Changes with Apache 2.4.41
*) SECURITY: CVE-2019-10081 (cve.mitre.org)
mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
could lead to an overwrite of memory in the pushing request's pool,
leading to crashes. The memory copied is that of the configured push
link header values, not data supplied by the client.
*) SECURITY: CVE-2019-9517 (cve.mitre.org)
mod_http2: a malicious client could perform a DoS attack by flooding
a connection with requests and basically never reading responses
on the TCP connection. Depending on h2 worker dimensioning, it was
possible to block those with relatively few connections.
*) SECURITY: CVE-2019-10098 (cve.mitre.org)
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
matches and substitutions with encoded line break characters.
*) SECURITY: CVE-2019-10092 (cve.mitre.org)
Remove HTML-escaped URLs from canned error responses to prevent misleading
text/links being displayed via crafted links.
*) SECURITY: CVE-2019-10097 (cve.mitre.org)
mod_remoteip: Fix stack buffer overflow and NULL pointer deference
when reading the PROXY protocol header.
*) SECURITY: CVE-2019-10082 (cve.mitre.org)
mod_http2: Using fuzzed network input, the http/2 session
handling could be made to read memory after being freed,
during connection shutdown.
*) mod_proxy_balancer: Improve balancer-manager protection against
XSS/XSRF attacks from trusted users.
*) mod_session: Introduce SessionExpiryUpdateInterval which allows to
configure the session/cookie expiry's update interval.
*) modules/filters: Fix broken compilation when using old GCC (<4.2.x).
*) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
configured for a domain managed by mod_md.
The mod_brotli module provides the BROTLI_COMPRESS output filter that
allows output from your server to be compressed using the brotli
compression format before being sent to the client over the network.
Changes with Apache 2.4.39
*) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
connection is recycled/reused to avoid a possible crash with some SSLProxy
configurations in <Location> or <Proxy> context.
*) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
*) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
*) mod_socache_redis: Support for Redis as socache storage provider.
*) core: new configuration option 'MergeSlashes on|off' that controls handling of
multiple, consecutive slash ('/') characters in the path component of the request URL.
*) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
*) mod_http2: new configuration directive: `H2Padding numbits` to control
padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
controlling the range of padding bytes added to a frame. The actual number
added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
frames equally. The default continues to be 0, e.g. no padding.
*) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
has no more need for it. Optional functions are still declared but no longer implemented.
While previous mod_proxy_http2 will work with this, it is recommeneded to run the matching
versions of both modules.
*) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
resolve bug 63170. The proxy module does now a single h2 request on the (reused)
connection and returns.
*) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status
to trigger immediate shutdown of backend connections. This is now always signalled
by mod_http2 when the the session is being released.
proxy_http2 now only sends a PING frame to the backend when there is not already one
in flight.
*) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite
loop when encountering certain errors on the backend connection.
*) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per
Location/Directory, e.g. disabling PUSH for a specific set of resources.
*) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to
terminate improperly and cause a HTTP/2 PROTOCOL_ERROR.
*) http: Fix possible empty response with mod_ratelimit for HEAD requests.
*) mod_cache_socache: Avoid reallocations and be safe with outgoing data
lifetime.
*) MPMs unix: bind the bucket number of each child to its slot number, for a
more efficient per bucket maintenance.
*) mod_auth_digest: Fix a race condition. Authentication with valid
credentials could be refused in case of concurrent accesses from
different users.
*) mod_http2: enable re-use of slave connections again. Fixed slave connection
keepalives counter.
*) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.
*) mod_proxy_wstunnel: Fix websocket proxy over UDS.
*) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
configuration (SSLFIPS on) and not active by default in OpenSSL.
Changes with Apache 2.4.38
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowing
sessions to be reused.
*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodies
to resources not consuming them, httpd cleanup code occupies a server
thread unnecessarily. This was changed to an immediate stream reset
which discards all stream state and incoming data.
*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later.
*) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
*) mod_negotiation: Treat LanguagePriority as case-insensitive to match
AddLanguage behavior and HTTP specification.
*) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
have been fixed.
*) mod_setenvif: We can have expressions that become true if a regex pattern
in the expression does NOT match. In this case val is NULL
and we should just set the value for the environment variable
like in the pattern case.
