| -*- coding: utf-8 -*- |
| Changes with Apache 2.5.1 |
| |
| *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if |
| the format can't match anyway. [Yann Ylavic] |
| |
| *) mod_xml2enc: Update check to match MIME types matching |
| "+xml" rather than anything containing "xml", avoiding |
| corruption of Microsoft OOXML formats. PR 64339. |
| [Joseph Heenan <joseph.heenan fintechlabs.io>] |
| |
| *) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http, |
| allowing for (non-)Upgrade negotiation with the origin server. |
| [Yann Ylavic] |
| |
| *) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files |
| which include CA certificates; those CA certs are treated as if |
| configured with SSLProxyMachineCertificateChainFile. [Joe Orton] |
| |
| *) mpm_event: don't reset connections after lingering close, restoring prior |
| to 2.4.28 behaviour. [Yann Ylavic] |
| |
| *) mod_dav_fs: Improve logging output when failing to open files for |
| writing. PR 64413. [Bingyu Shen <ahshenbingyu gmail.com>] |
| |
| *) mod_proxy: Add optional third argument for ProxyRemote, which |
| configures Basic authentication credentials to pass to the remote |
| proxy. PR 37355. [Joe Orton] |
| |
| *) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies, |
| leading to Request Timeout (408). PR 63855. [Yann Ylavic] |
| |
| *) http: Allow unknown response status' lines returned in the form of |
| "HTTP/x.x xxx Status xxx". [Yann Ylavic] |
| |
| *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked |
| Transfer-Encoding from the client, spooling the request body when needed |
| to provide a Content-Length to the backend. PR 57087. [Yann Ylavic] |
| |
| *) mpm_event: kill connections in keepalive state only when there are no more |
| workers available, not when the maximum number of connections is reached, |
| restoring prior to 2.4.30 behaviour. [Yann Ylavic] |
| |
| *) mod_allowmethods: Allow methods to be added/removed with +/- prefix. PR64785. |
| [Marcel Montes <spiceman gmail.com>] |
| |
| *) mod_unique_id: Use base64url encoding for UNIQUE_ID variable, |
| avoiding the use of '@'. PR 57044. |
| [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>] |
| |
| *) core: add ReadBufferSize, FlushMaxThreshold and FlushMaxPipelined |
| directives. [Yann Ylavic] |
| |
| *) mod_md: lowered the required minimal libcurl version from 7.50 to 7.29 |
| as proposed by <alexander.gerasimov@codeit.pro>. |
| |
| *) mod_http2: Log requests and send the configured error response in case of |
| early detected errors like too many or too long headers. |
| [Ruediger Pluem, Stefan Eissing] |
| |
| *) mod_proxy_uwsgi: Fix a crash when sending environment variables with no |
| value. PR 64598 [Ruediger Pluem] |
| |
| *) mod_cgi/mod_cgid: Avoid a second read from a CGI script after a |
| timeout, which effectively doubled the configured timeout setting. |
| PR 64709. [Joe Orton] |
| |
| *) core: handle headers when replying a 304 following RFC7234. |
| [Giovanni Bechis] |
| |
| *) mod_http2: remove support for abandoned http-wg draft |
| <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>. |
| [Stefan Eissing] |
| |
| *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard |
| protocol limit). [Yann Ylavic] |
| |
| *) mod_dav: Some DAV extensions, like CalDAV, specify both document |
| elements and property elements that need to be taken into account |
| when generating a property. The document element and property element |
| are made available in the dav_liveprop_elem structure under the |
| DAV_PROP_ELEMENT key in the resource pool. [Graham Leggett] |
| |
| *) mod_dav: Add utility functions dav_validate_root_ns(), |
| dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and |
| dav_find_attr() so that other modules get to play too. |
| [Graham Leggett] |
| |
| *) mod_http2: |
| Fixes <https://github.com/icing/mod_h2/issues/200>: |
| "LimitRequestFields 0" now disables the limit, as documented. |
| Fixes <https://github.com/icing/mod_h2/issues/201>: |
| Do not count repeated headers with same name against the field |
| count limit. They are merged internally, as if sent in a single HTTP/1 line. |
| [Stefan Eissing] |
| |
| *) mod_http2: Avoid segfaults in case of handling certain responses for |
| already aborted connections. [Stefan Eissing, Ruediger Pluem] |
| |
| *) core: Remove support for the Content-MD5 header, removed in RFC7231. |
| Functions ap_md5digest() and ap_md5contextTo64() removed, and |
| ContentDigest directive. [Graham Leggett] |
| |
| *) mod_dav: Allow other DAV modules to use dav_get_resource(). |
| [Graham Leggett] |
| |
| *) mpm_common: remove ap_mpm_unregister_poll_callback() and |
| mpm_unregister_poll_callback hook. [Yann Ylavic] |
| |
| *) mod_proxy_http: add asynchronous handling of Upgrade(d) protocols, |
| where idle connections are returned to the MPM and rescheduled on |
| another thread when ready. [Yann Ylavic] |
| |
| *) mod_dav: Add method_precondition hook. WebDAV extensions define |
| conditions that must exist before a WebDAV method can be executed. |
| This hook allows a WebDAV extension to verify these preconditions. |
| [Graham Leggett] |
| |
| *) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other |
| modules apart from versioning implementations to handle the REPORT method. |
| [Graham Leggett] |
| |
| *) Add dav_get_provider(), dav_open_lockdb() and dav_close_lockdb() to mod_dav.h. |
| [Graham Leggett] |
| |
| *) "[mod_dav_fs etag handling] should really honor the FileETag setting". |
| - It now does. |
| - Add "Digest" to FileETag directive, allowing a strong ETag to be |
| generated using a file digest. |
| - Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over |
| ETag generation. |
| - Add concept of "binary notes" to request_rec, allowing packed bit flags |
| to be added to a request. |
| - First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force |
| the ETag to a strong ETag to comply with RFC requirements, such as those |
| mandated by various WebDAV extensions. |
| [Graham Leggett] |
| |
| *) mod_ssl: Fix a race condition and possible crash when using a proxy client |
| certificate (SSLProxyMachineCertificateFile). |
| [Armin Abfalterer <a.abfalterer gmail.com>] |
| |
| *) mod_proxy: recognize parameters from ProxyPassMatch workers with dollar |
| substitution, such that they apply to the backend connection. Note that |
| connection reuse is disabled by default to avoid compatibility issues. |
| [Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere] |
| |
| *) mod_proxy_http: remove proxy-sendchunked and proxy-sendchunks |
