Update apache24 to 2.4.46 (Apache HTTPD 2.4.46). It fixes several
security problems:
CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header
CVE-2020-11984: mod_uwsgi buffer overflow
CVE-2020-11985: CWE-345: Insufficient verification of data authenticity
CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header
pkgsrc changes: reduce warnings by SUBST_* processing.
Changes with Apache 2.4.46
*) mod_proxy_fcgi: Fix build warnings for Windows platform
[Eric Covener, Christophe Jaillet]
Changes with Apache 2.4.45
*) mod_http2: remove support for abandoned http-wg draft
<https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
[Stefan Eissing]
Changes with Apache 2.4.44
*) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
protocol limit). [Yann Ylavic]
*) mod_http2:
Fixes <https://github.com/icing/mod_h2/issues/200>:
"LimitRequestFields 0" now disables the limit, as documented.
Fixes <https://github.com/icing/mod_h2/issues/201>:
Do not count repeated headers with same name against the field
count limit. They are merged internally, as if sent in a single HTTP/1 line.
[Stefan Eissing]
*) mod_http2: Avoid segfaults in case of handling certain responses for
already aborted connections. [Stefan Eissing, Ruediger Pluem]
*) mod_http2: The module now handles master/secondary connections and has marked
methods according to use. [Stefan Eissing]
*) core: Drop an invalid Last-Modified header value coming
from a FCGI/CGI script instead of replacing it with Unix epoch.
[Yann Ylavic, Luca Toscano]
*) Add support for strict content-length parsing through addition of
ap_parse_strict_length() [Yann Ylavic]
*) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
evaluates to false. PR64365. [Michael König <mail ikoenig.net>]
*) mod_proxy_http: flush spooled request body in one go to avoid
leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]
*) mod_ssl: Fix a race condition and possible crash when using a proxy client
certificate (SSLProxyMachineCertificateFile).
[Armin Abfalterer <a.abfalterer gmail.com>]
*) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]
*) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
PR64330 [Stefan Eissing]
*) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
was configured with a handshake timeout. Fixes github issue #196.
[Stefan Eissing]
*) mod_proxy_http2: the "ping" proxy parameter
(see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
when checking the liveliness of a new or reused h2 connection to the backend.
With short durations, this makes load-balancing more responsive. The module
will hold back requests until ping conditions are met, using features of the
HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
*) core: httpd is no longer linked against -lsystemd if mod_systemd
is enabled (and built as a DSO). [Rainer Jung]
*) mod_proxy_http2: respect ProxyTimeout settings on backend connections
while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
Changes with Apache 2.4.43
*) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
Changes with Apache 2.4.42
*) mod_proxy_http: Fix the forwarding of requests with content body when a
balancer member is unavailable; the retry on the next member was issued
with an empty body (regression introduced in 2.4.41). PR63891.
[Yann Ylavic]
*) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
identifier under load, see <https://github.com/icing/mod_h2/issues/195>.
[Michael Kaufmann, Stefan Eissing]
*) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
PR64140. [Renier Velazco <renier.velazco upr.edu>]
*) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
PR64172.
*) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
to allow customization of the usertrack cookie. PR64077.
[Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]
*) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
AJP13 authentication. PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]
*) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
[Eric Covener, Yann Ylavic]
*) Add a config layout for OpenWRT. [Graham Leggett]
*) Add support for cross compiling to apxs. If apxs is being executed from
somewhere other than its target location, add that prefix to includes and
library directories. Without this, apxs would fail to find config_vars.mk
and exit. [Graham Leggett]
*) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
[Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
*) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
[Graham Leggett]
*) mod_ssl: Support use of private keys and certificates from an
OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
[Anderson Sasaki <ansasaki redhat.com>, Joe Orton]
*) mod_md:
- Prefer MDContactEmail directive to ServerAdmin for registration. New directive
thanks to Timothe Litt (@tlhackque).
- protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
check all matching virtual hosts for protocol support. Thanks to @mkauf.
- Corrected a check when OCSP stapling was configured for hosts
where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
- Softening the restrictions where mod_md configuration directives may appear. This should
allow for use in <If> and <Macro> sections. Whether all possible variations lead to the configuration
you wanted in the first place is another matter.
[Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
*) test: Added continuous testing with Travis CI.
This tests various scenarios on Ubuntu with the full test suite.
Architectures tested: amd64, s390x, ppc64le, arm64
The tests pass successfully.
[Luca Toscano, Joe Orton, Mike Rumph, and others]
*) core: Be stricter in parsing of Transfer-Encoding headers.
[ZeddYu <zeddyu.lu gmail.com>, Eric Covener]
*) mod_ssl: negotiate the TLS protocol version per name based vhost
configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
SSLProtocol (from the first vhost declared on the IP:port) is now only
relevant if no SSLProtocol is declared for the vhost or globally,
otherwise the vhost or global value apply. [Yann Ylavic]
*) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
output. PR 64096. [Joe Orton]
*) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
[Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]
*) mod_systemd: New module providing integration with systemd. [Jan Kaluza]
*) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
r:notes_table, r:subprocess_env_table as read-only native table alternatives
that can be iterated over. [Eric Covener]
*) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
[Yann Ylavic, Stefan Eissing]
*) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
r.headers_out, etc) to remove the key from the table. PR63971.
[Eric Covener]
*) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
always `on`, regardless of configuration. Found and reported by
<Armin.Abfalterer@united-security-providers.ch> and
<Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]
*) mod_http2: Multiple field length violations in the same request no longer cause
several log entries to be written. [@mkauf]
*) mod_ssl: OCSP does not apply to proxy mode. PR 63679.
[Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]
*) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
[Jim Jagielski]
*) mod_authn_socache: Increase the maximum length of strings that can be cached by
the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>]
*) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
[Ruediger Pluem, Eric Covener]
*) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
valid (For example, testing for a file on a flash drive that is not mounted)
[Christophe Jaillet]
*) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
means 'foo' is "not acceptable". PR 58158 [Christophe Jaillet]
*) mod_md v2.2.3:
- Configuring MDCAChallenges replaces any previous existing challenge configuration. It
had been additive before which was not the intended behaviour. [@mkauf]
- Fixing order of ACME challenges used when nothing else configured. Code now behaves as
documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
- Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
- Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
"transfer-encoding" to POST requests. This failed in direct communication with
Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]
*) mod_md: Adding several new features.
The module offers an implementation of OCSP Stapling that can replace fully or
for a limited set of domains the existing one from mod_ssl. OCSP handling
is part of mod_md's monitoring and message notifications. It can be used
for sites that do not have ACME certificates.
The url for a CTLog Monitor can be configured. It is used in the server-status
to link to the external status page of a certificate.
The MDMessageCmd is called with argument "installed" when a new certificate
has been activated on server restart/reload. This allows for processing of
the new certificate, for example to applications that require it in different
locations or formats.
[Stefan Eissing]
*) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
Changes with Apache 2.4.41
*) SECURITY: CVE-2019-10081 (cve.mitre.org)
mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
could lead to an overwrite of memory in the pushing request's pool,
leading to crashes. The memory copied is that of the configured push
link header values, not data supplied by the client.
*) SECURITY: CVE-2019-9517 (cve.mitre.org)
mod_http2: a malicious client could perform a DoS attack by flooding
a connection with requests and basically never reading responses
on the TCP connection. Depending on h2 worker dimensioning, it was
possible to block those with relatively few connections.
*) SECURITY: CVE-2019-10098 (cve.mitre.org)
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
matches and substitutions with encoded line break characters.
*) SECURITY: CVE-2019-10092 (cve.mitre.org)
Remove HTML-escaped URLs from canned error responses to prevent misleading
text/links being displayed via crafted links.
*) SECURITY: CVE-2019-10097 (cve.mitre.org)
mod_remoteip: Fix stack buffer overflow and NULL pointer dereference
when reading the PROXY protocol header.
*) SECURITY: CVE-2019-10082 (cve.mitre.org)
mod_http2: Using fuzzed network input, the http/2 session
handling could be made to read memory after being freed,
during connection shutdown.
*) mod_proxy_balancer: Improve balancer-manager protection against
XSS/XSRF attacks from trusted users.
*) mod_session: Introduce SessionExpiryUpdateInterval which allows to
configure the session/cookie expiry's update interval.
*) modules/filters: Fix broken compilation when using old GCC (<4.2.x).
*) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
configured for a domain managed by mod_md.
The mod_brotli module provides the BROTLI_COMPRESS output filter that
allows output from your server to be compressed using the brotli
compression format before being sent to the client over the network.
Changes with Apache 2.4.39
*) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
connection is recycled/reused to avoid a possible crash with some SSLProxy
configurations in <Location> or <Proxy> context.
*) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
*) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
*) mod_socache_redis: Support for Redis as socache storage provider.
*) core: new configuration option 'MergeSlashes on|off' that controls handling of
multiple, consecutive slash ('/') characters in the path component of the request URL.
*) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
*) mod_http2: new configuration directive: `H2Padding numbits` to control
padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
controlling the range of padding bytes added to a frame. The actual number
added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
frames equally. The default continues to be 0, i.e. no padding.
*) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
has no more need for it. Optional functions are still declared but no longer implemented.
While previous mod_proxy_http2 will work with this, it is recommended to run the matching
versions of both modules.
*) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
resolve bug 63170. The proxy module does now a single h2 request on the (reused)
connection and returns.
*) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status
to trigger immediate shutdown of backend connections. This is now always signalled
by mod_http2 when the session is being released.
proxy_http2 now only sends a PING frame to the backend when there is not already one
in flight.
*) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite
loop when encountering certain errors on the backend connection.
*) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per
Location/Directory, e.g. disabling PUSH for a specific set of resources.
*) mod_http2: HEAD requests to some modules such as mod_cgid caused the stream to
terminate improperly and cause a HTTP/2 PROTOCOL_ERROR.
*) http: Fix possible empty response with mod_ratelimit for HEAD requests.
*) mod_cache_socache: Avoid reallocations and be safe with outgoing data
lifetime.
*) MPMs unix: bind the bucket number of each child to its slot number, for a
more efficient per bucket maintenance.
*) mod_auth_digest: Fix a race condition. Authentication with valid
credentials could be refused in case of concurrent accesses from
different users.
*) mod_http2: enable re-use of slave connections again. Fixed slave connection
keepalives counter.
*) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.
*) mod_proxy_wstunnel: Fix websocket proxy over UDS.
*) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
configuration (SSLFIPS on) and not active by default in OpenSSL.
Changes with Apache 2.4.38
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowing
sessions to be reused.
*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodies
to resources not consuming them, httpd cleanup code occupies a server
thread unnecessarily. This was changed to an immediate stream reset
which discards all stream state and incoming data.
*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later.
*) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
*) mod_negotiation: Treat LanguagePriority as case-insensitive to match
AddLanguage behavior and HTTP specification.
*) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
has been fixed.
*) mod_setenvif: We can have expressions that become true if a regex pattern
in the expression does NOT match. In this case val is NULL
and we should just set the value for the environment variable
like in the pattern case.
*) mod_session: Always decode session attributes early.
*) core: Incorrect values for environment variables are substituted when
multiple environment variables are specified in a directive.
*) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
this type of map is present in the configuration.
*) mod_dav: Fix invalid Location header when a resource is created by
passing an absolute URI on the request line
*) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
*) mod_ssl: clear *SSL errors before loading certificates and checking
afterwards. Otherwise errors are reported when other SSL using modules
are in play.
*) mod_ssl: Fix the error code returned in an error path of
'ssl_io_filter_handshake()'. This messes-up error handling performed
in 'ssl_io_filter_error()'
*) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
authz provider so "Require ssl" works correctly in HTTP/2.
*) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
redirects, subsequent ProxyPassReverse statements, whether they are
relative or absolute, may fail.
*) mod_lua: Now marked as a stable module
Changes with Apache 2.4.37
*) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1.
*) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
when client certificates are available from the original handshake
but were originally not verified and should get verified now.
This is a regression in 2.4.36 (unreleased).
*) mod_ssl: Correctly merge configurations that have client certificates set
by SSLProxyMachineCertificate{File|Path}.
Changes with Apache 2.4.36
*) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
responses. Regression introduced in 2.4.35.
*) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
body of the response.
*) mod_http2: adding defensive code for stream EOS handling, in case the request handler
failed to signal it the normal way (eos buckets).
*) ab: Add client certificate support.
*) ab: Disable printing temp key for OpenSSL before
version 1.0.2. SSL_get_server_tmp_key is not available
there.
*) mod_ssl: Fix a regression that the configuration settings for verify mode
and verify depth were taken from the frontend connection in case of
connections by the proxy to the backend.
*) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
before signals handling to avoid lifetime issues on restart or shutdown.
*) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3. TLSv1.3 has
behavioural changes compared to v1.2 and earlier; client and
configuration changes should be expected. SSLCipherSuite is
enhanced for TLSv1.3 ciphers, but applies at vhost level only.
*) mod_auth_basic: Be less tolerant when parsing the credential. Only spaces
should be accepted after the authorization scheme. \t are also tolerated.
*) mod_proxy_hcheck: Fix issues with interval determination.
*) mod_proxy_hcheck: Fix issues with TCP health checks.
*) mod_proxy_hcheck: take balancer's SSLProxy* directives into account.
*) mod_status, mod_echo: Fix the display of client addresses.
They were truncated to 31 characters which is not enough for IPv6 addresses.
This is done by deprecating the use of the 'client' field and using
the new 'client64' field in worker_score.
Changes with Apache 2.4.35
*) http: Enforce consistently no response body with both 204 and 304
statuses.
*) mod_status: Cumulate CPU time of exited child processes in the
"cu" and "cs" values. Add CPU time of the parent process to the
"c" and "s" values.
*) mod_proxy: Improve the balancer member data shown in mod_status when
"ProxyStatus" is "On": add "busy" count and show byte counts in
auto mode always in units of kilobytes.
*) mod_status: Add cumulated response duration time in milliseconds.
*) mod_status: Complete the data shown for async MPMs in "auto" mode.
Added number of processes, number of stopping processes and number
of busy and idle workers.
*) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
introduced in 2.4.34.
*) mod_proxy: Remove load order and link dependency between mod_lbmethod_*
modules and mod_proxy.
*) Allow the argument to <IfFile>, <IfDefine>, <IfSection>, <IfDirective>,
and <IfModule> to be quoted. This is primarily for the benefit of
<IfFile>.
*) mod_watchdog: Correct some log messages.
*) mod_md: When the last domain name from an MD is moved to another one,
that now empty MD gets moved to the store archive.
*) mod_ssl: Fix merging of SSLOCSPOverrideResponder.
*) mod_proxy_balancer: Restore compatibility with APR 1.4.
Changes with Apache 2.4.34
*) SECURITY: CVE-2018-8011 (cve.mitre.org)
mod_md: DoS via Coredumps on specially crafted requests
*) SECURITY: CVE-2018-1333 (cve.mitre.org)
mod_http2: DoS for HTTP/2 connections by specially crafted requests
*) Introduce zh-cn and zh-tw (simplified and traditional Chinese) error
document translations.
*) event: avoid possible race conditions with modules on the child pool.
*) mod_proxy: Fix a corner case where the ProxyPassReverseCookieDomain or
ProxyPassReverseCookiePath directive could fail to update correctly
'domain=' or 'path=' in the 'Set-Cookie' header.
*) mod_ratelimit: fix behavior when proxying content.
*) core: Re-allow '_' (underscore) in hostnames.
*) mod_authz_core: If several parameters are used in an AuthzProviderAlias
directive, if these parameters are not enclosed in quotation marks, only
the first one is handled. The other ones are silently ignored.
Add a message to warn about such a spurious configuration.
*) mod_md: improvements and bugfixes
- MDNotifyCmd now takes additional parameters that are passed on to the called command.
- ACME challenges have better checks for interference with other modules
- ACME challenges are only handled for domains managed by the module, allowing
other ACME clients to operate for other domains in the server.
- better libressl integration
*) mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'.
*) logging: Some early logging-related startup messages could be lost
when using syslog for the global ErrorLog.
*) mod_cache: Handle case of an invalid Expires header value RFC compliant
like the case of an Expires time in the past: allow to overwrite the
non-caching decision using CacheStoreExpired and respect Cache-Control
"max-age" and "s-maxage".
*) mod_xml2enc: Fix forwarding of error metadata/responses.
*) mod_proxy_http: Fix response header thrown away after the previous one
was considered too large and truncated.
*) core: Add and handle AP_GETLINE_NOSPC_EOL flag for ap_getline() family
of functions to consume the end of line when the buffer is exhausted.
*) mod_proxy_http: Add new worker parameter 'responsefieldsize' to
allow maximum HTTP response header size to be increased past 8192
bytes.
*) mod_ssl: Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf
of a certificate chain.
*) http: Fix small memory leak per request when handling persistent
connections.
*) mod_proxy_html: Fix variable interpolation and memory allocation failure
in ProxyHTMLURLMap.
*) mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.
*) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
zero out what had been initialized as the connection-level port.
*) core: In ONE_PROCESS/debug mode, cleanup everything when exiting.
*) mod_proxy_balancer: Add hot spare member type and corresponding flag (R).
Hot spare members are used as drop-in replacements for unusable workers
in the same load balancer set. This differs from hot standbys which are
only used when all workers in a set are unusable.
*) suexec: Add --enable-suexec-capabilites support on Linux, to use
setuid/setgid capability bits rather than a setuid root binary.
*) suexec: Add support for logging to syslog as an alternative to
logging to a file; use --without-suexec-logfile --with-suexec-syslog.
*) mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling
which broke some rare but previously-working configs.
*) core, log: improve sanity checks for the ErrorLog's syslog config, and
explicitly allow only lowercase 'syslog' settings.
*) mod_http2: accurate reporting of h2 data input/output per request via
mod_logio. Fixes an issue where output sizes were counted n-times on
reused slave connections.
*) mod_http2: Fix unnecessary timeout waits in case streams are aborted.
*) mod_http2: restoring the v1.10.16 keepalive timeout behaviour of mod_http2.
*) mod_proxy: Do not restrict the maximum pool size for backend connections
any longer by the maximum number of threads per process and use a better
default if mod_http2 is loaded.
*) mod_slotmem_shm: Add generation number to shm filename to fix races
with graceful restarts.
*) core: Preserve the original HTTP request method in the '%<m' LogFormat
when a path-based ErrorDocument is used.
*) mod_remoteip: make proxy-protocol work on slave connections, e.g. in
HTTP/2 requests.
*) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
regression introduced in 2.4.30.
*) mod_md: Fix compilation with OpenSSL before version 1.0.2.
*) mod_dumpio: do nothing below log level TRACE7.
*) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
*) core: On EBCDIC platforms, some errors related to oversized headers
may be misreported or be logged as ASCII escapes.
*) mod_ssl: Fix cmake-based build.
*) core: Add <IfFile>, <IfDirective> and <IfSection> conditional
section containers.
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
Changes with Apache 2.4.33
*) core: Fix request timeout logging and possible crash for error_log hooks.
*) mod_slotmem_shm: Fix failure to create balancers' slotmems in Windows MPM,
where children processes need to attach them instead since they are owned
by the parent process already.
*) ab: try all destination socket addresses returned by
apr_sockaddr_info_get instead of failing on first one when not available.
Needed for instance if localhost resolves to both ::1 and 127.0.0.1
e.g. if both are in /etc/hosts.
*) ab: Use only one connection to determine working destination socket
address.
*) ab: LibreSSL doesn't have or require Windows applink.c.
*) htpasswd/htdigest: Disable support for bcrypt on EBCDIC platforms.
apr-util's bcrypt implementation doesn't tolerate EBCDIC.
*) htpasswd/htdbm: report the right limit when get_password() overflows.
*) htpasswd: Don't fail in -v mode if password file is unwritable.
*) htpasswd: don't point to (unused) stack memory on output
to make static analysers happy.
Changes with Apache 2.4.32
*) mod_access_compat: Fail if a comment is found in an Allow or Deny
directive.
*) mod_authz_host: Ignore comments after "Require host", logging a
warning, or logging an error if the line is otherwise empty.
*) rotatelogs: Fix expansion of %Z in localtime (-l) mode, and fix
Y2K38 bug.
*) mod_ssl: Support SSL DN raw variable extraction without conversion
to UTF-8, using _RAW suffix on variable names.
*) ab: Fix https:// connection failures (regression in 2.4.30); fix
crash generating CSV output for large -n.
Changes with Apache 2.4.31
*) mod_proxy_fcgi: Add the support for mod_proxy's flushpackets and flushwait
parameters.
*) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
improper merging of the cache lock in vhost config.
*) mpm_event: Do lingering close in worker(s).
*) mpm_queue: Put fdqueue code in common for MPMs event and worker.
Changes with Apache 2.4.30
*) SECURITY: CVE-2017-15710 (cve.mitre.org)
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
*) CVE-2018-1283 (cve.mitre.org)
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
*) SECURITY: CVE-2018-1303 (cve.mitre.org)
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data.
*) CVE-2018-1301 (cve.mitre.org)
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
*) mod_authnz_ldap: Fix language long names detection as short name.
*) mod_proxy: Worker schemes and hostnames which are too large are no
longer fatal errors; it is logged and the truncated values are stored.
*) CVE-2017-15715 (cve.mitre.org)
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
*) SECURITY: CVE-2018-1312 (cve.mitre.org)
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers.
*) mod_proxy: Allow setting options to globally defined balancer from
ProxyPass used in VirtualHost. Balancers are now merged using the new
merge_balancers method which merges the balancers options.
*) logresolve: Fix incorrect behavior or segfault if -c flag is used
Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259
*) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
Add ability for PROXY protocol processing to be optional to donated code.
See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
*) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
allowing per backend TLS configuration.
*) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module.
*) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
depend on the number of restarts (non-Unix systems) and preserve shared
names as much as possible on configuration changes for SHMs and persisted
files.
*) CVE-2018-1302 (cve.mitre.org)
mod_http2: Potential crash w/ mod_http2.
*) mod_http2: obsolete code removed, no more events on beam pool destruction,
discourage content encoders on http2-status response (where they do not work).
*) mpm_event: Let the listener thread do its maintenance job on resources
shortage.
*) mpm_event: Wakeup the listener to re-enable listening sockets.
*) mod_ssl: The SSLCompression directive will now give an error if used
with an OpenSSL build which does not support any compression methods.
*) mpm_event,worker: Mask signals for threads created by modules in child
init, so that they don't receive (implicitly) the ones meant for the MPM.
*) mod_md: new experimental, module for managing domains across virtual hosts,
implementing the Let's Encrypt ACMEv1 protocol to signup and renew
certificates. Please read the modules documentation for further instructions
on how to use it.
*) mod_proxy_html: skip documents shorter than 4 bytes
*) core, mpm_event: Avoid a small memory leak of the scoreboard handle, for
the lifetime of the connection, each time it is processed by MPM event.
*) mpm_event: Update scoreboard status for KeepAlive state.
*) mod_ldap: Fix a case where a full LDAP cache would continually fail to
purge old entries and log AH01323.
*) mpm_event: close connections not reported as handled by any module to
avoid losing track of them and leaking scoreboard entries.
*) core: A signal received while stopping could have crashed the main
process.
*) mod_ssl: support for mod_md added.
*) mod_proxy_html: process parsed comments immediately.
Fixes bug (seen in the wild when used with IBM's HTTPD bundle)
where parsed comments may be lost.
*) mod_proxy_html: introduce doctype for HTML 5
*) mod_proxy_html: fix typo-bug processing "strict" vs "transitional"
HTML/XHTML.
*) mpm_event: avoid a very unlikely race condition between the listener and
the workers when the latter fails to add a connection to the pollset.
*) core: silently ignore a non-existent file path when IncludeOptional
is used.
*) mod_macro: fix usability of globally defined macros in .htaccess files.
*) mod_rewrite, core: add the Vary header when a condition evaluates to true
and the related RewriteRule is used in a Directory context
(triggering an internal redirect).
*) ab: Make the TLS layer aware that the underlying socket is nonblocking,
and use/handle POLLOUT where needed to avoid busy IOs and recover write
errors when appropriate.
*) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
read was incomplete (the SSL case can cause the next poll() to timeout
since data are buffered already).
*) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain
information retrievals on null bucket beams where it makes sense.
The actual fix has been done by "pkglint -F */*/buildlink3.mk", and was
reviewed manually.
There are some .include lines that still are indented with zero spaces
although the surrounding .if is indented. This is existing practice.
Changes with Apache 2.4.29
*) mod_unique_id: Use output of the PRNG rather than IP address and
pid, avoiding sleep() call and possible DNS issues at startup,
plus improving randomness for IPv6-only hosts.
*) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST
is used in a condition that evaluates to true.
*) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
beams that could lead to assertion failure in edge cases.
*) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
in 2.4.28.
*) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
*) mod_rewrite: Add support for starting External Rewriting Programs
as non-root user on UNIX systems by specifying username and group
name as third argument of RewriteMap directive.
*) core: Rewrite the Content-Length filter to avoid excessive memory
consumption. Chunked responses will be generated in more cases
than in previous releases.
*) mod_ssl: Fix SessionTicket callback return value, which does seem to
matter with OpenSSL 1.1.
Changes with Apache 2.4.28
*) SECURITY: CVE-2017-9798 (cve.mitre.org)
Corrupted or freed memory access. <Limit[Except]> must now be used in the
main configuration file (httpd.conf) to register HTTP methods before the
.htaccess files.
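As an added configuration example (not part of the Apache CHANGES text above), this shows the registration order the entry describes: a non-standard method used inside a `<Limit>` in an `.htaccess` file must already have been declared in the main server configuration. The document root `/srv/www/htdocs` and the method name `MYMETHOD` are hypothetical placeholders.

```apache
# httpd.conf (main configuration): declaring the method here registers it
# with the core before any per-directory .htaccess file is parsed.
<Directory "/srv/www/htdocs">
    AllowOverride Limit
    # Hypothetical custom method; listing it in a <Limit> block in the main
    # configuration is what registers it.
    <Limit GET POST MYMETHOD>
        Require all granted
    </Limit>
</Directory>

# /srv/www/htdocs/.htaccess: may now restrict the same method safely,
# because MYMETHOD was registered above rather than first seen here.
<Limit MYMETHOD>
    Require ip 192.0.2.0/24
</Limit>
```

A quick check on an existing deployment is to list every method name that appears in `<Limit>` or `<LimitExcept>` blocks under the document roots and confirm each non-standard one is also present in a `<Limit>` in `httpd.conf` or an included main configuration file.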
*) event: Avoid possible blocking in the listener thread when shutting down
connections.
*) mod_speling: Don't embed referer data in a link in error page.
*) htdigest: prevent a buffer overflow when a string exceeds the allowed max
length in a password file.
*) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
*) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
*) mod_watchdog/mod_proxy_hcheck: Time intervals can now be specified
down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
's' (second) and 'hr' (hour!) time suffixes.
*) mod_http2: Fix for stalling when more than 32KB are written to a
suspended stream.
*) build: allow configuration without APR sources.
*) mod_ssl, ab: Fix compatibility with LibreSSL.
*) core/log: Support use of optional "tag" in syslog entries.
*) mod_proxy: Fix ProxyAddHeaders merging.
*) core: Disallow multiple Listen on the same IP:port when listener buckets
are configured (ListenCoresBucketsRatio > 0), consistently with the single
bucket case (default), thus avoiding the leak of the corresponding socket
descriptors on graceful restart.
*) event: Avoid listener periodic wake ups by using the pollset wake-ability
when available.
*) mod_proxy_wstunnel: Fix detection of unresponded request which could have
led to spurious HTTP 502 error messages sent on upgrade connections.
*) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
global variable when using Lua 5.2 or later. This was exported as a
side effect from luaL_register, which is no longer supported as of
Lua 5.2 which deprecates pollution of the global namespace.
*) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
The server will continue to run, but HTTP/2 will no longer be negotiated.
*) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
default ProxyFCGIBackendType, fixing a regression with PHP-FPM.
*) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
*) mod_http2: Simplify ready queue, less memory and better performance. Update
mod_http2 version to 1.10.7.
*) Allow single-char field names inadvertently disallowed in 2.4.25.
*) htpasswd / htdigest: Do not apply the strict permissions of the temporary
passwd file to a possibly existing passwd file.
*) core: Avoid duplicate HEAD in Allow header.
This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
*) HTTP/2 support no longer tagged as "experimental" but is instead considered
fully production ready.
*) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
the session in continuous check for state changes that never happen.
*) mod_mime: Fix error checking for quoted pairs.
*) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
protocols.
*) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
a possible crash if a signal is caught during (graceful) restart.
*) core: Deprecate ap_get_basic_auth_pw() and add
ap_get_basic_auth_components().
*) mod_rewrite: When a substitution is a fully qualified URL, and the
scheme/host/port matches the current virtual host, stop interpreting the
path component as a local path just because the first component of the
path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
to revert to previous behavior.
*) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
platforms.
*) ab: enable option processing for setting a custom HTTP method also for
non-SSL builds.
*) core: EBCDIC fixes for interim responses with additional headers.
*) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
to ssl_io_filter_error().
*) mod_env: when processing a 'SetEnv' directive, warn if the environment
variable name includes a '='. It is likely a configuration error.
*) Evaluate nested If/ElseIf/Else configuration blocks.
*) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
allow spaces in backreferences to be encoded as %20 instead of '+'.
*) mod_rewrite: Add the possibility to limit the escaping to specific
characters in backreferences by listing them in the B flag.
*) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
systems.
*) mod_http2: fail requests without ERROR log in case we need to read interim
responses and see only garbage. This can happen if proxied servers send
data where none should be, e.g. a body for a HEAD request.
SUBST_SED.confs+= -e "s|logs/|${VARBASE}/log/httpd/|g"
SUBST_SED.confs+= -e 's|/var/log/httpd/foo\.log|logs/foo.log/|g'
The first one only applied to an instruction in the comment at the top of
the configuration file and made it meaningless.
The second one has been useless.
MASTER_SITES= site1 \
site2
style continuation lines to be simple repeated
MASTER_SITES+= site1
MASTER_SITES+= site2
lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.