself is established via a proxy server.
+ PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
+
+ *) mod_ssl: Fix possible crash when loading server certificate constraints.
+ PR 57694. [Paul Spangler <paul.spangler ni com>, Yann Ylavic]
+
+ *) build: Don't load both mod_cgi and mod_cgid in the default configuration
+ if they're both built. [olli hauer <ohauer gmx.de>]
+
+ *) mod_logio: Add LogIOTrackTTFB and %^FB logformat to log the time
+ taken to start writing response headers. [Eric Covener]
+
+ *) mod_ssl: Avoid compilation errors with LibreSSL related to
+ the use of ENGINE_CTRL_CHIL_SET_FORKCHECK.
+ [Stuart Henderson <sthen openbsd.org>]
+
+ *) mod_proxy_http: Use the "Connection: close" header for requests to
+ backends not recycling connections (disablereuse), including the default
+ reverse and forward proxies. [Yann Ylavic]
+
+ *) mod_proxy: Add ap_connection_reusable() for checking if a connection
+ is reusable as of this point in processing. [Jeff Trawick]
+
+ *) mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad
+ Gateway) when no response is ever received from the backend.
+ [Jan Kaluza]
+
+ *) core_filters: Restore/disable TCP_NOPUSH option after non-blocking
+ sendfile. PR 53253. [Yann Ylavic]
+
+ *) mod_buffer: Forward flushed input data immediately and avoid (unlikely)
+ access to freed memory. [Yann Ylavic, Christophe Jaillet]
+
+ *) core: Add CGIPassAuth directive to control whether HTTP authorization
+ headers are passed to scripts as CGI variables. PR 56855. [Jeff
+ Trawick]
+
+ *) core: Initialize scoreboard's used optional functions on graceful restarts
+ to avoid a crash when relocation occurs. PR 57177. [Yann Ylavic]
+
+ *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
+ back to a client. The answer to a LOCK request could be an extremely large
+ integer if the time needed to lock the resource was longer that the
+ requested timeout given in the LOCK request. In such a case, we now answer
+ "Second-0". PR55420
+ [Christophe Jaillet]
+
+ *) mod_cgid: Within the first minute of a server start or restart,
+ allow mod_cgid to retry connecting to its daemon process. Previously,
+ 'No such file or directory: unable to connect to cgi daemon...' could
+ be logged without an actual retry. PR57685.
+ [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_proxy: Use the original (non absolute) form of the request-line's URI
+ for requests embedded in CONNECT payloads used to connect SSL backends via
+ a ProxyRemote forward-proxy. PR 55892. [Hendrik Harms <hendrik.harms
+ gmail com>, William Rowe, Yann Ylavic]
+
+ *) http: Make ap_die() robust against any HTTP error code and not modify
+ response status (finally logged) when nothing is to be done. PR 56035.
+ [Yann Ylavic]
+
+ *) mod_proxy_connect/wstunnel: If both client and backend sides get readable
+ at the same time, don't lose errors occurring while forwarding on the first
+ side when none occurs next on the other side, and abort. [Yann Ylavic]
+
+ *) mod_rewrite: Improve relative substitutions in per-directory/htaccess
+ context for directories found by mod_userdir and mod_alias. These no
+ longer require RewriteBase to be specified. [Eric Covener]
+
+ *) mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
+ finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
+ or force-proxy-request-1.0. [Yann Ylavic]
+
+ *) core: If explicitly configured, use the KeepaliveTimeout value of the
+ virtual host which handled the latest request on the connection, or by
+ default the one of the first virtual host bound to the same IP:port.
+ PR56226. [Yann Ylavic]
+
+ *) mod_lua: After a r:wsupgrade(), mod_lua was not properly
+ responding to a websockets PING but instead invoking the specified
+ script. PR57524. [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
+ a combination of certificate serialNumber and issuer as defined by
+ CertificateExactMatch in RFC4523. [Graham Leggett]
+
+ *) core: Add expression support to ErrorDocument. Switch from a fixed
+ sized 664 byte array per merge to a hash table. [Graham Leggett]
+
+ *) ab: Add missing longest request (100%) to CSV export.
+ [Marcin Fabrykowski <bugzilla fabrykowski.pl>]
+
+ *) mod_macro: Clear macros before initialization to avoid use-after-free
+ on startup or restart when the module is linked statically. PR 57525
+ [apache.org tech.futurequest.net, Yann Ylavic]
+
+ *) mod_alias: Introduce expression parser support for Alias, ScriptAlias
+ and Redirect. [Graham Leggett]
+
+ *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
+ PR 57100. [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
+ Yann Ylavic]
+
+ *) mpm_event: Avoid access to the scoreboard from the connection while
+ it is suspended (waiting for events). [Eric Covener, Jeff Trawick]
+
+ *) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
+ PR 57334. [Yann Ylavic].
+
+ *) mod_deflate: A misplaced check prevents limiting small bodies with the
+ new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]
+
+ *) mod_proxy_ajp: Forward SSL protocol name (SSLv3, TLSv1.1 etc.) as a
+ request attribute to the backend. Recent Tomcat versions will extract
+ it and provide it as a servlet request attribute named
+ "org.apache.tomcat.util.net.secure_protocol_version". [Rainer Jung]
+
+ *) core: Optimize string concatenation in expression parser when evaluating
+ a string expression. [Rainer Jung]
+
+ *) acinclude.m4: Generate #LoadModule directive in default httpd.conf for
+ every --enable-mpms-shared. PR 53882. [olli hauer <ohauer gmx.de>,
+ Yann Ylavic]
+
+ *) mod_authn_dbd: Fix the error message logged in case of error while querying
+ the database. This is associated to AH01656 and AH01661. [Christophe Jaillet]
+
+ *) mod_authz_groupfile: Reduce the severity of AH01667 from ERROR to DEBUG,
+ because it may be evaluated inside <RequireAny>. PR55523. [Eric Covener]
+
+ *) mod_ssl: Fix small memory leak during initialization when ECDH is used.
+ [Jan Kaluza]
+
+Changes with Apache 2.4.12
+
+ *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
+ internationalization. [William Rowe]
+
+ *) mpm_winnt: Normalize the error and status messages emitted by service.c,
+ the service control interface for Windows. [William Rowe]
+
+ *) configure: Fix --enable-v4-mapped configuration on *BSD. PR 53824.
+ [ olli hauer <ohauer gmx.de>, Yann Ylavic ]
+
+ *) Reverted <DirectoryMatch > behavior regression introduced in 2.4.11
+ (not released).
+
+Changes with Apache 2.4.11 (not released)
+
+ *) SECURITY: CVE-2014-3583 (cve.mitre.org)
+ mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with
+ response headers' size above 8K. [Yann Ylavic, Jeff Trawick]
+
+ *) SECURITY: CVE-2014-3581 (cve.mitre.org)
+ mod_cache: Avoid a crash when Content-Type has an empty value.
+ PR 56924. [Mark Montague <mark catseye.org>, Jan Kaluza]
+
+ *) SECURITY: CVE-2014-8109 (cve.mitre.org)
+ mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
+ used in multiple Require directives with different arguments.
+ PR57204 [Edward Lu <Chaosed0 gmail.com>]
+
+ *) SECURITY: CVE-2013-5704 (cve.mitre.org)
+ core: HTTP trailers could be used to replace HTTP headers
+ late during request processing, potentially undoing or
+ otherwise confusing modules that examined or modified
+ request headers earlier. Adds "MergeTrailers" directive to restore
+ legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
+
+ *) mod_ssl: New directive SSLSessionTickets (On|Off).
+ The directive controls the use of TLS session tickets (RFC 5077),
+ default value is "On" (unchanged behavior).
+ Session ticket creation uses a random key created during web
+ server startup and recreated during restarts. No other key
+ recreation mechanism is available currently. Therefore using session
+ tickets without restarting the web server with an appropriate frequency
+ (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
+
+ *) mod_proxy_fcgi: Provide some basic alternate options for specifying
+ how PATH_INFO is passed to FastCGI backends by adding significance to
+ the value of proxy-fcgi-pathinfo. PR 55329. [Eric Covener]
+
+ *) mod_proxy_fcgi: Enable UDS backends configured with SetHandler/RewriteRule
+ to opt-in to connection reuse and other Proxy options via explicitly
+ declared "proxy workers" (<Proxy unix:... enablereuse=on max=...)
+ [Eric Covener]
+
+ *) mod_proxy: Add "enablereuse" option as the inverse of "disablereuse".
+ [Eric Covener]
+
+ *) mod_proxy_fcgi: Enable opt-in to TCP connection reuse by explicitly
+ setting proxy option disablereuse=off. [Eric Covener] PR 57378.
+
+ *) event: Update the internal "connection id" when requests
+ move from thread to thread. Reuse can confuse modules like
+ mod_cgid. PR 57435. [Michael Thorpe <mike gistnet.com>]
+
+ *) mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME
+ passed to fastcgi backends. [Eric Covener]
+
+ *) core: Configuration files with long lines and continuation characters
+ are not read properly. PR 55910. [Manuel Mausz <manuel-as mausz.at>]
+
+ *) mod_include: the 'env' function was incorrectly handled as 'getenv' if the
+ leading 'e' was written in upper case in <!--#if expr="..." -->
+ statements. [Christophe Jaillet]
+
+ *) split-logfile: Fix perl error: 'Can't use string ("example.org:80")
+ as a symbol ref while "strict refs"'. PR 56329.
+ [Holger Mauermann <mauermann gmail.com>]
+
+ *) mod_proxy: Prevent ProxyPassReverse from doing a substitution when
+ the URL parameter interpolates to an empty string. PR 56603.
+ [<ajprout hotmail.com>]
+
+ *) core: Fix -D[efined] or <Define>[d] variables lifetime across restarts.
+ PR 57328. [Armin Abfalterer <a.abfalterer gmail.com>, Yann Ylavic].
+
+ *) mod_proxy: Preserve original request headers even if they differ
+ from the ones to be forwarded to the backend. PR 45387.
+ [Yann Ylavic]
+
+ *) mod_ssl: dump SSL IO/state for the write side of the connection(s),
+ like reads (level TRACE4). [Yann Ylavic]
+
+ *) mod_proxy_fcgi: Ignore body data from backend for 304 responses. PR 57198.
+ [Jan Kaluza]
+
+ *) mod_ssl: Do not crash when looking up SSL related variables during
+ expression evaluation on non SSL connections. PR 57070 [Ruediger Pluem]
+
+ *) mod_proxy_ajp: Fix handling of the default port (8009) in the
+ ProxyPass and <Proxy> configurations. PR 57259. [Yann Ylavic]
+
+ *) mpm_event: Avoid a possible use after free when notifying the end of
+ connection during lingering close. PR 57268. [Eric Covener, Yann Ylavic]
+
+ *) mod_ssl: Fix recognition of OCSP stapling responses that are encoded
+ improperly or too large. [Jeff Trawick]
+
+ *) core: Add ap_log_data(), ap_log_rdata(), etc. for logging buffers.
+ [Jeff Trawick]
+
+ *) mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an
+ error when parsing or forwarding the response fails. [Yann Ylavic]
+
+ *) mod_ssl: Fix a memory leak in case of graceful restarts with OpenSSL >= 0.9.8e
+ PR 53435 [tadanori <tadanori2007 yahoo.com>, Sebastian Wiedenroth <wiedi frubar.net>]
+
+ *) mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read
+ determine whether it is a normal close or a real error. PR 57168. [Yann
+ Ylavic]
+
+ *) mod_proxy_wstunnel: abort backend connection on polling error to avoid
+ further processing. [Yann Ylavic]
+
+ *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
+ PR 57167 [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC
+ systems. PR 57092 [Edward Lu <Chaosed0 gmail.com>]
+
+ *) mod_cache: Avoid a 304 response to an unconditional request when an AH00752
+ CacheLock error occurs during cache revalidation. [Eric Covener]
+
+ *) mod_ssl: Move OCSP stapling information from a per-certificate store to
+ a per-server hash. PR 54357, PR 56919. [Alex Bligh <alex alex.org.uk>,
+ Yann Ylavic, Kaspar Brand]
+
+ *) mod_cache_socache: Change average object size hint from 32 bytes to
+ 2048 bytes. [Rainer Jung]
+
+ *) mod_cache_socache: Add cache status to server-status. [Rainer Jung]
+
+ *) event: Fix worker-listener deadlock in graceful restart.
+ PR 56960.
+
+ *) Concat strings at compile time when possible. PR 53741.
+
+ *) mod_substitute: Restrict configuration in .htaccess to
+ FileInfo as documented. [Rainer Jung]
+
+ *) mod_substitute: Make maximum line length configurable. [Rainer Jung]
+
+ *) mod_substitute: Fix line length limitation in case of regexp plus flatten.
+ [Rainer Jung]
+
+ *) mod_proxy: Truncated character worker names are no longer fatal
+ errors. PR53218. [Jim Jagielski]
+
+ *) mod_dav: Set r->status_line in dav_error_response. PR 55426.
+
+ *) mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory.
+ [Yann Ylavic, Christophe Jaillet]
+
+ *) http_protocol: fix logic in ap_method_list_(add|remove) in order:
+ - to correctly reset bits
+ - not to modify the 'method_mask' bitfield unnecessarily
+ [Christophe Jaillet]
+
+ *) mod_slotmem_shm: Increase log level for some originally debug messages.
+ [Jim Jagielski]
+
+ *) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with
+ the wrong credentials when a backend connection is reused.
+ [Eric Covener]
+
+ *) mod_macro: Add missing APLOGNO for some Warning log messages.
+ [Christophe Jaillet]
+
+ *) mod_cache: Avoid sending 304 responses during failed revalidations
+ PR56881. [Eric Covener]
+
+ *) mod_status: Honor client IP address using mod_remoteip. PR 55886.
+ [Jim Jagielski]
+
+ *) cmake-based build for Windows: Fix incompatibility with cmake 2.8.12
+ and later. PR 56615. [Chuck Liu <cliu81 gmail.com>, Jeff Trawick]
+
+ *) mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade
+ failed) messages from ERROR to TRACE1. Other filters do not bother
+ re-reporting failures from lower level filters. PR56832. [Eric Covener]
+
+ *) core: Avoid useless warning message when parsing a section guarded by
+ <IfDefine foo> if $(foo) is used within the section.
+ PR 56503 [Christophe Jaillet]
+
+ *) mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the
+ application. PR 56858. [Manuel Mausz <manuel-asf mausz.at>]
+
+ *) mod_proxy_http: Proxy responses with error status and
+ "ProxyErrorOverride On" hang until proxy timeout.
+ PR53420 [Rainer Jung]
+
+ *) mod_log_config: Allow three character log formats to be registered. For
+ backwards compatibility, the first character of a three-character format
+ must be the '^' (caret) character. [Eric Covener]
+
+ *) mod_lua: Don't quote Expires and Path values. PR 56734.
+ [Keith Mashinter, <kmashint yahoo com>]
+
+ *) mod_authz_core: Allow <AuthzProviderAlias>'es to be seen from auth
+ stanzas under virtual hosts. PR 56870. [Eric Covener]
+
+Changes with Apache 2.4.10
+
+ *) SECURITY: CVE-2014-0117 (cve.mitre.org)
+ mod_proxy: Fix crash in Connection header handling which allowed a denial
+ of service attack against a reverse proxy with a threaded MPM.
+ [Ben Reser]
+
+ *) SECURITY: CVE-2014-3523 (cve.mitre.org)
+ Fix a memory consumption denial of service in the WinNT MPM, used in all
+ Windows installations. Workaround: AcceptFilter <protocol> {none|connect}
+ [Jeff Trawick]
+
+ *) SECURITY: CVE-2014-0226 (cve.mitre.org)
+ Fix a race condition in scoreboard handling, which could lead to
+ a heap buffer overflow. [Joe Orton, Eric Covener]
+
+ *) SECURITY: CVE-2014-0118 (cve.mitre.org)
+ mod_deflate: The DEFLATE input filter (inflates request bodies) now
+ limits the length and compression ratio of inflated request bodies to
+ avoid denial of service via highly compressed bodies. See directives
+ DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
+ and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
+
+ *) SECURITY: CVE-2014-0231 (cve.mitre.org)
+ mod_cgid: Fix a denial of service against CGI scripts that do
+ not consume stdin that could lead to lingering HTTPD child processes
+ filling up the scoreboard and eventually hanging the server. By
+ default, the client I/O timeout (Timeout directive) now applies to
+ communication with scripts. The CGIDScriptTimeout directive can be
+ used to set a different timeout for communication with scripts.
+ [Rainer Jung, Eric Covener, Yann Ylavic]
+
+ *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
+ resumed by TLS session resumption (RFC 5077). [Rainer Jung]
+
+ *) mod_deflate: Don't fail when flushing inflated data to the user-agent
+ and that coincides with the end of stream ("Zlib error flushing inflate
+ buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]
+
+ *) mod_proxy_ajp: Forward local IP address as a custom request attribute
+ like we already do for the remote port. [Rainer Jung]
+
+ *) core: Include any error notes set by modules in the canned error
+ response for 403 errors. [Jeff Trawick]
+
+ *) mod_ssl: Set an error note for requests rejected due to
+ SSLStrictSNIVHostCheck. [Jeff Trawick]
+
+ *) mod_ssl: Fix issue with redirects to error documents when handling
+ SNI errors. [Jeff Trawick]
+
+ *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
+ larger keys and support up to 8192-bit keys. [Ruediger Pluem,
+ Joe Orton]
+
+ *) mod_dav: Fix improper encoding in PROPFIND responses. PR 56480.
+ [Ben Reser]
+
+ *) WinNT MPM: Improve error handling for termination events in child.
+ [Jeff Trawick]
+
+ *) mod_proxy: When ping/pong is configured for a worker, don't send or
+ forward "100 Continue" (interim) response to the client if it does
+ not expect one. [Yann Ylavic]
+
+ *) mod_ldap: Be more conservative with the last-used time for
+ LDAPConnectionPoolTTL. PR54587 [Eric Covener]
+
+ *) mod_ldap: LDAP connections used for authn were not respecting
+ LDAPConnectionPoolTTL. PR54587 [Eric Covener]
+
+ *) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.
+ [Jeff Trawick]
+
+ *) event MPM: Fix possible crashes (third-party modules accessing c->sbh)
+ or occasional missed mod_status updates under load. PR 56639.
+ [Edward Lu <Chaosed0 gmail com>]
+
+ *) mod_authnz_ldap: Support primitive LDAP servers do not accept
+ filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
+ filter "none" to be specified in AuthLDAPURL. [Eric Covener]
+
+ *) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
+ [Lukas Bezdicka <social v3.sk>]
+
+ *) mod_deflate: Handle Zlib header and validation bytes received in multiple
+ chunks. PR 46146. [Yann Ylavic]
+
+ *) mod_proxy: Allow reverse-proxy to be set via explicit handler.
+ [ryo takatsuki <ryotakatsuki gmail com>]
+
+ *) ab: support custom HTTP method with -m argument. PR 56604.
+ [Roman Jurkov <winfinit gmail.com>]
+
+ *) mod_proxy_balancer: Correctly encode user provided data in management
+ interface. PR 56532 [Maksymilian, <max cert.cx>]
+
+ *) mod_proxy: Don't limit the size of the connectable Unix Domain Socket
+ paths. [Graham Dumpleton, Christophe Jaillet, Yann Ylavic]
+
+ *) mod_proxy_fcgi: Support iobuffersize parameter. [Jeff Trawick]
+
+ *) event: Send the SSL close notify alert when the KeepAliveTimeout
+ expires. PR54998. [Yann Ylavic]
+
+ *) mod_ssl: Ensure that the SSL close notify alert is flushed to the client.
+ PR54998. [Tim Kosse <tim.kosse filezilla-project.org>, Yann Ylavic]
+
+ *) mod_proxy: Shutdown (eg. SSL close notify) the backend connection before
+ closing. [Yann Ylavic]
+
+ *) mod_auth_form: Add a debug message when the fields on a form are not
+ recognised. [Graham Leggett]
+
+ *) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
+ response. PR 55547. [Yann Ylavic]
+
+ *) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
+ scheme. PR55320. [Alex Liu <alex.leo.ca gmail.com>]
+
+ *) mod_socache_shmcb: Correct counting of expirations for status display.
+ Expirations happening during retrieval were not counted. [Rainer Jung]
+
+ *) mod_cache: Retry unconditional request with the full URL (including the
+ query-string) when the origin server's 304 response does not match the
+ conditions used to revalidate the stale entry. [Yann Ylavic].
+
+ *) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
+ variables as a result of AliasMatch. [Eric Covener]
+
+ *) mod_cache: Don't add cached/revalidated entity headers to a 304 response.
+ PR 55547. [Yann Ylavic]
+
+ *) mod_proxy_scgi: Support Unix sockets. ap_proxy_port_of_scheme():
+ Support default SCGI port (4000). [Jeff Trawick]
+
+ *) mod_cache: Fix AH00784 errors on Windows when the the CacheLock directive
+ is enabled. [Eric Covener]
+
+ *) mod_expires: don't add Expires header to error responses (4xx/5xx),
+ be they generated or forwarded. PR 55669. [Yann Ylavic]
+
+ *) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
+ (regression in 2.4.9 release) [Jeff Trawick]
+
+ *) mod_authn_socache: Fix crash at startup in certain configurations.
+ PR 56371. (regression in 2.4.7) [Jan Kaluza]
+
+ *) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
+ programs to the form used in releases up to 2.4.7, and emulate
+ a backwards-compatible behavior for existing setups. [Kaspar Brand]
+
+ *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
+ OCSP requests should use a nonce to be checked against the responder's
+ one. PR 56233. [Yann Ylavic, Kaspar Brand]
+
+ *) mod_ssl: "SSLEngine off" will now override a Listen-based default
+ and does disable mod_ssl for the vhost. [Joe Orton]
+
+ *) mod_lua: Enforce the max post size allowed via r:parsebody()
+ [Daniel Gruno]
+
+ *) mod_lua: Use binary comparison to find boundaries for multipart
+ objects, as to not terminate our search prematurely when hitting
+ a NULL byte. [Daniel Gruno]
+
+ *) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
+ versions before 0.9.8h and not specifying an SSLCertificateChainFile
+ (regression introduced with 2.4.8). PR 56410. [Kaspar Brand]
+
+ *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
+ no longer send warning-level unrecognized_name(112) alerts,
+ and limit startup warnings to cases where an OpenSSL version
+ without TLS extension support is used. PR 56241. [Kaspar Brand]
+
+ *) mod_proxy_html: Avoid some possible memory access violation in case of
+ specially crafted files, when the ProxyHTMLMeta directive is turned on.
+ Follow up of PR 56287 [Christophe Jaillet]
+
+ *) mod_auth_form: Make sure the optional functions are loaded even when
+ the AuthFormProvider isn't specified. [Graham Leggett]
+
+ *) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
+ (and logging garbled file names). PR 56306. [Kaspar Brand]
+
+ *) mod_ssl: fix merging of global and vhost-level settings with the
+ SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
+ directives. PR 56353. [Kaspar Brand]
+
+ *) mod_headers: Allow the "value" parameter of Header and RequestHeader to
+ contain an ap_expr expression if prefixed with "expr=". [Eric Covener]
+
+ *) rotatelogs: Avoid creation of zombie processes when -p is used on
+ Unix platforms. [Joe Orton]
+
+ *) mod_authnz_fcgi: New module to enable FastCGI authorizer
+ applications to authenticate and/or authorize clients.
+ [Jeff Trawick]
+
+ *) mod_proxy: Do not try to parse the regular expressions passed by
+ ProxyPassMatch as URL as they do not follow their syntax.
+ PR 56074. [Ruediger Pluem]
+
+ *) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
+ under the Event MPM. PR56216. [Frank Meier <frank meier ergon ch>]
+
+ *) mod_proxy_fcgi: Fix sending of response without some HTTP headers
+ that might be set by filters. PR 55558. [Jim Riggs <jim riggs.me>]
+
+ *) mod_proxy_html: Do not delete the wrong data from HTML code when a
+ "http-equiv" meta tag specifies a Content-Type behind any other
+ "http-equiv" meta tag. PR 56287 [Micha Lenk <micha lenk info>]
+
+ *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
+ differs. PR 55782. [Yann Ylavic]
+
+ *) Add suspend_connection and resume_connection hooks to notify modules
+ when the thread/connection relationship changes. (Should be implemented
+ for any third-party async MPMs.) [Jeff Trawick]
+
+ *) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
+ hangups from websockets origin servers. PR 56299
+ [Yann Ylavic, Edward Lu <Chaosed0 gmail com>, Eric Covener]
+
+ *) mod_proxy_wstunnel: Don't pool backend websockets connections,
+ because we need to handshake every time. PR 55890.
+ [Eric Covener]
+
+ *) mod_lua: Redesign how request record table access behaves,
+ in order to utilize the request record from within these tables.
+ [Daniel Gruno]
+
+ *) mod_lua: Add r:wspeek for peeking at WebSocket frames. [Daniel Gruno]
+
+ *) mod_lua: Log an error when the initial parsing of a Lua file fails.
+ [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
+
+ *) mod_lua: Reformat and escape script error output.
+ [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
+
+ *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
+ from causing response splitting.
+ [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
+
+ *) mod_lua: Disallow newlines in table values inside the request_rec,
+ to prevent HTTP Response Splitting via tainted headers.
+ [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
+
+ *) mod_lua: Remove the non-working early/late arguments for
+ LuaHookCheckUserID. [Daniel Gruno]
+
+ *) mod_lua: Change IVM storage to use shm [Daniel Gruno]
+
+ *) mod_lua: More verbose error logging when a handler function cannot be
+ found. [Daniel Gruno]
+
+Changes with Apache 2.4.9
+
+ *) mod_ssl: Work around a bug in some older versions of OpenSSL that
+ would cause a crash in SSL_get_certificate for servers where the
+ certificate hadn't been sent. [Stephen Henson]
+
+ *) mod_lua: Add a fixups hook that checks if the original request is intended
+ for LuaMapHandler. This fixes a bug where FallbackResource invalidates the
+ LuaMapHandler directive in certain cases by changing the URI before the map
+ handler code executes [Daniel Gruno, Daniel Ferradal <dferradal gmail com>].
+
+Changes with Apache 2.4.8 (not released)
+
+ *) SECURITY: CVE-2014-0098 (cve.mitre.org)
+ Clean up cookie logging with fewer redundant string parsing passes.
+ Log only cookies with a value assignment. Prevents segfaults when
+ logging truncated cookies.
+ [William Rowe, Ruediger Pluem, Jim Jagielski]
+
+ *) SECURITY: CVE-2013-6438 (cve.mitre.org)
+ mod_dav: Keep track of length of cdata properly when removing
+ leading spaces. Eliminates a potential denial of service from
+ specifically crafted DAV WRITE requests
+ [Amin Tora <Amin.Tora neustar.biz>]
+
+ *) core: Support named groups and backreferences within the LocationMatch,
+ DirectoryMatch, FilesMatch and ProxyMatch directives. (Requires
+ non-ancient PCRE library) [Graham Leggett]
+
+ *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
+ TE/CL conflicts. [Yann Ylavic, Jim Jagielski]
+
+ *) core: Detect incomplete request and response bodies, log an error and
+ forward it to the underlying filters. PR 55475 [Yann Ylavic]
+
+ *) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping
+ execution when a handler is already set. PR53929. [Eric Covener]
+
+ *) mod_ssl: Do not perform SNI / Host header comparison in case of a
+ forward proxy request. [Ruediger Pluem]
+
+ *) mod_ssl: Remove the hardcoded algorithm-type dependency for the
+ SSLCertificateFile and SSLCertificateKeyFile directives, to enable
+ future algorithm agility, and deprecate the SSLCertificateChainFile
+ directive (obsoleted by SSLCertificateFile). [Kaspar Brand]
+
+ *) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
+ and IgnoreInherit to allow RewriteRules to be pushed from parent scopes
+ to child scopes without explicitly configuring each child scope.
+ PR56153. [Edward Lu <Chaosed0 gmail com>]
+
+ *) prefork: Fix long delays when doing a graceful restart.
+ PR 54852 [Jim Jagielski, Arkadiusz Miskiewicz <arekm maven pl>]
+
+ *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
+ 5+ instead of just for FreeBSD 5. PR 53824. [Jeff Trawick]
+
+ *) mod_proxy_wstunnel: Avoid busy loop on client errors, drop message
+ IDs 02445, 02446, and 02448 to TRACE1 from DEBUG. PR 56145.
+ [Joffroy Christen <joffroy.christen solvaxis com>, Eric Covener]
+
+ *) mod_remoteip: Correct the trusted proxy match test. PR 54651.
+ [Yoshinori Ehara <yoshinori ehara gmail com>, Eugene L <eugenel amazon com>]
+
+ *) mod_proxy_fcgi: Fix error message when an unexpected protocol version
+ number is received from the application. PR 56110. [Jeff Trawick]
+
+ *) mod_remoteip: Use the correct IP addresses to populate the proxy_ips field.
+ PR 55972. [Mike Rumph]
+
+ *) mod_lua: Update r:setcookie() to accept a table of options and add domain,
+ path and httponly to the list of options available to set.
+ PR 56128 [Edward Lu <Chaosed0 gmail com>, Daniel Gruno]
+
+ *) mod_lua: Fix r:setcookie() to add, rather than replace,
+ the Set-Cookie header. PR56105
+ [Kevin J Walters <kjw ms com>, Edward Lu <Chaosed0 gmail com>]
+
+ *) mod_lua: Allow for database results to be returned as a hash with
+ row-name/value pairs instead of just row-number/value. [Daniel Gruno]
+
+ *) mod_rewrite: Add %{CONN_REMOTE_ADDR} as the non-useragent counterpart to
+ %{REMOTE_ADDR}. PR 56094. [Edward Lu <Chaosed0 gmail com>]
+
+ *) WinNT MPM: If ap_run_pre_connection() fails or sets c->aborted, don't
+ save the socket for reuse by the next worker as if it were an
+ APR_SO_DISCONNECTED socket. Restores 2.2 behavior. [Eric Covener]
+
+ *) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a URL
+ that was just rewritten by mod_rewrite. PR53929. [Eric Covener]
+
+ *) mod_session: When we have a session we were unable to decode,
+ behave as if there was no session at all. [Thomas Eckert
+ <thomas.r.w.eckert gmail com>]
+
+ *) mod_session: Fix problems interpreting the SessionInclude and
+ SessionExclude configuration. PR 56038. [Erik Pearson
+ <erik adaptations.com>]
+
+ *) mod_authn_core: Allow <AuthnProviderAlias>'es to be seen from auth
+ stanzas under virtual hosts. PR 55622. [Eric Covener]
+
+ *) mod_proxy_fcgi: Use apr_socket_timeout_get instead of hard-coded
+ 30 seconds timeout. [Jan Kaluza]
+
+ *) build: only search for modules (config*.m4) in known subdirectories, see
+ build/config-stubs. [Stefan Fritsch]
+
+ *) mod_cache_disk: Fix potential hangs on Windows when using mod_cache_disk.
+ PR 55833. [Eric Covener]
+
+ *) mod_ssl: Add support for OpenSSL configuration commands by introducing
+ the SSLOpenSSLConfCmd directive. [Stephen Henson, Kaspar Brand]
+
+ *) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
+ is equivalent to <ProxyMatch wildcard-url>. [Christophe Jaillet]
+
+ *) mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
+ mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
+ require directives. [Graham Leggett]
+
+ *) mod_proxy_http: Core dumped under high load. PR 50335.
+ [Jan Kaluza <jkaluza redhat.com>]
+
+ *) mod_socache_shmcb.c: Remove arbitrary restriction on shared memory size
+ previously limited to 64MB. [Jens Låås <jelaas gmail.com>]
+
+ *) mod_lua: Use binary copy when dealing with uploads through r:parsebody()
+ to prevent truncating files. [Daniel Gruno]
+
+Changes with Apache 2.4.7
+
+ *) SECURITY: CVE-2013-4352 (cve.mitre.org)
+ mod_cache: Fix a NULL pointer deference which allowed untrusted
+ origin servers to crash mod_cache in a forward proxy
+ configuration. [Graham Leggett]
+
+ *) APR 1.5.0 or later is now required for the event MPM.
+
+ *) slotmem_shm: Error detection. [Jim Jagielski]
+
+ *) event: Use skiplist data structure. [Jim Jagielski]
+
+ *) event: Fail at startup with message AP02405 if the APR atomic
+ implementation is not compatible with the MPM. [Jim Jagielski]
+
+ *) mpm_unix: Add ap_mpm_podx_* implementation to avoid code duplication
+ and align w/ trunk. [Jim Jagielski]
+
+ *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
+ directives. [Mike Rumph <mike.rumph oracle.com>]
+
+ *) mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars.
+ An individual envvar with an encoded length of more than 16K will be
+ omitted. [Jeff Trawick]
+
+ *) mod_proxy_fcgi: Handle reading protocol data that is split between
+ packets. [Jeff Trawick]
+
+ *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
+ allowing custom parameters to be configured via SSLCertificateFile,
+ and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
+ Unless custom parameters are configured, the standardized parameters
+ are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
+
+ *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]
+
+ *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
+ keys, and unconditionally disable aNULL, eNULL and EXP ciphers
+ (not overridable via SSLCipherSuite). [Kaspar Brand]
+
+ *) mod_proxy: Added support for unix domain sockets as the
+ backend server endpoint. This also introduces an unintended
+ incompatibility for third party modules using the mod_proxy
+ proxy_worker_shared structure, especially for balancer lbmethod
+ modules. [Jim Jagielski, Blaise Tarr <blaise tarr gmail com>]
+
+ *) Add experimental cmake-based build system for Windows. [Jeff Trawick,
+ Tom Donovan]
+
+ *) event MPM: Fix possible crashes (third party modules accessing c->sbh)
+ or occasional missed mod_status updates for some keepalive requests
+ under load. [Eric Covener]
+
+ *) mod_authn_socache: Support optional initialization arguments for
+ socache providers. [Chris Darroch]
+
+ *) mod_session: Reset the max-age on session save. PR 47476. [Alexey
+ Varlamov <alexey.v.varlamov gmail com>]
+
+ *) mod_session: After parsing the value of the header specified by the
+ SessionHeader directive, remove the value from the response. PR 55279.
+ [Graham Leggett]
+
+ *) mod_headers: Allow for format specifiers in the substitution string
+ when using Header edit. [Daniel Ruggeri]
+
+ *) mod_dav: dav_resource->uri is treated as unencoded. This was an
+ unnecessary ABI changed introduced in 2.4.6. PR 55397.
+
+ *) mod_dav: Don't require lock tokens for COPY source. PR 55306.
+
+ *) core: Don't truncate output when sending is interrupted by a signal,
+ such as from an exiting CGI process. PR 55643. [Jeff Trawick]
+
+ *) WinNT MPM: Exit the child if the parent process crashes or is terminated.
+ [Oracle Corporation]
+
+ *) Windows: Correct failure to discard stderr in some error log
+ configurations. (Error message AH00093) [Jeff Trawick]
+
+ *) mod_session_crypto: Allow using exec: calls to obtain session
+ encryption key. [Daniel Ruggeri]
+
+ *) core: Add missing Reason-Phrase in HTTP response headers.
+ PR 54946. [Rainer Jung]
+
+ *) mod_rewrite: Make rewrite websocket-aware to allow proxying.
+ PR 55598. [Chris Harris <chris.harris kitware com>]
+
+ *) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
+ instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]
+
+ *) ab: Add wait time, fix processing time, and output write errors only if
+ they occurred. [Christophe Jaillet]
+
+ *) worker MPM: Don't forcibly kill worker threads if the child process is
+ exiting gracefully. [Oracle Corporation]
+
+ *) core: apachectl -S prints wildcard name-based virtual hosts twice.
+ PR54948 [Eric Covener]
+
+ *) mod_auth_basic: Add AuthBasicUseDigestAlgorithm directive to
+ allow migration of passwords from digest to basic authentication.
+ [Chris Darroch]
+
+ *) ab: Add a new -l parameter in order not to check the length of the responses.
+ This can be useful with dynamic pages.
+ PR9945, PR27888, PR42040 [<ccikrs1 cranbrook edu>]
+
+ *) Suppress formatting of startup messages written to the console when
+ ErrorLogFormat is used. [Jeff Trawick]
+
+ *) mod_auth_digest: Be more specific when the realm mismatches because the
+ realm has not been specified. [Graham Leggett]
+
+ *) mod_proxy: Add a note in the balancer manager stating whether changes
+ will or will not be persisted and whether settings are inherited.
+ [Daniel Ruggeri, Jim Jagielski]
+
+ *) core: Add util_fcgi.h and associated definitions and support
+ routines for FastCGI, based largely on mod_proxy_fcgi.
+ [Jeff Trawick]
+
+ *) mod_headers: Add 'Header note header-name note-name' for copying a response
+ headers value into a note. [Eric Covener]
+
+ *) mod_headers: Add 'setifempty' command to Header and RequestHeader.
+ [Eric Covener]
+
+ *) mod_logio: new format-specifier %S (sum) which is the sum of received
+ and sent byte counts.
+ PR54015 [Christophe Jaillet]
+
+ *) mod_deflate: Improve error detection when decompressing request bodies
+ with trailing garbage: handle case where trailing bytes are in
+ the same bucket. [Rainer Jung]
+
+ *) mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663
+ from ERROR to DEBUG, since these modules do not know what mod_authz_core
+ is doing with their AUTHZ_DENIED return value. [Eric Covener]
+
+ *) mod_ldap: add TRACE5 for LDAP retries. [Eric Covener]
+
+ *) mod_ldap: retry on an LDAP timeout during authn. [Eric Covener]
+
+ *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP
+ SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK
+ default, sans rebind authentication callback.
+ [Jan Kaluza <kaluze AT redhat.com>]
+
+ *) core: Log a message at TRACE1 when the client aborts a connection.
+ [Eric Covener]
+
+ *) WinNT MPM: Don't crash during child process initialization if the
+ Listen protocol is unrecognized. [Jeff Trawick]
+
+ *) modules: Fix some compiler warnings. [Guenter Knauf]
+
+ *) Sync 2.4 and trunk
+ - Avoid some memory allocation and work when TRACE1 is not activated
+ - fix typo in include guard
+ - indent
+ - No need to lower the string before removing the path, it is just
+ a waste of time...
+ - Save a few cycles
+ [Christophe Jaillet <christophe.jaillet wanadoo.fr>]
+
+ *) mod_filter: Add "change=no" as a proto-flag to FilterProtocol
+ to remove a providers initial flags set at registration time.
+ [Eric Covener]
+
+ *) core, mod_ssl: Enable the ability for a module to reverse the sense of
+ a poll event from a read to a write or vice versa. This is a step on
+ the way to allow mod_ssl taking full advantage of the event MPM.
+ [Graham Leggett]
+
+ *) Makefile.win: Install proper pcre DLL file during debug build install.
+ PR 55235. [Ben Reser <ben reser org>]
+
+ *) mod_ldap: Fix a potential memory leak or corruption. PR 54936.
+ [Zhenbo Xu <zhenbo1987 gmail com>]
+
+ *) ab: Fix potential buffer overflows when processing the T and X
+ command-line options. PR 55360.
+ [Mike Rumph <mike.rumph oracle.com>]
+
+ *) fcgistarter: Specify SO_REUSEADDR to allow starting a server
+ with old connections in TIME_WAIT. [Jeff Trawick]
+
+ *) core: Add open_htaccess hook which, in conjunction with dirwalk_stat
+ and post_perdir_config (introduced in 2.4.5), allows mpm-itk to be
+ used without patches to httpd core. [Stefan Fritsch]
+
+ *) support/htdbm: fix processing of -t command line switch. Regression
+ introduced in 2.4.4
+ PR 55264 [Jo Rhett <jrhett netconsonance com>]
+
+ *) mod_lua: add websocket support via r:wsupgrade, r:wswrite, r:wsread
+ and r:wsping. [Daniel Gruno]
+
+ *) mod_lua: add support for writing/reading cookies via r:getcookie and
+ r:setcookie. [Daniel Gruno]
+
+ *) mod_lua: If the first yield() of a LuaOutputFilter returns a string, it should
+ be prefixed to the response as documented. [Eric Covener]
+ Note: Not present in 2.4.7 CHANGES
+
+ *) mod_lua: Remove ETAG, Content-Length, and Content-MD5 when a LuaOutputFilter
+ is configured without mod_filter. [Eric Covener]
+ Note: Not present in 2.4.7 CHANGES
+
+ *) mod_lua: Register LuaOutputFilter scripts as changing the content and
+ content-length by default, when run my mod_filter. Previously,
+ growing or shrinking a response that started with Content-Length set
+ would require mod_filter and FilterProtocol change=yes. [Eric Covener]
+ Note: Not present in 2.4.7 CHANGES
+
+ *) mod_lua: Return a 500 error if a LuaHook* script doesn't return a
+ numeric return code. [Eric Covener]
+ Note: Not present in 2.4.7 CHANGES
+
+Changes with Apache 2.4.6
+
+ *) Revert a broken fix for PR54948 that was applied to 2.4.5 (which was
+ not released) and found post-2.4.5 tagging.
+
+Changes with Apache 2.4.5
+
+ *) SECURITY: CVE-2013-1896 (cve.mitre.org)
+ mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
+ the source href (sent as part of the request body as XML) pointing to a
+ URI that is not configured for DAV will trigger a segfault. [Ben Reser
+ <ben reser.org>]
+
+ *) SECURITY: CVE-2013-2249 (cve.mitre.org)
+ mod_session_dbd: Make sure that dirty flag is respected when saving
+ sessions, and ensure the session ID is changed each time the session
+ changes. This changes the format of the updatesession SQL statement.
+ Existing configurations must be changed.
+ [Takashi Sato, Graham Leggett]
+
+ *) mod_auth_basic: Add a generic mechanism to fake basic authentication
+ using the ap_expr parser. AuthBasicFake allows the administrator to
+ construct their own username and password for basic authentication based
+ on their needs. [Graham Leggett]
+
+ *) mpm_event: Check that AsyncRequestWorkerFactor is not negative. PR 54254.
+ [Jackie Zhang <jackie qq zhang gmail com>]
+
+ *) mod_proxy: Ensure we don't attempt to amend a table we are iterating
+ through, ensuring that all headers listed by Connection are removed.
+ [Graham Leggett, Co-Advisor <coad measurement-factory.com>]
+
+ *) mod_proxy_http: Make the proxy-interim-response environment variable
+ effective by formally overriding origin server behaviour. [Graham
+ Leggett, Co-Advisor <coad measurement-factory.com>]
+
+ *) mod_proxy: Fix seg-faults when using the global pool on threaded
+ MPMs [Thomas Eckert <thomas.r.w.eckert gmail.com>, Graham Leggett,
+ Jim Jagielski]
+
+ *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive.
+ Gracefully step aside if the body size is zero. [Graham Leggett]
+
+ *) mod_ssl: Fix possible truncation of OCSP responses when reading from the
+ server. [Joe Orton]
+
+ *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
+ on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun
+ <apache heilbrun.org>]
+
+ *) mod_cache_socache: Make sure the CacheSocacheMaxSize directive is merged
+ correctly. [Jens Låås <jelaas gmail.com>]
+
+ *) rotatelogs: add -n number-of-files option to rotate through a number
+ of fixed-name logfiles. [Eric Covener]
+
+ *) mod_proxy: Support web-socket tunnels via mod_proxy_wstunnel.
+ [Jim Jagielski]
+
+ *) mod_cache_socache: Use the name of the socache implementation when performing
+ a lookup rather than using the raw arguments. [Martin Ksellmann
+ <martin@ksellmann.de>]
+
+ *) core: Add dirwalk_stat hook. [Jeff Trawick]
+
+ *) core: Add post_perdir_config hook.
+ [Steinar Gunderson <sgunderson bigfoot.com>]
+
+ *) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
+ [Christophe Jaillet]
+
+ *) mod_remoteip: close file in error path. [Christophe Jaillet]
+
+ *) core: make the "default" parameter of the "ErrorDocument" option case
+ insensitive. PR 54419 [Tianyin Xu <tixu cs ucsd edu>]
+
+ *) mod_proxy_html: make the "ProxyHTMLFixups" options case insensitive.
+ PR 54420 [Tianyin Xu <tixu cs ucsd edu>]
+
+ *) mod_cache: Make option "CacheDisable" in mod_cache case insensitive.
+ PR 54462 [Tianyin Xu <tixu cs ucsd edu>]
+
+ *) mod_cache: If a 304 response indicates an entity not currently cached, then
+ the cache MUST disregard the response and repeat the request without the
+ conditional. [Graham Leggett, Co-Advisor <coad measurement-factory.com>]
+
+ *) mod_cache: Ensure that we don't attempt to replace a cached response
+ with an older response as per RFC2616 13.12. [Graham Leggett, Co-Advisor
+ <coad measurement-factory.com>]
+
+ *) core, mod_cache: Ensure RFC2616 compliance in ap_meets_conditions()
+ with weak validation combined with If-Range and Range headers. Break
+ out explicit conditional header checks to be useable elsewhere in the
+ server. Ensure weak validation RFC compliance in the byteranges filter.
+ Ensure RFC validation compliance when serving cached entities. PR 16142
+ [Graham Leggett, Co-Advisor <coad measurement-factory.com>]
+
+ *) core: Add the ability to do explicit matching on weak and strong ETags
+ as per RFC2616 Section 13.3.3. [Graham Leggett, Co-Advisor
+ <coad measurement-factory.com>]
+
+ *) mod_cache: Ensure that updated responses to HEAD requests don't get
+ mistakenly paired with a previously cached body. Ensure that any existing
+ body is removed when a HEAD request is cached. [Graham Leggett,
+ Co-Advisor <coad measurement-factory.com>]
+
+ *) mod_cache: Honour Cache-Control: no-store in a request. [Graham Leggett]
+
+ *) mod_cache: Make sure that contradictory entity headers present in a 304
+ Not Modified response are caught and cause the entity to be removed.
+ [Graham Leggett]
+
+ *) mod_cache: Make sure Vary processing handles multivalued Vary headers and
+ multivalued headers referred to via Vary. [Graham Leggett]
+
+ *) mod_cache: When serving from cache, only the last header of a multivalued
+ header was taken into account. Fixed. Ensure that Warning headers are
+ correctly handled as per RFC2616. [Graham Leggett]
+
+ *) mod_cache: Ignore response headers specified by no-cache=header and
+ private=header as specified by RFC2616 14.9.1 What is Cacheable. Ensure
+ that these headers are still processed when multiple Cache-Control
+ headers are present in the response. PR 54706 [Graham Leggett,
+ Yann Ylavic <ylavic.dev gmail.com>]
+
+ *) mod_cache: Invalidate cached entities in response to RFC2616 Section
+ 13.10 Invalidation After Updates or Deletions. PR 15868 [Graham
+ Leggett]
+
+ *) mod_dav: Improve error handling in dav_method_put(), add new
+ dav_join_error() function. PR 54145. [Ben Reser <ben reser.org>]
+
+ *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
+ PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
+
+ *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
+ property on a resource for which there is no dead property in the same
+ namespace httpd segfaults. PR 52559 [Diego Santa Cruz
+ <diego.santaCruz spinetix.com>]
+
+ *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
+ result in a 412 Precondition Failed for a COPY operation. PR54610
+ [Timothy Wood <tjw omnigroup.com>]
+
+ *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
+ we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]
+
+ *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive.
+ Gracefully step aside if the body size is zero. [Graham Leggett]
+
+ *) 'AuthGroupFile' and 'AuthUserFile' do not accept anymore the optional
+ 'standard' keyword . It was unused and not documented.
+ PR54463 [Tianyin Xu <tixu cs.ucsd.edu> and Christophe Jaillet]
+
+ *) core: Do not over allocate memory within 'ap_rgetline_core' for
+ the common case. [Christophe Jaillet]
+
+ *) core: speed up (for common cases) and reduce memory usage of
+ ap_escape_logitem(). This should save 70-100 bytes in the request
+ pool for a default config. [Christophe Jaillet]
+
+ *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
+ [Timothy Wood <tjw omnigroup.com>]
+
+ *) mod_proxy: Reject invalid values for Max-Forwards. [Graham Leggett,
+ Co-Advisor <coad measurement-factory.com>]
+
+ *) mod_cache: RFC2616 14.9.3 The s-maxage directive also implies the
+ semantics of the proxy-revalidate directive. [Graham Leggett]
+
+ *) mod_ssl: add support for subjectAltName-based host name checking
+ in proxy mode (SSLProxyCheckPeerName). PR 54030. [Kaspar Brand]
+
+ *) core: Use the proper macro for HTTP/1.1. [Graham Leggett]
+
+ *) event MPM: Provide error handling for ThreadStackSize. PR 54311
+ [Tianyin Xu <tixu cs.ucsd.edu>, Christophe Jaillet]
+
+ *) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
+ PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
+
+ *) core: Improve error message where client's request-line exceeds
+ LimitRequestLine. PR 54384 [Christophe Jaillet]
+
+ *) mod_macro: New module that provides macros within configuration files.
+ [Fabien Coelho]
+
+ *) mod_cache_socache: New cache implementation backed by mod_socache
+ that replaces mod_mem_cache known from httpd 2.2. [Graham
+ Leggett]
+
+ *) htpasswd: Add -v option to verify a password. [Stefan Fritsch]
+
+ *) mod_proxy: Add BalancerInherit and ProxyPassInherit to control
+ whether Proxy Balancers and Workers are inherited by vhosts
+ (default is On). [Jim Jagielski]
+
+ *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
+ password. [Daniel Ruggeri]
+
+ *) Added balancer parameter failontimeout to allow server admin
+ to configure an IO timeout as an error in the balancer.
+ [Daniel Ruggeri]
+
+ *) mod_auth_digest: Fix crashes if shm initialization failed. [Stefan
+ Fritsch]
+
+ *) htpasswd, htdbm: Fix password generation. PR 54735. [Stefan Fritsch]
+
+ *) core: Add workaround for gcc bug on sparc/64bit. PR 52900.
+ [Stefan Fritsch]
+
+ *) mod_setenvif: Fix crash in case SetEnvif and SetEnvIfExpr are used
+ together. PR 54881. [Ruediger Pluem]
+
+ *) htdigest: Fix buffer overflow when reading digest password file
+ with very long lines. PR 54893. [Rainer Jung]
+
+ *) ap_expr: Add the ability to base64 encode and base64 decode
+ strings and to generate their SHA1 and MD5 hash.
+ [Graham Leggett, Stefan Fritsch]
+
+ *) mod_log_config: Fix crash when logging request end time for a failed
+ request. PR 54828 [Rainer Jung]
+
+ *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
+ with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
+ [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
+
+ *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
+ in the error log to debug level. [William Rowe]
+
+ *) mod_cache_disk: CacheMinFileSize and CacheMaxFileSize were always
+ using compiled in defaults of 1000000/1 respectively. [Eric Covener]
+
+ *) mod_lbmethod_heartbeat, mod_heartmonitor: Respect DefaultRuntimeDir/
+ DEFAULT_REL_RUNTIMEDIR for the heartbeat storage file. [Jeff Trawick]
+
+ *) mod_include: Use new ap_expr for 'elif', like 'if',
+ if legacy parser is not specified. PR 54548 [Tom Donovan]
+
+ *) mod_lua: Add some new functions: r:htpassword(), r:mkdir(), r:mkrdir(),
+ r:rmdir(), r:touch(), r:get_direntries(), r.date_parse_rfc().
+ [Guenter Knauf]
+
+ *) mod_lua: Add multipart form data handling. [Daniel Gruno]
+
+ *) mod_lua: If a LuaMapHandler doesn't return any value, log a warning
+ and treat it as apache2.OK. [Eric Covener]
+
+ *) mod_lua: Add bindings for apr_dbd/mod_dbd database access
+ [Daniel Gruno]
+
+ *) mod_lua: Add LuaInputFilter/LuaOutputFilter for creating content
+ filters in Lua [Daniel Gruno]
+
+ *) mod_lua: Allow scripts handled by the lua-script handler to return
+ a status code to the client (such as a 302 or a 500) [Daniel Gruno]
+
+ *) mod_lua: Decline handling 'lua-script' if the file doesn't exist,
+ rather than throwing an internal server error. [Daniel Gruno]
+
+ *) mod_lua: Add functions r:flush and r:sendfile as well as additional
+ request information to the request_rec structure. [Daniel Gruno]
+
+ *) mod_lua: Add a server scope for Lua states, which creates a pool of
+ states with manageable minimum and maximum size. [Daniel Gruno]
+
+ *) mod_lua: Add new directive, LuaMapHandler, for dynamically mapping
+ URIs to Lua scripts and functions using regular expressions.
+ [Daniel Gruno]
+
+ *) mod_lua: Add new directive LuaCodeCache for controlling in-memory
+ caching of lua scripts. [Daniel Gruno]
+
+Changes with Apache 2.4.4
+
+ *) SECURITY: CVE-2012-3499 (cve.mitre.org)
+ Various XSS flaws due to unescaped hostnames and URIs HTML output in
+ mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
+ [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
+
+ *) SECURITY: CVE-2012-4558 (cve.mitre.org)
+ XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
+ Niels Heinen <heinenn google com>]
+
+ *) mod_dir: Add support for the value 'disabled' in FallbackResource.
+ [Vincent Deffontaines]
+
+ *) mod_proxy_connect: Don't keepalive the connection to the client if the
+ backend closes the connection. PR 54474. [Pavel Mateja <pavel netsafe cz>]
+
+ *) mod_lua: Add bindings for mod_dbd/apr_dbd database access.
+ [Daniel Gruno]
+
+ *) mod_proxy: Allow for persistence of local changes made via the
+ balancer-manager between graceful/normal restarts and power
+ cycles. [Jim Jagielski]
+
+ *) mod_proxy: Fix startup crash with mis-defined balancers.
+ PR 52402. [Jim Jagielski]
+
+ *) --with-module: Fix failure to integrate them into some existing
+ module directories. PR 40097. [Jeff Trawick]
+
+ *) htcacheclean: Fix potential segfault if "-p" is omitted. [Joe Orton]
+
+ *) mod_proxy_http: Honour special value 0 (unlimited) of LimitRequestBody
+ PR 54435. [Pavel Mateja <pavel netsafe.cz>]
+
+ *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
+ [Rainer Jung]
+
+ *) htcacheclean: Fix list options "-a" and "-A".
+ [Rainer Jung]
+
+ *) mod_slotmem_shm: Fix mistaken reset of num_free for restored shm.
+ [Jim Jagielski]
+
+ *) mod_proxy: non-existence of byrequests is not an immediate error.
+ [Jim Jagielski]
+
+ *) mod_proxy_balancer: Improve output of balancer-manager (re: Drn,
+ Dis, Ign, Stby). PR 52478 [Danijel <dt-ng rbfh de>]
+
+ *) configure: Fix processing of --disable-FEATURE for various features.
+ [Jeff Trawick]
+
+ *) mod_dialup/mod_http: Prevent a crash in mod_dialup in case of internal
+ redirect. PR 52230.
+
+ *) various modules, rotatelogs: Replace use of apr_file_write() with
+ apr_file_write_full() to prevent incomplete writes. PR 53131.
+ [Nicolas Viennot <apache viennot biz>, Stefan Fritsch]
+
+ *) ab: Support socket timeout (-s timeout).
+ [Guido Serra <zeph fsfe org>]
+
+ *) httxt2dbm: Correct length computation for the 'value' stored in the
+ DBM file. PR 47650 [jon buckybox com]
+
+ *) core: Be more correct about rejecting directives that cannot work in <If>
+ sections. [Stefan Fritsch]
+
+ *) core: Fix directives like LogLevel that need to know if they are invoked
+ at virtual host context or in Directory/Files/Location/If sections to
+ work properly in If sections that are not in a Directory/Files/Location.
+ [Stefan Fritsch]
+
+ *) mod_xml2enc: Fix problems with charset conversion altering the
+ Content-Length. [Micha Lenk <micha lenk info>]
+
+ *) ap_expr: Add req_novary function that allows HTTP header lookups
+ without adding the name to the Vary header. [Stefan Fritsch]
+
+ *) mod_slotmem_*: Add in new fgrab() function which forces a grab and
+ slot allocation on a specified slot. Allow for clearing of inuse
+ array. [Jim Jagielski]
+
+ *) mod_proxy_ftp: Fix segfaults on IPv4 requests to hosts with DNS
+ AAAA records. PR 40841. [Andrew Rucker Jones <arjones simultan
+ dyndns org>, <ast domdv de>, Jim Jagielski]
+
+ *) mod_auth_form: Make sure that get_notes_auth() sets the user as does
+ get_form_auth() and get_session_auth(). Makes sure that REMOTE_USER
+ does not vanish during mod_include driven subrequests. [Graham
+ Leggett]
+
+ *) mod_cache_disk: Resolve errors while revalidating disk-cached files on
+ Windows ("...rename tempfile to datafile failed..."). PR 38827
+ [Eric Covener]
+
+ *) mod_proxy_balancer: Bring XML output up to date. [Jim Jagielski]
+
+ *) htpasswd, htdbm: Optionally read passwords from stdin, as more
+ secure alternative to -b. PR 40243. [Adomas Paltanavicius <adomas
+ paltanavicius gmail com>, Stefan Fritsch]
+
+ *) htpasswd, htdbm: Add support for bcrypt algorithm (requires
+ apr-util 1.5 or higher). PR 49288. [Stefan Fritsch]
+
+ *) htpasswd, htdbm: Put full 48bit of entropy into salt, improve
+ error handling. Add some of htpasswd's improvements to htdbm,
+ e.g. warn if password is truncated by crypt(). [Stefan Fritsch]
+
+ *) mod_auth_form: Support the expr parser in the
+ AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and
+ AuthFormLogoutLocation directives. [Graham Leggett]
+
+ *) mod_ssl: Add support for TLS-SRP (Secure Remote Password key exchange
+ for TLS, RFC 5054). PR 51075. [Quinn Slack <sqs cs stanford edu>,
+ Christophe Renou, Peter Sylvester]
+
+ *) mod_rewrite: Stop mergeing RewriteBase down to subdirectories
+ unless new option 'RewriteOptions MergeBase' is configured.
+ PR 53963. [Eric Covener]
+
+ *) mod_header: Allow for exposure of loadavg and server load using new
+ format specifiers %l, %i, %b [Jim Jagielski]
+
+ *) core: Make ap_regcomp() return AP_REG_ESPACE if out of memory. Make
+ ap_pregcomp() abort if out of memory. This raises the minimum PCRE
+ requirement to version 6.0. [Stefan Fritsch]
+
+ *) mod_proxy: Add ability to configure the sticky session separator.
+ PR 53893. [<inu inusasha de>, Jim Jagielski]
+
+ *) mod_dumpio: Correctly log large messages
+ PR 54179 [Marek Wianecki <mieszek2 interia pl>]
+
+ *) core: Don't fail at startup with AH00554 when Include points to
+ a directory without any wildcard character. [Eric Covener]
+
+ *) core: Fail startup if the argument to ServerTokens is unrecognized.
+ [Jackie Zhang <jackie.qq.zhang gmail.com>]
+
+ *) mod_log_forensic: Don't log a spurious "-" if a request has been rejected
+ before mod_log_forensic could attach its id to it. [Stefan Fritsch]
+
+ *) rotatelogs: Omit the second argument for the first invocation of
+ a post-rotate program when -p is used, per the documentation.
+ [Joe Orton]
+
+ *) mod_session_dbd: fix a segmentation fault in the function dbd_remove.
+ PR 53452. [<rebanerebane gmail com>, Reimo Rebane]
+
+ *) core: Functions to provide server load values: ap_get_sload() and
+ ap_get_loadavg(). [Jim Jagielski, Jan Kaluza <jkaluza redhat.com>,
+ Jeff Trawick]
+
+ *) mod_ldap: Fix regression in handling "server unavailable" errors on
+ Windows. PR 54140. [Eric Covener]
+
+ *) syslog logging: Remove stray ", referer" at the end of some messages.
+ [Jeff Trawick]
+
+ *) "Iterate" directives: Report an error if no arguments are provided.
+ [Jeff Trawick]
+
+ *) mod_ssl: Change default for SSLCompression to off, as compression
+ causes security issues in most setups. (The so called "CRIME" attack).
+ [Stefan Fritsch]
+
+ *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
+ to more accurately report the negotiated protocol. PR 53916.
+ [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
+
+ *) core: ErrorDocument now works for requests without a Host header.
+ PR 48357. [Jeff Trawick]
+
+ *) prefork: Avoid logging harmless errors during graceful stop.
+ [Joe Orton, Jeff Trawick]
+
+ *) mod_proxy: When concatting for PPR, avoid cases where we
+ concat ".../" and "/..." to create "...//..." [Jim Jagielski]
+
+ *) mod_cache: Wrong content type and character set when
+ mod_cache serves stale content because of a proxy error.
+ PR 53539. [Rainer Jung, Ruediger Pluem]
+
+ *) mod_proxy_ajp: Fix crash in packet dump code when logging
+ with LogLevel trace7 or trace8. PR 53730. [Rainer Jung]
+
+ *) httpd.conf: Removed the configuration directives setting a bad_DNT
+ environment introduced in 2.4.3. The actual directives are commented
+ out in the default conf file.
+
+ *) core: Apply length limit when logging Status header values.
+ [Jeff Trawick, Chris Darroch]
+
+ *) mod_proxy_balancer: The nonce is only derived from the UUID iff
+ not set via the 'nonce' balancer param. [Jim Jagielski]
+
+ *) mod_ssl: Match wildcard SSL certificate names in proxy mode.
+ PR 53006. [Joe Orton]
+
+ *) Windows: Fix output of -M, -L, and similar command-line options
+ which display information about the server configuration.
+ [Jeff Trawick]
+
+Changes with Apache 2.4.3
+
+ *) SECURITY: CVE-2012-3502 (cve.mitre.org)
+ mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
+ connection closing which could lead to privacy issues due
+ to a response mixup. PR 53727. [Rainer Jung]
+
+ *) SECURITY: CVE-2012-2687 (cve.mitre.org)
+ mod_negotiation: Escape filenames in variant list to prevent a
+ possible XSS for a site where untrusted users can upload files to
+ a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
+
+ *) mod_authnz_ldap: Don't try a potentially expensive nested groups
+ search before exhausting all AuthLDAPGroupAttribute checks on the
+ current group. PR 52464 [Eric Covener]
+
+ *) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
+ authorization provider in lua. [Stefan Fritsch]
+
+ *) core: Be less strict when checking whether Content-Type is set to
+ "application/x-www-form-urlencoded" when parsing POST data,
+ or we risk losing data with an appended charset. PR 53698
+ [Petter Berntsen <petterb gmail.com>]
+
+ *) httpd.conf: Added configuration directives to set a bad_DNT environment
+ variable based on User-Agent and to remove the DNT header field from
+ incoming requests when a match occurs. This currently has the effect of
+ removing DNT from requests by MSIE 10.0 because it deliberately violates
+ the current specification of DNT semantics for HTTP. [Roy T. Fielding]
+
+ *) mod_socache_shmcb: Fix bus error due to a misalignment
+ in some 32 bit builds, especially on Solaris Sparc.
+ PR 53040. [Rainer Jung]
+
+ *) mod_cache: Set content type in case we return stale content.
+ [Ruediger Pluem]
+
+ *) Windows: Fix SSL failures on windows with AcceptFilter https none.
+ PR 52476. [Jeff Trawick]
+
+ *) ab: Fix read failure when targeting SSL server. [Jeff Trawick]
+
+ *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
+ - mod_auth_digest: shared memory file
+ [Jeff Trawick]
+
+ *) htpasswd: Use correct file mode for checking if file is writable.
+ PR 45923. [Stefan Fritsch]
+
+ *) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T.
+ <mi apache aldan algebra com>]
+
+ *) mod_ssl: Add new directive SSLCompression to disable TLS-level
+ compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
+
+ *) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
+ client_ip to match conn_rec. [Stefan Fritsch]
+
+ *) mod_lua: Change prototype of vm_construct, to work around gcc bug which
+ causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>]
+
+ *) mpm_event: Don't count connections in lingering close state when
+ calculating how many additional connections may be accepted.
+ [Stefan Fritsch]
+
+ *) mod_ssl: If exiting during initialization because of a fatal error,
+ log a message to the main error log pointing to the appropriate
+ virtual host error log. [Stefan Fritsch]
+
+ *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
+ one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]
+
+ *) mod_proxy_balancer: Restore balancing after a failed worker has
+ recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick]
+
+ *) mod_setenvif: Compile some global regex only once during startup.
+ This should save some memory, especially with .htaccess.
+ [Stefan Fritsch]
+
+ *) core: Add the port number to the vhost's name in the scoreboard.
+ [Stefan Fritsch]
+
+ *) mod_proxy: Fix ProxyPassReverse for balancer configurations.
+ PR 45434. [Joe Orton]
+
+ *) mod_lua: Add the parsebody function for parsing POST data. PR 53064.
+ [Daniel Gruno]
+
+ *) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS.
+ [Stefan Fritsch]
+
+ *) mod_proxy: Fix memory leak or possible corruption in ProxyBlock
+ implementation. [Ruediger Pluem, Joe Orton]
+
+ *) mod_proxy: Check hostname from request URI against ProxyBlock list,
+ not forward proxy, if ProxyRemote* is configured. [Joe Orton]
+
+ *) mod_proxy_connect: Avoid DNS lookup on hostname from request URI
+ if ProxyRemote* is configured. PR 43697. [Joe Orton]
+
+ *) mpm_event, mpm_worker: Remain active amidst prevalent child process
+ resource shortages. [Jeff Trawick]
+
+ *) Add "strict" and "warnings" pragmas to Perl scripts. [Rich Bowen]
+
+ *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
+ - core: the scoreboard (ScoreBoardFile), pid file (PidFile), and
+ mutexes (Mutex)
+ [Jim Jagielski]
+
+ *) ab: Fix bind() errors. [Joe Orton]
+
+ *) mpm_event: Don't do a blocking write when starting a lingering close
+ from the listener thread. PR 52229. [Stefan Fritsch]
+
+ *) mod_so: If a filename without slashes is specified for LoadFile or
+ LoadModule and the file cannot be found in the server root directory,
+ try to use the standard dlopen() search path. [Stefan Fritsch]
+
+ *) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced
+ after child process resource shortages. [Jeff Trawick]
+
+ *) mpm_prefork: Reduce spawn rate after a child process exits due to
+ unexpected poll or accept failure. [Jeff Trawick]
+
+ *) core: Log value of Status header line in script responses rather
+ than the fixed header name. [Chris Darroch]
+
+ *) mod_ssl: Fix handling of empty response from OCSP server.
+ [Jim Meyering <meyering redhat.com>, Joe Orton]
+
+ *) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch]
+
+ *) mod_authz_core: If an expression in "Require expr" returns denied and
+ references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
+ [Stefan Fritsch]
+
+ *) core: Always log if LimitRequestFieldSize triggers. [Stefan Fritsch]
+
+ *) mod_deflate: Skip compression if compression is enabled at SSL level.
+ [Stefan Fritsch]
+
+ *) core: Add missing HTTP status codes registered with IANA.
+ [Julian Reschke <julian.reschke gmx.de>, Rainer Jung]
+
+ *) mod_ldap: Treat the "server unavailable" condition as a transient
+ error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]
+
+ *) core: Fix spurious "not allowed here" error returned when the Options
+ directive is used in .htaccess and "AllowOverride Options" (with no
+ specific options restricted) is configured. PR 53444. [Eric Covener]
+
+ *) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
+ PR 53048. [Stefan Fritsch]
+
+ *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
+ PR 53104. [Greg Ames]
+
+ *) mod_ext_filter: Fix error_log spam when input filters are configured.
+ [Joe Orton]
+
+ *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
+
+ *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
+ [Paul Wouters <pwouters redhat.com>, Joe Orton]
+
+ *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
+ the chosen listener is configured for https. [Joe Orton]
+
+ *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
+ forwarding to SSL backends. PR 53134.
+ [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
+
+ *) mod_info: Display all registered providers. [Stefan Fritsch]
+
+ *) mod_ssl: Send the error message for speaking http to an https port using
+ HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
+ using SNI. PR 50823. [Stefan Fritsch]
+
+ *) core: Fix segfault in logging if r->useragent_addr or c->client_addr is
+ unset. PR 53265. [Stefan Fritsch]
+
+ *) log_server_status: Bring Perl style forward to the present, use
+ standard modules, update for new format of server-status output.
+ PR 45424. [Richard Bowen, Dave Brondsema, and others]
+
+ *) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups.
+ [Joe Orton, André Malo]
+
+ *) core: Prevent "httpd -k restart" from killing server in presence of
+ config error. [Joe Orton]
+
+ *) mod_proxy_fcgi: If there is an error reading the headers from the
+ backend, send an error to the client. PR 52879. [Stefan Fritsch]
+
+Changes with Apache 2.4.2
+
+ *) SECURITY: CVE-2012-0883 (cve.mitre.org)
+ envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
+ current working directory to be searched for DSOs. [Stefan Fritsch]
+
+ *) mod_slotmem_shm: Honor DefaultRuntimeDir [Jim Jagielski]
+
+ *) mod_ssl: Fix crash with threaded MPMs due to race condition when
+ initializing EC temporary keys. [Stefan Fritsch]
+
+ *) mod_rewrite: Fix RewriteCond integer checks to be parsed correctly.
+ PR 53023. [Axel Reinhold <apache freakout.de>, André Malo]
+
+ *) mod_proxy: Add the forcerecovery balancer parameter that determines if
+ recovery for balancer workers is enforced. [Ruediger Pluem]
+
+ *) Fix MPM DSO load failure on AIX. [Jeff Trawick]
+
+ *) mod_proxy: Correctly set up reverse proxy worker. PR 52935.
+ [Petter Berntsen <petterb gmail.com>]
+
+ *) mod_sed: Don't define PATH_MAX to a potentially undefined value, causing
+ compile problems on GNU hurd. [Stefan Fritsch]
+
+ *) core: Add ap_runtime_dir_relative() and DefaultRuntimeDir.
+ [Jeff Trawick]
+
+ *) core: Fix breakage of Listen directives with MPMs that use a
+ per-directory config. PR 52904. [Stefan Fritsch]
+
+ *) core: Disallow directives in AllowOverrideList which are only allowed
+ in VirtualHost or server context. These are usually not prepared to be
+ called in .htaccess files. [Stefan Fritsch]
+
+ *) core: In AllowOverrideList, do not allow 'None' together with other
+ directives. PR 52823. [Stefan Fritsch]
+
+ *) mod_slotmem_shm: Support DEFAULT_REL_RUNTIMEDIR for file-based shm.
+ [Jim Jagielski]
+
+ *) core: Fix merging of AllowOverrideList and ContentDigest.
+ [Stefan Fritsch]
+
+ *) mod_request: Fix validation of the KeptBodySize argument so it
+ doesn't always throw a configuration error. PR 52981 [Eric Covener]
+
+ *) core: Add filesystem paths to access denied / access failed messages
+ AH00035 and AH00036. [Eric Covener]
+
+ *) mod_dumpio: Properly handle errors from subsequent input filters.
+ PR 52914. [Stefan Fritsch]
+
+ *) Unix MPMs: Fix small memory leak in parent process if connect()
+ failed when waking up children. [Joe Orton]
+
+ *) "DirectoryIndex disabled" now undoes DirectoryIndex settings in
+ the current configuration section, not just previous config sections.
+ PR 52845. [Eric Covener]
+
+ *) mod_xml2enc: Fix broken handling of EOS buckets which could lead to
+ response headers not being sent. PR 52766. [Stefan Fritsch]
+
+ *) mod_ssl: Properly free the GENERAL_NAMEs. PR 32652. [Kaspar Brand]
+
+ *) core: Check during config test that directories for the access
+ logs actually exist. PR 29941. [Stefan Fritsch]
+
+ *) mod_xml2enc, mod_proxy_html: Enable per-module loglevels.
+ [Stefan Fritsch]
+
+ *) mod_filter: Fix segfault with AddOutputFilterByType. PR 52755.
+ [Stefan Fritsch]
+
+ *) mod_session: Sessions are encoded as application/x-www-form-urlencoded
+ strings, however we do not handle the encoding of spaces properly.
+ Fixed. [Graham Leggett]
+
+ *) Configuration: Example in comment should use a path consistent
+ with the default configuration. PR 52715.
+ [Rich Bowen, Jens Schleusener, Rainer Jung]
+
+ *) Configuration: Switch documentation links from trunk to 2.4.
+ [Rainer Jung]
+
+ *) configure: Fix out of tree build using apr and apr-util in srclib.
+ [Rainer Jung]
+
+Changes with Apache 2.4.1
+
+ *) SECURITY: CVE-2012-0053 (cve.mitre.org)
+ Fix an issue in error responses that could expose "httpOnly" cookies
+ when no custom ErrorDocument is specified for status code 400.
+ [Eric Covener]
+
+ *) mod_proxy_balancer: Fix crash on Windows. PR 52402 [Mladen Turk]
+
+ *) core: Check during configtest that the directories for error logs exist.
+ PR 29941 [Stefan Fritsch]
+
+ *) Core configuration: add AllowOverride option to treat syntax
+ errors in .htaccess as non-fatal. PR 52439 [Nick Kew, Jim Jagielski]
+
+ *) core: Fix memory consumption in core output filter with streaming
+ bucket types like CGI or PIPE. [Joe Orton, Stefan Fritsch]
+
+ *) configure: Disable modules at configure time if a prerequisite module
+ is not enabled. PR 52487. [Stefan Fritsch]
+
+ *) Rewrite and proxy now decline what they don't support rather
+ than fail the request. [Joe Orton]
+
+ *) Fix building against external apr plus apr-util if apr is not installed
+ in a system default path. [Rainer Jung]
+
+ *) Doxygen fixes and improvements. [Joe Orton, Igor Galić]
+
+ *) core: Fix building against PCRE 8.30 by switching from the obsolete
+ pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]
+
+Changes with Apache 2.4.0
+
+ *) SECURITY: CVE-2012-0031 (cve.mitre.org)
+ Fix scoreboard issue which could allow an unprivileged child process
+ to cause the parent to crash at shutdown rather than terminate
+ cleanly. [Joe Orton]
+
+ *) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch]
+
+ *) SECURITY: CVE-2012-0021 (cve.mitre.org)
+ mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
+ string is in use and a client sends a nameless, valueless cookie, causing
+ a denial of service. The issue existed since version 2.2.17 and 2.3.3.
+ PR 52256. [Rainer Canavan <rainer-apache 7val com>]
+
+ *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
+ control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive.
+ [Kaspar Brand]
+
+ *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
+ or later, to improve binary compatibility with future OpenSSL releases.
+ [Kaspar Brand]
+
+ *) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass,
+ but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime
+ behave identically in both cases. PR52342. [Graham Leggett]
+
+ *) Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with
+ corresponding man pages. [Graham Leggett]
+
+ *) Distinguish properly between the bindir and sbindir directories when
+ installing binaries. Previously all binaries were silently installed to
+ sbindir, whether they were system administration commands or not.
+ [Graham Leggett]
+
+Changes with Apache 2.3.16
+
+ *) SECURITY: CVE-2011-4317 (cve.mitre.org)
+ Resolve additional cases of URL rewriting with ProxyPassMatch or
+ RewriteRule, where particular request-URIs could result in undesired
+ backend network exposure in some configurations.
+ [Joe Orton]
+
+ *) core: Limit line length in .htaccess to 8K like in 2.2.x, to avoid
+ additional DoS potential. [Stefan Fritsch]
+
+ *) core, all modules: Add unique tag to most error log messages. [Stefan
+ Fritsch]
+
+ *) mod_socache_memcache: Change provider name from "mc" to "memcache" to
+ match module name. [Stefan Fritsch]
+
+ *) mod_slotmem_shm: Change provider name from "shared" to "shm" to match
+ module name. [Stefan Fritsch]
+
+ *) mod_ldap: Fix segfault with Solaris LDAP when enabling ldaps. This
+ requires an apr-util fix in which is available in apr-util >= 1.4.0.
+ PR 42682. [Stefan Fritsch]
+
+ *) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible
+ for RewriteRules to be placed in .htaccess files that match the directory
+ with no trailing slash. PR 48304.
+ [Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>]
+
+ *) mod_session_crypto: Add a SessionCryptoPassphraseFile directive so that
+ the administrator can hide the keys from the configuration. [Graham
+ Leggett]
+
+ *) Introduce a per request version of the remote IP address, which can be
+ optionally modified by a module when the effective IP of the client
+ is not the same as the real IP of the client (such as a load balancer).
+ Introduce a per connection "peer_ip" and a per request "client_ip" to
+ distinguish between the raw IP address of the connection and the effective
+ IP address of the request. [Graham Leggett]
+
+ *) ap_pass_brigade_fchk() function added. [Jim Jagielski]
+
+ *) core: Pass ap_errorlog_info struct to error log hook. [Stefan Fritsch]
+
+ *) mod_cache_disk: Make sure we check return codes on all writes and
+ attempts to close, and clean up after ourselves in these cases.
+ PR43589. [Graham Leggett]
+
+ *) mod_cache_disk: Remove the unnecessary intermediate brigade while
+ writing to disk. Fixes a problem where mod_disk_cache was leaving
+ buckets in the intermediate brigade and not passing them to out on
+ exit. [Florian S. <f_los_ch yahoo.com>, Graham Leggett]
+
+ *) mod_ssl: use a shorter setting for SSLCipherSuite in the default
+ default configuration file, and add some more information about
+ configuring a speed-optimized alternative.
+ [Kaspar Brand]
+
+ *) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand]
+
+ *) mod_lua: Stop losing track of all but the most specific LuaHook* directives
+ when multiple per-directory config sections are used. Adds LuaInherit
+ directive to control how parent sections are merged. [Eric Covener]
+
+ *) Server directive display (-L): Include directives of DSOs.
+ [Jeff Trawick]
+
+ *) mod_cache: Make sure we merge headers correctly when we handle a
+ non cacheable conditional response. PR52120. [Graham Leggett]
+
+ *) Pre GA removal of components that will not be included:
+ - mod_noloris was superseded by mod_reqtimeout
+ - mod_serf
+ - mpm_simple
+ [Rainer Jung]
+
+ *) core: Set MaxMemFree 2048 by default. [Stefan Fritsch]
+
+ *) mpm_event: Fix assertion failure during very high load. [Stefan Fritsch]
+
+ *) configure: Additional modules loaded by default: mod_headers.
+ Modules moved from module set "few" to "most" and no longer loaded
+ by default: mod_actions, mod_allowmethods, mod_auth_form, mod_buffer,
+ mod_cgi(d), mod_include, mod_negotiation, mod_ratelimit, mod_request,
+ mod_userdir. [Rainer Jung]
+
+ *) mod_lua: Use the right lua scope when used as a hook. [Rainer Jung]
+
+ *) configure: Only load the really imporant modules (i.e. those enabled by
+ the 'few' selection) by default. Don't handle modules enabled with
+ --enable-foo specially. [Stefan Fritsch]
+
+ *) end-generation hook: Fix false notification of end-of-generation for
+ temporary intervals with no active MPM children. [Jeff Trawick]
+
+ *) mod_ssl: Add support for configuring persistent TLS session ticket
+ encryption/decryption keys (useful for clustered environments).
+ [Paul Querna, Kaspar Brand]
+
+ *) mod_usertrack: Use random value instead of remote IP address.
+ [Stefan Fritsch]
+
+Changes with Apache 2.3.15
+
+ *) SECURITY: CVE-2011-3348 (cve.mitre.org)
+ mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
+ recognized. [Jean-Frederic Clere]
+
+ *) SECURITY: CVE-2011-3192 (cve.mitre.org)
+ core: Fix handling of byte-range requests to use less memory, to avoid
+ denial of service. If the sum of all ranges in a request is larger than
+ the original file, ignore the ranges and send the complete file.
+ PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
+ <lowprio20 gmail.com>]
+
+ *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+ core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
+ with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]
+
+ *) SECURITY: CVE-2011-3368 (cve.mitre.org)
+ Reject requests where the request-URI does not match the HTTP
+ specification, preventing unexpected expansion of target URLs in
+ some reverse proxy configurations. [Joe Orton]
+
+ *) configure: Load all modules in the generated default configuration
+ when using --enable-load-all-modules. [Rainer Jung]
+
+ *) mod_reqtimeout: Change the default to set some reasonable timeout
+ values. [Stefan Fritsch]
+
+ *) core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove
+ the inode. PR 49623. [Stefan Fritsch]
+
+ *) mod_lua: Expose SSL variables via r:ssl_var_lookup(). [Eric Covener]
+
+ *) mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName}
+ can now additionally be run as "early" or "late" relative to other modules.
+ [Eric Covener]
+
+ *) configure: By default, only load those modules that are either required
+ or explicitly selected by a configure --enable-foo argument. The
+ LoadModule statements for modules enabled by --enable-mods-shared=most
+ and friends will be commented out. [Stefan Fritsch]
+
+ *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and
+ LuaHookQuickHandler) from being configured in <Directory>, <Files>,
+ and htaccess where the configuration would have been ignored.
+ [Eric Covener]
+
+ *) mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors
+ in LuaMapHandler scripts [Eric Covener]
+
+ *) mod_log_debug: Rename optional argument from if= to expr=, to be more
+ in line with other config directives. [Stefan Fritsch]
+
+ *) mod_headers: Require an expression to be specified with expr=, to be more
+ in line with other config directives. [Stefan Fritsch]
+
+ *) mod_substitute: To prevent overboarding memory usage, limit line length
+ to 1MB. [Stefan Fritsch]
+
+ *) mod_lua: Make the query string (r.args) writable. [Eric Covener]
+
+ *) mod_include: Add support for application/x-www-form-urlencoded encoding
+ and decoding. [Graham Leggett]
+
+ *) rotatelogs: Add -c option to force logfile creation in every rotation
+ interval, even if empty. [Jan Kaluža <jkaluza redhat.com>]
+
+ *) core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings.
+ [Stefan Fritsch]
+
+ *) mod_session_crypto: Refactor to support the new apr_crypto API.
+ [Graham Leggett]
+
+ *) http: Add missing Location header if local URL-path is used as
+ ErrorDocument for 30x. [Stefan Fritsch]
+
+ *) mod_buffer: Make sure we step down for subrequests, but not for internal
+ redirects triggered by mod_rewrite. [Graham Leggett]
+
+ *) mod_lua: add r:construct_url as a wrapper for ap_construct_url.
+ [Eric Covener]
+
+ *) mod_remote_ip: Fix configuration of internal proxies. PR 49272.
+ [Jim Riggs <jim riggs me>]
+
+ *) mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific
+ server IP endpoint and remote client IP upon connection. [William Rowe]
+
+ *) mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with
+ PeerExtList(). [Stefan Fritsch]
+
+ *) mpm_prefork, mpm_worker, mpm_event: If a child is created just before
+ graceful restart and then exits because of a missing lock file, don't
+ shutdown the whole server. PR 39311. [Shawn Michael
+ <smichael rightnow com>]
+
+ *) mpm_event: Check the return value from ap_run_create_connection.
+ PR 41194. [Davi Arnaut]
+
+ *) mod_mime_magic: Add signatures for PNG and SWF to the example config.
+ PR 48352. [Jeremy Wagner-Kaiser <jwagner-kaiser adknowledge com>]
+
+ *) core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items
+ from the parsed (or default) config. This is useful for init scripts that
+ need to setup temporary directories and permissions. [Stefan Fritsch]
+
+ *) core, mod_actions, mod_asis: Downgrade error log messages which accompany
+ a 404 request status from loglevel error to info. PR 35768. [Stefan
+ Fritsch]
+
+ *) core: Fix hook sorting with Perl modules. PR 45076. [Torsten Foertsch
+ <torsten foertsch gmx net>]
+
+ *) core: Enforce LimitRequestFieldSize after multiple headers with the same
+ name have been merged. [Stefan Fritsch]
+
+ *) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory
+ usage. PR 51618. [Cristian Rodríguez <crrodriguez opensuse org>,
+ Stefan Fritsch]
+
+ *) mod_ssl: At startup, when checking a server certificate whether it
+ matches the configured ServerName, also take dNSName entries in the
+ subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand]
+
+ *) mod_substitute: Reduce memory usage and copying of data. PR 50559.
+ [Stefan Fritsch]
+
+ *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
+ [Kaspar Brand]
+
+ *) Add wrappers for malloc, calloc, realloc that check for out of memory
+ situations and use them in many places. PR 51568, PR 51569, PR 51571.
+ [Stefan Fritsch]
+
+ *) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is
+ false but RLIMIT_* are defined. PR51371. [Eric Covener]
+
+ *) core: Correctly obey ServerName / ServerAlias if the Host header from the
+ request matches the VirtualHost address.
+ PR 51709. [Micha Lenk <micha lenk.info>]
+
+ *) mod_unique_id: Use random number generator to initialize counter.
+ PR 45110. [Stefan Fritsch]
+
+ *) core: Add convenience API for apr_random. [Stefan Fritsch]
+
+ *) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control
+ the number of overlapping and reversing ranges (respectively) permitted
+ before returning the entire resource, with a default limit of 20.
+ [Jim Jagielski]
+
+ *) mod_ldap: Optional function uldap_ssl_supported(r) always returned false
+ if called from a virtual host with mod_ldap directives in it. Did not
+ affect mod_authnz_ldap's usage of mod_ldap. [Eric Covener]
+
+ *) mod_filter: Instead of dropping the Accept-Ranges header when a filter
+ registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
+ set the header value to "none". [Eric Covener, Ruediger Pluem]
+
+ *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
+ in the case Ranges are being ignored with MaxRanges none.
+ [Eric Covener]
+
+ *) mod_ssl: revamp CRL-based revocation checking when validating
+ certificates of clients or proxied servers. Completely delegate
+ CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck
+ directive for controlling the revocation checking mode. [Kaspar Brand]
+
+ *) core: Add MaxRanges directive to control the number of ranges permitted
+ before returning the entire resource, with a default limit of 200.
+ [Eric Covener]
+
+ *) mod_cache: Ensure that CacheDisable can correctly appear within
+ a LocationMatch. [Graham Leggett]
+
+ *) mod_cache: Fix the moving of the CACHE filter, which erroneously
+ stood down if the original filter was not added by configuration.
+ [Graham Leggett]
+
+ *) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]
+
+ *) mod_authz_groupfile: Increase length limit of lines in the group file to
+ 16MB. PR 43084. [Stefan Fritsch]
+
+ *) core: Increase length limit of lines in the configuration file to 16MB.
+ PR 45888. PR 50824. [Stefan Fritsch]
+
+ *) core: Add API for resizable buffers. [Stefan Fritsch]
+
+ *) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have
+ LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such
+ as Tivoli Directory Server 6.3 and later. [Eric Covener]
+
+ *) mod_ldap: Change default number of retries from 10 to 3, and add
+ an LDAPRetries and LDAPRetryDelay directives. [Eric Covener]
+
+ *) mod_authnz_ldap: Don't retry during authentication, because this just
+ multiplies the ample retries already being done by mod_ldap. [Eric Covener]
+
+ *) configure: Allow to explicitly disable modules even with module selection
+ 'reallyall'. [Stefan Fritsch]
+
+ *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
+ RewriteEngine is disabled in server context, avoiding a crash while
+ referencing the invalid int: map at runtime. PR 50994.
+ [Ben Noordhuis <info noordhuis nl>]
+
+ *) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]
+
+ *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
+
+ *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
+ [Kaspar Brand]
+
+ *) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the
+ cookie is set when modules such as mod_rewrite trigger a redirect. Also
+ use r->err_headers_out for the cookie, for the same reason. PR29755.
+ [Sami J. Mäkinen <sjm almamedia fi>, Eric Covener]
+
+ *) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and
+ 'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch]
+
+ *) configure: Enable ldap modules in 'all' and 'most' selections if ldap
+ is compiled into apr-util. [Stefan Fritsch]
+
+ *) core: Add ap_check_cmd_context()-check if a command is executed in
+ .htaccess file. [Stefan Fritsch]
+
+ *) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.
+ [Torsten Foertsch <torsten foertsch gmx net>]
+
+ *) mod_authn_socache: Fix to work in .htaccess if not configured anywhere
+ in httpd.conf, and introduce an AuthnCacheEnable directive.
+ PR 51991 [Nick Kew]
+
+ *) mod_xml2enc: new (formerly third-party) module supporting
+ internationalisation for filters via smart charset sniffing
+ and conversion. [Nick Kew]
+
+ *) mod_proxy_html: new (formerly third-party) module to fix up
+ HTML links in a reverse proxy situation, where a backend
+ generates URLs that are not resolvable by Clients. [Nick Kew]
+
+Changes with Apache 2.3.14
+
+ *) mod_proxy_ajp: Improve trace logging. [Rainer Jung]
+
+ *) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets.
+ [Rainer Jung]
+
+ *) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse,
+ e.g. to reverse proxy "Location: https://other-internal-server/login"
+ [Nick Kew]
+
+ *) prefork, worker, event: Make sure crashes are logged to the error log if
+ httpd has already detached from the console. [Stefan Fritsch]
+
+ *) prefork, worker, event: Reduce period during startup/restart where a
+ successive signal may be lost. PR 43696. [Arun Bhalla <arun shme net>]
+
+ *) mod_allowmethods: Correct Merging of "reset" and do not allow an
+ empty parameter list for the AllowMethods directive. [Rainer Jung]
+
+ *) configure: Update selection of modules for 'all' and 'most'. 'all' will
+ now enable all modules except for example and test modules. Make the
+ selection for 'most' more useful (including ssl and proxy). Both 'all'
+ and 'most' will now disable modules if dependencies are missing instead
+ of aborting. If a specific module is requested with --enable-XXX=yes,
+ missing dependencies will still cause configure to exit with an error.
+ [Stefan Fritsch]
+
+ *) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done
+ in 2.3.13. [Stefan Fritsch]
+
+ *) core: For '*' or '_default_' vhosts, use a wildcard address of any
+ address family, rather than IPv4 only. [Joe Orton]
+
+ *) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable
+ include [ ] for literal IPv6 addresses, as mandated by RFC 3875.
+ PR 26005. [Stefan Fritsch]
+
+ *) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203.
+ [Nagae Hidetake <nagae eagan jp>]
+
+ *) core: Add more logging to ap_scan_script_header_err* functions. Add
+ ap_scan_script_header_err*_ex functions that take a module index for
+ logging.
+ mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the
+ new functions in order to make logging configurable per-module.
+ [Stefan Fritsch]
+
+ *) mod_dir: Add DirectoryIndexRedirect to send an external redirect to
+ the proper index. [Eric Covener]
+
+ *) mod_deflate: Don't try to compress requests with a zero sized body.
+ PR 51350. [Stefan Fritsch]
+
+ *) core: Fix startup on IPv6-only systems. PR 50592. [Joe Orton,
+ <root linkage white-void net>]
+
+ *) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX,
+ REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the
+ whitelist in suexec. PR 51499. [Graham Laverty <graham reg ca>,
+ Stefan Fritsch]
+
+ *) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch]
+
+ *) mod_log_debug: New module that allows to log custom messages at various
+ phases in the request processing. [Stefan Fritsch]
+
+ *) mod_ssl: Add some debug logging when loading server certificates.
+ PR 37912. [Nick Burch <nick burch alfresco com>]
+
+ *) configure: Support reallyall option also for --enable-mods-static.
+ [Rainer Jung]
+
+ *) mod_socache_dc: add --with-distcache to configure for choosing
+ the distcache installation directory. [Rainer Jung]
+
+ *) mod_socache_dc: use correct build variable MOD_SOCACHE_DC_LDADD
+ instead of MOD_SOCACHE_LDADD in build macro. [Rainer Jung]
+
+ *) mod_lua, mod_deflate: respect platform specific runpath linker
+ flag. [Rainer Jung]
+
+ *) configure: Only link the httpd binary against PCRE. No other support
+ binary needs PCRE. [Rainer Jung]
+
+ *) configure: tolerate dependency checking failures for modules if
+ they have been enabled implicitly. [Rainer Jung]
+
+ *) configure: Allow to specify module specific custom linker flags via
+ the MOD_XXX_LDADD variables. [Rainer Jung]
+
+Changes with Apache 2.3.13
+
+ *) ab: Support specifying the local address to use. PR 48930.
+ [Peter Schuller <scode spotify com>]
+
+ *) core: Add support to ErrorLogFormat for logging the system unique
+ thread id under Linux. [Stefan Fritsch]
+
+ *) event: New AsyncRequestWorkerFactor directive to influence how many
+ connections will be accepted per process. [Stefan Fritsch]
+
+ *) prefork, worker, event: Rename MaxClients to MaxRequestWorkers which
+ describes more accurately what it does. [Stefan Fritsch]
+
+ *) rotatelogs: Add -p argument to specify custom program to invoke
+ after a log rotation. PR 51285. [Sven Ulland <sveniu ifi.uio.no>,
+ Joe Orton]
+
+ *) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand]
+
+ *) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0.
+ PR 48215. [Kaspar Brand]
+
+ *) mod_status: Display information about asynchronous connections in the
+ server-status. PR 44377. [Stefan Fritsch]
+
+ *) mpm_event: If the number of connections of a process is very high, or if
+ all workers are busy, don't accept new connections in that process.
+ [Stefan Fritsch]
+
+ *) mpm_event: Process lingering close asynchronously instead of tying up
+ worker threads. [Jeff Trawick, Stefan Fritsch]
+
+ *) mpm_event: If MaxMemFree is set, limit the number of pools that is kept
+ around. [Stefan Fritsch]
+
+ *) mpm_event: Fix graceful restart aborting connections. PR 43359.
+ [Takashi Sato <takashi lans-tv com>]
+
+ *) mod_ssl: Disable AECDH ciphers in example config. PR 51363.
+ [Rob Stradling <rob comodo com>]
+
+ *) core: Introduce new function ap_get_conn_socket() to access the socket of
+ a connection. [Stefan Fritsch]
+
+ *) mod_data: Introduce a filter to support RFC2397 data URLs. [Graham
+ Leggett]
+
+ *) mod_userdir/mod_alias/mod_vhost_alias: Correctly set DOCUMENT_ROOT,
+ CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX. PR 26052. PR 46198.
+ [Stefan Fritsch]
+
+ *) core: Allow to override document_root on a per-request basis. Introduce
+ new context_document_root and context_prefix which provide information
+ about non-global URI-to-directory mappings (from e.g. mod_userdir or
+ mod_alias) to scripts. PR 49705. [Stefan Fritsch]
+
+ *) core: Add <ElseIf> and <Else> to complement <If> sections.
+ [Stefan Fritsch]
+
+ *) mod_ext_filter: Remove DebugLevel option in favor of per-module loglevel.
+ [Stefan Fritsch]
+
+ *) mod_include: Make the "#if expr" element use the new "ap_expr" expression
+ parser. The old parser can still be used by setting the new directive
+ SSILegacyExprParser. [Stefan Fritsch]
+
+ *) core: Add some features to ap_expr for use by mod_include: a restricted
+ mode that does not allow to bypass request access restrictions; new
+ variables DOCUMENT_URI (alias for REQUEST_URI), LAST_MODIFIED; -A as an
+ alias for -U; an additional data entry in ap_expr_eval_ctx_t for use by
+ the consumer; an extensible ap_expr_exec_ctx() API that allows to use that
+ data entry. [Stefan Fritsch]
+
+ *) mod_include: Merge directory configs instead of one SSI* config directive
+ causing all other per-directory SSI* config directives to be reset.
+ [Stefan Fritsch]
+
+ *) mod_charset_lite: Remove DebugLevel option in favour of per-module
+ loglevel. [Stefan Fritsch]
+
+ *) core: Add ap_regexec_len() function that works with non-null-terminated
+ strings. PR 51231. [Yehezkel Horowitz <horowity checkpoint com>]
+
+ *) mod_authnz_ldap: If the LDAP server returns constraint violation,
+ don't treat this as an error but as "auth denied". [Stefan Fritsch]
+
+ *) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO
+ for SCGI/FCGI. PR 50880, 50851. [Mark Montague <mark catseye.org>,
+ Jim Jagielski]
+
+ *) mod_cache: When content is served stale, and there is no means to
+ revalidate the content using ETag or Last-Modified, and we have
+ mandated no stale-on-error behaviour, stand down and don't cache.
+ Saves a cache write that will never be read.
+ [Graham Leggett]
+
+ *) mod_reqtimeout: Fix a timed out connection going into the keep-alive
+ state after a timeout when discarding a request body. PR 51103.
+ [Stefan Fritsch]
+
+ *) core: Add various file existence test operators to ap_expr.
+ [Stefan Fritsch]
+
+ *) mod_proxy_express: New mass reverse-proxy switch extension for
+ mod_proxy. [Jim Jagielski]
+
+ *) configure: Fix script error when configuring module set "reallyall".
+ [Rainer Jung]
+
+Changes with Apache 2.3.12
+
+ *) configure, core: Provide easier support for APR's hook probe
+ capability. [Jim Jagielski, Jeff Trawick]
+
+ *) Silence autoconf 2.68 warnings. [Rainer Jung]
+
+ *) mod_authnz_ldap: Resolve crash when LDAP is used for authorization only
+ [Scott Hill <shill genscape.com>]
+
+ *) support: Make sure check_forensic works with mod_unique_id loaded
+ [Joe Schaefer]
+
+ *) Add child_status hook for tracking creation/termination of MPM child
+ processes. Add end_generation hook for notification when the last
+ MPM child of a generation exits. [Jeff Trawick]
+
+ *) mod_ldap: Make LDAPSharedCacheSize 0 create a non-shared-memory cache per
+ process as opposed to disabling caching completely. This allows to use
+ the non-shared-memory cache as a workaround for the shared memory cache
+ not being available during graceful restarts. PR 48958. [Stefan Fritsch]
+
+ *) Add new ap_reserve_module_slots/ap_reserve_module_slots_directive API,
+ necessary if a module (like mod_perl) registers additional modules late
+ in the startup phase. [Stefan Fritsch]
+
+ *) core: Prevent segfault if DYNAMIC_MODULE_LIMIT is reached. PR 51072.
+ [Torsten Förtsch <torsten foertsch gmx net>]
+
+ *) WinNT MPM: Improve robustness under heavy load. [Jeff Trawick]
+
+ *) MinGW build improvements. PR 49535. [John Vandenberg
+ <jayvdb gmail.com>, Jeff Trawick]
+
+ *) core: Support module names with colons in loglevel configuration.
+ [Torsten Förtsch <torsten foertsch gmx net>]
+
+ *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
+ [Stefan Fritsch]
+
+ *) core: Abort if the MPM is changed across restart. [Jeff Trawick]
+
+ *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
+ [Peter Pramberger <peter pramberger.at>, Jim Jagielski]
+
+ *) mod_proxy_fcgi: Add support for 'ProxyErrorOverride on'. PR 50913.
+ [Mark Montague <mark catseye.org>, Jim Jagielski]
+
+ *) core: Change the APIs of ap_cfg_getline() and ap_cfg_getc() to return an
+ error code. Abort with a nice error message if a config line is too long.
+ Partial fix for PR 50824. [Stefan Fritsch]
+
+ *) mod_info: Dump config to stdout during startup if -DDUMP_CONFIG is
+ specified. PR 31956. [Stefan Fritsch]
+
+ *) Restore visibility of DEFAULT_PIDLOG to core and modules. MPM
+ helper function ap_remove_pid() added. [Jeff Trawick]
+
+ *) Enable DEFAULT_REL_RUNTIMEDIR on Windows and NetWare. [various]
+
+ *) Correct C++ incompatibility with http_log.h. [Stefan Fritsch, Jeff
+ Trawick]
+
+ *) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch
+ <torsten.foertsch gmx.net>]
+
+ *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
+ in request URL path info but not decode them. Change behavior of option
+ "On" to decode the encoded slashes as 2.0 and 2.2 do. PR 35256,
+ PR 46830. [Dan Poirier]
+
+ *) mod_ssl: Check SNI hostname against Host header case-insensitively.
+ PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>]
+
+ *) mod_ldap: Add LDAPConnectionPoolTTL to give control over lifetime
+ of bound backend LDAP connections. PR47634 [Eric Covener]
+
+ *) mod_cache: Make CacheEnable and CacheDisable configurable per
+ directory in addition to per server, making them work from within
+ a LocationMatch. [Graham Leggett]
+
+ *) worker, event, prefork: Correct several issues when built as
+ DSOs; most notably, the scoreboard was reinitialized during graceful
+ restart, such that processes of the previous generation were not
+ observable. [Jeff Trawick]
+
+Changes with Apache 2.3.11
+
+ *) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
+ Win32's cscript interpreter can only use a single quote as comment char.
+ [Guenter Knauf]
+
+ *) mod_proxy: balancer-manager now uses POST instead of GET.
+ [Jim Jagielski]
+
+ *) core: new util function: ap_parse_form_data(). Previously,
+ this capability was tucked away in mod_request. [Jim Jagielski]
+
+ *) core: new hook: ap_run_pre_read_request. [Jim Jagielski]
+
+ *) modules: Fix many modules that were not correctly initializing if they
+ were not active during server startup but got enabled later during a
+ graceful restart. [Stefan Fritsch]
+
+ *) core: Create new ap_state_query function that allows modules to determine
+ if the current configuration run is the initial one at server startup,
+ and if the server is started for testing/config dumping only.
+ [Stefan Fritsch]
+
+ *) mod_proxy: Runtime configuration of many parameters for existing
+ balancers via the balancer-manager. [Jim Jagielski]
+
+ *) mod_proxy: Runtime addition of new workers (BalancerMember) for existing
+ balancers via the balancer-manager. [Jim Jagielski]
+
+ *) mod_cache: When a bad Expires date is present, we need to behave as if
+ the Expires is in the past, not as if the Expires is missing. PR 16521.
+ [Co-Advisor <coad measurement-factory.com>]
+
+ *) mod_cache: We must ignore quoted-string values that appear in a
+ Cache-Control header. PR 50199. [Graham Leggett]
+
+ *) mod_dav: Revert change to send 501 error if unknown Content-* header is
+ received for a PUT request. PR 42978. [Stefan Fritsch]
+
+ *) mod_cache: Respect s-maxage as described by RFC2616 14.9.3, which must
+ take precedence if present. PR 35247. [Graham Leggett]
+
+ *) mod_ssl: Fix a possible startup failure if multiple SSL vhosts
+ are configured with the same ServerName and private key file.
+ [Masahiro Matsuya <mmatsuya redhat.com>, Joe Orton]
+
+ *) mod_socache_dc: Make module compile by fixing some typos.
+ PR 50735 [Mark Montague <mark catseye.org>]
+
+ *) prefork: Update MPM state in children during a graceful stop or
+ restart. PR 41743. [Andrew Punch <andrew.punch 247realmedia.com>]
+
+ *) mod_mime: Ignore leading dots when looking for mime extensions.
+ PR 50434 [Stefan Fritsch]
+
+ *) core: Add support to set variables with the 'Define' directive. The
+ variables that can then be used in the config using the ${VAR} syntax
+ known from envvar interpolation. [Stefan Fritsch]
+
+ *) mod_proxy_http: make adding of X-Forwarded-* headers configurable.
+ ProxyAddHeaders defaults to On. [Vincent Deffontaines]
+
+ *) mod_slotmem_shm: Increase memory alignment for slotmem data.
+ [Rainer Jung]
+
+ *) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout,
+ SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew.
+ [Kaspar Brand <httpd-dev.2011 velox.ch>]
+
+ *) mod_ssl: Revamp output buffering to reduce network overhead for
+ output fragmented into many buckets, such as chunked HTTP responses.
+ [Joe Orton]
+
+ *) core: Apply <If> sections to all requests, not only to file base requests.
+ Allow to use <If> inside <Directory>, <Location>, and <Files> sections.
+ The merging of <If> sections now happens after the merging of <Location>
+ sections, even if an <If> section is embedded inside a <Directory> or
+ <Files> section. [Stefan Fritsch]
+
+ *) mod_proxy: Refactor usage of shared data by dropping the scoreboard
+ and using slotmem. Create foundation for dynamic growth/changes of
+ members within a balancer. Remove BalancerNonce in favor of a
+ per-balancer 'nonce' parameter. [Jim Jagielski]
+
+ *) mod_status: Don't show slots which are disabled by MaxClients as open.
+ PR 47022 [Jordi Prats <jordi prats gmail com>, Stefan Fritsch]
+
+ *) mpm_prefork: Fix ap_mpm_query results for AP_MPMQ_MAX_DAEMONS and
+ AP_MPMQ_MAX_THREADS.
+
+ *) mod_authz_core: Fix bug in merging logic if user-based and non-user-based
+ authorization directives were mixed. [Stefan Fritsch]
+
+ *) mod_authn_socache: change directive name from AuthnCacheProvider
+ to AuthnCacheProvideFor. The term "provider" is overloaded in
+ this module, and we should avoid confusion between the provider
+ of a backend (AuthnCacheSOCache) and the authn provider(s) for
+ which this module provides cacheing (AuthnCacheProvideFor).
+ [Nick Kew]
+
+ *) mod_proxy_http: Allocate the fake backend request from a child pool
+ of the backend connection, instead of misusing the pool of the frontend
+ request. Fixes a thread safety issue where buckets set aside in the
+ backend connection leak into other threads, and then disappear when
+ the frontend request is cleaned up, in turn causing corrupted buckets
+ to make other threads spin. [Graham Leggett]
+
+ *) mod_ssl: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
+ to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
+ escape other special characters with backslashes. The old format can
+ still be used with the LegacyDNStringFormat argument to SSLOptions.
+
+ *) core, mod_rewrite: Make the REQUEST_SCHEME variable available to
+ scripts and mod_rewrite. [Stefan Fritsch]
+
+ *) mod_rewrite: Allow to use arbitrary boolean expressions (ap_expr) in
+ RewriteCond. [Stefan Fritsch]
+
+ *) mod_rewrite: Allow to unset environment variables using E=!VAR.
+ PR 49512. [Mark Drayton <mark markdrayton info>, Stefan Fritsch]
+
+ *) mod_headers: Restore the 2.3.8 and earlier default for the first
+ argument of the Header directive ("onsuccess"). [Eric Covener]
+
+ *) core: Disallow the mixing of relative and absolute Options PR 33708.
+ [Sönke Tesch <st kino-fahrplan.de>]
+
+ *) core: When exporting request headers to HTTP_* environment variables,
+ drop variables whose names contain invalid characters. Describe in the
+ docs how to restore the old behaviour. [Malte S. Stretz <mss apache org>]
+
+ *) core: When selecting an IP-based virtual host, favor an exact match for
+ the port over a wildcard (or omitted) port instead of favoring the one
+ that came first in the configuration file. [Eric Covener]
+
+ *) core: Overlapping virtual host address/port combinations now implicitly
+ enable name-based virtual hosting for that address. The NameVirtualHost
+ directive has no effect, and _default_ is interpreted the same as "*".
+ [Eric Covener]
+
+ *) core: In the absence of any Options directives, the default is now
+ "FollowSymlinks" instead of "All". [Igor Galić]
+
+ *) rotatelogs: Add -e option to write logs through to stdout for optional
+ further processing. [Graham Leggett]
+
+ *) mod_ssl: Correctly read full lines in input filter when the line is
+ incomplete during first read. PR 50481. [Ruediger Pluem]
+
+ *) mod_authz_core: Add AuthzSendForbiddenOnFailure directive to allow
+ sending '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if authorization
+ fails for an authenticated user. PR 40721. [Stefan Fritsch]
+
+Changes with Apache 2.3.10
+
+ *) mod_rewrite: Don't implicitly URL-escape the original query string
+ when no substitution has changed it. PR 50447. [Eric Covener]
+
+ *) core: Honor 'AcceptPathInfo OFF' during internal redirects,
+ such as per-directory mod_rewrite substitutions. PR 50349.
+ [Eric Covener]
+
+ *) mod_rewrite: Add 'RewriteOptions InheritBefore' to put the base
+ rules/conditions before the overridden rules/conditions. PR 39313.
+ [Jérôme Grandjanny <jerome.grandjanny cea.fr>]
+
+ *) mod_autoindex: add IndexIgnoreReset to reset the list of IndexIgnored
+ filenames in higher precedence configuration sections. PR 24243.
+ [Eric Covener]
+
+ *) mod_cgid: RLimit* directive support for mod_cgid. PR 42135
+ [Eric Covener]
+
+ *) core: Fail startup when the argument to ServerName looks like a glob
+ or a regular expression instead of a hostname (*?[]). PR 39863
+ [Rahul Nair <rahul.g.nair gmail.com>]
+
+ *) mod_userdir: Add merging of enable, disable, and filename arguments
+ to UserDir directive, leaving enable/disable of userlists unmerged.
+ PR 44076 [Eric Covener]
+
+ *) httpd: When no -k option is provided on the httpd command line, the server
+ was starting without checking for an existing pidfile. PR 50350
+ [Eric Covener]
+
+ *) mod_proxy: Put the worker in error state if the SSL handshake with the
+ backend fails. PR 50332.
+ [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
+
+ *) mod_cache_disk: Fix Windows build which was broken after renaming
+ the module. [Gregg L. Smith]
+
+Changes with Apache 2.3.9
+
+ *) SECURITY: CVE-2010-1623 (cve.mitre.org)
+ Fix a denial of service attack against mod_reqtimeout.
+ [Stefan Fritsch]
+
+ *) mod_headers: Change default first argument of Header directive
+ from "onsuccess" to "always". [Eric Covener]
+
+ *) mod_include: Add the onerror attribute to the include element,
+ allowing an URL to be specified to include on error. [Graham
+ Leggett]
+
+ *) mod_cache_disk: mod_disk_cache renamed to mod_cache_disk, to be
+ consistent with the naming of other modules. [Graham Leggett]
+
+ *) mod_setenvif: Add SetEnvIfExpr directive to set env var depending on
+ expression. [Stefan Fritsch]
+
+ *) mod_proxy: Fix ProxyPassInterpolateEnv directive. PR 50292.
+ [Stefan Fritsch]
+
+ *) suEXEC: Add Suexec directive to disable suEXEC without renaming the
+ binary (Suexec Off), or force startup failure if suEXEC is required
+ but not supported (Suexec On). Change SuexecUserGroup to fail
+ startup instead of just printing a warning if suEXEC is disabled.
+ [Jeff Trawick]
+
+ *) core: Add Error directive for aborting startup or htaccess processing
+ with a specified error message. [Jeff Trawick]
+
+ *) mod_rewrite: Fix the RewriteEngine directive to work within a
+ location. Previously, once RewriteEngine was switched on globally,
+ it was impossible to switch off. [Graham Leggett]
+
+ *) core, mod_include, mod_ssl: Move the expression parser derived from
+ mod_include back into mod_include. Replace ap_expr with a parser
+ derived from mod_ssl's parser. Make mod_ssl use the new parser. Rework
+ ap_expr's public interface and provide hooks for modules to add variables
+ and functions. [Stefan Fritsch]
+
+ *) core: Do the hook sorting earlier so that the hooks are properly sorted
+ for the pre_config hook and during parsing the config. [Stefan Fritsch]
+
+ *) core: In the absence of any AllowOverride directives, the default is now
+ "None" instead of "All". PR49823 [Eric Covener]
+
+ *) mod_proxy: Don't allow ProxyPass or ProxyPassReverse in
+ <Directory> or <Files>. PR47765 [Eric Covener]
+
+ *) prefork/worker/event MPMS: default value (when no directive is present)
+ of MaxConnectionsPerChild/MaxRequestsPerChild is changed to 0 from 10000
+ to match default configuration and manual. PR47782 [Eric Covener]
+
+ *) proxy_connect: Don't give up in the middle of a CONNECT tunnel
+ when the child process is starting to exit. PR50220. [Eric Covener]
+
+ *) mod_autoindex: Fix inheritance of mod_autoindex directives into
+ contexts that don't have any mod_autoindex directives. PR47766.
+ [Eric Covener]
+
+ *) mod_rewrite: Add END flag for RewriteRule to prevent further rounds
+ of rewrite processing when a per-directory substitution occurs.
+ [Eric Covener]
+
+ *) mod_ssl: Make sure to always log an error if loading of CA certificates
+ fails. PR 40312. [Paul Tiemann <issues apache org ourdetour com>]
+
+ *) mod_dav: Send 501 error if unknown Content-* header is received for a PUT
+ request (RFC 2616 9.6). PR 42978. [Stefan Fritsch]
+
+ *) mod_dav: Send 400 error if malformed Content-Range header is received for
+ a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]
+
+ *) mod_proxy: Release the backend connection as soon as EOS is detected,
+ so the backend isn't forced to wait for the client to eventually
+ acknowledge the data. [Graham Leggett]
+
+ *) mod_proxy: Optimise ProxyPass within a Location so that it is stored
+ per-directory, and chosen during the location walk. Make ProxyPass
+ work correctly from within a LocationMatch. [Graham Leggett]
+
+ *) core: Fix segfault if per-module LogLevel is on virtual host
+ scope. PR 50117. [Stefan Fritsch]
+
+ *) mod_proxy: Move the ProxyErrorOverride directive to have per
+ directory scope. [Graham Leggett]
+
+ *) mod_allowmethods: New module to deny certain HTTP methods without
+ interfering with authentication/authorization. [Paul Querna,
+ Igor Galić, Stefan Fritsch]
+
+ *) mod_ssl: Log certificate information and improve error message if client
+ cert verification fails. PR 50093, PR 50094. [Lassi Tuura <lat cern ch>,
+ Stefan Fritsch]
+
+ *) htcacheclean: Teach htcacheclean to limit cache size by number of
+ inodes in addition to size of files. Prevents a cache disk from
+ running out of space when many small files are cached.
+ [Graham Leggett]
+
+ *) core: Rename MaxRequestsPerChild to MaxConnectionsPerChild, which
+ describes more accurately what the directive does. The old name
+ still works but logs a warning. [Stefan Fritsch]
+
+ *) mod_cache: Optionally serve stale data when a revalidation returns a
+ 5xx response, controlled by the CacheStaleOnError directive.
+ [Graham Leggett]
+
+ *) htcacheclean: Allow the listing of valid URLs within the cache, with
+ the option to list entry metadata such as sizes and times. [Graham
+ Leggett]
+
+ *) mod_cache: correctly parse quoted strings in cache headers.
+ PR 50199 [Nick Kew]
+
+ *) mod_cache: Allow control over the base URL of reverse proxied requests
+ using the CacheKeyBaseURL directive, so that the cache key can be
+ calculated from the endpoint URL instead of the server URL. [Graham
+ Leggett]
+
+ *) mod_cache: CacheLastModifiedFactor, CacheStoreNoStore, CacheStorePrivate,
+ CacheStoreExpired, CacheIgnoreNoLastMod, CacheDefaultExpire,
+ CacheMinExpire and CacheMaxExpire can be set per directory/location.
+ [Graham Leggett]
+
+ *) mod_disk_cache: CacheMaxFileSize, CacheMinFileSize, CacheReadSize and
+ CacheReadTime can be set per directory/location. [Graham Leggett]
+
+ *) core: Speed up config parsing if using a very large number of config
+ files. PR 50002 [andrew cloudaccess net]
+
+ *) mod_cache: Support the caching of HEAD requests. [Graham Leggett]
+
+ *) htcacheclean: Allow the option to round up file sizes to a given
+ block size, improving the accuracy of disk usage. [Graham Leggett]
+
+ *) mod_ssl: Add authz providers for use with mod_authz_core and its
+ RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL),
+ 'ssl-verify-client' (for use with 'SSLVerifyClient optional'), and
+ 'ssl-require' (expressions with same syntax as SSLRequire).
+ [Stefan Fritsch]
+
+ *) mod_ssl: Make the ssl expression parser thread-safe. It now requires
+ bison instead of yacc. [Stefan Fritsch]
+
+ *) mod_disk_cache: Change on-disk header file format to support the
+ link of the device/inode of the data file to the matching header
+ file, and to support the option of not writing a data file when
+ the data file is empty. [Graham Leggett]
+
+ *) core/mod_unique_id: Add generate_log_id hook to allow to use
+ the ID generated by mod_unique_id as error log ID for requests.
+ [Stefan Fritsch]
+
+ *) mod_cache: Make sure that we never allow a 304 Not Modified response
+ that we asked for to leak to the client should the 304 response be
+ uncacheable. PR45341 [Graham Leggett]
+
+ *) mod_cache: Add the cache_status hook to register the final cache
+ decision hit/miss/revalidate. Add optional support for an X-Cache
+ and/or an X-Cache-Detail header to add the cache status to the
+ response. PR48241 [Graham Leggett]
+
+ *) mod_authz_host: Add 'local' provider that matches connections originating
+ on the local host. PR 19938. [Stefan Fritsch]
+
+ *) Event MPM: Fix crash accessing pollset on worker thread when child
+ process is exiting. [Jeff Trawick]
+
+ *) core: For process invocation (cgi, fcgid, piped loggers and so forth)
+ pass the system library path (LD_LIBRARY_PATH or platform-specific
+ variables) along with the system PATH, by default. Both should be
+ overridden together as desired using PassEnv etc; see mod_env.
+ [William Rowe]
+
+ *) mod_cache: Introduce CacheStoreExpired, to allow administrators to
+ capture a stale backend response, perform If-Modified-Since requests
+ against the backend, and serving from the cache all 304 responses.
+ This restores pre-2.2.4 cache behavior. [William Rowe]
+
+ *) mod_rewrite: Introduce <=, >= string comparison operators, and integer
+ comparators -lt, -le, -eq, -ge, and -gt. To help bash users and drop
+ the ambiguity of the symlink test "-ltest", introduce -h or -L as
+ symlink test operators. [William Rowe]
+
+ *) mod_cache: Give the cache provider the opportunity to choose to cache
+ or not cache based on the buckets present in the brigade, such as the
+ presence of a FILE bucket.
+ [Graham Leggett]
+
+ *) mod_authz_core: Allow authz providers to check args while reading the
+ config and allow to cache parsed args. Move 'all' and 'env' authz
+ providers from mod_authz_host to mod_authz_core. Add 'method' authz
+ provider depending on the HTTP method. [Stefan Fritsch]
+
+ *) mod_include: Move the request_rec within mod_include to be
+ exposed within include_ctx_t. [Graham Leggett]
+
+ *) mod_include: Reinstate support for UTF-8 character sets by allowing a
+ variable being echoed or set to be decoded and then encoded as separate
+ steps. PR47686 [Graham Leggett]
+
+ *) mod_cache: Add a discrete commit_entity() provider function within the
+ mod_cache provider interface which is called to indicate to the
+ provider that caching is complete, giving the provider the opportunity
+ to commit temporary files permanently to the cache in an atomic
+ fashion. Replace the inconsistent use of error cleanups with a formal
+ set of pool cleanups attached to a subpool, which is destroyed on error.
+ [Graham Leggett]
+
+ *) mod_cache: Change the signature of the store_body() provider function
+ within the mod_cache provider interface to support an "in" brigade
+ and an "out" brigade instead of just a single input brigade. This
+ gives a cache provider the option to consume only part of the brigade
+ passed to it, rather than the whole brigade as was required before.
+ This fixes an out of memory and a request timeout condition that would
+ occur when the original document was a large file. Introduce
+ CacheReadSize and CacheReadTime directives to mod_disk_cache to control
+ the amount of data to attempt to cache at a time. [Graham Leggett]
+
+ *) core: Add ErrorLogFormat to allow configuring error log format, including
+ additional information that is logged once per connection or request. Add
+ error log IDs for connections and request to allow correlating error log
+ lines and the corresponding access log entry. [Stefan Fritsch]
+
+ *) core: Disable sendfile by default. [Stefan Fritsch]
+
+ *) mod_cache: Check the request to determine whether we are allowed
+ to return cached content at all, and respect a "Cache-Control:
+ no-cache" header from a client. Previously, "no-cache" would
+ behave like "max-age=0". [Graham Leggett]
+
+ *) mod_cache: Use a proper filter context to hold filter data instead
+ of misusing the per-request configuration. Fixes a segfault on trunk
+ when the normal handler is used. [Graham Leggett]
+
+ *) mod_cgid: Log a warning if the ScriptSock path is truncated because
+ it is too long. PR 49388. [Stefan Fritsch]
+
+ *) vhosts: Do not allow _default_ in NameVirtualHost, or mixing *
+ and non-* ports on NameVirtualHost, or multiple NameVirtualHost
+ directives for the same address:port, or NameVirtualHost
+ directives with no matching VirtualHosts, or multiple ip-based
+ VirtualHost sections for the same address:port. These were
+ previously accepted with a warning, but the behavior was
+ undefined. [Dan Poirier]
+
+ *) mod_remoteip: Fix a segfault when using mod_remoteip in conjunction with
+ Allow/Deny. PR 49838. [Andrew Skalski <voltara gmail.com>]
+
+ *) core: DirectoryMatch can now match on the end of line character ($),
+ and sub-directories of matched directories are no longer implicitly
+ matched. PR49809 [Eric Covener]
+
+ *) Regexps: introduce new higher-level regexp utility including parsing
+ and executing perl-style regexp ops (e.g s/foo/bar/i) and regexp memory
+ [Nick Kew]
+
+ *) Proxy: support setting source address. PR 29404
+ [Multiple contributors iterating through bugzilla,
+ Aron Ujvari <xanco nikhok.hu>, Aleksey Midenkov <asm uezku.kemsu.ru>,
+ <dan listening-station.net; trunk version Nick Kew]
+
+ *) HTTP protocol: return 400 not 503 if we have to abort due to malformed
+ chunked encoding. [Nick Kew]
+
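Review bot: The attribution on the "Proxy: support setting source address. PR 29404" entry that closes the 2.3.9 section is malformed: `<dan listening-station.net; trunk version Nick Kew]` opens an angle bracket that is never closed and runs the address into the next credit with a semicolon. Every other entry in this section uses the `[Name <address>, Name]` form, so close the address as `<dan listening-station.net>` and set off the "trunk version Nick Kew" credit with a comma. Two entries above it, "Regexps: introduce new higher-level regexp utility ... and regexp memory" ends without a period before its `[Nick Kew]` credit, unlike the neighbouring entries.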
+Changes with Apache 2.3.8
+
+ *) suexec: Support large log files. PR 45856. [Stefan Fritsch]
+
+ *) core: Abort with sensible error message if no or more than one MPM is
+ loaded. [Stefan Fritsch]
+
+ *) mod_proxy: Rename erroronstatus to failonstatus.
+ [Daniel Ruggeri <DRuggeri primary.net>]
+
+ *) mod_dav_fs: Fix broken "creationdate" property.
+ Regression in version 2.3.7. [Rainer Jung]
+
+Changes with Apache 2.3.7
+
+ *) SECURITY: CVE-2010-1452 (cve.mitre.org)
+ mod_dav, mod_cache, mod_session: Fix Handling of requests without a path
+ segment. PR 49246 [Mark Drayton, Jeff Trawick]
+
+ *) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076.
+ [Stefan Fritsch]
+
+ *) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639.
+ [Stefan Fritsch]
+
+ *) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers
+ via leveraging 100-Continue as the initial "request".
+ [Jim Jagielski]
+
+ *) core/mod_authz_core: Introduce new access_checker_ex hook that enables
+ mod_authz_core to bypass authentication if access should be allowed by
+ IP address/env var/... [Stefan Fritsch]
+
+ *) core: Introduce note_auth_failure hook to allow modules to add support
+ for additional auth types. This makes ap_note_auth_failure() work with
+ mod_auth_digest again. PR 48807. [Stefan Fritsch]
+
+ *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]
+
+ *) mod_authn_socache: new module [Nick Kew]
+
+ *) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]
+
+ *) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]
+
+ *) mod_rewrite: Allow to set environment variables without explicitly
+ giving a value. [Rainer Jung]
+
+ *) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung]
+
+ *) mod_include: recognise "text/html; parameters" as text/html
+ PR 49616 [Andrey Chernov <ache nagual.pp.ru>]
+
+ *) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH
+ PR 43906 [Nick Kew]
+
+ *) Core: Extra robustness: don't try authz and segfault if authn
+ fails to set r->user. Log bug and return 500 instead.
+ PR 42995 [Nick Kew]
+
+ *) HTTP protocol filter: fix handling of longer chunk extensions
+ PR 49474 [<tee.bee gmx.de>]
+
+ *) Update SSL cipher suite and add example for SSLHonorCipherOrder.
+ [Lars Eilebrecht, Rainer Jung]
+
+ *) move AddOutputFilterByType from core to mod_filter. This should
+ fix nasty side-effects that happen when content_type is set
+ more than once in processing a request, and make it fully
+ compatible with dynamic and proxied contents. [Nick Kew]
+
+ *) mod_log_config: Implement logging for sub second timestamps and
+ request end time. [Rainer Jung]
+
+Changes with Apache 2.3.6
+
+ *) SECURITY: CVE-2009-3555 (cve.mitre.org)
+ mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
+ attack when compiled against OpenSSL version 0.9.8m or later. Introduces
+ the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
+ and offer unsafe legacy renegotiation with clients which do not yet
+ support the new secure renegotiation protocol, RFC 5746.
+ [Joe Orton, and with thanks to the OpenSSL Team]
+
+ *) SECURITY: CVE-2009-3555 (cve.mitre.org)
+ mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
+ by rejecting any client-initiated renegotiations. Forcibly disable
+ keepalive for the connection if there is any buffered data readable. Any
+ configuration which requires renegotiation for per-directory/location
+ access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
+ [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
+
+ *) SECURITY: CVE-2010-0408 (cve.mitre.org)
+ mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
+ when request headers indicate a request body is incoming; not a case of
+ HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]
+
+ *) SECURITY: CVE-2010-0425 (cve.mitre.org)
+ mod_isapi: Do not unload an isapi .dll module until the request
+ processing is completed, avoiding orphaned callback pointers.
+ [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
+
+ *) core: Filter init functions are now run strictly once per request
+ before handler invocation. The init functions are no longer run
+ for connection filters. PR 49328. [Joe Orton]
+
+ *) core: Adjust the output filter chain correctly in an internal
+ redirect from a subrequest, preserving filters from the main
+ request as necessary. PR 17629. [Joe Orton]
+
+ *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
+ Response if they so choose to do so. Previously an attempt to cache a 206
+ was arbitrarily allowed if the response contained an Expires or
+ Cache-Control header, and arbitrarily denied if both headers were missing.
+ [Graham Leggett]
+
+ *) core: Add microsecond timestamp fractions, process id and thread id
+ to the error log. [Rainer Jung]
+
+ *) configure: The "most" module set gets build by default. [Rainer Jung]
+
+ *) configure: Building dynamic modules (DSO) by default. [Rainer Jung]
+
+ *) configure: Fix broken VPATH build when using included APR.
+ [Rainer Jung]
+
+ *) mod_session_crypto: Fix configure problem when building
+ with APR 2 and for VPATH builds with included APR.
+ [Rainer Jung]
+
+ *) mod_session_crypto: API compatibility with APR 2 crypto and
+ APR Util 1.x crypto. [Rainer Jung]
+
+ *) ab: Fix memory leak with -v2 and SSL. PR 49383.
+ [Pavel Kankovsky <peak argo troja mff cuni cz>]
+
+ *) core: Add per-module and per-directory loglevel configuration.
+ Add some more trace logging.
+ mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels.
+ mod_ssl: Replace LogLevelDebugDump with trace log levels.
+ mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info
+ and debug.
+ mod_dumpio: Replace DumpIOLogLevel with trace log levels.
+ [Stefan Fritsch]
+
+ *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
+ title page only) when any mod_ldap directives were used in VirtualHost
+ context. [Eric Covener]
+
+ *) mod_disk_cache: Decline the opportunity to cache if the response is
+ a 206 Partial Content. This stops a reverse proxied partial response
+ from becoming cached, and then being served in subsequent responses.
+ [Graham Leggett]
+
+ *) mod_deflate: avoid the risk of forwarding data before headers are set.
+ PR 49369 [Matthew Steele <mdsteele google.com>]
+
+ *) mod_authnz_ldap: Ensure nested groups are checked when the
+ top-level group doesn't have any direct non-group members
+ of attributes in AuthLDAPGroupAttribute. [Eric Covener]
+
+ *) mod_authnz_ldap: Search or Comparison during authorization phase
+ can use the credentials from the authentication phase
+ (AuthLDAPSearchAsUSer,AuthLDAPCompareAsUser).
+ PR 48340 [Domenico Rotiroti, Eric Covener]
+
+ *) mod_authnz_ldap: Allow the initial DN search during authentication
+ to use the HTTP username/pass instead of an anonymous or hard-coded
+ LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).
+ [Eric Covener]
+
+ *) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix
+ when this module is used for authorization. See AuthLDAPAuthorizePrefix.
+ PR 45584 [Eric Covener]
+
+ *) apxs -q: Stop filtering out ':' characters from the reported values.
+ PR 45343. [Bill Cole]
+
+ *) prefork MPM: Work around possible crashes on child exit in APR reslist
+ cleanup code. PR 43857. [Tom Donovan]
+
+ *) ab: fix number of requests sent by ab when keepalive is enabled. PR 48497.
+ [Bryn Dole <dole blekko.com>]
+
+ *) Log an error for failures to read a chunk-size, and return 408 instead of
+ 413 when this is due to a read timeout. This change also fixes some cases
+ of two error documents being sent in the response for the same scenario.
+ [Eric Covener] PR49167
+
+ *) mod_proxy_balancer: Add new directive BalancerNonce to allow admin
+ to control/set the nonce used in the balancer-manager application.
+ [Jim Jagielski]
+
+ *) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673.
+ [Stefan Fritsch]
+
+ *) Proxy balancer: support setting error status according to HTTP response
+ code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]
+
+ *) htcacheclean: Introduce the ability to clean specific URLs from the
+ cache, if provided as an optional parameter on the command line.
+ [Graham Leggett]
+
+ *) core: Introduce the IncludeStrict directive, which explicitly fails
+ server startup if no files or directories match a wildcard path.
+ [Graham Leggett]
+
+ *) htcacheclean: Report additional statistics about entries deleted.
+ PR 48944. [Mark Drayton mark markdrayton.info]
+
+ *) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
+ builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
+ build of openssl is required for 'SSLFIPS on'. PR 46270.
+ [Dr Stephen Henson <steve openssl.org>, William Rowe]
+
+ *) mod_proxy_http: Log the port of the remote server in various messages.
+ PR 48812. [Igor Galić <i galic brainsware org>]
+
+ *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
+ connections and other protocol handlers (like mod_ftp). [Stefan Fritsch]
+
+ *) mod_proxy_ajp: Really regard the operation a success, when the client
+ aborted the connection. In addition adjust the log message if the client
+ aborted the connection. [Ruediger Pluem]
+
+ *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
+ allows insecure renegotiation with clients which do not yet
+ support the secure renegotiation protocol. [Joe Orton]
+
+ *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
+ is configured for client cert auth. PR 46952. [Joe Orton]
+
+ *) core: Only log a 408 if it is no keepalive timeout. PR 39785
+ [Ruediger Pluem, Mark Montague <markmont umich.edu>]
+
+ *) support/rotatelogs: Add -L option to create a link to the current
+ log file. PR 48761 [<lyndon orthanc.ca>, Dan Poirier]
+
+ *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
+ setting only, matching most of the documentation and examples.
+ PR 46541 [Paul Reder, Eric Covener]
+
+ *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument
+ types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener]
+
+ *) mod_negotiation: Preserve query string over multiviews negotiation.
+ This buglet was fixed for type maps in 2.2.6, but the same issue
+ affected multiviews and was overlooked.
+ PR 33112 [Joergen Thomsen <apache jth.net>]
+
+ *) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert
+ when some are not password-protected. [Eric Covener]
+
+ *) Fix startup segfault when the Mutex directive is used but no loaded
+ modules use httpd mutexes. PR 48787. [Jeff Trawick]
+
+ *) Proxy: get the headers right in a HEAD request with
+ ProxyErrorOverride, by checking for an overridden error
+ before not after going into a catch-all code path.
+ PR 41646. [Nick Kew, Stuart Children]
+
+ *) support/rotatelogs: Support the simplest log rotation case, log
+ truncation. Useful when the log is being processed in real time
+ using a command like tail. [Graham Leggett]
+
+ *) support/htcacheclean: Teach it how to write a pid file (modelled on
+ httpd's writing of a pid file) so that it becomes possible to run
+ more than one instance of htcacheclean on the same machine.
+ [Graham Leggett]
+
+ *) Log command line on startup, so there's a record of command line
+ arguments like -f. PR 48752. [Dan Poirier]
+
+ *) Introduce mod_reflector, a handler capable of reflecting POSTed
+ request bodies back within the response through the output filter
+ stack. Can be used to turn an output filter into a web service.
+ [Graham Leggett]
+
+ *) mod_proxy_http: Make sure that when an ErrorDocument is served
+ from a reverse proxied URL, that the subrequest respects the status
+ of the original request. This brings the behaviour of proxy_handler
+ in line with default_handler. PR 47106. [Graham Leggett]
+
+ *) Support wildcards in both the directory and file components of
+ the path specified by the Include directive. [Graham Leggett]
+
+ *) mod_proxy, mod_proxy_http: Support remote https proxies
+ by using HTTP CONNECT. PR 19188.
+ [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
+
+ *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
+ [Philip M. Gollucci]
+
+ *) worker: Don't report server has reached MaxClients until it has.
+ Add message when server gets within MinSpareThreads of MaxClients.
+ PR 46996. [Dan Poirier]
+
+ *) mod_session: Session expiry was being initialised, but not updated
+ on each session save, resulting in timed out sessions when there
+ should not have been. Fixed. [Graham Leggett]
+
+ *) mod_log_config: Add the R option to log the handler used within the
+ request. [Christian Folini <christian.folini netnea com>]
+
+ *) mod_include: Allow fine control over the removal of Last-Modified and
+ ETag headers within the INCLUDES filter, making it possible to cache
+ responses if desired. Fix the default value of the SSIAccessEnable
+ directive. [Graham Leggett]
+
+ *) Add new UnDefine directive to undefine a variable. PR 35350.
+ [Stefan Fritsch]
+
+ *) Make ap_pregsub(), used by AliasMatch and friends, use the same syntax
+ for regex backreferences as mod_rewrite and mod_include: Remove the use
+ of '&' as an alias for '$0' and allow to escape any character with a
+ backslash. PR 48351. [Stefan Fritsch]
+
+ *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
+ password to UTF-8. PR 45318.
+ [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
+
+ *) ab: Fix calculation of requests per second in HTML output. PR 48594.
+ [Stefan Fritsch]
+
+ *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
+ password now result in an informational level log entry instead of
+ warning level. [Eric Covener]
+
+Changes with Apache 2.3.5
+
+ *) SECURITY: CVE-2010-0434 (cve.mitre.org)
+ Ensure each subrequest has a shallow copy of headers_in so that the
+ parent request headers are not corrupted. Eliminates a problematic
+ optimization in the case of no request body. PR 48359
+ [Jake Scott, William Rowe, Ruediger Pluem]
+
+ *) Turn static function get_server_name_for_url() into public
+ ap_get_server_name_for_url() and use it where appropriate. This
+ fixes mod_rewrite generating invalid URLs for redirects to IPv6
+ literal addresses. [Stefan Fritsch]
+
+ *) mod_ldap: Introduce new config option LDAPTimeout to set the timeout
+ for LDAP operations like bind and search. [Stefan Fritsch]
+
+ *) mod_proxy, mod_proxy_ftp: Move ProxyFtpDirCharset from mod_proxy to
+ mod_proxy_ftp. [Takashi Sato]
+
+ *) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to
+ mod_proxy_connect. [Takashi Sato]
+
+ *) mod_cache: Do an exact match of the keys defined by
+ CacheIgnoreURLSessionIdentifiers against the querystring instead of
+ a partial match. PR 48401.
+ [Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem]
+
+ *) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung]
+
+ *) Core HTTP: disable keepalive when the Client has sent
+ Expect: 100-continue
+ but we respond directly with a non-100 response.
+ Keepalive here led to data from clients continuing being treated as
+ a new request.
+ PR 47087 [Nick Kew]
+
+ *) Core: reject NULLs in request line or request headers.
+ PR 43039 [Nick Kew]
+
+ *) Core: (re)-introduce -T commandline option to suppress documentroot
+ check at startup.
+ PR 41887 [Jan van den Berg <janvdberg gmail.com>]
+
+ *) mod_autoindex: support XHTML as equivalent to HTML in IndexOptions,
+ ScanHTMLTitles, ReadmeName, HeaderName
+ PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew]
+
+ *) Proxy: Fix ProxyPassReverse with relative URL
+ Derived (slightly erroneously) from PR 38864 [Nick Kew]
+
+ *) mod_headers: align Header Edit with Header Set when used on Content-Type
+ PR 48422 [Cyril Bonté <cyril.bonte free.fr>, Nick Kew>]
+
+ *) mod_headers: Enable multi-match-and-replace edit option
+ PR 46594 [Nick Kew]
+
+ *) mod_filter: enable it to act on non-200 responses.
+ PR 48377 [Nick Kew]
+
+Changes with Apache 2.3.4
+
+ *) Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex,
+ and WatchdogMutexPath with a single Mutex directive. Add APIs to
+ simplify setup and user customization of APR proc and global mutexes.
+ (See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
+ respected; set DEFAULT_REL_RUNTIMEDIR instead. [Jeff Trawick]
+
+ *) http_core: KeepAlive no longer accepts other than On|Off.
+ [Takashi Sato]
+
+ *) mod_dav: Remove errno from dav_error interface. Calls to dav_new_error()
+ and dav_new_error_tag() must be adjusted to add an apr_status_t parameter.
+ [Jeff Trawick]
+
+ *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
+ try other providers in the case of an LDAP bind failure.
+ PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]
+
+ *) Build: fix --with-module to work as documented
+ PR 43881 [Gez Saunders <gez.saunders virgin.net>]
+
+Changes with Apache 2.3.3
+
+ *) SECURITY: CVE-2009-3095 (cve.mitre.org)
+ mod_proxy_ftp: sanity check authn credentials.
+ [Stefan Fritsch <sf fritsch.de>, Joe Orton]
+
+ *) SECURITY: CVE-2009-3094 (cve.mitre.org)
+ mod_proxy_ftp: NULL pointer dereference on error paths.
+ [Stefan Fritsch <sf fritsch.de>, Joe Orton]
+
+ *) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
+ OpenSSL 1.0.0b3. [Vipul Gupta <vipul.gupta sun.com>, Sander Temme]
+
+ *) mod_dav: Include uri when logging a PUT error due to connection abort.
+ PR 38149. [Stefan Fritsch]
+
+ *) mod_dav: Return 409 instead of 500 for a LOCK request if the parent
+ resource does not exist or is not a collection. PR 43465. [Stefan Fritsch]
+
+ *) mod_dav_fs: Return 409 instead of 500 for Litmus test case copy_nodestcoll
+ (a COPY request where the parent of the destination resource does not
+ exist). PR 39299. [Stefan Fritsch]
+
+ *) mod_dav_fs: Don't delete the whole file if a PUT with content-range failed.
+ PR 42896. [Stefan Fritsch]
+
+ *) mod_dav_fs: Make PUT create files atomically and no longer destroy the
+ old file if the transfer aborted. PR 39815. [Paul Querna, Stefan Fritsch]
+
+ *) mod_dav_fs: Remove inode keyed locking as this conflicts with atomically
+ creating files. On systems with inode numbers, this is a format change of
+ the DavLockDB. The old DavLockDB must be deleted on upgrade.
+ [Stefan Fritsch]
+
+ *) mod_log_config: Make ${cookie}C correctly match whole cookie names
+ instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
+ Stefan Fritsch]
+
+ *) vhost: A purely-numeric Host: header should not be treated as a port.
+ PR 44979 [Nick Kew]
+
+ *) mod_ldap: Avoid 500 errors with "Unable to set LDAP_OPT_REFHOPLIMIT option to 5"
+ when built against openldap by using SDK LDAP_OPT_REFHOPLIMIT defaults unless
+ LDAPReferralHopLimit is explicitly configured.
+ [Eric Covener]
+
+ *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
+ [Eric Covener]
+
+ *) mod_ssl: Add support for OCSP Stapling. PR 43822.
+ [Dr Stephen Henson <shenson oss-institute.org>]
+
+ *) mod_socache_shmcb: Allow parens in file name if cache size is given.
+ Fixes SSLSessionCache directive mis-parsing parens in pathname.
+ PR 47945. [Stefan Fritsch]
+
+ *) htpasswd: Improve out of disk space handling. PR 30877. [Stefan Fritsch]
+
+ *) htpasswd: Use MD5 hash by default on all platforms. [Stefan Fritsch]
+
+ *) mod_sed: Reduce memory consumption when processing very long lines.
+ PR 48024 [Basant Kumar Kukreja <basant.kukreja sun.com>]
+
+ *) ab: Fix segfault in case the argument for -n is a very large number.
+ PR 47178. [Philipp Hagemeister <oss phihag.de>]
+
+ *) Allow ProxyPreserveHost to work in <Proxy> sections. PR 34901.
+ [Stefan Fritsch]
+
+ *) configure: Fix THREADED_MPMS so that mod_cgid is enabled again
+ for worker MPM. [Takashi Sato]
+
+ *) mod_dav: Provide a mechanism to obtain the request_rec and pathname
+ from the dav_resource. [Jari Urpalainen <jari.urpalainen nokia.com>,
+ Brian France <brian brianfrance.com>]
+
+ *) Build: Use install instead of cp if available on installing
+ modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com]
+
+ *) mod_cache: correctly consider s-maxage in cacheability
+ decisions. [Dan Poirier]
+
+ *) mod_logio/core: Report more accurate byte counts in mod_status if
+ mod_logio is loaded. PR 25656. [Stefan Fritsch]
+
+ *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
+ some cache entries and log a warning. Also increase the default
+ LDAPSharedCacheSize to 500000. This is a more realistic size suitable
+ for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
+ PR 46749. [Stefan Fritsch]
+
+ *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
+ the request is a CONNECT request. [Bill Zajac <billz consultla.com>]
+
+ *) mod_cache: Teach CacheEnable and CacheDisable to work from within a
+ Location section, in line with how ProxyPass works. [Graham Leggett]
+
+ *) mod_reqtimeout: New module to set timeouts and minimum data rates for
+ receiving requests from the client. [Stefan Fritsch]
+
+ *) core: Fix potential memory leaks by making sure to not destroy
+ bucket brigades that have been created by earlier filters.
+ [Stefan Fritsch]
+
+ *) core, mod_deflate, mod_sed: Reduce memory usage by reusing bucket
+ brigades in several places. [Stefan Fritsch]
+
+ *) mod_cache: Fix uri_meets_conditions() so that CacheEnable will
+ match by scheme, or by a wildcarded hostname. PR 40169
+ [Peter Grandi <pg_asf asf.for.sabi.co.uk>, Graham Leggett]
+
+ *) suxec: Allow to log an error if exec fails by setting FD_CLOEXEC
+ on the log file instead of closing it. PR 10744. [Nicolas Rachinsky]
+
+ *) mod_mime: Make RemoveType override the info from TypesConfig.
+ PR 38330. [Stefan Fritsch]
+
+ *) mod_cache: Introduce the option to run the cache from within the
+ normal request handler, and to allow fine grained control over
+ where in the filter chain content is cached. Adds CacheQuickHandler
+ directive. [Graham Leggett]
+
+ *) core: Treat timeout reading request as 408 error, not 400.
+ Log 408 errors in access log as was done in Apache 1.3.x.
+ PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>,
+ Stefan Fritsch <sf fritsch.de>, Dan Poirier]
+
+ *) mod_ssl: Reintroduce SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_SERVER_S_DN,
+ SSL_SERVER_I_DN back to the environment variables to be set by mod_ssl.
+ [Peter Sylvester <peter.sylvester edelweb.fr>]
+
+ *) mod_disk_cache: don't cache incomplete responses, per RFC 2616, 13.8.
+ PR15866. [Dan Poirier]
+
+ *) ab: ab segfaults in verbose mode on https sites
+ PR46393. [Ryan Niebur]
+
+ *) mod_dav: Allow other modules to become providers and add resource types
+ to the DAV response. [Jari Urpalainen <jari.urpalainen nokia.com>,
+ Brian France <brian brianfrance.com>]
+
+ *) mod_dav: Allow other modules to add things to the DAV or Allow headers
+ of an OPTIONS request. [Jari Urpalainen <jari.urpalainen nokia.com>,
+ Brian France <brian brianfrance.com>]
+
+ *) core: Lower memory usage of core output filter.
+ [Stefan Fritsch <sf sfritsch.de>]
+
+ *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
+ LocationMatch sections. PR47754. [Dan Poirier]
+
+ *) mod_request: Make sure the KeptBodySize directive rejects values
+ that aren't valid numbers. [Graham Leggett]
+
+ *) mod_session_crypto: Sanity check should the potentially encrypted
+ session cookie be too short. [Graham Leggett]
+
+ *) mod_session.c: Prevent a segfault when session is added but not
+ configured. [Graham Leggett]
+
+ *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]
+
+ *) mod_auth_digest: Fail server start when nonce count checking
+ is configured without shared memory, or md5-sess algorithm is
+ configured. [Dan Poirier]
+
+ *) mod_proxy_connect: The connect method doesn't work if the client is
+ connecting to the apache proxy through an ssl socket. Fixed.
+ PR29744. [Brad Boyer, Mark Cave-Ayland, Julian Gilbey, Fabrice Durand,
+ David Gence, Tim Dodge, Per Gunnar Hans, Emmanuel Elango,
+ Kevin Croft, Rudolf Cardinal]
+
+ *) mod_ssl: The error message when SSLCertificateFile is missing should
+ at least give the name or position of the problematic virtual host
+ definition. [Stefan Fritsch sf sfritsch.de]
+
+ *) mod_auth_digest: Fix null pointer when qop=none. [Dan Poirier]
+
+ *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
+
+ *) mod_headers: generalise the envclause to support expression
+ evaluation with ap_expr parser [Nick Kew]
+
+ *) mod_cache: Introduce the thundering herd lock, a mechanism to keep
+ the flood of requests at bay that strike a backend webserver as
+ a cached entity goes stale. [Graham Leggett]
+
+ *) mod_auth_digest: Fix usage of shared memory and re-enable it.
+ PR 16057 [Dan Poirier]
+
+ *) Preserve Port information over internal redirects
+ PR 35999 [Jonas Ringh <jonas.ringh cixit.se>]
+
+ *) Proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
+ rather than BAD_GATEWAY or (especially) NOT_FOUND.
+ PR 46971 [evanc nortel.com]
+
+ *) Various modules: Do better checking of pollset operations in order to
+ avoid segmentation faults if they fail. PR 46467
+ [Stefan Fritsch <sf sfritsch.de>]
+
+ *) mod_autoindex: Correctly create an empty cell if the description
+ for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]
+
+ *) ab: Fix broken error messages after resolver or connect() failures.
+ [Jeff Trawick]
+
+ *) SECURITY: CVE-2009-1890 (cve.mitre.org)
+ Fix a potential Denial-of-Service attack against mod_proxy in a
+ reverse proxy configuration, where a remote attacker can force a
+ proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
+
+ *) SECURITY: CVE-2009-1191 (cve.mitre.org)
+ mod_proxy_ajp: Avoid delivering content from a previous request which
+ failed to send a request body. PR 46949 [Ruediger Pluem]
+
+ *) htdbm: Fix possible buffer overflow if dbm database has very
+ long values. PR 30586 [Dan Poirier]
+
+ *) core: Return APR_EOF if request body is shorter than the length announced
+ by the client. PR 33098 [ Stefan Fritsch <sf sfritsch.de>]
+
+ *) mod_suexec: correctly set suexec_enabled when httpd is run by a
+ non-root user and may have insufficient permissions.
+ PR 42175 [Jim Radford <radford blackbean.org>]
+
+ *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
+ type. PR 45107. [Michael Ströder <michael stroeder.com>,
+ Peter Sylvester <peter.sylvester edelweb.fr>]
+
+ *) mod_proxy_http: fix case sensitivity checking transfer encoding
+ PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
+
+ *) mod_alias: ensure Redirect issues a valid URL.
+ PR 44020 [Håkon Stordahl <hakon stordahl.org>]
+
+ *) mod_dir: add FallbackResource directive, to enable admin to specify
+ an action to happen when a URL maps to no file, without resorting
+ to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew]
+
+ *) mod_cgid: Do not leak the listening Unix socket file descriptor to the
+ CGI process. PR 47335 [Kornél Pál <kornelpal gmail.com>]
+
+ *) mod_rewrite: Remove locking for writing to the rewritelog.
+ PR 46942 [Dan Poirier <poirier pobox.com>]
+
+ *) mod_alias: check sanity in Redirect arguments.
+ PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
+
+ *) mod_proxy_http: fix Host: header for literal IPv6 addresses.
+ PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
+
+ *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
+ defined session identifiers encoded in the URL when caching.
+ [Ruediger Pluem]
+
+ *) mod_rewrite: Fix the error string returned by RewriteRule.
+ RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
+ argument of RewriteRule was not started with "[" or not ended with "]".
+ PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
+
+ *) Windows: Fix usage message.
+ [Rainer Jung]
+
+ *) apachectl: When passing through arguments to httpd in
+ non-SysV mode, use the "$@" syntax to preserve arguments.
+ [Eric Covener]
+
+ *) mod_dbd: add DBDInitSQL directive to enable SQL statements to
+ be run when a connection is opened. PR 46827
+ [Marko Kevac <mkevac gmail.com>]
+
+ *) mod_cgid: Improve handling of long AF_UNIX socket names (ScriptSock).
+ PR 47037. [Jeff Trawick]
+
+ *) mod_proxy_ajp: Check more strictly that the backend follows the AJP
+ protocol. [Mladen Turk]
+
+ *) mod_proxy_ajp: Forward remote port information by default.
+ [Rainer Jung]
+
+ *) Allow MPMs to be loaded dynamically, as with most other modules. Use
+ --enable-mpms-shared={list|"all"} to enable. This required changes to
+ the MPM interfaces. Removed: mpm.h, mpm_default.h (as an installed
+ header), APACHE_MPM_DIR, MPM_NAME, ap_threads_per_child,
+ ap_max_daemons_limit, ap_my_generation, etc. ap_mpm_query() can't be
+ called until after the register-hooks phase. [Jeff Trawick]
+
+ *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
+ to enable stricter checking of remote server certificates.
+ [Ruediger Pluem]
+
+ *) ab: Fix a 100% CPU loop on platforms where a failed non-blocking connect
+ returns EINPROGRESS and a subsequent poll() returns only POLLERR.
+ Observed on HP-UX. [Eric Covener]
+
+ *) Remove broken support for BeOS, TPF, and even older platforms such
+ as A/UX, Next, and Tandem. [Jeff Trawick]
+
+ *) mod_proxy_ftp: Add ProxyFtpListOnWildcard directive to allow files with
+ globbing characters to be retrieved instead of converted into a
+ directory listing. PR 46789 [Dan Poirier <poirier pobox.com>]
+
+ *) Provide ap_retained_data_create()/ap_retained_data_get() for preservation
+ of module state across unload/load. [Jeff Trawick]
+
+ *) mod_substitute: Fix a memory leak. PR 44948
+ [Dan Poirier <poirier pobox.com>]
+
+Changes with Apache 2.3.2
+
+ *) mod_mime_magic: Fix detection of compressed content. [Rainer Jung]
+
+ *) mod_negotiation: Escape paths of filenames in 406 responses to avoid
+ HTML injections and HTTP response splitting. PR 46837.
+ [Geoff Keating <geoffk apple.com>]
+
+ *) mod_ssl: add support for type-safe STACK constructs in OpenSSL
+ development HEAD. PR 45521. [Kaspar Brand, Sander Temme]
+
+ *) ab: Fix maintenance of the pollset to resolve EALREADY errors
+ with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris).
+ PR 44584. Use APR_POLLSET_NOCOPY for better performance with some
+ pollset implementations. [Jeff Trawick]
+
+ *) mod_disk_cache: The module now turns off sendfile support if
+ 'EnableSendfile off' is defined globally. [Lars Eilebrecht]
+
+ *) mod_deflate: Adjust content metadata before bailing out on 304
+ responses so that the metadata does not differ from 200 response.
+ [Roy T. Fielding]
+
+ *) mod_deflate: Fix creation of invalid Etag headers. We now make sure
+ that the Etag value is properly quoted when adding the gzip marker.
+ PR 39727, 45023. [Lars Eilebrecht, Roy T. Fielding]
+
+ *) Added 20x22 icons for ODF, SVG, and XML documents. PR 37185.
+ [Peter Harlow]
+
+ *) Disabled DefaultType directive and removed ap_default_type()
+ from core. We now exclude Content-Type from responses for which
+ a media type has not been configured via mime.types, AddType,
+ ForceType, or some other mechanism. PR 13986. [Roy T. Fielding]
+
+ *) mod_rewrite: Add IPV6 variable to RewriteCond
+ [Ryan Phillips <ryan-apache trolocsis.com>]
+
+ *) core: Enhance KeepAliveTimeout to support a value in milliseconds.
+ PR 46275. [Takashi Sato]
+
+ *) rotatelogs: Allow size units B, K, M, G and combination of
+ time and size based rotation. [Rainer Jung]
+
+ *) rotatelogs: Add flag for verbose (debug) output. [Rainer Jung]
+
+ *) mod_ssl: Fix merging of SSLRenegBufferSize directive. PR 46508
+ [<tlhackque yahoo.com>]
+
+ *) core: Translate the the status line to ASCII on EBCDIC platforms in
+ ap_send_interim_response() and for locally generated "100 Continue"
+ responses. [Eric Covener]
+
+ *) prefork: Fix child process hang during graceful restart/stop in
+ configurations with multiple listening sockets. PR 42829. [Joe Orton,
+ Jeff Trawick]
+
+ *) mod_session_crypto: Ensure that SessionCryptoDriver can only be
+ set in the global scope. [Graham Leggett]
+
+ *) mod_ext_filter: We need to detect failure to startup the filter
+ program (a mangled response is not acceptable). Fix to detect
+ failure, and offer configuration option either to abort or
+ to remove the filter and continue.
+ PR 41120 [Nick Kew]
+
+ *) mod_session_crypto: Rewrite the session_crypto module against the
+ apr_crypto API. [Graham Leggett]
+
+ *) mod_auth_form: Fix a pool lifetime issue, don't remove the subrequest
+ until the main request is cleaned up. [Graham Leggett]
+
+Changes with Apache 2.3.1
+
+ *) ap_slotmem: Add in new slot-based memory access API impl., including
+ 2 providers (mod_sharedmem and mod_plainmem) [Jim Jagielski,
+ Jean-Frederic Clere, Brian Akins <brian.akins turner.com>]
+
+ *) mod_include: support generating non-ASCII characters as entities in SSI
+ PR 25202 [Nick Kew]
+
+ *) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
+ PR 25202 [Nick Kew]
+
+ *) mod_rewrite: fix "B" flag breakage by reverting r5589343
+ PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]
+
+ *) CGI: return 504 (Gateway timeout) rather than 500 when a script
+ times out before returning status line/headers.
+ PR 42190 [Nick Kew]
+
+ *) mod_cgid: fix segfault problem on solaris.
+ PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>]
+
+ *) mod_proxy_scgi: Added. [André Malo]
+
+ *) mod_cache: Introduce 'no-cache' per-request environment variable
+ to prevent the saving of an otherwise cacheable response.
+ [Eric Covener]
+
+ *) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
+ way that per-directory rewrites append the previous notion of PATH_INFO
+ to each substitution before evaluating subsequent rules.
+ PR 38642 [Eric Covener]
+
+ *) mod_cgid: Do not add an empty argument when calling the CGI script.
+ PR 46380 [Ruediger Pluem]
+
+ *) scoreboard: Remove unused sb_type from process_score.
+ [Torsten Foertsch <torsten.foertsch gmx.net>, Chris Darroch]
+
+ *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the
+ size of the buffer used for the request-body where necessary
+ during a per-dir renegotiation. PR 39243. [Joe Orton]
+
+ *) mod_proxy_fdpass: New module to pass a client connection over to a separate
+ process that is reading from a unix daemon socket.
+
+ *) mod_ssl: Improve environment variable extraction to be more
+ efficient and to correctly handle DNs with duplicate tags.
+ PR 45975. [Joe Orton]
+
+ *) Remove the obsolete serial attribute from the RPM spec file. Compile
+ against the external pcre. Add missing binaries fcgistarter, and
+ mod_socache* and mod_session*. [Graham Leggett]
+
+Changes with Apache 2.3.0
+
+ *) mod_ratelimit: New module to do bandwidth rate limiting. [Paul Querna]
+
+ *) Remove X-Pad header which was added as a work around to a bug in
+ Netscape 2.x to 4.0b2. [Takashi Sato <takashi lans-tv.com>]
+
+ *) Add DTrace Statically Defined Tracing (SDT) probes.
+ [Theo Schlossnagle <jesus omniti.com>, Paul Querna]
+
+ *) mod_proxy_balancer: Move all load balancing implementations
+ as individual, self-contained mod_proxy submodules under
+ modules/proxy/balancers [Jim Jagielski]
+
+ *) Rename APIs to include ap_ prefix:
+ find_child_by_pid -> ap_find_child_by_pid
+ suck_in_APR -> ap_suck_in_APR
+ sys_privileges_handlers -> ap_sys_privileges_handlers
+ unixd_accept -> ap_unixd_accept
+ unixd_config -> ap_unixd_config
+ unixd_killpg -> ap_unixd_killpg
+ unixd_set_global_mutex_perms -> ap_unixd_set_global_mutex_perms
+ unixd_set_proc_mutex_perms -> ap_unixd_set_proc_mutex_perms
+ unixd_set_rlimit -> ap_unixd_set_rlimit
+ [Paul Querna]
+
+ *) mod_lbmethod_heartbeat: New module to load balance mod_proxy workers
+ based on heartbeats. [Paul Querna]
+
+ *) mod_heartmonitor: New module to collect heartbeats, and write out a file
+ so that other modules can load balance traffic as needed. [Paul Querna]
+
+ *) mod_heartbeat: New module to generate multicast heartbeats to know if a
+ server is online. [Paul Querna]
+
+ *) mod_buffer: Honour the flush bucket and flush the buffer in the
+ input filter. Make sure that metadata buckets are written to
+ the buffer, not to the final brigade. [Graham Leggett]
+
+ *) mod_buffer: Optimise the buffering of heap buckets when the heap
+ buckets stay exactly APR_BUCKET_BUFF_SIZE long. [Graham Leggett,
+ Ruediger Pluem]
+
+ *) mod_buffer: Optional support for buffering of the input and output
+ filter stacks. Can collapse many small buckets into fewer larger
+ buckets, and prevents excessively small chunks being sent over
+ the wire. [Graham Leggett]
+
+ *) mod_privileges: new module to make httpd on Solaris privileges-aware
+ and to enable different virtualhosts to run with different
+ privileges and Unix user/group IDs [Nick Kew]
+
+ *) mod_mem_cache: this module has been removed. [William Rowe]
+
+ *) authn/z: Remove mod_authn_default and mod_authz_default.
+ [Chris Darroch]
+
+ *) authz: Fix handling of authz configurations, make default authz
+ logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject,
+ and AuthzMergeRules directives with Match, <Match*>, and AuthzMerge
+ directives. [Chris Darroch]
+
+ *) mod_authn_core: Prevent crash when provider alias created to
+ provider which is not yet registered. [Chris Darroch]
+
+ *) mod_authn_core: Add AuthType of None to support disabling
+ authentication. [Chris Darroch]
+
+ *) core: Allow <Limit> and <LimitExcept> directives to nest, and
+ constrain their use to conform with that of other access control
+ and authorization directives. [Chris Darroch]
+
+ *) unixd: turn existing code into a module, and turn the set user/group
+ and chroot into a child_init function. [Nick Kew]
+
+ *) mod_dir: Support "DirectoryIndex disabled"
+ Suggested By André Warnier <aw ice-sa.com> [Eric Covener]
+
+ *) mod_ssl: Send Content-Type application/ocsp-request for POST requests to
+ OSCP responders. PR 46014 [Dr Stephen Henson <steve openssl.org>]
+
+ *) mod_authnz_ldap: don't return NULL-valued environment variables to
+ other modules. PR 39045 [Francois Pesce <francois.pesce gmail.com>]
+
+ *) Don't adjust case in pathname components that are not of interest
+ to mod_mime. Fixes mod_negotiation's use of such components.
+ PR 43250 [Basant Kumar Kukreja <basant.kukreja sun.com>]
+
+ *) Be tolerant in what you accept - accept slightly broken
+ status lines from a backend provided they include a valid status code.
+ PR 44995 [Rainer Jung <rainer.jung kippdata.de>]
+
+ *) New module mod_sed: filter Request/Response bodies through sed
+ [Basant Kumar Kukreja <basant.kukreja sun.com>]
+
+ *) mod_auth_form: Make sure that basic authentication is correctly
+ faked directly after login. [Graham Leggett]
+
+ *) mod_session_cookie, mod_session_dbd: Make sure cookies are set both
+ within the output headers and error output headers, so that the
+ session is maintained across redirects. [Graham Leggett]
+
+ *) mod_auth_form: Make sure the logged in user is populated correctly
+ after a form login. Fixes a missing REMOTE_USER variable directly
+ following a login. [Graham Leggett]
+
+ *) mod_session_cookie: Make sure that cookie attributes are correctly
+ included in the blank cookie when cookies are removed. This fixes an
+ inability to log out when using mod_auth_form. [Graham Leggett]
+
+ *) mod_session: Prevent a segfault when a CGI script sets a cookie with a
+ null value. [David Shane Holden <dpejesh apache.org>]
+
+ *) core, authn/z: Determine registered authn/z providers directly in
+ ap_setup_auth_internal(), which allows optional functions that just
+ wrapped ap_list_provider_names() to be removed from authn/z modules.
+ [Chris Darroch]
+
+ *) authn/z: Convert common provider version strings to macros.
+ [Chris Darroch]
+
+ *) core: When testing for slash-terminated configuration paths in
+ ap_location_walk(), don't look past the start of an empty string
+ such as that created by a <Location ""> directive.
+ [Chris Darroch]
+
+ *) core, mod_proxy: If a kept_body is present, it becomes safe for
+ subrequests to support message bodies. Make sure that safety
+ checks within the core and within the proxy are not triggered
+ when kept_body is present. This makes it possible to embed
+ proxied POST requests within mod_include. [Graham Leggett]
+
+ *) mod_auth_form: Make sure the input filter stack is properly set
+ up before reading the login form. Make sure the kept body filter
+ is correctly inserted to ensure the body can be read a second
+ time safely should the authn be successful. [Graham Leggett,
+ Ruediger Pluem]
+
+ *) mod_request: Insert the KEPT_BODY filter via the insert_filter
+ hook instead of during fixups. Add a safety check to ensure the
+ filters cannot be inserted more than once. [Graham Leggett,
+ Ruediger Pluem]
+
+ *) ap_cache_cacheable_headers_out() will (now) always
+ merge an error headers _before_ clearing them and _before_
+ merging in the actual entity headers and doing normal
+ hop-by-hop cleansing. [Dirk-Willem van Gulik].
+
+ *) cache: retire ap_cache_cacheable_hdrs_out() which was used
+ for both in- and out-put headers; and replace it by a single
+ ap_cache_cacheable_headers() wrapped in a in- and out-put
+ specific ap_cache_cacheable_headers_in()/out(). The latter
+ which will also merge error and ensure content-type. To keep
+ cache modules consistent with ease. This API change bumps
+ up the minor MM by one [Dirk-Willem van Gulik].
+
+ *) Move the KeptBodySize directive, kept_body filters and the
+ ap_parse_request_body function out of the http module and into a
+ new module called mod_request, reducing the size of the core.
+ [Graham Leggett]
+
+ *) mod_dbd: Handle integer configuration directive parameters with a
+ dedicated function.
+
+ *) Change the directives within the mod_session* modules to be valid
+ both inside and outside the location/directory sections, as
+ suggested by wrowe. [Graham Leggett]
+
+ *) mod_auth_form: Add a module capable of allowing end users to log
+ in using an HTML form, storing the credentials within mod_session.
+ [Graham Leggett]
+
+ *) Add a function to the http filters that is able to parse an HTML
+ form request with the type of application/x-www-form-urlencoded.
+ [Graham Leggett]
+
+ *) mod_session_crypto: Initialise SSL in the post config hook.
+ [Ruediger Pluem, Graham Leggett]
+
+ *) mod_session_dbd: Add a session implementation capable of storing
+ session information in a SQL database via the dbd interface. Useful
+ for sites where session privacy is important. [Graham Leggett]
+
+ *) mod_session_crypto: Add a session encoding implementation capable
+ of encrypting and decrypting sessions wherever they may be stored.
+ Introduces a level of privacy when sessions are stored on the
+ browser. [Graham Leggett]
+
+ *) mod_session_cookie: Add a session implementation capable of storing
+ session information within cookies on the browser. Useful for high
+ volume sites where server bound sessions are too resource intensive.
+ [Graham Leggett]
+
+ *) mod_session: Add a generic session interface to unify the different
+ attempts at saving persistent sessions across requests.
+ [Graham Leggett]
+
+ *) core, authn/z: Avoid calling access control hooks for internal requests
+ with configurations which match those of initial request. Revert to
+ original behaviour (call access control hooks for internal requests
+ with URIs different from initial request) if any access control hooks or
+ providers are not registered as permitting this optimization.
+ Introduce wrappers for access control hook and provider registration
+ which can accept additional mode and flag data. [Chris Darroch]
+
+ *) Introduced ap_expr API for expression evaluation.
+ This is adapted from mod_include, which is the first module
+ to use the new API.
+ [Nick Kew]
+
+ *) mod_authz_dbd: When redirecting after successful login/logout per
+ AuthzDBDRedirectQuery, do not report authorization failure, and use
+ first row returned by database query instead of last row.
+ [Chris Darroch]
+
+ *) mod_ldap: Correctly return all requested attribute values
+ when some attributes have a null value.
+ PR 44560 [Anders Kaseorg <anders kaseorg.com>]
+
+ *) core: check symlink ownership if both FollowSymlinks and
+ SymlinksIfOwnerMatch are set [Nick Kew]
+
+ *) core: fix origin checking in SymlinksIfOwnerMatch
+ PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>]
+
+ *) Activate mod_cache, mod_file_cache and mod_disk_cache as part of the
+ 'most' set for '--enable-modules' and '--enable-shared-mods'. Include
+ mod_mem_cache in 'all' as well. [Dirk-Willem van Gulik]
+
+ *) Also install mod_so.h, mod_rewrite.h and mod_cache.h; as these
+ contain public function declarations which are useful for
+ third party module authors. PR 42431 [Dirk-Willem van Gulik].
+
+ *) mod_dir, mod_negotiation: pass the output filter information
+ to newly created sub requests; as these are later on used
+ as true requests with an internal redirect. This allows for
+ mod_cache et.al. to trap the results of the redirect.
+ [Dirk-Willem van Gulik, Ruediger Pluem]
+
+ *) mod_ldap: Add support (taking advantage of the new APR capability)
+ for ldap rebind callback while chasing referrals. This allows direct
+ searches on LDAP servers (in particular MS Active Directory 2003+)
+ using referrals without the use of the global catalog.
+ PRs 26538, 40268, and 42557 [Paul J. Reder]
+
+ *) ApacheMonitor.exe: Introduce --kill argument for use by the
+ installer. This will permit the installation tool to remove
+ all running instances before attempting to remove the .exe.
+ [William Rowe]
+
+ *) mod_ssl: Add support for OCSP validation of client certificates.
+ PR 41123. [Marc Stern <marc.stern approach.be>, Joe Orton]
+
+ *) mod_serf: New module for Reverse Proxying. [Paul Querna]
+
+ *) core: Add the option to keep aside a request body up to a certain
+ size that would otherwise be discarded, to be consumed by filters
+ such as mod_include. When enabled for a directory, POST requests
+ to shtml files can be passed through to embedded scripts as POST
+ requests, rather being downgraded to GET requests. [Graham Leggett]
+
+ *) mod_ssl: Fix TLS upgrade (RFC 2817) support. PR 41231. [Joe Orton]
+
+ *) scoreboard: Correctly declare ap_time_process_request.
+ PR 43789 [Tom Donovan <Tom.Donovan acm.org>]
+
+ *) core; scoreboard: ap_get_scoreboard_worker(sbh) now takes the sbh member
+ from the connection rec, ap_get_scoreboard_worker(proc, thread) will now
+ provide the unusual legacy lookup. [William Rowe]
+
+ *) mpm winnt: fix null pointer dereference
+ PR 42572 [Davi Arnaut]
+
+ *) mod_authnz_ldap, mod_authn_dbd: Tidy up the code to expose authn
+ parameters to the environment. Improve portability to
+ EBCDIC machines by using apr_toupper(). [Martin Kraemer]
+
+ *) mod_ldap, mod_authnz_ldap: Add support for nested groups (i.e. the ability
+ to authorize an authenticated user via a "require ldap-group X" directive
+ where the user is not in group X, but is in a subgroup contained in X.
+ PR 42891 [Paul J. Reder]
+
+ *) mod_ssl: Add support for caching SSL Sessions in memcached. [Paul Querna]
+
+ *) apxs: Enhance -q flag to print all known variables and their values
+ when invoked without variable name(s).
+ [William Rowe, Sander Temme]
+
+ *) apxs: Eliminate run-time check for mod_so. PR 40653.
+ [David M. Lee <dmlee crossroads.com>]
+
+ *) beos MPM: Create pmain pool and run modules' child_init hooks when
+ entering ap_mpm_run(), then destroy pmain when exiting ap_mpm_run().
+ [Chris Darroch]
+
+ *) netware MPM: Destroy pmain pool when exiting ap_mpm_run() so that
+ cleanups registered in modules' child_init hooks are performed.
+ [Chris Darroch]
+
+ *) Fix issue which could cause error messages to be written to access logs
+ on Win32. PR 40476. [Tom Donovan <Tom.Donovan acm.org>]
+
+ *) The LockFile directive, which specifies the location of
+ the accept() mutex lockfile, is deprecated. Instead, the
+ AcceptMutex directive now takes an optional lockfile
+ location parameter, ala SSLMutex. [Jim Jagielski]
+
+ *) mod_authn_dbd: Export any additional columns queried in the SQL select
+ into the environment with the name AUTHENTICATE_<COLUMN>. This brings
+ mod_authn_dbd behaviour in line with mod_authnz_ldap. [Graham Leggett]
+
+ *) mod_dbd: Key the storage of prepared statements on the hex string
+ value of server_rec, rather than the server name, as the server name
+ may change (eg when the server name is set) at any time, causing
+ weird behaviour in modules dependent on mod_dbd. [Graham Leggett]
+
+ *) mod_proxy_fcgi: Added win32 build. [Mladen Turk]
+
+ *) sendfile_nonblocking() takes the _brigade_ as an argument, gets
+ the first bucket from the brigade, finds it not to be a FILE
+ bucket and barfs. The fix is to pass a bucket rather than a brigade.
+ [Niklas Edmundsson <nikke acc.umu.se>]
+
+ *) mod_rewrite: support rewritemap by SQL query [Nick Kew]
+
+ *) ap_get_server_version() has been removed. Third-party modules must
+ now use ap_get_server_banner() or ap_get_server_description().
+ [Jeff Trawick]
+
+ *) All MPMs: Introduce a check_config phase between pre_config and
+ open_logs, to allow modules to review interdependent configuration
+ directive values and adjust them while messages can still be logged
+ to the console. Handle relevant MPM directives during this phase
+ and format messages for both the console and the error log, as
+ appropriate. [Chris Darroch]
+
+ *) core: Do not allow internal redirects like the DirectoryIndex of mod_dir
+ to circumvent the symbolic link checks imposed by FollowSymLinks and
+ SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem, William Rowe]
+
+ *) New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ]
+ configures the I/O Dump of SSL traffic, when LogLevel is set to Debug.
+ The default is none as this is far greater debugging resolution than
+ the typical administrator is prepared to untangle. [William Rowe]
+
+ *) mod_disk_cache: If possible, check if the size of an object to cache is
+ within the configured boundaries before actually saving data.
+ [Niklas Edmundsson <nikke acc.umu.se>]
+
+ *) Worker and event MPMs: Remove improper scoreboard updates which were
+ performed in the event of a fork() failure. [Chris Darroch]
+
+ *) Add support for fcgi:// proxies to mod_rewrite.
+ [Markus Schiegl <ms schiegl.com>]
+
+ *) Remove incorrect comments from scoreboard.h regarding conditional
+ loading of worker_score structure with mod_status, and remove unused
+ definitions relating to old life_status field.
+ [Chris Darroch <chrisd pearsoncmg.com>]
+
+ *) Remove allocation of memory for unused array of lb_score pointers
+ in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>]
+
+ *) Add mod_proxy_fcgi, a FastCGI back end for mod_proxy.
+ [Garrett Rooney, Jim Jagielski, Paul Querna]
+
+ *) Event MPM: Fill in the scoreboard's tid field. PR 38736.
+ [Chris Darroch <chrisd pearsoncmg.com>]
+
+ *) mod_charset_lite: Remove Content-Length when output filter can
+ invalidate it. Warn when input filter can invalidate it.
+ [Jeff Trawick]
+
+ *) Authz: Add the new module mod_authn_core that will provide common
+ authn directives such as 'AuthType', 'AuthName'. Move the directives
+ 'AuthType' and 'AuthName' out of the core module and merge mod_authz_alias
+ into mod_authn_core. [Brad Nicholes]
+
+ *) Authz: Move the directives 'Order', 'Allow', 'Deny' and 'Satisfy'
+ into the new module mod_access_compat which can be loaded to provide
+ support for these directives.
+ [Brad Nicholes]
+
+ *) Authz: Move the 'Require' directive from the core module as well as
+ add the directives '<SatisfyAll>', '<SatisfyOne>', '<RequireAlias>'
+ and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
+ logic into the authorization processing. [Brad Nicholes]
+
+ *) Authz: Add the new module mod_authz_core which acts as the
+ authorization provider vector and contains common authz
+ directives. [Brad Nicholes]
+
+ *) Authz: Renamed mod_authz_dbm authz providers from 'group' and
+ 'file-group' to 'dbm-group' and 'dbm-file-group'. [Brad Nicholes]
+
+ *) Authz: Added the new authz providers 'env', 'ip', 'host', 'all' to handle
+ host-based access control provided by mod_authz_host and invoked
+ through the 'Require' directive. [Brad Nicholes]
+
+ *) Authz: Convert all of the authz modules from hook based to
+ provider based. [Brad Nicholes]
+
+ *) mod_cache: Add CacheMinExpire directive to set the minimum time in
+ seconds to cache a document.
+ [Brian Akins <brian.akins turner.com>, Ruediger Pluem]
+
+ *) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]
+
+ *) Fix typo in ProxyStatus syntax error message.
+ [Christophe Jaillet <christophe.jaillet wanadoo.fr>]
+
+ *) Asynchronous write completion for the Event MPM. [Brian Pane]
+
+ *) Added an End-Of-Request bucket type. The logging of a request and
+ the freeing of its pool are now done when the EOR bucket is destroyed.
+ This has the effect of delaying the logging until right after the last
+ of the response is sent; ap_core_output_filter() calls the access logger
+ indirectly when it destroys the EOR bucket. [Brian Pane]
+
+ *) Rewrite of logresolve support utility: IPv6 addresses are now supported
+ and the format of statistical output has changed. [Colm MacCarthaigh]
+
+ *) Rewrite of ap_coreoutput_filter to do nonblocking writes [Brian Pane]
+
+ *) Added new connection states for handler and write completion
+ [Brian Pane]
+
+ *) mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264.
+ [Justin Erenkrantz]
+
+ *) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive,
+ allowing string-valued client certificate attributes to be used for
+ access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1")
+ [Martin Kraemer, David Reid]
+
+ [Apache 2.3.0-dev includes those bug fixes and changes with the
+ Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
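Review bot: The mod_ssl entry in the final part of this hunk spells the protocol two ways: it says POST requests are sent with Content-Type application/ocsp-request to "OSCP responders", which should read "OCSP responders" so that a search for OCSP finds the entry. Three other entries in the same part need a documentation fix. The Brian Pane entry "Rewrite of ap_coreoutput_filter to do nonblocking writes" names a function that the End-Of-Request bucket entry just above it writes as ap_core_output_filter(), so one of the two spellings is wrong. The mod_dbd entry "Handle integer configuration directive parameters with a dedicated function." is the only one here without a [contributor] attribution. The nested-groups entry for mod_ldap, mod_authnz_ldap opens a parenthesis at "(i.e. the ability" and never closes it.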