| handling, the default behaviour being now to stream the request body |
| using Content-Length when the length is known and fall back to chunked |
| Transfer-Encoding otherwise (unless proxy-sendcl is set thus requiring |
| that the request body be spooled to memory or filesystem). [Yann Ylavic] |
| |
| *) mod_ldap: Avoid performance overhead of APR-util rebind cache for |
| OpenLDAP 2.2+. PR 64414. [Joe Orton] |
| |
| *) mod_proxy_http: flush spooled request body in one go to avoid |
| leaking (or long lived) temporary file. PR 64452. [Yann Ylavic] |
| |
| *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression |
| evaluates to false. PR64365. [Michael König <mail ikoenig.net>] |
| |
| *) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response |
| and switched protocol forwarding. [Yann Ylavic] |
| |
| *) mod_ssl: The "ssl_var_lookup" optional function API now takes a |
| const char *name argument and returns a const char * string |
| value. The pool argument must now be non-NULL. [Joe Orton] |
| |
| *) mod_ssl: With OpenSSL 1.1.1 and later, SSLRandomSeed is now |
| ignored. OpenSSL must be configured with a suitable entropy |
| source, or mod_ssl will fail to start up. [Joe Orton] |
| |
| *) mod_ssl: With OpenSSL 1.1.1 and later, client-initiated |
| renegotiation in TLSv1.2 and earlier is blocked at SSL library |
| level (with a TLS warning alert sent), rather than by aborting |
| the connection inside mod_ssl. [Joe Orton] |
| |
| *) core: Add optional "options=" argument to Listen. Supported |
| keywords are "freebind", "reuseport" and "v6only". PR 61865. |
| [Jan Kaluza, Lubos Uhliarik <luhliari redhat.com>, Joe Orton] |
| |
| *) config: Allow for environment variable substitution with default value, |
| for when the variable is not defined, using format ${VAR?=default value}. |
| [Yann Ylavic] |
| |
| *) htcacheclean: Empty directories in CacheRoot are still present even after |
| using "-t". PR64313 [Petros Marios Prokopiou <pprokopi redhat.com>, |
| Ruediger Pluem, Jean-Frederic Clere] |
| |
| *) mod_reqtimeout: Cannot override default Virtualhost's mod_reqtimeout. |
| PR64295 [Jean-Frederic Clere] |
| |
| *) mod_proxy: Allow ProxyErrorOverride to be restricted to specific status |
| codes. PR63628. [Martin Drößler <mail martindroessler.de>] |
| |
| *) configtest: Issue a warning for non-existent directories in <Directory> config |
| sections. PR63079. [Stephane Blondon <stephane.blondon gmail.com>]. |
| |
| *) mod_proxy_http: Fix random memory-corruption in case of an error while |
| reading a response from the backend. |
| PR 64234 [Ruediger Pluem, Barnim Dzwillo <dzwillo@strato.de>] |
| |
| *) core: Use a temporary file when writing the pid file, avoiding |
| startup failure if an empty pidfile is left over from a |
| previous crashed or aborted invocation of httpd. PR 63140. |
| [Nicolas Carrier <carrier.nicolas0 gmail.com>, Joe Orton] |
| |
| *) mod_http2: Fixes issue where mod_unique_id would generate non-unique request |
| identifier under load, see <https://github.com/icing/mod_h2/issues/195>. |
| [Michael Kaufmann, Stefan Eissing] |
| |
| *) mod_session_cookie: Add SessionCookieMaxAge to allow the mod_session |
| cookie to be sent as a "session cookie" with no expiration even when the |
| SessionMaxAge will be enforced on the server. PR56040 [Eric Covener] |
| |
| *) mod_session: Fix an issue that blocked new sessions being created after |
| session expiration or other session errors. PR56052 [Eric Covener] |
| |
| *) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}. |
| PR64140. [Renier Velazco <renier.velazco upr.edu>] |
| |
| *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic] |
| |
| *) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info". |
| PR64172. |
| |
| *) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure |
| to allow customization of the usertrack cookie. PR64077. |
| [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener] |
| |
| *) mpm_event: avoid possible KeepAliveTimeout off by -100 ms. |
| [Eric Covener, Yann Ylavic] |
| |
| *) mod_md: |
| - Prefer MDContactEmail directive to ServerAdmin for registration. New directive |
| thanks to Timothe Litt (@tlhackque). |
| - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now |
| check all matching virtual hosts for protocol support. Thanks to @mkauf. |
| - Corrected a check when OCSP stapling was configured for hosts |
| where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm). |
| - Softening the restrictions where mod_md configuration directives may appear. This should |
| allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration |
| you wanted in the first place, is another matter. |
| [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque), |
| Michal Karm Babacek (@Karm), Stefan Eissing (@icing)] |
| |
| *) core: ap_method_mask_t type added for method bitmasks, changed |
| from apr_int64_t and used for the method_mask field in |
| ap_method_list_t, AP_METHOD_BIT, allowed field of request_rec, |
| limited field of cmd_parms. PR 63885. [Joe Orton] |
| |
| *) mod_ssl: Do not keep connections to OCSP responders alive when doing |
| OCSP requests. PR 64135. [Ruediger Pluem] |
| |
| *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github |
| issue mod_md#172 (https://github.com/icing/mod_md/issues/172). |
| [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing] |
| |
| *) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a |
| SameSite attribute. [Eric Covener] |
| |
| *) Update DOCTYPE tags in server-generated HTML. PR62989. |
| [Andra Farkas <deepbluemistake gmail.com>, Giovanni Bechis <giovanni paclan.it>] |
| |
| *) mod_setenvif: Passing an env-variable parameter of "--early" in non-perdir |
| context runs directives from this module before `RequestHeader ... early` |
| are evaluated. This allows results of SetEnvIf conditionals to be used |
| to modify request headers in early mode. [Eric Covener] |
| |
| *) config: Speed up graceful restarts by using pre-hashed command table. PR 64066. |
| [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski] |
| |
| *) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table, |
| r:notes_table, r:subprocess_env_table as read-only native table alternatives |
| that can be iterated over. [Eric Covener] |
| |
| *) configure: Add manualdir and proxycachedir to the APR_ENABLE_LAYOUT macro call. |
| [Graham Leggett] |
| |
| *) Add support for cross compiling to apxs. If apxs is being executed from somewhere |
| other than its target location, add that prefix to includes and library directories. |
