-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGES
6993 lines (5102 loc) · 305 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
-*- coding: utf-8 -*-
Changes with Apache 2.4.49
*) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding 'ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
module to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core provided optional function wrap any registered function
like it was done for `ssl_is_ssl`.
[Stefan Eissing]
*) mod_ssl: Support logging private key material for use with
wireshark via log file given by SSLKEYLOGFILE environment
variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
*) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
"ProxyPassInterpolateEnv On" are configured. PR 65549.
[Joel Self <joelself gmail.com>]
*) mpm_event: Fix children processes possibly not stopped on graceful
restart. PR 63169. [Joel Self <joelself gmail.com>]
*) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
protocols from mod_proxy_http, and a timeout triggering falsely when
using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
upgrade= setting. PRs 65521 and 65519. [Yann Ylavic]
*) mod_unique_id: Reduce the time window where duplicates may be generated
PR 65159
[Christophe Jaillet]
*) mpm_prefork: Block signals for child_init hooks to prevent potential
threads created from there to catch MPM's signals.
[Ruediger Pluem, Yann Ylavic]
*) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load.
PR 65159" added in 2.4.47.
This causes issue on Windows.
[Christophe Jaillet]
*) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic]
*) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
as successful or a staged renewal is replacing the existing certificates.
This avoid potential mess ups in the md store file system to render the active
certificates non-working. [@mkauf]
*) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
[Yann Ylavic]
*) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
connections. If ALPN protocols are provided and sent to the
remote server, the received protocol selected is inspected
and checked for a match. Without match, the peer handshake
fails.
An exception is the proposal of "http/1.1" where it is
accepted if the remote server did not answer ALPN with
a selected protocol. This accomodates for hosts that do
not observe/support ALPN and speak http/1.x be default.
*) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
with others when their URLs contain a '$' substitution. PR 65419 + 65429.
[Yann Ylavic]
*) mod_dav: Add method_precondition hook. WebDAV extensions define
conditions that must exist before a WebDAV method can be executed.
This hook allows a WebDAV extension to verify these preconditions.
[Graham Leggett]
*) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
modules apart from versioning implementations to handle the REPORT method.
[Graham Leggett]
*) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
dav_get_resource() to mod_dav.h. [Graham Leggett]
*) core: fix ap_escape_quotes substitution logic. [Eric Covener]
*) Easy patches: synch 2.4.x and trunk
- mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp.
- mod_ldap: log and abort locking errors.
- mod_ldap: style fix for r1831165
- mod_ldap: build break fix for r1831165
- mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements
- mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590)
- mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case.
- mod_rewrite: Save a few cycles.
- mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues
- core: remove extra whitespace in HTTP_NOT_IMPLEMENTED
[Christophe Jaillet]
*) core/mpm: add hook 'child_stopping` that gets called when the MPM is
stopping a child process. The additional `graceful` parameter allows
registered hooks to free resources early during a graceful shutdown.
[Yann Ylavic, Stefan Eissing]
*) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the
balancer-manager, which can lead to a crash. [Yann Ylavic]
*) mpm_event: Fix graceful stop/restart of children processes if connections
are in lingering close for too long. [Yann Ylavic]
*) mod_md: fixed a potential null pointer dereference if ACME/OCSP
server returned 2xx responses without content type. Reported by chuangwen.
[chuangwen, Stefan Eissing]
*) mod_md:
- Domain names in `<MDomain ...>` can now appear in quoted form.
- Fixed a failure in ACME challenge selection that aborted further searches
when the tls-alpn-01 method did not seem to be suitable.
- Changed the tls-alpn-01 setup to only become unsuitable when none of the
dns names showed support for a configured 'Protocols ... acme-tls/1'. This
allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
[Stefan Eissing]
*) Add CPING to health check logic. [Jean-Frederic Clere]
*) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]
*) core, h2: common ap_parse_request_line() and ap_check_request_header()
code. [Yann Ylavic]
*) core: Add StrictHostCheck to allow unconfigured hostnames to be
rejected. [Eric Covener]
*) htcacheclean: Improve help messages. [Christophe Jaillet]
Changes with Apache 2.4.48
*) SECURITY: CVE-2021-31618 (cve.mitre.org)
mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov]
*) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
fallback to mod_proxy_http for WebSocket upgrade and tunneling.
[Yann Ylavic]
*) mod_proxy: Fix flushing of THRESHOLD_MIN_WRITE data while tunneling.
BZ 65294. [Yann Ylavic]
*) core: Fix a regression that stripped the ETag header from 304 responses.
