author Yann Ylavic <ylavic@apache.org> 2021-12-03 16:09:47 +0000
committer Yann Ylavic <ylavic@apache.org> 2021-12-03 16:09:47 +0000
commit 34da2e78b72221e2ae7a801c718e826ec33e1959
tree 655788d1e4690ff144a8fc2032d822136ce8137d /CHANGES
parent 1aff1980f3399652aeec6faeecddf736da117ec7
Sync CHANGES entries. [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895558 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 99
1 files changed, 99 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index b2a3660b25..e88596fefd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,105 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_proxy_connect: Honor the smallest of the backend or client timeout
+ while tunneling. [Yann Ylavic]
+
+ * mod_http2: a regression in v1.15.24 of the modules was fixed that
+ could lead to httpd child processes not being terminated on a
+ graceful reload or when reaching MaxConnectionsPerChild.
+ When unprocessed h2 requests were queued at the time, these could stall.
+ See <https://github.com/icing/mod_h2/issues/212>.
+ [@hansborr, @famzah, Stefan Eissing]
+
+ *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
+ PR 65616. [Ruediger Pluem]
+
+ *) mod_md: Fix memory leak in case of failures to load the private key.
+ PR 65620 [ Filipe Casal <filipe.casal@trailofbits.com> ]
+
+ * mod_http2: the new pollset implementation is disabled when
+ compiling with an APR version less than 1.6.
+
+ *) mod_autoindex: Add "IndexForbiddenReturn404" to return 404 instead of a
+ 403 when Options does not included "indexes". [Eric Covener]
+
+ *) mod_dir: Add "NotFound" option to "DirectorySlash" directive to return
+ 404 instead of a DirectorySlash redirect. [Eric Covener]
+
+ *) mod_md: adding v2.4.8 with the following changes
+ - Added support for ACME External Account Binding (EAB).
+ Use the new directive `MDExternalAccountBinding` to provide the
+ server with the value for key identifier and hmac as provided by
+ your CA.
+ While working on some servers, EAB handling is not uniform
+ across CAs. First tests with a Sectigo Certificate Manager in
+ demo mode are successful. But ZeroSSL, for example, seems to
+ regard EAB values as a one-time-use-only thing, which makes them
+ fail if you create a seconde account or retry the creation of the
+ first account with the same EAB.
+ - The directive 'MDCertificateAuthority' now checks if its parameter
+ is a http/https url or one of a set of known names. Those are
+ 'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
+ for now and they are not case-sensitive.
+ The default of LetsEncrypt is unchanged.
+ - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
+ section.
+ - Treating 401 HTTP status codes for orders like 403, since some ACME
+ servers seem to prefer that for accessing oders from other accounts.
+ - When retrieving certificate chains, try to read the repsonse even
+ if the HTTP Content-Type is unrecognized.
+ - Fixed a bug that reset the error counter of a certificate renewal
+ and prevented the increasing delays in further attempts.
+ - Fixed the renewal process giving up every time on an already existing
+ order with some invalid domains. Now, if such are seen in a previous
+ order, a new order is created for a clean start over again.
+ See <https://github.com/icing/mod_md/issues/268>
+ - Fixed a mixup in md-status handler when static certificate files
+ and renewal was configured at the same time.
+
+ *) mod_http2:
+ - Fixed an issue since 1.15.24 that "Server" headers in proxied requests
+ were overwritten instead of preserved. [PR by @daum3ns]
+ - Added directove 'H2StreamTimeout' to configure a separate value for HTTP/2
+ streams, overriding server's 'Timeout' configuration. [rpluem]
+ - HTTP/2 connections now use pollsets to monitor the status of the
+ ongoing streams and their main connection when host OS allows this.
+ - Removed work-arounds for older versions of libnghttp2 and checking
+ during configure that at least version 1.15.0 is present.
+ - The HTTP/2 connection state handler, based on an experiment and draft
+ at the IETF http working group (abandoned for some time), has been removed.
+ - H2SerializeHeaders no longer has an effect. A warning is logged when it is
+ set to "on". The switch enabled the internal writing of requests to be parsed
+ by the internal HTTP/1.1 protocol handler and was introduced to avoid
+ potential incompatibilities during the introduction of HTTP/2.
+ - Removed the abort/redo of tasks when mood swings lower the active limit.
+ [Ruediger Pluem, daum3ns, Stefan Eissing]
+
+ *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
+ a third-party module. PR 65627.
+ [acmondor <bz.apache.org acmondor.ca>, Yann Ylavic]
+
+ *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.
+ [Yann Ylavic, Ruediger Pluem]
+
+ *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
+ half-close forwarding when tunneling protocols. [Yann Ylavic]
+
+ *) mod_tls: added mod_tls from abetterinternet, donated
+ by ISRG/Prossimo <https://github.com/abetterinternet/mod_tls>.
+ - adds font-/backend TLS (v1.2/v1.3) via the Rust rustls crate
+ and its rustls-ffi C binding <https://github.com/rustls/rustls-ffi>.
+ - documentation at <https://github.com/abetterinternet/mod_tls>
+ (adding to Apache's manual TBD)
+ - build support for Apache httpd configure on *nix platforms,
+ rustls is linked statically into mod_tls.
+
+ *) mod_md: values for External Account Binding (EAB) can
+ now also be configured to be read from a separate JSON
+ file. This allows to keep server configuration permissions
+ world readable without exposing secrets.
+ [Stefan Eissing]
+
*) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
unused AP_NORMALIZE_DROP_PARAMETERS flag.
[Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton]
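Review bot: Two of the added mod_http2 entries (the v1.15.24 regression entry and the "pollset implementation is disabled" entry) open with " * " rather than the " *) " marker used by every other entry in this hunk; switch them to " *) " so the list stays uniform. The added text also carries typos that should be fixed while syncing: "does not included" in the mod_autoindex entry, "seconde account", "oders" and "repsonse" in the mod_md v2.4.8 entry, "directove" in the H2StreamTimeout line, and "font-/backend" in the mod_tls entry. The pollset, mod_md v2.4.8 and mod_tls entries also lack the bracketed contributor that the other entries carry; add one or confirm the omission is intended.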