| Without this, apxs would fail to find config_vars.mk and exit. [Graham Leggett] |
| |
| *) Add a config layout for OpenWRT. [Graham Leggett] |
| |
| *) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection. |
| [Yann Ylavic, Stefan Eissing] |
| |
| *) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env, |
| r.headers_out, etc) to remove the key from the table. PR63971. |
| [Eric Covener] |
| |
| *) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the |
| ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct` |
| always `on`, regardless of configuration. Found and reported by |
| <Armin.Abfalterer@united-security-providers.ch> and |
| <Marcial.Rion@united-security-providers.ch>. [Stefan Eissing] |
| |
| *) mod_http2: Multiple field length violations in the same request no longer cause |
| several log entries to be written. [@mkauf] |
| |
| *) mod_md: v2.2.4 from github, Fixes a compile time issue with OpenSSL 1.0.2 in |
| the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01" |
| is configured explicitly (related to #133). [@mkauf, Stefan Eissing] |
| |
| *) mod_ssl: Support logging private key material for use with |
| wireshark via log file given by SSLKEYLOGFILE environment |
| variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton] |
| |
| *) mod_proxy: Improve tunneling loop to support half closed connections and |
| pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic] |
| |
| *) mod_proxy: Add proxy check_trans hook for proxy modules to possibly |
| decline request handling at early stage. [Yann Ylavic] |
| |
| *) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in |
| proxy_util. [Yann Ylavic] |
| |
| *) mod_proxy_http: Fix the forwarding of requests with content body when a |
| balancer member is unavailable; the retry on the next member was issued |
| with an empty body (regression introduced in 2.4.41). [Yann Ylavic] |
| |
| *) mod_ssl: negotiate the TLS protocol version per name based vhost |
| configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's |
| SSLProtocol (from the first vhost declared on the IP:port) is now only |
| relevant if no SSLProtocol is declared for the vhost or globally, |
| otherwise the vhost or global value apply. [Yann Ylavic] |
| |
| *) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which |
| means 'foo' is "not acceptable". PR 58158 [Christophe Jaillet] |
| |
| *) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503 |
| [Ruediger Pluem, Eric Covener] |
| |
| *) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not |
| valid (For example, testing for a file on a flash drive that is not mounted) |
| [Christophe Jaillet] |
| |
| *) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS |
| protection. PR63688. [Armin Abfalterer <a.abfalterer gmail.com>] |
| |
| *) mod_authn_socache: Increase the maximum length of strings that can be cached by |
| the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>] |
| |
| *) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration |
| for a domain managed by mod_md caused a startup error. This happened when mod_md installed |
| its fallback certificate, before it got the first real certificate from Let's Encrypt. |
| [Stefan Eissing] |
| |
| *) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via |
| RegexDefaultOptions -DOTALL [Yann Ylavic] |
| |
| *) core: Remove request details from built-in error documents [Eric Covener] |
| |
| *) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on |
| merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann] |
| |
| *) mod_http2: fixed a bug that prevented proper stream cleanup when connection |
| throttling was in place. Stream resets by clients on streams initiated by them |
| are counted as possible trigger for throttling. [Stefan Eissing] |
| |
| *) mod_http2/mpm_event: Fixes the behaviour when a HTTP/2 connection has nothing |
| more to write with streams ongoing (flow control block). The timeout waiting |
| for the client to send WINDOW_UPDATE was incorrectly KeepAliveTimeout and not |
| Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing] |
| |
| *) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for |
| adding certificates and keys to a virtual host. An additional hook allows |
| answering special TLS connections as used in ACME challenges. |
| Adding 2 new hooks for init/get of OCSP stapling status information when |
| other modules want to provide those. Falls back to own implementation with |
| same behaviour as before. |
| [Stefan Eissing] |
| |
| *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+. |
| [Graham Leggett] |
| |
| *) mod_proxy_http2: adding support for handling trailers in both directions. PR 63502. |
| [Stefan Eissing] |
| |
| *) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39. |
| PR 63325. [Yann Ylavic] |
| |
| *) mod_ldap: Avoid potential crashes in util_ldap_cache_module_kill() or other |
| LDAP related functions during graceful restart of a busy server. PR63305. |
| [Martin Fúsek <mfusek newps.cz>] |
| |
| *) mod_cache: Fix parsing of quoted Cache-Control token arguments. |
| PR 63288. [Yann Ylavic] |
| |
| *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in |
| spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing] |
| |
| *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure. |
| [Michael Kaufmann <mail michael-kaufmann.ch>] |
| |
| *) Merge consecutive slashes in URLs. Opt-out with `MergeSlashes OFF`. |
| [Eric Covener] |
| |
| *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend |
| connection is recycled/reused to avoid a possible crash with some SSLProxy |
| configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic] |
| |
| *) mod_mime: Add `MimeOptions` directive to allow Content-Type or all metadata |
| detection to use only the last (right-most) file extension or to be |
| disabled per-dir. [Eric Covener] |
| |
| *) MPMs unix: bind the bucket number of each child to its slot number, for a |
| more efficient per bucket maintenance. [Yann Ylavic] |
| |
| *) http: Fix possible empty response with mod_ratelimit for HEAD requests. |
| PR 63192. [Yann Ylavic] |
| |
| *) mod_cache_socache: Avoid reallocations and be safe with outgoing data |
| lifetime. [Yann Ylavic] |
| |
| *) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts. |
| PR 61310. [Yann Ylavic] |
| |
| *) mod_auth_digest: Fix a race condition. Authentication with valid credentials could be |
| refused in case of concurrent accesses from different users. |
| PR 63124 [Simon Kappel <simon.kappel axis.com>] |
| |
| *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by |