PR 61820 [Ruediger Pluem, Roy T. Fielding]
*) core: Adding SSL related inquiry functions to the server API.
These function are always available, even when no module providing
SSL is loaded. They provide their own "shadowing" implementation for
the optional functions of similar name that mod_ssl and impersonators
of mod_ssl provide.
This enables loading of several SSL providing modules when all but
one of them registers itself into the new hooks. Two old-style SSL
modules will not work, as they replace the others optional functions
with their own.
Modules using the old-style optional functions will continue to work
as core supplies its own versions of those.
The following has been added so far:
- ap_ssl_conn_is_ssl() to query if a connection is using SSL.
- ap_ssl_var_lookup() to query SSL related variables for a
server/connection/request.
- Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules
providing SSL can install their own value supplying functions.
- ap_ssl_add_cert_files() to enable other modules like mod_md to provide
certificate and keys for an SSL module like mod_ssl.
- ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
provide a fallback certificate in case no 'proper' certificate is
available for an SSL module like mod_ssl.
- ap_ssl_answer_challenge() to enable other modules like mod_md to
provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge
for the ACME protocol for an SSL module like mod_ssl. The function
and its hook provide PEM encoded data instead of file names.
- Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
'ssl_answer_challenge' where modules like mod_md can provide providers
to the above mentioned functions.
- These functions reside in the new 'http_ssl.h' header file.
[Stefan Eissing]
*) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature. This
allows modules to access and provide OCSP response data without being tied
of each other. The data is exchanged in standard, portable formats (PEM encoded
certificates and DER encoded responses), so that the actual SSL/crypto
implementations used by the modules are independant of each other.
Registration and retrieval happen in the context of a server (server_rec)
which modules may use to decide if they are configured for this or not.
The area of changes:
1. core: defines 2 functions in include/http_ssl.h, so that modules may
register a certificate, together with its issuer certificate for OCSP
response provisioning and ask for current response data (DER bytes) later.
Also, 2 hooks are defined that allow modules to implement this OCSP
provisioning.
2. mod_ssl uses the new functions, in addition to what it did already, to
register its certificates this way. If no one is interested in providing
OCSP, it falls back to its own (if configured) stapling implementation.
3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
on configuration, it will accept registrations of its own certificates only,
all certificates or none.
[Stefan Eissing]
*) mod_md: v2.4.0 with improvements and bugfixes
- MDPrivateKeys allows the specification of several types. Beside "RSA" plus
optional key lengths elliptic curves can be configured. This means you can
have multiple certificates for a Managed Domain with different key types.
With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA
certificate and all modern client will use the shorter ECDSA, while older
client will get the RSA certificate.
Many thanks to @tlhackque who pushed and helped on this.
- Support added for MDomains consisting of a wildcard. Configuring
```MDomain *.host.net``` will match all virtual hosts matching that pattern
and obtain one certificate for it (assuming you have 'dns-01' challenge
support configured). Addresses #239.
- Removed support for ACMEv1 servers. The only known installation used to
be Let's Encrypt which has disabled that version more than a year ago for
new accounts.
- Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the
```renewing``` call to ```MDMessageCmd``` that can deny a certificate
renewal attempt. This is useful in clustered installations, as
discussed in #233).
- New event ```challenge-setup:<type>:<domain>```, triggered when the
challenge data for a domain has been created. This is invoked before the
ACME server is told to check for it. The type is one of the ACME challenge
types. This is invoked for every DNS name in a MDomain.
- The max delay for retries has been raised to daily (this is like all
retries jittered somewhat to avoid repeats at fixed time of day).
- Certain error codes reported by the ACME server that indicate a problem
with the configured data now immediately switch to daily retries. For
example: if the ACME server rejects a contact email or a domain name,
frequent retries will most likely not solve the problem. But daily retries
still make sense as there might be an error at the server and un-supervised
certificate renewal is the goal. Refs #222.
- Test case and work around for domain names > 64 octets. Fixes #227.
When the first DNS name of an MD is longer than 63 octets, the certificate
request will not contain a CN field, but leave it up to the CA to choose one.
Currently, Lets Encrypt looks for a shorter name in the SAN list given and
fails the request if none is found. But it is really up to the CA (and what
browsers/libs accept here) and may change over the years. That is why
the decision is best made at the CA.
- Retry delays now have a random +/-[0-50]% modification applied to let
retries from several servers spread out more, should they have been
restarted at the same time of day.
- Fixed several places where the 'badNonce' return code from an ACME server
was not handled correctly. The test server 'pebble' simulates this behaviour
by default and helps nicely in verifying this behaviour. Thanks, pebble!