*) mod_session: Always decode session attributes early.
*) core: Incorrect values for environment variables are substituted when
multiple environment variables are specified in a directive.
*) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
this type of map is present in the configuration.
*) mod_dav: Fix invalid Location header when a resource is created by
passing an absolute URI on the request line
*) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
*) mod_ssl: clear *SSL errors before loading certificates and checking
afterwards. Otherwise errors are reported when other SSL using modules
are in play.
*) mod_ssl: Fix the error code returned in an error path of
'ssl_io_filter_handshake()'. This messes-up error handling performed
in 'ssl_io_filter_error()'
*) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
authz provider so "Require ssl" works correctly in HTTP/2.
*) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
redirects, subsequent ProxyPassReverse statements, whether they are
relative or absolute, may fail.
*) mod_lua: Now marked as a stable module
Changes with Apache 2.4.37
*) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1.
*) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
when client certificates are available from the original handshake
but were originally not verified and should get verified now.
This is a regression in 2.4.36 (unreleased).
*) mod_ssl: Correctly merge configurations that have client certificates set
by SSLProxyMachineCertificate{File|Path}.
Changes with Apache 2.4.36
*) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
responses. Regression introduced in 2.4.35.
*) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
body of the response.
*) mod_http2: adding defensive code for stream EOS handling, in case the request handler
missed to signal it the normal way (eos buckets).
*) ab: Add client certificate support.
*) ab: Disable printing temp key for OpenSSL before
version 1.0.2. SSL_get_server_tmp_key is not available
there.
*) mod_ssl: Fix a regression that the configuration settings for verify mode
and verify depth were taken from the frontend connection in case of
connections by the proxy to the backend.
*) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
before signals handling to avoid lifetime issues on restart or shutdown.
*) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3. TLSv1.3 has
behavioural changes compared to v1.2 and earlier; client and
configuration changes should be expected. SSLCipherSuite is
enhanced for TLSv1.3 ciphers, but applies at vhost level only.
*) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
should be accepted after the authorization scheme. \t are also tolerated.
*) mod_proxy_hcheck: Fix issues with interval determination.
*) mod_proxy_hcheck: Fix issues with TCP health checks.
*) mod_proxy_hcheck: take balancer's SSLProxy* directives into account.
*) mod_status, mod_echo: Fix the display of client addresses.
They were truncated to 31 characters which is not enough for IPv6 addresses.
This is done by deprecating the use of the 'client' field and using
the new 'client64' field in worker_score.
Changes with Apache 2.4.35
*) http: Enforce consistently no response body with both 204 and 304
statuses.
*) mod_status: Cumulate CPU time of exited child processes in the
"cu" and "cs" values. Add CPU time of the parent process to the
"c" and "s" values.
*) mod_proxy: Improve the balancer member data shown in mod_status when
"ProxyStatus" is "On": add "busy" count and show byte counts in
auto mode always in units of kilobytes.
*) mod_status: Add cumulated response duration time in milliseconds.
*) mod_status: Complete the data shown for async MPMs in "auto" mode.
Added number of processes, number of stopping processes and number
of busy and idle workers.
*) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
introduced in 2.4.34.
*) mod_proxy: Remove load order and link dependency between mod_lbmethod_*
modules and mod_proxy.
*) Allow the argument to <IfFile>, <IfDefine>, <IfSection>, <IfDirective>,
and <IfModule> to be quoted. This is primarily for the benefit of
<IfFile>.
*) mod_watchdog: Correct some log messages.
*) mod_md: When the last domain name from an MD is moved to another one,
that now empty MD gets moved to the store archive.
*) mod_ssl: Fix merging of SSLOCSPOverrideResponder.
*) mod_proxy_balancer: Restore compatibility with APR 1.4.
Apache 2.4.34
*) SECURITY: CVE-2018-8011 (cve.mitre.org)
mod_md: DoS via Coredumps on specially crafted requests
*) SECURITY: CVE-2018-1333 (cve.mitre.org)
mod_http2: DoS for HTTP/2 connections by specially crafted requests
*) Introduce zh-cn and zh-tw (simplified and traditional Chinese) error
document translations.
*) event: avoid possible race conditions with modules on the child pool.