| configuration (SSLFIPS on) and not active by default in OpenSSL. |
| PR 63136. [Yann Ylavic] |
| |
| *) mod_ssl: give mod_md the chance to override certificate after ALPN protocol |
| negotiation. [Stefan Eissing] |
| |
| *) mod_proxy_wstunnel: Fix websocket proxy over UDS. |
| PR 62932 <pavel dcmsys.com> |
| |
| *) mod_negotiation: LanguagePriority should be case-insensitive in order to |
| match AddLanguage behavior. PR 39730 [Christophe Jaillet] |
| |
| *) mod_session: Always decode session attributes early. [Hank Ibell] |
| |
| *) core: Incorrect values for environment variables are substituted when |
| multiple environment variables are specified in a directive. [Hank Ibell] |
| |
| *) core: Split out the ability to parse wildcard files and directories |
| from the Include/IncludeOptional directives into a generic set of |
| functions ap_dir_nofnmatch() and ap_dir_fnmatch(). [Graham Leggett] |
| |
| *) mod_ssl: Fix mod_authz provider for "require ssl" directive to check correctly |
| on HTTP/2 connections. Fixes PR 62654. [Stefan Eissing] |
| |
| *) mod_ssl: clear *SSL errors before loading certificates and checking |
| afterwards. Otherwise errors are reported when other SSL using modules |
| are in play. Fixes PR 62880. [Michael Kaufmann] |
| |
| *) core: Ensure that aborted connections are logged as such. PR 62823 |
| [Arnaud Grandville <contact@grandville.net>] |
| |
| *) mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when |
| there are still idle threads available. When there are less idle threads than |
| MinSpareThreads, issue new one-time message AH10159. Matches worker MPM. |
| [Eric Covener] |
| |
| *) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the |
| body of the response. [Jim Jagielski] |
| |
| *) mod_session_cookie: avoid duplicate Set-Cookie header in the response. |
| [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano] |
| |
| *) mod_dav_fs: Set a default DAVLockDB within the state directory. |
| [Joe Orton] |
| |
| *) core: Add DefaultStateDir and layout-specific state directory |
| created at "make install". [Joe Orton] |
| |
| *) ab: Add client certificate support. [Graham Leggett] |
| |
| *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499 |
| [Dominik Stillhard <dominik.stillhard united-security-providers.ch>] |
| |
| *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and |
| before signals handling to avoid lifetime issues on restart or shutdown. |
| PR 62658. [Yann Ylavic] |
| |
| *) core: Add StrictHostCheck to allow unconfigured hostnames to be |
| rejected. [Eric Covener] |
| |
| *) mod_status: Cumulate CPU time of exited child processes in the |
| "cu" and "cs" values. Add CPU time of the parent process to the |
| "c" and "s" values. |
| [Rainer Jung] |
| |
| *) mod_status: Add cumulated response duration time in milliseconds. |
| [Rainer Jung] |
| |
| *) mod_status: Complete the data shown for async MPMs in "auto" mode. |
| Added number of processes, number of stopping processes and number |
| of busy and idle workers. [Rainer Jung] |
| |
| *) mod_proxy: Improve the balancer member data shown in mod_status when |
| "ProxyStatus" is "On": add "busy" count and show byte counts in auto |
| mode always in units of kilobytes. [Rainer Jung] |
| |
| *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative |
| redirects, subsequent ProxyPassReverse statements, whether they are |
| relative or absolute, may fail. PR 60408. [Peter Haworth <pmh1wheel gmail.com>] |
| |
| *) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression |
| introduced in 2.4.34. PR 62568. [Yann Ylavic] |
| |
| *) mod_proxy_http: forward 100-continue, and minimize race conditions when |
| reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere] |
| |
| *) mod_proxy: Remove load order and link dependency between mod_lbmethod_* |
| modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe] |
| |
| *) mod_md: more robust handling of http-01 challenges and hands-off when module |
| should not be involved, e.g. challenge setup by another ACME client. [Stefan Eissing] |
| |
| *) ru, zh-cn and zh-tw translations of errordocs have been added. |
| Contributed by Alexander Gaganashvili and CodeingBoy |
| |
| *) mod_userdir: If several directories are given in a UserDir directive, only files |
| in the first existing one are checked. If the file is not found there, the |
| other possible directories are not checked. The doc clearly states that they |
| will be checked one by one, until a match is found or an external redirect is |
| performed. PR 59636. |
| [Christophe Jaillet] |
| |
| *) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when |
| this type of map is present in the configuration. PR62311. |
| [Hank Ibell <hwibell gmail.com>] |
| |
| *) mod_ldap: Abort on LDAP locking errors. [Eric Covener] |
| |
| *) mod_ssl: Support loading certificates and private keys from the |
| PKCS#11 OpenSSL engine. [Anderson Sasaki <ansasaki redhat.com>, |
| Joe Orton] |
| |
| *) http: LimitRequestBody applies to proxied requests. [Yann Ylavic] |
| |
| *) mod_logio: Add LogIOTrackTTFU and %^FU logformat to log the time |
| difference between request start and last request body byte read (finished upload). |
| [Rainer Jung] |
| |
| *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre4, other libs may |
| need more sugar). SSL(Proxy)CipherSuite now has an optional first parameter for the |
| protocol the ciphers are for. |
| Directive "SSLVerifyClient" now triggers certificate retrieval from the client (this |
| is not fully tested - but fails in similar fashion as in TLSv1.2 in my setups). |
| Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols, |
| as this would need to trigger the master connection thread - which we do not support |
| right now. |
| Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite" |
| does not allow to specify TLSv1.3 ciphers in a directory context (because it cannot work) and |
| TLSv1.2 or lower ciphers are not relevant, as cipher suites are completely separate. |
| This means there is a bit of a world split when simultaneously having TLSv1.2 and TLSv1.3 |
| connections to the same server. |
| [Yann Ylavic, Stefan Eissing] |
| |
| *) mod_ssl: proper checks for libressl 2.07/8 and its TLSv1_3 support, see PR 62236. |
| [Bernard Spil <brnrd@freebsd.org>] |
| |
| *) mod_cgi: Add CGIScriptTimeout to make mod_cgi's timeout per-directory and |
| independent of the core Timeout directive. PR 62229. |
| [Hank Ibell <hwibell gmail.com>] |
| |
| *) mod_ssl: heavily simplified SSLPolicy. No more user defines, no proxy policies, |
