"Fossies" - the Fresh Open Source Software Archive

Member "httpd-2.4.39/CHANGES" (20 Mar 2019, 270249 Bytes) of package /linux/www/httpd-2.4.39.tar.bz2:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "CHANGES": 2.4.38_vs_2.4.39.

    1                                                          -*- coding: utf-8 -*-
    2 Changes with Apache 2.4.39
    3 
    4   *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
    5      connection is recycled/reused to avoid a possible crash with some SSLProxy
    6      configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
    7 
    8   *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
    9      [Michael Kaufmann <mail michael-kaufmann.ch>]
   10 
   11   *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
   12      PR 55348
   13 
   14   *) mod_socache_redis: Support for Redis as socache storage provider.
   15 
   16   *) core: new configuration option 'MergeSlashes on|off' that controls handling of
   17      multiple, consecutive slash ('/') characters in the path component of the request URL.
   18      [Eric Covener]
   19      
   20   *) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
   21      in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
   22      Fixed. [Michael Kaufmann] 
   23 
   24   *) mod_http2: new configuration directive: `H2Padding numbits` to control 
   25      padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
   26      controlling the range of padding bytes added to a frame. The actual number
   27      added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
   28      frames equally. The default continues to be 0, e.g. no padding. [Stefan Eissing] 
   29   
   30   *) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
   31      has no more need for it. Optional functions are still declared but no longer implemented.
   32      While previous mod_proxy_http2 will work with this, it is recommeneded to run the matching
   33      versions of both modules. [Stefan Eissing]
   34   
   35   *) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
   36      resolve PR63170. The proxy module does now a single h2 request on the (reused)
   37      connection and returns. [Stefan Eissing]
   38   
   39   *) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status 
   40      to trigger immediate shutdown of backend connections. This is now always signalled
   41      by mod_http2 when the the session is being released. 
   42      proxy_http2 now only sends a PING frame to the backend when there is not already one
   43      in flight. [Stefan Eissing]
   44 
   45   *) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite 
   46      loop when encountering certain errors on the backend connection. 
   47      See <https://bz.apache.org/bugzilla/show_bug.cgi?id=63170>. [Stefan Eissing]
   48 
   49   *) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per 
   50      Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]
   51 
   52   *) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to
   53      terminate improperly and cause a HTTP/2 PROTOCOL_ERROR. 
   54      Fixes <https://github.com/icing/mod_h2/issues/167>. [Michael Kaufmann]
   55 
   56   *) http: Fix possible empty response with mod_ratelimit for HEAD requests.
   57      PR 63192. [Yann Ylavic]
   58 
   59   *) mod_cache_socache: Avoid reallocations and be safe with outgoing data
   60      lifetime. [Yann Ylavic]
   61 
   62   *) MPMs unix: bind the bucket number of each child to its slot number, for a
   63      more efficient per bucket maintenance. [Yann Ylavic]
   64 
   65   *) mod_auth_digest: Fix a race condition. Authentication with valid
   66      credentials could be refused in case of concurrent accesses from
   67      different users.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]
   68 
   69   *) mod_http2: enable re-use of slave connections again. Fixed slave connection
   70      keepalives counter. [Stefan Eissing]
   71 
   72   *) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.
   73      PR 61310. [Yann Ylavic]
   74 
   75   *) mod_proxy_wstunnel: Fix websocket proxy over UDS.
   76      PR 62932 <pavel dcmsys.com>
   77 
   78   *) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
   79      configuration (SSLFIPS on) and not active by default in OpenSSL.
   80      PR 63136. [Yann Ylavic]
   81 
   82 Changes with Apache 2.4.38
   83 
   84   *) SECURITY: CVE-2018-17199 (cve.mitre.org)
   85      mod_session: mod_session_cookie does not respect expiry time allowing
   86      sessions to be reused.  [Hank Ibell]
   87 
   88   *) SECURITY: CVE-2018-17189 (cve.mitre.org)
   89      mod_http2: fixes a DoS attack vector. By sending slow request bodies
   90      to resources not consuming them, httpd cleanup code occupies a server
   91      thread unnecessarily. This was changed to an immediate stream reset
   92      which discards all stream state and incoming data.  [Stefan Eissing]
   93 
   94   *) SECURITY: CVE-2019-0190 (cve.mitre.org)
   95      mod_ssl: Fix infinite loop triggered by a client-initiated
   96      renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
   97      later.  PR 63052.  [Joe Orton]
   98 
   99   *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
  100      PR 63052 [Joe Orton]
  101 
  102   *) mod_negotiation: Treat LanguagePriority as case-insensitive to match
  103      AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]
  104   
  105   *) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
  106      have been fixed. [Michael Kaufmann, Stefan Eissing]
  107   
  108   *) mod_setenvif: We can have expressions that become true if a regex pattern
  109      in the expression does NOT match. In this case val is NULL
  110      and we should just set the value for the environment variable 
  111      like in the pattern case. [Ruediger Pluem]
  112 
  113   *) mod_session: Always decode session attributes early. [Hank Ibell]
  114 
  115   *) core: Incorrect values for environment variables are substituted when
  116      multiple environment variables are specified in a directive. [Hank Ibell]
  117 
  118   *) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
  119      this type of map is present in the configuration.  PR62311.  