- Set the default `MDActivationDelay` to 0. This was confusing to users that
new certificates were deemed not usably before a day of delay. When clocks are
correct, using a new certificate right away should not pose a problem.
- When handling ACME authorization resources, the module no longer requires
the server to return a "Location" header, as was necessary in ACMEv1.
Fixes #216.
- Fixed a theoretical uninitialized read when testing for JSON error responses
from the ACME CA. Reported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>.
- ACME problem reports from CAs that include parameters in the Content-Type
header are handled correctly. (Previously, the problem text would not be
reported and retries could exceed CA limits.)
- Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
Previously, an empty JSON object was sent - which apparently LE accepted,
but others reject.
[Stefan Eissing, @tlhackque, Andreas Ulm]
Changes with Apache 2.4.47
*) SECURITY: CVE-2021-30641 (cve.mitre.org)
Unexpected <Location> section matching with 'MergeSlashes OFF'
*) SECURITY: CVE-2020-35452 (cve.mitre.org)
mod_auth_digest: possible stack overflow by one nul byte while validating
the Digest nonce. [Yann Ylavic]
*) SECURITY: CVE-2021-26691 (cve.mitre.org)
mod_session: Fix possible crash due to NULL pointer dereference, which
could be used to cause a Denial of Service with a malicious backend
server and SessionHeader. [Yann Ylavic]
*) SECURITY: CVE-2021-26690 (cve.mitre.org)
mod_session: Fix possible crash due to NULL pointer dereference, which
could be used to cause a Denial of Service. [Yann Ylavic]
*) SECURITY: CVE-2020-13950 (cve.mitre.org)
mod_proxy_http: Fix possible crash due to NULL pointer dereference, which
could be used to cause a Denial of Service. [Yann Ylavic]
*) SECURITY: CVE-2020-13938 (cve.mitre.org)
Windows: Prevent local users from stopping the httpd process [Ivan Zhakov]
*) SECURITY: CVE-2019-17567 (cve.mitre.org)
mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end
negotiation. [Yann Ylavic]
*) mod_dav_fs: Improve logging output when failing to open files for
writing. PR 64413. [Bingyu Shen <ahshenbingyu gmail.com>]
*) mod_http2: Fixed a race condition that could lead to streams being
aborted (RST to the client), although a response had been produced.
[Stefan Eissing]
*) mod_lua: Add support to Lua 5.4 [Joe Orton, Giovanni Bechis, Ruediger Pluem]
*) MPM event/worker: Fix possible crash in child process on early signal
delivery. PR 64533. [Ruediger Pluem]
*) mod_http2: sync with github standalone version 1.15.17
- Log requests and sent the configured error response in case of early detected
errors like too many or too long headers. [Ruediger Pluem]
- new option 'H2OutputBuffering on/off' which controls the buffering of stream output.
The default is on, which is the behaviour of older mod-h2 versions. When off, all
bytes are made available immediately to the main connection for sending them
out to the client. This fixes interop issues with certain flavours of gRPC, see
also <https://github.com/icing/mod_h2/issues/207>.
[Stefan Eissing]
*) mod_unique_id: Fix potential duplicated ID generation under heavy load.
PR 65159
[Jonas Müntener <jonas.muentener ergon.ch>, Christophe Jaillet]
*) "[mod_dav_fs etag handling] should really honor the FileETag setting".
- It now does.
- Add "Digest" to FileETag directive, allowing a strong ETag to be
generated using a file digest.
- Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over
ETag generation.
- Add concept of "binary notes" to request_rec, allowing packed bit flags
to be added to a request.
- First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force
the ETag to a strong ETag to comply with RFC requirements, such as those
mandated by various WebDAV extensions.
[Graham Leggett]
*) mod_proxy_http: Fix a possibly crash when the origin connection gets
interrupted before completion. PR 64234.
[Barnim Dzwillo <dzwillo strato.de>, Ruediger Pluem]
*) mod_ssl: Do not keep connections to OCSP responders alive when doing
OCSP requests. PR 64135. [Ruediger Pluem]
*) mod_ssl: Improve the coalescing filter to buffer into larger TLS
records, and avoid revealing the HTTP header size via TLS record
boundaries (for common response generators).