| just the basic "modern", "intermediate" and "old" as specified by Mozilla security. |
| [Stefan Eissing] |
| |
| *) mod_md: fixes error in renew window calculation that may lead to mod_md running |
| watchdog in a tight loop until actual renewal becomes necessary. [Stefan Eissing] |
| |
| *) mod_md: /.well-known/acme-challenge requests that cannot be answered for hostnames |
| outside the configured MDs are free to be answered by other handlers. This allows |
| co-existence between mod_md and other ACME clients on the same server (implements PR62189). |
| [Stefan Eissing, Arkadiusz Miskiewicz <arekm@maven.pl>] |
| |
| *) core: Create a conn_config_t structure to hold an extendable core config rather |
| than consuming the whole pointer with the connection socket. [Graham Leggett] |
| |
| *) core: adding AP_DECLARE for ap_parse_vhost_addrs() and minor bump mmn. Resolves |
| building mod_ssl on Windows. [Stefan Eissing, Gregg Smith] |
| |
| *) core: adding defines to allow interworking with honggfuzz without |
| further patches. [Stefan Eissing, Robert Swiecki] |
| |
| *) mod_headers: 'RequestHeader set|edit|edit_r Content-Type X' could |
| inadvertently modify the Content-Type _response_ header. Applies to |
| Content-Type only and likely to only affect static file responses. |
| [Eric Covener] |
| |
| *) mod_cgi: Improve AH01215 messages to make it more clear that the message is |
| the CGI scripts stderr output. PR 61980. [Hank Ibell <hwibell gmail.com>] |
| |
| *) mod_headers: Allow 'Header unset Content-Type' to remove the Content-Type |
| header. PR 61983. [Hank Ibell <hwibell gmail.com>] |
| |
| *) mod_md v1.1.8: new configuration directive "MDBaseServer on|off" to allow/inhibit |
| management of the base server domains outside VirtualHosts. By default, this is "off", |
| e.g. mod_md will not manage certificates or perform https: redirections on the |
| base server. [Stefan Eissing] |
| |
| *) core: Add "AcceptErrorsNonFatal" to allow ECONNREFUSED, ECONNABORTED, and |
| ECONNRESET during the client accept() to not trigger graceful shutdown of |
| the child process. [Eric Covener] |
| |
| *) mod_md v1.1.7: |
| - MDMustStaple was unable to create the necessary OpenSSL OBJ identifier on some platforms, |
| possibly because this fails if the OID is already configured in ```openssl.cnf```, see |
| [here](https://github.com/openssl/openssl/issues/2795). |
| - Two memory leaks in cert issuer and alt-names lookup eliminated by Yann Ylavic. |
| - Changing MDMustStaple triggers certificate renewal. |
| - More verbosity when *not* handing out certificates, e.g. mod_ssl asks, but mod_md has no |
| idea what it is talking about. Some people report misbehaviour here. |
| - Re-enabled support for md_get_credentials() function that was used in older mod_ssl |
| patch, so that people with old patched servers get a chance to upgrade. |
| [Stefan Eissing, Yann Ylavic] |
| |
| *) mod_substitute: Allow expressions in the substitution, prefixed with expr= |
| [Eric Covener] |
| |
| *) mod_md: fixed mem pool usage for auto-added server names. Added |
| error logging of exact ACME response when challenges failed. |
| [Stefan Eissing] |
| |
| *) mod_md: reverses most of v1.0.5 optimization of post_config init, so that |
| mod_ssl can ask for certificates without crashing. [Stefan Eissing] |
| |
| *) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules. |
| PR 61857. [Yann Ylavic] |
| |
| *) mod_proxy_html: fix handling of <meta http-equiv> elements. |
| PR 58121. [Nick Kew] |
| |
| *) mod_md: fixed backward compatibility to old <ManagedDomain configuration. |
| Add higher level WARNING log when initial request to ACME server fails, mentioning |
| some advice. [Stefan Eissing] |
| |
| *) mod_md: name change in configuration directives. The old names are still working |
| in this version, so you can safely upgrade. They will give warnings in the log and |
| will disappear in the immediate future. ManagedDomain is now MDomain, |
| <ManagedDomain> is now <MDomainSet>. [Stefan Eissing] |
| |
| *) mod_ssl: renamed section <SSLPolicy to <SSLPolicyDefine. Fixed behaviour |
| for new server config merge flag. Denying global, only once used directives |
| inside a SSLPolicyDefine. [Stefan Eissing] |
| |
| *) mod_auth_basic: Be less tolerant when parsing the credentials. Only spaces |
| should be accepted after the authorization scheme. \t are also tolerated. |
| [Christophe Jaillet] |
| |
| *) core: Support zone/scope in IPv6 link-local addresses in Listen and |
| VirtualHost directives (requires APR 1.7.x or later). PR 59396. [Joe Orton] |
| |
| *) mod_md: v1.0.5, restricting post_config dry run to be more silent and performing |
| only necessary work for mod_ssl to be also happy with the configuration. |
| [Stefan Eissing] |
| |
| *) mod_md: v1.0.4, removed the 'a2md' utility command from build. Only used in github |
| testing. Avoid problems with our build system that had problems after the latest |
| changes to make a clean initial build. Remove the windows a2md.dsp therefore also. |
| [Stefan Eissing] |
| |
| *) mod_ssl: Fail with 403 if the username for FakeBasicAuth mode |
| includes a colon character. PR 52644. [Joe Orton] |
| |
| *) mod_md: v1.0.3, fixed various bugs in persisting job properties, so that status is |
| persisted across child process changes and staging is reset on reloads. Changed |
| MDCertificateAgreement url checks. As long as the CA reports that the account has |
| an agreement, no further checking is done. Existing accounts need no changes when |
| a new agreement comes out. [Stefan Eissing] |
| |
| *) mod_watchdog: Correct some log messages. [Rainer Jung] |
| |
| *) mod_noloris: complete build setup. [Rainer Jung] |
| |
| *) mod_md: fix static compilation. [Rainer Jung] |
| |
| *) mod_md: fix compilation of helper binary a2md. [Rainer Jung] |
| |
| *) core: fix pcre feature detection in configure when using pcre2. [Rainer Jung] |
| |
| Changes with Apache 2.5.0-alpha |
| |
| *) mod_md: v1.0.1, ServerName/Alias names from pure-http: virtual hosts are no longer |
| auto-added to a Managed Domain. Error counts of jobs are persisted. When the server |
| restarts (gracefully) any errored staging areas are purged to reset the signup/renewal |
| process. [Stefan Eissing] |
| |
| *) mod_md: v1.0.0, new config directive 'MDNotifyCmd' to hook in a program when Managed |
| Domains have obtained/renewed their certificates successfully. [Stefan Eissing] |
| |
| *) mod_md: v0.9.9, fix for applying challenge type based on available ports. [Stefan Eissing] |
| |
| *) mod_md: v0.9.7 |