  120      [Hank Ibell <hwibell gmail.com>]
  121 
  122   *) mod_dav: Fix invalid Location header when a resource is created by
  123      passing an absolute URI on the request line [Jim Jagielski]
  124 
  125   *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
  126      [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]
  127 
  128   *) mod_ssl: clear *SSL errors before loading certificates and checking
  129      afterwards. Otherwise errors are reported when other SSL using modules
  130      are in play. Fixes PR 62880. [Michael Kaufmann]
  131 
  132   *) mod_ssl: Fix the error code returned in an error path of
  133      'ssl_io_filter_handshake()'. This messes-up error handling performed
  134      in 'ssl_io_filter_error()' [Yann Ylavic]
  135 
  136   *) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
  137      authz provider so "Require ssl" works correctly in HTTP/2.
  138      PR 61519, 62654.  [Joe Orton, Stefan Eissing]
  139 
  140   *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
  141      redirects, subsequent ProxyPassReverse statements, whether they are
  142      relative or absolute, may fail.  PR 60408.  [Peter Haworth <pmh1wheel gmail.com>]
  143   
  144   *) mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1]
  145 
  146 Changes with Apache 2.4.37
  147 
  148   *) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1. [Rainer Jung]
  149 
  150   *) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
  151      when client certificates are available from the original handshake
  152      but were originally not verified and should get verified now.
  153      This is a regression in 2.4.36 (unreleased). [Ruediger Pluem]
  154 
  155   *) mod_ssl: Correctly merge configurations that have client certificates set
  156      by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]
  157 
  158 Changes with Apache 2.4.36
  159 
  160   *) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
  161      responses. Regression introduced in 2.4.35.
  162 
  163   *) mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
  164      body of the response. [Jim Jagielski]
  165 
  166   *) mpm_event: Stop issuing AH00484 "server reached MaxRequestWorkers..." when
  167      there are still idle threads available. When there are less idle threads than
  168      MinSpareThreads, issue new one-time message AH10159. Matches worker MPM.
  169      [Eric Covener]
  170 
  171   *) mod_http2: adding defensive code for stream EOS handling, in case the request handler
  172      missed to signal it the normal way (eos buckets). Addresses github issues 
  173      https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
  174      and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing] 
  175 
  176   *) ab: Add client certificate support.  PR 55774.  [Graham Leggett]
  177 
  178   *) ab: Disable printing temp key for OpenSSL before
  179      version 1.0.2. SSL_get_server_tmp_key is not available
  180      there. [Rainer Jung]
  181 
  182   *) mod_ssl: Fix a regression that the configuration settings for verify mode
  183      and verify depth were taken from the frontend connection in case of
  184      connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
  185 
  186   *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
  187      before signals handling to avoid lifetime issues on restart or shutdown.
  188      PR 62658. [Yann Ylavic]
  189 
  190   *) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3.  TLSv1.3 has
  191      behavioural changes compared to v1.2 and earlier; client and
  192      configuration changes should be expected.  SSLCipherSuite is
  193      enhanced for TLSv1.3 ciphers, but applies at vhost level only.
  194      [Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]
  195 
  196   *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
  197      should be accepted after the authorization scheme. \t are also tolerated.
  198      [Christophe Jaillet]
  199 
  200   *) mod_socache_redis: New socache submodule provider to allow use
  201      of Redis as storage backend. [Jim Jagielski]
  202 
  203   *) mod_proxy_hcheck: Fix issues with interval determination. PR 62318
  204      [Jim Jagielski]
  205 
  206   *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
  207      [Dominik Stillhard <dominik.stillhard united-security-providers.ch>]
  208 
  209   *) mod_proxy_hcheck: take balancer's SSLProxy* directives into account.