[Joe Orton, Ruediger Pluem]
*) mod_proxy_hcheck: Don't pile up health checks if the previous one did
not finish before hcinterval. PR 63010. [Yann Ylavic]
*) mod_session: Improve session parsing. [Yann Yalvic]
*) mod_authnz_ldap: Prevent authentications with empty passwords for the
initial bind to fail with status 500. [Ruediger Pluem]
*) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
Transfer-Encoding from the client, spooling the request body when needed
to provide a Content-Length to the backend. PR 57087. [Yann Ylavic]
*) mod_proxy: Improve tunneling loop to support half closed connections and
pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
*) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
allowing for (non-)Upgrade negotiation with the origin server.
[Yann Ylavic]
*) mod_proxy: Allow ProxyErrorOverride to be restricted to specific status
codes. PR63628. [Martin Drößler <mail martindroessler.de>]
*) core: Add ReadBufferSize, FlushMaxThreshold and FlushMaxPipelined
directives. [Yann Ylavic]
*) core: Ensure that aborted connections are logged as such. PR 62823
[Arnaud Grandville <contact@grandville.net>]
*) http: Allow unknown response status' lines returned in the form of
"HTTP/x.x xxx Status xxx". [Yann Ylavic]
*) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies,
leading to Request Timeout (408). PR 63855. [Yann Ylavic]
*) core: Remove headers on 304 Not Modified as specified by RFC7234, as
opposed to passing an explicit subset of headers. PR 61820.
[Giovanni Bechis]
*) mpm_event: Don't reset connections after lingering close, restoring prior
to 2.4.28 behaviour. [Yann Ylavic]
*) mpm_event: Kill connections in keepalive state only when there is no more
workers available, not when the maximum number of connections is reached,
restoring prior to 2.4.30 behaviour. [Yann Ylavic]
*) mod_unique_id: Use base64url encoding for UNIQUE_ID variable,
avoiding the use of '@'. PR 57044.
[Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>]
*) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a
SameSite attribute. [Eric Covener]
*) mod_proxy: Add proxy check_trans hook. This allows proxy
modules to decline request handling at early stage.
*) mod_proxy_wstunnel: Decline requests without an Upgrade
header so ws/wss can be enabled overlapping with later
http/https.
*) mod_http2: Log requests and sent the configured error response in case of
early detected errors like too many or too long headers.
[Ruediger Pluem, Stefan Eissing]
*) mod_md: Lowered the required minimal libcurl version from 7.50 to 7.29
as proposed by <alexander.gerasimov codeit.pro>. [Stefan Eissing]
*) mod_ssl: Fix request body buffering with PHA in TLSv1.3. [Joe Orton]
*) mod_proxy_uwsgi: Fix a crash when sending environment variables with no
value. PR 64598 [Ruediger Pluem]
*) mod_proxy: Recognize parameters from ProxyPassMatch workers with dollar
substitution, such that they apply to the backend connection. Note that
connection reuse is disabled by default to avoid compatibility issues.
[Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere]
Changes with Apache 2.4.46
*) SECURITY: CVE-2020-11984 (cve.mitre.org)
mod_proxy_uwsgi: Malicious request may result in information disclosure
or RCE of existing file on the server running under a malicious process
environment. [Yann Ylavic]
*) SECURITY: CVE-2020-11993 (cve.mitre.org)
mod_http2: when throttling connection requests, log statements
where possibly made that result in concurrent, unsafe use of
a memory pool. [Stefan Eissing]
*) SECURITY: CVE-2020-9490 (cve.mitre.org)
mod_http2: a specially crafted value for the 'Cache-Digest' header
request would result in a crash when the server actually tries
to HTTP/2 PUSH a resource afterwards. [Stefan Eissing]
*) mod_proxy_fcgi: Fix missing APLOGNO macro argument
[Eric Covener, Christophe Jaillet]
Changes with Apache 2.4.45
*) mod_http2: remove support for abandoned http-wg draft
<https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
[Stefan Eissing]
Changes with Apache 2.4.44
*) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
protocol limit). [Yann Ylavic]
*) mod_http2:
Fixes <https://github.com/icing/mod_h2/issues/200>:
"LimitRequestFields 0" now disables the limit, as documented.
Fixes <https://github.com/icing/mod_h2/issues/201>:
Do not count repeated headers with same name against the field
count limit. The are merged internally, as if sent in a single HTTP/1 line.
[Stefan Eissing]
*) mod_http2: Avoid segfaults in case of handling certain responses for
already aborted connections. [Stefan Eissing, Ruediger Pluem]
*) mod_http2: The module now handles master/secondary connections and has marked
methods according to use. [Stefan Eissing]
*) core: Drop an invalid Last-Modified header value coming
from a FCGI/CGI script instead of replacing it with Unix epoch.