| - Use of the new module flag |
| - Removed obsolete function from interface to mod_ssl. |
| - Fallback certificates have version set and no longer claim to be a CA. (re issue #32) |
| - MDRequireHttps now happens before any Redirect. |
| [Stefan Eissing] |
| |
| *) mod_ssl: unshare SSLSrvConfigRec instances between base server and virtual hosts. This avoids |
| overwrites of later initializations (vhost_id), selective disables by "SSLEngine addr-list" |
| and certificate/key pickup from mod_md. [Stefan Eissing] |
| |
| *) mod_md: v0.9.6: a "MDRequireHttps permanent" configured domain automatically sends out |
| HSTS (rfc 6797) headers in https: responses. [Stefan Eissing] |
| |
| *) mod_ssl: adding ssl_policies.h[.in] for policy cipher/protocol definitions. Use |
| update_policies.py to update manually from Mozilla JSON definitions at |
| https://statics.tls.security.mozilla.org/server-side-tls-conf.json |
| [Stefan Eissing] |
| |
| *) mod_md: v0.9.5: |
| - New directive (srly: what do you expect at this point?) "MDMustStaple on|off" to control if |
| new certificates are requested with the OCSP Must Staple extension. |
| - Known limitation: when the server is configured to ditch and restart child processes, for example |
| after a certain number of connections/requests, the mod_md watchdog instance might migrate |
| to a new child process. Since not all its state is persisted, some messages might appear a |
| second time in the logs. |
| - Adding checks when 'MDRequireHttps' is used. It is considered an error when 'MDPortMap 443:-' |
| is used - which negates that a https: port exists. Also, a warning is logged if no |
| VirtualHost can be found for a Managed Domain that has port 443 (or the mapped one) in |
| its address list. |
| - New directive 'MDRequireHttps' for redirecting http: traffic to a Managed Domain, permanently |
| or temporarily. |
| - Fix for using a fallback certificate on initial signup of a Managed Domain. Requires also |
| a changed mod_ssl patch (v5) to take effect. |
| - compatibility with libressl |
| [Stefan Eissing] |
| |
| *) mod_md: v0.9.2: new directive 'MDHttpProxy' to define a proxy for outgoing connection, |
| some minor bugfixes, twiddle the build system to avoid non-pic code generation. |
| [Stefan Eissing] |
| |
| *) mod_md: v0.9.1: |
| - various fixes in MDRenewWindow handling when specifying percent. Serialization changed. If |
| someone already used percent configurations, it is advised to change these to a new value, |
| reload and change back to the wanted ones. |
| - various fixes in handling of MDPrivateKeys when specifying 2048 bits (the default) explicitly. |
| - mod_md version removed from top level md_store.json file. The store has its own format version |
| to facilitate upgrades. |
| [Stefan Eissing] |
| |
| *) mod_md: v0.9.0: |
| Certificate provisioning from Let's Encrypt (and other ACME CAs) for mod_ssl virtual hosts. |
| [Stefan Eissing] |
| |
| *) mod_ssl: add SSLPolicy (define/use) and SSLProxyPolicy directives plus documentation. Add |
| core definitions for policies 'modern', 'intermediate' and 'old', as defined by Mozilla |
| in <https://wiki.mozilla.org/Security/Server_Side_TLS>. [Stefan Eissing] |
| |
| *) mod_md: new module for managing domains across VirtualHosts with ACME protocol |
| implementation for automated certificate signup and renewal. Default CA is |
| the test area of Let's Encrypt right now, so certificates root will not be valid. |
| Will be switched to the real service endpoint rather soon. If you need it now, |
| configure 'MDCertificateAuthority https://acme-v01.api.letsencrypt.org/directory'. |
| [Stefan Eissing] |
| |
| *) mod_rewrite: Add 'RewriteOptions LongURLOptimization' to free memory |
| from each set of unmatched rewrite conditions. |
| [Eric Covener] |
| |
| *) Allow the argument to <IfFile>, <IfDefine>, <IfSection>, <IfDirective>, |
| and <IfModule> to be quoted. This is primarily for the benefit of |
| <IfFile>. [Eric Covener] |
| |
| *) Introduce request taint checking framework to prevent privilege |
| hijacking through .htaccess. [Nick Kew] |
| |
| *) Add <IfDirective> and <IfSection> directives. [Joe Orton] |
| |
| *) When using mod_status with the Event MPM, report the number of requests |
| associated with an active connection in the "ACC" field. Previously |
| zero was always reported with this MPM. PR60647. [Eric Covener] |
| |
| *) mod_proxy_wstunnel: Reliably run before mod_proxy_http. |
| [Eric Covener] |
| |
| *) http: Allow unknown response status' lines returned in the form of |
| "HTTP/x.x xxx Status xxx". [Yann Ylavic] |
| |
| *) core: Add <IfFile> configuration section to allow any file on disk to be |
| used as a conditional. [Edward Lu, Eric Covener] |
| |
| *) mod_crypto: Add the all purpose crypto filters with support for HLS. |
| [Graham Leggett] |
| |
| *) core: Drop an invalid Last-Modified header value coming |
| from a FCGI/CGI script instead of replacing it with Unix epoch. |
| Warn the users about Last-Modified header value replacements |
| and violations of the RFC. |
| [Yann Ylavic, Luca Toscano, William Rowe, Jacob Champion] |
| |
| *) mod_dav: Allow other modules to become providers and add ACLs |
| to the DAV response. |
| [Jari Urpalainen <jari.urpalainen nokia.com>, Graham Leggett] |
| |
| *) mod_dav: Add dav_begin_multistatus, dav_send_one_response, |
| dav_finish_multistatus, dav_send_multistatus, dav_handle_err, |
| dav_failed_proppatch, dav_success_proppatch to mod_dav.h. |
| [Jari Urpalainen <jari.urpalainen nokia.com>, Graham Leggett] |
| |
| *) core: explicitly exclude 'h2' from protocols announced via an Upgrade: |
| header as commanded by http-wg. [Stefan Eissing] |
| |
| *) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy |
| AJP13 authentication. PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>] |
| |
| *) mpm: Generalise the ap_mpm_register_socket functions to accept pipes |
| or sockets. [Graham Leggett] |
| |
| *) core: Extend support for setting aside data from the network input filter |
| to any connection or request input filter. [Graham Leggett] |
| |
| *) core: Split ap_create_request() from ap_read_request(). [Graham Leggett] |
| |
| *) mod_auth_digest: Fix compatibility with expression-based Authname. PR59039. |
| [Eric Covener] |
| |
| *) mpm: Add a complete_connection hook that confirms whether an MPM is allowed |
| to leave the WRITE_COMPLETION phase. Move filter code out of the MPMs. |
| [Graham Leggett] |
| |
| *) mod_cache: Consider Cache-Control: s-maxage in expiration |
| calculations. [Eric Covener] |
| |