  210      [Jim Jagielski]
  211 
  212   *) mod_status, mod_echo: Fix the display of client addresses.
  213     They were truncated to 31 characters which is not enough for IPv6 addresses.
  214     This is done by deprecating the use of the 'client' field and using
  215     the new 'client64' field in worker_score.
  216     PR 54848 [Bernhard Schmidt <berni birkenwald de>, Jim Jagielski]
  217 
  218 Changes with Apache 2.4.35
  219 
  220   *) http: Enforce consistently no response body with both 204 and 304
  221      statuses.  [Yann Ylavic]
  222 
  223   *) mod_status: Cumulate CPU time of exited child processes in the
  224      "cu" and "cs" values. Add CPU time of the parent process to the
  225      "c" and "s" values.
  226      [Rainer Jung]
  227 
  228   *) mod_proxy: Improve the balancer member data shown in mod_status when
  229      "ProxyStatus" is "On": add "busy" count and show byte counts in
  230      auto mode always in units of kilobytes.  [Rainer Jung]
  231 
  232   *) mod_status: Add cumulated response duration time in milliseconds.
  233      [Rainer Jung]
  234 
  235   *) mod_status: Complete the data shown for async MPMs in "auto" mode.
  236      Added number of processes, number of stopping processes and number
  237      of busy and idle workers.  [Rainer Jung]
  238 
  239   *) mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
  240      introduced in 2.4.34.  PR 62568.  [Yann Ylavic]
  241 
  242   *) mod_proxy: Remove load order and link dependency between mod_lbmethod_*
  243      modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe]
  244 
  245   *) Allow the argument to <IfFile>, <IfDefine>, <IfSection>, <IfDirective>,
  246      and <IfModule> to be quoted.  This is primarily for the benefit of
  247      <IfFile>. [Eric Covener]
  248 
  249   *) mod_watchdog: Correct some log messages.  [Rainer Jung]
  250 
  251   *) mod_md: When the last domain name from an MD is moved to another one,
  252      that now empty MD gets moved to the store archive. PR 62572. 
  253      [Stefan Eissing]
  254 
  255   *) mod_ssl: Fix merging of SSLOCSPOverrideResponder.  [Jeff Trawick,
  256      [Frank Meier <frank meier ergon.ch>]
  257 
  258   *) mod_proxy_balancer: Restore compatibility with APR 1.4.  [Joe Orton]
  259 
  260 Changes with Apache 2.4.34
  261 
  262   *) SECURITY: CVE-2018-8011 (cve.mitre.org)
  263      mod_md: DoS via Coredumps on specially crafted requests
  264 
  265   *) SECURITY: CVE-2018-1333 (cve.mitre.org)
  266      mod_http2: DoS for HTTP/2 connections by specially crafted requests
  267 
  268   *) Introduce zh-cn and zh-tw (simplified and traditional Chinese) error
  269      document translations. [CodeingBoy, popcorner]
  270 
  271   *) event: avoid possible race conditions with modules on the child pool.
  272      [Stefan Fritsch]
  273 
  274   *) mod_proxy: Fix a corner case where the ProxyPassReverseCookieDomain or
  275      ProxyPassReverseCookiePath directive could fail to update correctly
  276      'domain=' or 'path=' in the 'Set-Cookie' header.  PR 61560.
  277      [Christophe Jaillet]
  278 
  279   *) mod_ratelimit: fix behavior when proxing content. PR 62362.
  280      [Luca Toscano, Yann Ylavic]
  281 
  282   *) core: Re-allow '_' (underscore) in hostnames.
  283      [Eric Covener]
  284 
  285   *) mod_authz_core: If several parameters are used in a AuthzProviderAlias
  286      directive, if these parameters are not enclosed in quotation mark, only
  287      the first one is handled. The other ones are silently ignored.
  288      Add a message to warn about such a spurious configuration.
  289      PR 62469 [Hank Ibell <hwibell gmail.com>, Christophe Jaillet]
  290 
  291   *) mod_md: improvements and bugfixes
  292      - MDNotifyCmd now takes additional parameter that are passed on to the called command.
  293      - ACME challenges have better checks for interference with other modules
  294      - ACME challenges are only handled for domains managed by the module, allowing
  295        other ACME clients to operate for other domains in the server.
  296      - better libressl integration
  297 
  298   *) mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'.