*) mod_proxy: Fix a corner case where the ProxyPassReverseCookieDomain or
ProxyPassReverseCookiePath directive could fail to update correctly
'domain=' or 'path=' in the 'Set-Cookie' header.
*) mod_ratelimit: fix behavior when proxing content.
*) core: Re-allow '_' (underscore) in hostnames.
*) mod_authz_core: If several parameters are used in a AuthzProviderAlias
directive, if these parameters are not enclosed in quotation mark, only
the first one is handled. The other ones are silently ignored.
Add a message to warn about such a spurious configuration.
*) mod_md: improvements and bugfixes
- MDNotifyCmd now takes additional parameter that are passed on to the called command.
- ACME challenges have better checks for interference with other modules
- ACME challenges are only handled for domains managed by the module, allowing
other ACME clients to operate for other domains in the server.
- better libressl integration
*) mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'.
*) logging: Some early logging-related startup messages could be lost
when using syslog for the global ErrorLog.
*) mod_cache: Handle case of an invalid Expires header value RFC compliant
like the case of an Expires time in the past: allow to overwrite the
non-caching decision using CacheStoreExpired and respect Cache-Control
"max-age" and "s-maxage".
*) mod_xml2enc: Fix forwarding of error metadata/responses.
*) mod_proxy_http: Fix response header thrown away after the previous one
was considered too large and truncated.
*) core: Add and handle AP_GETLINE_NOSPC_EOL flag for ap_getline() family
of functions to consume the end of line when the buffer is exhausted.
*) mod_proxy_http: Add new worker parameter 'responsefieldsize' to
allow maximum HTTP response header size to be increased past 8192
bytes.
*) mod_ssl: Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf
of a certificate chain.
*) http: Fix small memory leak per request when handling persistent
connections.
*) mod_proxy_html: Fix variable interpolation and memory allocation failure
in ProxyHTMLURLMap.
*) mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.
*) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
zero out what had been initialized as the connection-level port.
*) core: In ONE_PROCESS/debug mode, cleanup everything when exiting.
*) mod_proxy_balancer: Add hot spare member type and corresponding flag (R).
Hot spare members are used as drop-in replacements for unusable workers
in the same load balancer set. This differs from hot standbys which are
only used when all workers in a set are unusable.
*) suexec: Add --enable-suexec-capabilites support on Linux, to use
setuid/setgid capability bits rather than a setuid root binary.
*) suexec: Add support for logging to syslog as an alternative to
logging to a file; use --without-suexec-logfile --with-suexec-syslog.
*) mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling
which broke some rare but previously-working configs.
*) core, log: improve sanity checks for the ErrorLog's syslog config, and
explicitly allow only lowercase 'syslog' settings.
*) mod_http2: accurate reporting of h2 data input/output per request via
mod_logio. Fixes an issue where output sizes where counted n-times on
reused slave connections.
*) mod_http2: Fix unnecessary timeout waits in case streams are aborted.
*) mod_http2: restoring the v1.10.16 keepalive timeout behaviour of mod_http2.
*) mod_proxy: Do not restrict the maximum pool size for backend connections
any longer by the maximum number of threads per process and use a better
default if mod_http2 is loaded.
*) mod_slotmem_shm: Add generation number to shm filename to fix races
with graceful restarts.
*) core: Preserve the original HTTP request method in the '%<m' LogFormat
when an path-based ErrorDocument is used.
*) mod_remoteip: make proxy-protocol work on slave connections, e.g. in
HTTP/2 requests.
*) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
regression introduced in 2.4.30.
*) mod_md: Fix compilation with OpenSSL before version 1.0.2.
*) mod_dumpio: do nothing below log level TRACE7.
*) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
*) core: On ECBDIC platforms, some errors related to oversized headers
may be misreported or be logged as ASCII escapes.
*) mod_ssl: Fix cmake-based build.
*) core: Add <IfFile>, <IfDirective> and <IfSection> conditional
section containers.
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
Changes with Apache 2.4.33
*) core: Fix request timeout logging and possible crash for error_log hooks.
*) mod_slomem_shm: Fix failure to create balancers's slotmems in Windows MPM,
where children processes need to attach them instead since they are owned
by the parent process already.
*) ab: try all destination socket addresses returned by
apr_sockaddr_info_get instead of failing on first one when not available.