| *) mod_cache: Allow caching of responses with an Expires header |
| in the past that also has Cache-Control: max-age or s-maxage. |
| PR55156. [Eric Covener] |
| |
| *) mod_session: Introduce SessionExpiryUpdateInterval which allows to |
| configure the session/cookie expiry's update interval. PR 57300. |
| [Paul Spangler <paul.spangler ni.com>] |
| |
| *) core: Extend support for asynchronous write completion from the |
| network filter to any connection or request filter. [Graham Leggett] |
| |
| *) mod_auth_digest: remove AuthDigestEnableQueryStringHack which is no |
| longer documented since Dec 2012 (r1415960). [Christophe Jaillet] |
| |
| *) mod_charset_lite: On EBCDIC platforms, make sure mod_charset_lite runs |
| after other resource-level filters. [Eric Covener] |
| |
| *) http: Don't remove the Content-Length of zero from a HEAD response if |
| it comes from an origin server, module or script. [Yann Ylavic] |
| |
| *) http: Add support for RFC2324/RFC7168. [Graham Leggett] |
| |
| *) mod_authn_core: Add expression support to AuthName and AuthType. |
| [Graham Leggett] |
| |
| *) suexec: Filter out the HTTP_PROXY environment variable because it is |
| treated as alias for http_proxy by some programs. [Stefan Fritsch] |
| |
| *) mod_proxy_http: Don't establish or reuse a backend connection before pre- |
| fetching the request body, so to minimize the delay between it is supposed |
| to be alive and the first bytes sent: this is a best effort to prevent the |
| backend from closing because of idle or keepalive timeout in the meantime. |
| Also, handle a new "proxy-flushall" environment variable which allows to |
| flush any forwarded body data immediately. PR 56541+37920. [Yann Ylavic] |
| |
| *) core: Define and UnDefine are no longer permitted in |
| directory context. Previously they would always be evaluated |
| as the configuration was read without regard for the directory |
| context. [Eric Covener] |
| |
| *) config: For directives that do not expect any arguments, enforce |
| that none are specified in the configuration file. |
| [Joachim Zobel <jzobel heute-morgen.de>, Eric Covener] |
| |
| *) mod_rewrite: Improve 'bad flag delimiters' startup error by showing |
| how the input was tokenized. PR 56528. [Edward Lu <Chaosed0 gmail.com>] |
| |
| *) mod_proxy: Don't put non balancer-member workers in error state by |
| default for connection or 500/503 errors, and honor status=+I for |
| any error. PR 48388. [Yann Ylavic] |
| |
| *) ap_expr: Add filemod function for checking file modification dates |
| [Daniel Gruno] |
| |
| *) mod_authnz_ldap: Resolve crashes with LDAP authz and non-LDAP authn since |
| r1608202. [Eric Covener] |
| |
| *) apreq: Content-Length header should be always interpreted as a decimal. |
| Leading 0 could be erroneously considered as an octal value. PR 56598. |
| [Chris Card <ctcard hotmail com>] |
| |
| *) mod_proxy: Now allow for 191 character worker names, with non-fatal |
| errors if name is truncated. PR53218. [Jim Jagielski] |
| |
| *) mod_ssl: Add optional function "ssl_get_tls_cb" to allow support |
| for channel bindings. [Simo Sorce <simo redhat.com>] |
| |
| *) mod_proxy_wstunnel: Concurrent websockets messages could be |
| lost or delayed with ProxyWebsocketAsync enabled. |
| [Edward Lu <Chaosed0 gmail.com>] |
| |
| *) core, mod_info: Add compiled and loaded PCRE versions to version |
| number display. [Rainer Jung] |
| |
| *) mod_authnz_ldap: Return LDAP connections to the pool before the handler |
| is run, instead of waiting until the end of the request. [Eric Covener] |
| |
| *) mod_proxy_html: support automatic detection of doctype and processing |
| of FPIs. PR56285 [Micha Lenk <micha lenk info>, Nick Kew] |
| |
| *) core: Add ap_mpm_resume_suspended() API to allow a suspended connection |
| to resume. PR56333 |
| [Artem <artemciy gmail.com>, Edward Lu <Chaosed0 gmail.com>] |
| |
| *) core: Add ap_mpm_register_socket_callback_timeout() API. [Eric Covener] |
| |
| *) mod_proxy_wstunnel: Honor ProxyWebsocketIdleTimeout in asynchronous |
| processing mode. [Eric Covener] |
| |
| *) mod_authnz_ldap: Fail explicitly when the filter is too long. Remove |
| unnecessary apr_pstrdup() and strlen(). [Graham Leggett] |
| |
| *) Add the ldap-search option to mod_authnz_ldap, allowing authorization |
| to be based on arbitrary expressions that do not include the username. |
| [Graham Leggett] |
| |
| *) Add the ldap function to the expression API, allowing LDAP filters and |
| distinguished names based on expressions to be escaped correctly to |
| guard against LDAP injection. [Graham Leggett] |
| |
| *) Add module mod_ssl_ct, which provides an implementation of Certificate |
| Transparency (RFC 6962) for httpd. [Jeff Trawick] |
| |
| *) mod_proxy_wstunnel: Avoid sending error responses down an upgraded |
| websockets connection as it is being closed down. [Eric Covener] |
| |
| *) mod_proxy_wstunnel: Allow the administrator to cap the amount |
| of time a synchronous websockets connection stays idle with |
| ProxyWebsocketIdleTimeout. [Eric Covener] |
| |
| *) mod_proxy_wstunnel: Change to opt-in for asynchronous support, adding |
| directives ProxyWebsocketAsync and ProxyWebsocketAsyncDelay. |
| [Eric Covener] |
| |
| *) mod_proxy_wstunnel: Stop leaking websockets backend connections under |
| event MPM (trunk-only). [Eric Covener] |
| |
| *) mod_proxy_http: Add detach_backend hook (potentially usable |
| in other proxy scheme handlers). [Jeff Trawick] |
| |
| *) mod_deflate: Add DeflateAlterETag to control how the ETag |
| is modified. The 'NoChange' parameter mimics 2.2.x behavior. |
| PR 45023, PR 39727. [Eric Covener] |
| |
| *) mod_dir: Default to 2.2-like behavior and skip execution when method is |
| neither GET nor POST, such as for DAV requests. PR 54914. [Chris Darroch] |
| |
| *) mod_rewrite: Rename the handler that does per-directory internal |
| redirects to "rewrite-redirect-handler" from "redirect-handler" so |
| it is less ambiguous and less likely to be reused. [Eric Covener] |
| |
| *) mod_rewrite: Protect against looping with the [N] flag by enforcing a |
| default limit of 10000 iterations, and allowing each rule to change its |
| limit. [Eric Covener] |
| |
| *) mod_ssl: Fix config merging of SSLOCSPEnable and SSLOCSPOverrideResponder. |
| [Jeff Trawick] |
| |
| *) Add HttpContentLengthHeadZero and HttpExpectStrict directives. |
| [Yehuda Sadeh <yehuda inktank com>, Justin Erenkrantz] |
| |
| *) mod_ssl: Add -t -DDUMP_CA_CERTS option which dumps the filenames of all |
| configured SSL CA certificates to stdout the same way as DUMP_CERTS does. |