  299      PR 62480. [Lubos Uhliarik <luhliari redhat.com>}
  300 
  301   *) logging: Some early logging-related startup messages could be lost
  302      when using syslog for the global ErrorLog. [Eric Covener]
  303 
  304   *) mod_cache: Handle case of an invalid Expires header value RFC compliant
  305      like the case of an Expires time in the past: allow to overwrite the
  306      non-caching decision using CacheStoreExpired and respect Cache-Control
  307      "max-age" and "s-maxage".  [Rainer Jung]
  308 
  309   *) mod_xml2enc: Fix forwarding of error metadata/responses. PR 62180.
  310      [Micha Lenk <micha lenk.info>, Yann Ylavic]
  311 
  312   *) mod_proxy_http: Fix response header thrown away after the previous one
  313      was considered too large and truncated. PR 62196. [Yann Ylavic]
  314 
  315   *) core: Add and handle AP_GETLINE_NOSPC_EOL flag for ap_getline() family
  316      of functions to consume the end of line when the buffer is exhausted.
  317      PR 62198. [Yann Ylavic]
  318 
  319   *) mod_proxy_http: Add new worker parameter 'responsefieldsize' to
  320      allow maximum HTTP response header size to be increased past 8192
  321      bytes.  PR 62199.  [Hank Ibell <hwibell gmail.com>]
  322 
  323   *) mod_ssl: Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf
  324      of a certificate chain.  PR62112.
  325      [Ricardo Martin Camarero <rickyepoderi yahoo.es>]
  326 
  327   *) http: Fix small memory leak per request when handling persistent
  328      connections.  [Ruediger Pluem, Joe Orton]
  329 
  330   *) mod_proxy_html: Fix variable interpolation and memory allocation failure
  331      in ProxyHTMLURLMap.  [Ewald Dieterich <ewald mailbox.org>]
  332 
  333   *) mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.
  334      PR 62220.  [Chritophe Jaillet, Yann Ylavic]
  335 
  336   *) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
  337      zero out what had been initialized as the connection-level port.  PR59931.
  338      [Hank Ibell <hwibell gmail.com>]
  339 
  340   *) core: In ONE_PROCESS/debug mode, cleanup everything when exiting.
  341      [Yann Ylavic]
  342 
  343   *) mod_proxy_balancer: Add hot spare member type and corresponding flag (R).
  344      Hot spare members are used as drop-in replacements for unusable workers
  345      in the same load balancer set. This differs from hot standbys which are
  346      only used when all workers in a set are unusable. PR 61140. [Jim Riggs]
  347 
  348   *) suexec: Add --enable-suexec-capabilites support on Linux, to use
  349      setuid/setgid capability bits rather than a setuid root binary.
  350      [Joe Orton]
  351 
  352   *) suexec: Add support for logging to syslog as an alternative to
  353      logging to a file; use --without-suexec-logfile --with-suexec-syslog.
  354      [Joe Orton]
  355 
  356   *) mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling
  357      which broke some rare but previously-working configs.  [Joe Orton]
  358 
  359   *) core, log: improve sanity checks for the ErrorLog's syslog config, and
  360      explicitly allow only lowercase 'syslog' settings. PR 62102
  361      [Luca Toscano, Jim Riggs, Christophe Jaillet]
  362 
  363   *) mod_http2: accurate reporting of h2 data input/output per request via
  364      mod_logio. Fixes an issue where output sizes where counted n-times on
  365      reused slave connections.  [Stefan Eissing]
  366      See github issue: https://github.com/icing/mod_h2/issues/158
  367 
  368   *) mod_http2: Fix unnecessary timeout waits in case streams are aborted.
  369      [Stefan Eissing]
  370 
  371   *) mod_http2: restoring the v1.10.16 keepalive timeout behaviour of mod_http2.
  372      [Stefan Eissing]
  373 
  374   *) mod_proxy: Do not restrict the maximum pool size for backend connections
  375      any longer by the maximum number of threads per process and use a better
  376      default if mod_http2 is loaded.
  377      [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Gregg Smith]
  378 
  379   *) mod_slotmem_shm: Add generation number to shm filename to fix races
  380      with graceful restarts. PRs 62044 and 62308.  [Jim Jagielski, Yann Ylavic]
  381 
  382   *) core: Preserve the original HTTP request method in the '%<m' LogFormat
  383      when an path-based ErrorDocument is used.  PR 62186.