[Yann Ylavic, Luca Toscano]
*) Add support for strict content-length parsing through addition of
ap_parse_strict_length() [Yann Ylavic]
*) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
evaluates to false. PR64365. [Michael König <mail ikoenig.net>]
*) mod_proxy_http: flush spooled request body in one go to avoid
leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]
*) mod_ssl: Fix a race condition and possible crash when using a proxy client
certificate (SSLProxyMachineCertificateFile).
[Armin Abfalterer <a.abfalterer gmail.com>]
*) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]
*) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
PR64330 [Stefan Eissing]
*) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
was configured with a handshake timeout. Fixes gitub issue #196.
[Stefan Eissing]
*) mod_proxy_http2: the "ping" proxy parameter
(see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
when checking the liveliness of a new or reused h2 connection to the backend.
With short durations, this makes load-balancing more responsive. The module
will hold back requests until ping conditions are met, using features of the
HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
*) core: httpd is no longer linked against -lsystemd if mod_systemd
is enabled (and built as a DSO). [Rainer Jung]
*) mod_proxy_http2: respect ProxyTimeout settings on backend connections
while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
Changes with Apache 2.4.43
*) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
Changes with Apache 2.4.42
*) SECURITY: CVE-2020-1934 (cve.mitre.org)
mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
server. [Eric Covener]
*) SECURITY: CVE-2020-1927 (cve.mitre.org)
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
matches and substitutions with encoded line break characters.
The fix for CVE-2019-10098 was not effective. [Ruediger Pluem]
*) mod_proxy_http: Fix the forwarding of requests with content body when a
balancer member is unavailable; the retry on the next member was issued
with an empty body (regression introduced in 2.4.41). PR63891.
[Yann Ylavic]
*) core: Use a temporary file when writing the pid file, avoiding
startup failure if an empty pidfile is left over from a
previous crashed or aborted invocation of httpd. PR 63140.
[Nicolas Carrier <carrier.nicolas0 gmail.com>, Joe Orton]
*) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
identifier under load, see <https://github.com/icing/mod_h2/issues/195>.
[Michael Kaufmann, Stefan Eissing]
*) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
PR64140. [Renier Velazco <renier.velazco upr.edu>]
*) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
PR64172.
*) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
to allow customization of the usertrack cookie. PR64077.
[Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]
*) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
AJP13 authentication. PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]
*) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
[Eric Covener, Yann Ylavic]
*) Add a config layout for OpenWRT. [Graham Leggett]
*) Add support for cross compiling to apxs. If apxs is being executed from
somewhere other than its target location, add that prefix to includes and
library directories. Without this, apxs would fail to find config_vars.mk
and exit. [Graham Leggett]
*) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
[Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
*) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
[Graham Leggett]
*) mod_ssl: Support use of private keys and certificates from an
OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
[Anderson Sasaki <ansasaki redhat.com>, Joe Orton]
*) mod_md:
- Prefer MDContactEmail directive to ServerAdmin for registration. New directive
thanks to Timothe Litt (@tlhackque).
- protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
check all matching virtual hosts for protocol support. Thanks to @mkauf.
- Corrected a check when OCSP stapling was configured for hosts
where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
- Softening the restrictions where mod_md configuration directives may appear. This should
allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
you wanted in the first place, is another matter.
[Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
*) test: Added continuous testing with Travis CI.
This tests various scenarios on Ubuntu with the full test suite.
Architectures tested: amd64, s390x, ppc64le, arm64
The tests pass successfully.
[Luca Toscano, Joe Orton, Mike Rumph, and others]
*) core: Be stricter in parsing of Transfer-Encoding headers.
[ZeddYu <zeddyu.lu gmail.com>, Eric Covener]
*) mod_ssl: negotiate the TLS protocol version per name based vhost
configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
SSLProtocol (from the first vhost declared on the IP:port) is now only
relevant if no SSLProtocol is declared for the vhost or globally,
otherwise the vhost or global value apply. [Yann Ylavic]
*) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
output. PR 64096. [Joe Orton]
*) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
[Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]
*) mod_systemd: New module providing integration with systemd. [Jan Kaluza]
*) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
r:notes_table, r:subprocess_env_table as read-only native table alternatives
that can be iterated over. [Eric Covener]
*) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
[Yann Ylavic, Stefan Eissing]
*) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
r.headers_out, etc) to remove the key from the table. PR63971.
[Eric Covener]
*) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
always `on`, regardless of configuration. Found and reported by
<Armin.Abfalterer@united-security-providers.ch> and
<Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]
*) mod_http2: Multiple field length violations in the same request no longer cause
several log entries to be written. [@mkauf]
*) mod_ssl: OCSP does not apply to proxy mode. PR 63679.
[Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]
*) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
[Jim Jagielski]
*) mod_authn_socache: Increase the maximum length of strings that can be cached by
the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>]
*) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
[Ruediger Pluem, Eric Covener]
*) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
valid (For example, testing for a file on a flash drive that is not mounted)
[Christophe Jaillet]
*) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
means 'foo' is "not acceptable". PR 58158 [Chistophe Jaillet]
*) mod_md v2.2.3:
- Configuring MDCAChallenges replaces any previous existing challenge configuration. It
had been additive before which was not the intended behaviour. [@mkauf]
- Fixing order of ACME challenges used when nothing else configured. Code now behaves as
documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
- Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
- Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
"transfer-encoding" to POST requests. This failed in direct communication with
Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]
*) mod_md: Adding the several new features.
The module offers an implementation of OCSP Stapling that can replace fully or
for a limited set of domains the existing one from mod_ssl. OCSP handling
is part of mod_md's monitoring and message notifications. If can be used
for sites that do not have ACME certificates.
The url for a CTLog Monitor can be configured. It is used in the server-status
to link to the external status page of a certificate.
The MDMessageCmd is called with argument "installed" when a new certificate
has been activated on server restart/reload. This allows for processing of
the new certificate, for example to applications that require it in different
locations or formats.
[Stefan Eissing]
*) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
Changes with Apache 2.4.41
*) SECURITY: CVE-2019-10097 (cve.mitre.org)
mod_remoteip: Fix stack buffer overflow and NULL pointer deference
when reading the PROXY protocol header. [Joe Orton,
Daniel McCarney <cpu letsencrypt.org>]
*) SECURITY: CVE-2019-9517 (cve.mitre.org)
mod_http2: a malicious client could perform a DoS attack by flooding
a connection with requests and basically never reading responses
on the TCP connection. Depending on h2 worker dimensioning, it was
possible to block those with relatively few connections. [Stefan Eissing]
*) SECURITY: CVE-2019-10098 (cve.mitre.org)
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
matches and substitutions with encoded line break characters.
[Yann Ylavic]
*) SECURITY: CVE-2019-10092 (cve.mitre.org)
Remove HTML-escaped URLs from canned error responses to prevent misleading
text/links being displayed via crafted links. [Eric Covener]
*) SECURITY: CVE-2019-10082 (cve.mitre.org)
mod_http2: Using fuzzed network input, the http/2 session
handling could be made to read memory after being freed,
during connection shutdown. [Stefan Eissing]
*) SECURITY: CVE-2019-10081 (cve.mitre.org)
mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
could lead to an overwrite of memory in the pushing request's pool,
leading to crashes. The memory copied is that of the configured push
link header values, not data supplied by the client. [Stefan Eissing]
*) mod_proxy_balancer: Improve balancer-manager protection against
XSS/XSRF attacks from trusted users. [Joe Orton,
Niels Heinen <heinenn google.com>]
*) mod_session: Introduce SessionExpiryUpdateInterval which allows to
configure the session/cookie expiry's update interval. PR 57300.
[Paul Spangler <paul.spangler ni.com>]
*) modules/filters: Fix broken compilation when using old GCC (<4.2.x).
PR 63633. [Rainer Jung, Joe Orton]
*) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
configured for a domain managed by mod_md. [Stefan Eissing]
Changes with Apache 2.4.40
*) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via
RegexDefaultOptions -DOTALL [Yann Ylavic]
*) core: Remove request details from built-in error documents [Eric Covener]
*) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on
merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]
*) mod_http2: fixed a bug that prevented proper stream cleanup when connection
throttling was in place. Stream resets by clients on streams initiated by them
are counted as possible trigger for throttling. [Stefan Eissing]
*) mod_http2/mpm_event: Fixes the behaviour when a HTTP/2 connection has nothing
more to write with streams ongoing (flow control block). The timeout waiting
for the client to send WINODW_UPDATE was incorrectly KeepAliveTimeout and not
Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]
*) mod_proxy_balancer: Load balancer required byrequests when bytraffic chosen.
PR 62372. [Jim Jagielski]
*) mod_proxy_hcheck: Create the configuration for mod_proxy_hcheck
when used in BalancerMember. PR 60757. [Jean-Frederic Clere]
*) mod_proxy_hcheck: Mute extremely frequent debug message. [Yann Ylavic]
*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
adding certificates and keys to a virtual host. An additional hook allows
answering special TLS connections as used in ACME challenges.
Adding 2 new hooks for init/get of OCSP stapling status information when
other modules want to provide those. Falls back to own implementation with
same behaviour as before.
[Stefan Eissing]
*) mod_md: new features
- protocol
- supports the ACMEv2 protocol. It is the default and will be used on the next
certificate renewal, unless another "MDCertificateAuthority" is configured
- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
announcement by Let's Encrypt:
https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
- challenges
- new challenge method 'tls-alpn-01' implemented
- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
- supports command configuration to setup/teardown 'dns-01' challenges
- supports wildcard certificates when dns challenges are configured
- status information and monitoring
- a domain exposes its status at https://<domain>/.httpd/certificate-status
- Managed Domains are now in Apache's 'server-status' page
- A new handler 'md-status' exposes verbose status information in JSON format
- new directives
- "MDCertificateFile" and "MDCertificateKeyFile" to configure a
Managed Domain that uses static files. Auto-renewal is turned off for those.
- "MDMessageCmd" that is invoked on several events: 'renewed', 'expiring' and
'errored'.
- "MDWarnWindow" directive to configure when expiration warnings shall be issued.
[Stefan Eissing]
*) mod_mime_magic: Fix possible corruption of returned strings.
[Christophe Jaillet]
*) Default "conf/magic": Fix pattern for "audio/x-wav" for WAV files,
remove "audio/unknown" pattern for other RIFF files.
[Àngel Ollé Blázquez <aollebla redhat.com>]
*) mod_proxy_http2: fixing a potential NULL pointer use in logging.
[Christophe Jaillet, Dr Silvio Cesare InfoSect]
*) mod_dav: Reduce the amount of memory needed when doing PROPFIND's on large
collections by improving the memory management. [Joe Orton, Ruediger Pluem]
*) mod_proxy_http2: adding support for handling trailers in both directions.
PR 63502. [Stefan Eissing]
*) mod_proxy_http: forward 100-continue, and minimize race conditions when
reusing backend connections. PR 60330. [Yann Ylavic, Jean-Frederic Clere]
*) mod_proxy_balancer: Fix some HTML syntax issues. [Christophe Jaillet]
*) When using mod_status with the Event MPM, report the number of requests
associated with an active connection in the "ACC" field. Previously
zero was always reported with this MPM. PR60647. [Eric Covener]
*) mod_http2: remove the no longer existing h2_ngn_shed.c from Cmake.
[Stefan Eissing]
*) mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy
SSL configurations broken inside <Proxy> context. PR 63430.
[Ruediger Pluem, Yann Ylavic]
*) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.
PR 61857. [Markus Gausling <markusgausling googlemail.com>, Yann Ylavic]
*) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39.
PR 63325. [Yann Ylavic]
*) mod_info: Fix output of server settings for PIPE_BUF in mod_info in
the rare case that PIPE_BUF is defined. [Rainer Jung]
*) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]
Changes with Apache 2.4.39
*) SECURITY: CVE-2019-0197 (cve.mitre.org)
mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
request from http/1.1 to http/2 that was not the first request on a
connection could lead to a misconfiguration and crash. Servers that
never enabled the h2 protocol or only enabled it for https: and
did not set "H2Upgrade on" are unaffected by this issue.
[Stefan Eissing]
*) SECURITY: CVE-2019-0196 (cve.mitre.org)
mod_http2: using fuzzed network input, the http/2 request
handling could be made to access freed memory in string
comparison when determining the method of a request and
thus process the request incorrectly. [Stefan Eissing]
*) SECURITY: CVE-2019-0211 (cve.mitre.org)
MPMs unix: Fix a local privilege escalation vulnerability by not
maintaining each child's listener bucket number in the scoreboard,
preventing unprivileged code like scripts run by/on the server (e.g. via
mod_php) from modifying it persistently to abuse the privileged main
process. [Charles Fol <folcharles gmail.com>, Yann Ylavic]
*) SECURITY: CVE-2019-0217 (cve.mitre.org)
mod_auth_digest: Fix a race condition checking user credentials which
could allow a user with valid credentials to impersonate another,
under a threaded MPM. PR 63124. [Simon Kappel <simon.kappel axis.com>]
*) SECURITY: CVE-2019-0215 (cve.mitre.org)
mod_ssl: Fix access control bypass for per-location/per-dir client
certificate verification in TLSv1.3.
*) SECURITY: CVE-2019-0220 (cve.mitre.org)
Merge consecutive slashes in URL's. Opt-out with
`MergeSlashes OFF`. [Eric Covener]
*) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
connection is recycled/reused to avoid a possible crash with some SSLProxy
configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
*) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
PR 55348
*) mod_socache_redis: Support for Redis as socache storage provider.
*) core: new configuration option 'MergeSlashes on|off' that controls handling of
multiple, consecutive slash ('/') characters in the path component of the request URL.
[Eric Covener]
*) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
Fixed. [Michael Kaufmann]
*) mod_http2: new configuration directive: `H2Padding numbits` to control
padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
controlling the range of padding bytes added to a frame. The actual number
added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
frames equally. The default continues to be 0, e.g. no padding. [Stefan Eissing]
*) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
has no more need for it. Optional functions are still declared but no longer implemented.
While previous mod_proxy_http2 will work with this, it is recommended to run the matching
versions of both modules. [Stefan Eissing]
*) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
resolve PR63170. The proxy module does now a single h2 request on the (reused)
connection and returns. [Stefan Eissing]
*) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status
to trigger immediate shutdown of backend connections. This is now always signalled
by mod_http2 when the the session is being released.
proxy_http2 now only sends a PING frame to the backend when there is not already one
in flight. [Stefan Eissing]
*) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite
loop when encountering certain errors on the backend connection.
See <https://bz.apache.org/bugzilla/show_bug.cgi?id=63170>. [Stefan Eissing]
*) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per
Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]
*) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to
terminate improperly and cause a HTTP/2 PROTOCOL_ERROR.
Fixes <https://github.com/icing/mod_h2/issues/167>. [Michael Kaufmann]
*) http: Fix possible empty response with mod_ratelimit for HEAD requests.
PR 63192. [Yann Ylavic]
*) mod_cache_socache: Avoid reallocations and be safe with outgoing data
lifetime. [Yann Ylavic]
*) mod_http2: enable re-use of slave connections again. Fixed slave connection
keepalives counter. [Stefan Eissing]
*) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.
PR 61310. [Yann Ylavic]
*) core: Split out the ability to parse wildcard files and directories
from the Include/IncludeOptional directives into a generic set of
functions ap_dir_nofnmatch() and ap_dir_fnmatch(). [Graham Leggett]
*) mod_proxy_wstunnel: Fix websocket proxy over UDS.
PR 62932 <pavel dcmsys.com>
*) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
configuration (SSLFIPS on) and not active by default in OpenSSL.
PR 63136. [Yann Ylavic]
Changes with Apache 2.4.38
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowing
sessions to be reused. [Hank Ibell]
*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodies
to resources not consuming them, httpd cleanup code occupies a server
thread unnecessarily. This was changed to an immediate stream reset
which discards all stream state and incoming data. [Stefan Eissing]
*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later. PR 63052. [Joe Orton]
*) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
PR 63052 [Joe Orton]
*) mod_negotiation: Treat LanguagePriority as case-insensitive to match
AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]
*) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
have been fixed. [Michael Kaufmann, Stefan Eissing]
*) mod_setenvif: We can have expressions that become true if a regex pattern
in the expression does NOT match. In this case val is NULL
and we should just set the value for the environment variable
like in the pattern case. [Ruediger Pluem]
*) mod_session: Always decode session attributes early. [Hank Ibell]
*) core: Incorrect values for environment variables are substituted when
multiple environment variables are specified in a directive. [Hank Ibell]
*) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
this type of map is present in the configuration. PR62311.
[Hank Ibell <hwibell gmail.com>]
*) mod_dav: Fix invalid Location header when a resource is created by
passing an absolute URI on the request line [Jim Jagielski]
*) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
[Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]
*) mod_ssl: clear *SSL errors before loading certificates and checking
afterwards. Otherwise errors are reported when other SSL using modules
are in play. Fixes PR 62880. [Michael Kaufmann]
*) mod_ssl: Fix the error code returned in an error path of
'ssl_io_filter_handshake()'. This messes-up error handling performed
in 'ssl_io_filter_error()' [Yann Ylavic]
*) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
authz provider so "Require ssl" works correctly in HTTP/2.
PR 61519, 62654. [Joe Orton, Stefan Eissing]
*) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
redirects, subsequent ProxyPassReverse statements, whether they are
relative or absolute, may fail. PR 60408. [Peter Haworth <pmh1wheel gmail.com>]
*) mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1]
Changes with Apache 2.4.37
*) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1. [Rainer Jung]
*) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
when client certificates are available from the original handshake
but were originally not verified and should get verified now.
This is a regression in 2.4.36 (unreleased). [Ruediger Pluem]