| [Jan Kaluza] |
| |
| *) mod_ssl: Don't flush when an EOS is received. Prepares mod_ssl |
| to support write completion. [Graham Leggett] |
| |
| *) core: Add parse_errorlog_arg callback to ap_errorlog_provider |
| to allow providers to check the ErrorLog argument. [Jan Kaluza] |
| |
| *) mod_cgid: Use the server's Timeout for each read from a CGI script, |
| allow override with new CGIDRequestTimeout directive. PR43494 |
| [Eric Covener, Toshikuni Fukaya <toshikuni-fukaya cybozu co jp>] |
| |
| *) core: ensure any abnormal exit is reported to stderr if it's a tty. |
| PR 55670 [Nick Kew] |
| |
| *) mod_lua: Let the Inter-VM get/set functions work with a global |
| shared memory pool instead of a per-process pool. [Daniel Gruno] |
| |
| *) ldap: Support ldaps when using the Microsoft LDAP SDK. |
| PR 54626. [Jean-Frederic Clere] |
| |
| *) mod_authnz_ldap: Change default value of AuthLDAPMaxSubGroupDepth to 0 |
| to avoid performance problems when subgroups aren't in use. [Eric Covener] |
| |
| *) mod_syslog: New module implementing syslog ap_error_log provider. |
| Previously, this code was part of core, now it's in separate module. |
| [Jan Kaluza] |
| |
| *) core: Add ap_errorlog_provider to make ErrorLog logging modular. Move |
| syslog support from core to new mod_syslog. [Jan Kaluza] |
| |
| *) mod_status, mod_echo: Fix the display of client addresses. |
| They were truncated to 31 characters which is not enough for IPv6 addresses. |
| This is done by deprecating the use of the 'client' field and using |
| the new 'client64' field in worker_score. |
| PR 54848 [Bernhard Schmidt <berni birkenwald de>, Jim Jagielski] |
| |
| *) core: merge AllowEncodedSlashes from the base configuration into |
| virtual hosts. [Eric Covener] |
| |
| *) AIX: Install DSO's with "cp" instead of "install" in instdso.sh |
| [Eric Covener] |
| |
| *) mod_ldap: Don't keep retrying if a new LDAP connection times out. |
| [Eric Covener] |
| |
| *) mod_deflate: permit compilation of mod_deflate against a zlib that has |
| been configured with -D Z_PREFIX, which redefines the token "deflate". |
| [Eric Covener] |
| |
| *) mod_auth_digest: Use the secret when generating nonces in all cases and |
| not only when AuthName is used in .htaccess files (this change may cause |
| problems if used with round robin load balancers). Don't regenerate the |
| secret on graceful restarts. PR 54637 [Stefan Fritsch] |
| |
| *) core: Stop the HTTP_IN filter from attempting to write error buckets |
| to the output filters, which is bogus in the proxy case. Create a |
| clean mapping from APR codes to HTTP status codes, and use it where |
| needed. [Graham Leggett] |
| |
| *) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981 |
| [Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez |
| <alejandro.alvarez.ayllon cern.ch>] |
| |
| *) mod_ldap: LDAP connections used for authentication were not respecting |
| LDAPConnectionPoolTimeout. PR 54587 |
| |
| *) core: Add option to add valgrind support. Use it to reduce false positive |
| warnings in mod_ssl. [Stefan Fritsch] |
| |
| *) mod_authn_file, mod_authn_dbd, mod_authn_dbm, mod_authn_socache: |
| Cache the result of the most recent password hash verification for every |
| keep-alive connection. This saves some expensive calculations. |
| [Stefan Fritsch] |
| |
| *) http: Remove support for Request-Range header sent by Navigator 2-3 and |
| MSIE 3. [Stefan Fritsch] |
| |
| *) core, http: Extend HttpProtocol with an option to enforce stricter HTTP |
| conformance or to only log the found problems. [Stefan Fritsch] |
| |
| *) EventOpt MPM |
| |
| *) core: Add LogLevelOverride directive that allows to override the |
| loglevel for clients from certain IPs. This also works for things |
| like the SSL handshake where <If> LogLevel ... </If> is evaluated |
| too late. [Stefan Fritsch] |
| |
| *) core: Add new directive Warning to issue warnings from a configuration |
| file. Both Warning and Error now generate a timestamped log message. |
| [Fabien Coelho] |
| |
| *) ap_expr: Add SERVER_PROTOCOL_VERSION, ..._MAJOR, and ..._MINOR |
| variables. [Stefan Fritsch] |
| |
| *) core: New directive HttpProtocol which allows to disable HTTP/0.9 |
| support. [Stefan Fritsch] |
| |
| *) mod_allowhandlers: New module to forbid specific handlers for specific |
| directories. [Stefan Fritsch] |
| |
| *) mod_systemd: New module, for integration with systemd on Linux. |
| [Jan Kaluza <jkaluza redhat.com>] |
| |
| *) WinNT MPM: Store pid and generation for each thread in scoreboard |
| to allow tracking of threads from exiting children via mod_status |
| or other such mechanisms. [Jeff Trawick] |
| |
| *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR: |
| - APIs: ap_log_pid(), ap_remove_pid, ap_read_pid() |
| - mod_cache: thundering herd lock directory |
| - mod_lbmethod_heartbeat, mod_heartmonitor: heartbeat storage file |
| - mod_ldap: shared memory cache |
| - mod_socache_shmcb, mod_socache_dbm: shared memory or dbm for cache |
| [Jeff Trawick] |
| |
| *) mod_ssl: Add support for TLS Next Protocol Negotiation. PR 52210. |
| [Matthew Steele <mdsteele google.com>] |
| |
| *) cross-compile: allow to provide CC_FOR_BUILD so that gen_test_char will |
| be compiled by the build compiler instead of the host compiler. |
| Also set CC_FOR_BUILD to 'cc' when cross-compilation is detected. |
| PR 51257. [Guenter Knauf] |
| |
| *) core: In maintainer mode, replace apr_palloc with a version that |
| initializes the allocated memory with non-zero values, except if |
| AP_DEBUG_NO_ALLOC_POISON is defined. [Stefan Fritsch] |
| |
| *) mod_policy: Add a new testing module to help server administrators |
| enforce a configurable level of protocol compliance on their |
| servers and application servers behind theirs. [Graham Leggett] |
| |
| *) mod_firehose: Add a new debugging module able to record traffic |
| passing through the server in such a way that connections and/or |
| requests be reconstructed and replayed. [Graham Leggett] |
| |
| *) mod_noloris |
| |
| *) APREQ |
| |
| *) Simple MPM |
| |
| *) mod_serf |
| |
| [Apache 2.5.0-dev includes those bug fixes and changes with the |
| Apache 2.4.xx tree as documented below, except as noted.] |
| |
| Changes with Apache 2.4.x and later: |
| |
| *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup |
| |
| Changes with Apache 2.2.x and later: |
| |
| *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup |
| |
| Changes with Apache 2.0.x and later: |
| |
| *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup |