From 34da2e78b72221e2ae7a801c718e826ec33e1959 Mon Sep 17 00:00:00 2001 From: Yann Ylavic Date: Fri, 3 Dec 2021 16:09:47 +0000 Subject: Sync CHANGES entries. [skip ci]. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895558 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) (limited to 'CHANGES') diff --git a/CHANGES b/CHANGES index b2a3660b25..e88596fefd 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,6 +1,105 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_proxy_connect: Honor the smallest of the backend or client timeout + while tunneling. [Yann Ylavic] + + * mod_http2: a regression in v1.15.24 of the modules was fixed that + could lead to httpd child processes not being terminated on a + graceful reload or when reaching MaxConnectionsPerChild. + When unprocessed h2 requests were queued at the time, these could stall. + See . + [@hansborr, @famzah, Stefan Eissing] + + *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO. + PR 65616. [Ruediger Pluem] + + *) mod_md: Fix memory leak in case of failures to load the private key. + PR 65620 [ Filipe Casal ] + + * mod_http2: the new pollset implementation is disabled when + compiling with an APR version less than 1.6. + + *) mod_autoindex: Add "IndexForbiddenReturn404" to return 404 instead of a + 403 when Options does not included "indexes". [Eric Covener] + + *) mod_dir: Add "NotFound" option to "DirectorySlash" directive to return + 404 instead of a DirectorySlash redirect. [Eric Covener] + + *) mod_md: adding v2.4.8 with the following changes + - Added support for ACME External Account Binding (EAB). + Use the new directive `MDExternalAccountBinding` to provide the + server with the value for key identifier and hmac as provided by + your CA. + While working on some servers, EAB handling is not uniform + across CAs. First tests with a Sectigo Certificate Manager in + demo mode are successful. But ZeroSSL, for example, seems to + regard EAB values as a one-time-use-only thing, which makes them + fail if you create a seconde account or retry the creation of the + first account with the same EAB. + - The directive 'MDCertificateAuthority' now checks if its parameter + is a http/https url or one of a set of known names. Those are + 'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test' + for now and they are not case-sensitive. + The default of LetsEncrypt is unchanged. 
+ - `MDContactEmail` can now be specified inside a `` + section. + - Treating 401 HTTP status codes for orders like 403, since some ACME + servers seem to prefer that for accessing oders from other accounts. + - When retrieving certificate chains, try to read the repsonse even + if the HTTP Content-Type is unrecognized. + - Fixed a bug that reset the error counter of a certificate renewal + and prevented the increasing delays in further attempts. + - Fixed the renewal process giving up every time on an already existing + order with some invalid domains. Now, if such are seen in a previous + order, a new order is created for a clean start over again. + See + - Fixed a mixup in md-status handler when static certificate files + and renewal was configured at the same time. + + *) mod_http2: + - Fixed an issue since 1.15.24 that "Server" headers in proxied requests + were overwritten instead of preserved. [PR by @daum3ns] + - Added directove 'H2StreamTimeout' to configure a separate value for HTTP/2 + streams, overriding server's 'Timeout' configuration. [rpluem] + - HTTP/2 connections now use pollsets to monitor the status of the + ongoing streams and their main connection when host OS allows this. + - Removed work-arounds for older versions of libnghttp2 and checking + during configure that at least version 1.15.0 is present. + - The HTTP/2 connection state handler, based on an experiment and draft + at the IETF http working group (abandoned for some time), has been removed. + - H2SerializeHeaders no longer has an effect. A warning is logged when it is + set to "on". The switch enabled the internal writing of requests to be parsed + by the internal HTTP/1.1 protocol handler and was introduced to avoid + potential incompatibilities during the introduction of HTTP/2. + - Removed the abort/redo of tasks when mood swings lower the active limit. 
+ [Ruediger Pluem, daum3ns, Stefan Eissing] + + *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by + a third-party module. PR 65627. + [acmondor , Yann Ylavic] + + *) mpm_event: Restart stopping of idle children after a load peak. PR 65626. + [Yann Ylavic, Ruediger Pluem] + + *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP + half-close forwarding when tunneling protocols. [Yann Ylavic] + + *) mod_tls: added mod_tls from abetterinternet, donated + by ISRG/Prossimo . + - adds font-/backend TLS (v1.2/v1.3) via the Rust rustls crate + and its rustls-ffi C binding . + - documentation at + (adding to Apache's manual TBD) + - build support for Apache httpd configure on *nix platforms, + rustls is linked statically into mod_tls. + + *) mod_md: values for External Account Binding (EAB) can + now also be configured to be read from a separate JSON + file. This allows to keep server configuration permissions + world readable without exposing secrets. + [Stefan Eissing] + *) core: Add ap_unescape_url_ex() for better decoding control, and deprecate unused AP_NORMALIZE_DROP_PARAMETERS flag. [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton] -- cgit v1.2.3
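Review bot: Several of the added entries carry typos and inconsistent markers that will ship in CHANGES as written. The two mod_http2 entries (the v1.15.24 regression and the "APR version less than 1.6" pollset one) start with " * " rather than the " *) " used by every other entry. The text also has "does not included" (mod_autoindex), "seconde account", "oders" and "repsonse" (mod_md v2.4.8), "directove" (mod_http2 H2StreamTimeout) and "font-/backend TLS" (mod_tls, presumably "front-/backend"). Since the subject says this is a sync, the fix belongs wherever these entries are synced from, so the copies stay identical. The mod_md v2.4.8, mod_tls and pollset entries have no bracketed attribution, unlike their neighbours, and "[ Filipe Casal ]" has stray spaces inside the brackets. For the EAB entry that reads values from a separate JSON file, consider stating that the JSON file itself needs restrictive permissions, because the stated benefit is only that the main configuration can stay world readable.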