Needed for instance if localhost resolves to both ::1 and 127.0.0.1
e.g. if both are in /etc/hosts.
*) ab: Use only one connection to determine working destination socket
address.
*) ab: LibreSSL doesn't have or require Windows applink.c.
*) htpasswd/htdigest: Disable support for bcrypt on EBCDIC platforms.
apr-util's bcrypt implementation doesn't tolerate EBCDIC.
*) htpasswd/htdbm: report the right limit when get_password() overflows.
*) htpasswd: Don't fail in -v mode if password file is unwritable.
*) htpasswd: don't point to (unused) stack memory on output
to make static analysers happy.
Changes with Apache 2.4.32
*) mod_access_compat: Fail if a comment is found in an Allow or Deny
directive.
*) mod_authz_host: Ignore comments after "Require host", logging a
warning, or logging an error if the line is otherwise empty.
*) rotatelogs: Fix expansion of %Z in localtime (-l) mode, and fix
Y2K38 bug.
*) mod_ssl: Support SSL DN raw variable extraction without conversion
to UTF-8, using _RAW suffix on variable names.
*) ab: Fix https:// connection failures (regression in 2.4.30); fix
crash generating CSV output for large -n.
Changes with Apache 2.4.31
*) mod_proxy_fcgi: Add the support for mod_proxy's flushpackets and flushwait
parameters.
*) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
improper merging of the cache lock in vhost config.
*) mpm_event: Do lingering close in worker(s).
*) mpm_queue: Put fdqueue code in common for MPMs event and worker.
Changes with Apache 2.4.30
*) SECURITY: CVE-2017-15710 (cve.mitre.org)
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
*) CVE-2018-1283 (cve.mitre.org)
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
*) SECURITY: CVE-2018-1303 (cve.mitre.org)
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data.
*) CVE-2018-1301 (cve.mitre.org)
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
*) mod_authnz_ldap: Fix language long names detection as short name.
*) mod_proxy: Worker schemes and hostnames which are too large are no
longer fatal errors; it is logged and the truncated values are stored.
*) CVE-2017-15715 (cve.mitre.org)
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
*) SECURITY: CVE-2018-1312 (cve.mitre.org)
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers.
*) mod_proxy: Allow setting options to globally defined balancer from
ProxyPass used in VirtualHost. Balancers are now merged using the new
merge_balancers method which merges the balancers options.
*) logresolve: Fix incorrect behavior or segfault if -c flag is used
Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259
*) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
Add ability for PROXY protocol processing to be optional to donated code.
See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
*) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
allowing per backend TLS configuration.
*) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module.
*) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
depend on the number of restarts (non-Unix systems) and preserve shared
*) CVE-2018-1302 (cve.mitre.org)
mod_http2: Potential crash w/ mod_http2.
names as much as possible on configuration changes for SHMs and persisted
files.
*) mod_http2: obsolete code removed, no more events on beam pool destruction,
discourage content encoders on http2-status response (where they do not work).
*) mpm_event: Let the listener thread do its maintenance job on resources
shortage.
*) mpm_event: Wakeup the listener to re-enable listening sockets.
*) mod_ssl: The SSLCompression directive will now give an error if used
with an OpenSSL build which does not support any compression methods.
*) mpm_event,worker: Mask signals for threads created by modules in child
init, so that they don't receive (implicitely) the ones meant for the MPM.
*) mod_md: new experimental, module for managing domains across virtual hosts,
implementing the Let's Encrypt ACMEv1 protocol to signup and renew
certificates. Please read the modules documentation for further instructions
on how to use it.
*) mod_proxy_html: skip documents shorter than 4 bytes
*) core, mpm_event: Avoid a small memory leak of the scoreboard handle, for
the lifetime of the connection, each time it is processed by MPM event.
*) mpm_event: Update scoreboard status for KeepAlive state.
*) mod_ldap: Fix a case where a full LDAP cache would continually fail to
purge old entries and log AH01323.
*) mpm_event: close connections not reported as handled by any module to
avoid losing track of them and leaking scoreboard entries.
*) core: A signal received while stopping could have crashed the main
process.
*) mod_ssl: support for mod_md added.
*) mod_proxy_html: process parsed comments immediately.
Fixes bug (seen in the wild when used with IBM's HTTPD bundle)
where parsed comments may be lost.
*) mod_proxy_html: introduce doctype for HTML 5
*) mod_proxy_html: fix typo-bug processing "strict" vs "transitional"
HTML/XHTML.
*) mpm_event: avoid a very unlikely race condition between the listener and
the workers when the latter fails to add a connection to the pollset.
*) core: silently ignore a not existent file path when IncludeOptional
is used.
*) mod_macro: fix usability of globally defined macros in .htaccess files.
*) mod_rewrite, core: add the Vary header when a condition evaluates to true
and the related RewriteRule is used in a Directory context
(triggering an internal redirect).
*) ab: Make the TLS layer aware that the underlying socket is nonblocking,
and use/handle POLLOUT where needed to avoid busy IOs and recover write
errors when appropriate.
*) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
read was incomplete (the SSL case can cause the next poll() to timeout
since data are buffered already).
*) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain
information retrievals on null bucket beams where it makes sense.
The actual fix as been done by "pkglint -F */*/buildlink3.mk", and was
reviewed manually.
There are some .include lines that still are indented with zero spaces
although the surrounding .if is indented. This is existing practice.
Changes with Apache 2.4.29
*) mod_unique_id: Use output of the PRNG rather than IP address and
pid, avoiding sleep() call and possible DNS issues at startup,
plus improving randomness for IPv6-only hosts.
*) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST
is used in a condition that evaluates to true.
*) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
beams that could lead to assertion failure in edge cases.
*) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
in 2.4.28.
*) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
*) mod_rewrite: Add support for starting External Rewriting Programs
as non-root user on UNIX systems by specifying username and group
name as third argument of RewriteMap directive.
*) core: Rewrite the Content-Length filter to avoid excessive memory
consumption. Chunked responses will be generated in more cases
than in previous releases.
*) mod_ssl: Fix SessionTicket callback return value, which does seem to
matter with OpenSSL 1.1.
Changes with Apache 2.4.28
*) SECURITY: CVE-2017-9798 (cve.mitre.org)
Corrupted or freed memory access. <Limit[Except]> must now be used in the
main configuration file (httpd.conf) to register HTTP methods before the
.htaccess files.
*) event: Avoid possible blocking in the listener thread when shutting down
connections.
*) mod_speling: Don't embed referer data in a link in error page.
*) htdigest: prevent a buffer overflow when a string exceeds the allowed max
length in a password file.
*) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
*) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
*) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
's' (second) and 'hr' (hour!) time suffixes.
*) mod_http2: Fix for stalling when more than 32KB are written to a
suspended stream.
*) build: allow configuration without APR sources.
*) mod_ssl, ab: Fix compatibility with LibreSSL.
*) core/log: Support use of optional "tag" in syslog entries.
*) mod_proxy: Fix ProxyAddHeaders merging.
*) core: Disallow multiple Listen on the same IP:port when listener buckets
are configured (ListenCoresBucketsRatio > 0), consistently with the single
bucket case (default), thus avoiding the leak of the corresponding socket
descriptors on graceful restart.
*) event: Avoid listener periodic wake ups by using the pollset wake-ability
when available.
*) mod_proxy_wstunnel: Fix detection of unresponded request which could have
led to spurious HTTP 502 error messages sent on upgrade connections.
*) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
global variable when using Lua 5.2 or later. This was exported as a
side effect from luaL_register, which is no longer supported as of
Lua 5.2 which deprecates pollution of the global namespace.
*) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
The server will continue to run, but HTTP/2 will no longer be negotiated.
*) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
default ProxyFCGIBackendType, fixing a regression with PHP-FPM.
*) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
*) mod_http2: Simplify ready queue, less memory and better performance. Update
mod_http2 version to 1.10.7.
*) Allow single-char field names inadvertently disallowed in 2.4.25.
*) htpasswd / htdigest: Do not apply the strict permissions of the temporary
passwd file to a possibly existing passwd file.
*) core: Avoid duplicate HEAD in Allow header.
This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
*) HTTP/2 support no longer tagged as "experimental" but is instead considered
fully production ready.
*) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
the session in continuous check for state changes that never happen.
*) mod_mime: Fix error checking for quoted pairs.
*) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
protocols.
*) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
a possible crash if a signal is caught during (graceful) restart.
*) core: Deprecate ap_get_basic_auth_pw() and add
ap_get_basic_auth_components().
*) mod_rewrite: When a substitution is a fully qualified URL, and the
scheme/host/port matches the current virtual host, stop interpreting the
path component as a local path just because the first component of the
path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
to revert to previous behavior.
*) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
platforms.
*) ab: enable option processing for setting a custom HTTP method also for
non-SSL builds.
*) core: EBCDIC fixes for interim responses with additional headers.
*) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
to ssl_io_filter_error().
*) mod_env: when processing a 'SetEnv' directive, warn if the environment
variable name includes a '='. It is likely a configuration error.
*) Evaluate nested If/ElseIf/Else configuration blocks.
*) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
allow spaces in backreferences to be encoded as %20 instead of '+'.
*) mod_rewrite: Add the possibility to limit the escaping to specific
characters in backreferences by listing them in the B flag.
*) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
systems.
*) mod_http2: fail requests without ERROR log in case we need to read interim
responses and see only garbage. This can happen if proxied servers send
data where none should be, e.g. a body for a HEAD request.
more...
SUBST_SED.confs+= -e "s|logs/|${VARBASE}/log/httpd/|g"
SUBST_SED.confs+= -e 's|/var/log/httpd/foo\.log|logs/foo.log/|g'
The first one only applied to an instrucion in the comment at the top of
the configuration file and made it meaningless.
The second one has been useless.
MASTER_SITES= site1 \
site2
style continuation lines to be simple repeated
MASTER_SITES+= site1
MASTER_SITES+= site2
lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
This release fixes several security problems, some of them are already
handled in pkgsrc. Please refer CHANGES file in detail.
*) SECURITY: CVE-2016-8740 (cve.mitre.org)
mod_http2: Mitigate DoS memory exhaustion via endless
CONTINUATION frames.
[Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State
University, Stefan Eissing]
*) SECURITY: CVE-2016-5387 (cve.mitre.org)
core: Mitigate [f]cgi "httpoxy" issues.
[Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
*) SECURITY: CVE-2016-2161 (cve.mitre.org)
mod_auth_digest: Prevent segfaults during client entry allocation when
the shared memory space is exhausted.
[Maksim Malyutin <m.malyutin dsec.ru>, Eric Covener, Jacob Champion]
*) SECURITY: CVE-2016-0736 (cve.mitre.org)
mod_session_crypto: Authenticate the session data/cookie with a
MAC (SipHash) to prevent deciphering or tampering with a padding
oracle attack. [Yann Ylavic, Colm MacCarthaigh]
*) SECURITY: CVE-2016-8743 (cve.mitre.org)
Enforce HTTP request grammar corresponding to RFC7230 for request lines
and request headers, to prevent response splitting and cache pollution by
malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
(NOTE: Versions 2.4.22 and 2.4.21 were not released.)
Changes from 2.4.20 are too many to write here, please refer CHANGES file.
And Apache 2.4.23 fixes CVE-2016-4979; X509 Client certificate based
authentication can be bypassed when HTTP/2 is used.
When updating this package, make sure that no strings like
"PR 12345" are in the commit message. Upstream likes
to reference their own PRs this way, but this ends up
in NetBSD GNATS.
*) core: Do not read .htaccess if AllowOverride and AllowOverrideList
are "None". PR 58528.
*) mod_proxy_express: Fix possible use of DB handle after close. PR 59230.
*) core/util_script: relax alphanumeric filter of enviroment variable names
on Windows to allow '(' and ')' for passing PROGRAMFILES(X86) et.al.
unadulterated in 64 bit versions of Windows. PR 46751.
*) mod_http2: incrementing keepalives on each request started so that logging
%k gives increasing numbers per master http2 connection.
New documented variables in env, usable in custom log formats: H2_PUSH,
H2_PUSHED, H2_PUSHED_ON, H2_STREAM_ID and H2_STREAM_TAG.
*) mod_http2: more efficient passing of response bodies with less contention
and file bucket forwarding.
*) mod_http2: fix for missing score board updates on request count, fix for
memory leak on slave connection reuse.
*) mod_http2: Fix build on Windows from dsp files.