  384      [Micha Lenk <micha lenk.info>]
  385 
  386   *) mod_remoteip: make proxy-protocol work on slave connections, e.g. in
  387      HTTP/2 requests.  [Stefan Eissing]
  388      See also https://github.com/roadrunner2/mod-proxy-protocol/issues/6
  389 
  390   *) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
  391      regression introduced in 2.4.30. PR 62232. [Rainer Jung, Yann Ylavic]
  392 
  393   *) mod_md: Fix compilation with OpenSSL before version 1.0.2.  [Rainer Jung]
  394 
  395   *) mod_dumpio: do nothing below log level TRACE7.  [Yann Ylavic]
  396 
  397   *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
  398      [Eric Covener]
  399 
  400   *) core: On ECBDIC platforms, some errors related to oversized headers
  401      may be misreported or be logged as ASCII escapes.  PR 62200
  402      [Hank Ibell <hwibell gmail.com>]
  403 
  404   *) mod_ssl: Fix cmake-based build.  PR 62266.  [Rainer Jung]
  405 
  406   *) core: Add <IfFile>, <IfDirective> and <IfSection> conditional
  407      section containers.  [Eric Covener, Joe Orton]
  408 
  409 Changes with Apache 2.4.33
  410 
  411   *) core: Fix request timeout logging and possible crash for error_log hooks.
  412      [Yann Ylavic]
  413 
  414   *) mod_slomem_shm: Fix failure to create balancers's slotmems in Windows MPM,
  415      where children processes need to attach them instead since they are owned
  416      by the parent process already.  [Yann Ylavic]
  417 
  418   *) ab: try all destination socket addresses returned by
  419      apr_sockaddr_info_get instead of failing on first one when not available.
  420      Needed for instance if localhost resolves to both ::1 and 127.0.0.1
  421      e.g. if both are in /etc/hosts.  [Jan Kaluza]
  422 
  423   *) ab: Use only one connection to determine working destination socket
  424      address.  [Jan Kaluza]
  425 
  426   *) ab: LibreSSL doesn't have or require Windows applink.c.  [Gregg L. Smith]
  427 
  428   *) htpasswd/htdigest: Disable support for bcrypt on EBCDIC platforms.
  429      apr-util's bcrypt implementation doesn't tolerate EBCDIC.  [Eric Covener]
  430 
  431   *) htpasswd/htdbm: report the right limit when get_password() overflows.
  432      [Yann Ylavic]
  433 
  434   *) htpasswd: Don't fail in -v mode if password file is unwritable.
  435      PR 61631.  [Joe Orton]
  436 
  437   *) htpasswd: don't point to (unused) stack memory on output
  438      to make static analysers happy.  PR 60634.
  439      [Yann Ylavic, reported by shqking and Zhenwei Zou]
  440 
  441 Changes with Apache 2.4.32
  442 
  443   *) mod_access_compat: Fail if a comment is found in an Allow or Deny
  444      directive.  [Jan Kaluza]
  445 
  446   *) mod_authz_host: Ignore comments after "Require host", logging a
  447      warning, or logging an error if the line is otherwise empty.
  448      [Jan Kaluza, Joe Orton]
  449 
  450   *) rotatelogs: Fix expansion of %Z in localtime (-l) mode, and fix
  451      Y2K38 bug.  [Joe Orton]
  452 
  453   *) mod_ssl: Support SSL DN raw variable extraction without conversion
  454      to UTF-8, using _RAW suffix on variable names.  [Joe Orton]
  455 
  456   *) ab: Fix https:// connection failures (regression in 2.4.30); fix
  457      crash generating CSV output for large -n.  [Joe Orton, Jan Kaluza]
  458 
  459 Changes with Apache 2.4.31 (not released)
  460 
  461   *) mod_proxy_fcgi: Add the support for mod_proxy's flushpackets and flushwait
  462      parameters. [Luca Toscano, Ruediger Pluem, Yann Ylavic]
  463 
  464   *) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
  465      improper merging of the cache lock in vhost config.
  466      PR 43164 [Eric Covener]
  467 
  468   *) mpm_event: Do lingering close in worker(s).  [Yann Ylavic]
  469 
  470   *) mpm_queue: Put fdqueue code in common for MPMs event and worker.
  471      [Yann Ylavic]
  472 
  473 Changes with Apache 2.4.30 (not released)
  474 
  475   *) SECURITY: CVE-2017-15710 (cve.mitre.org)
  476      Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
  477      [Eric Covener, Luca Toscano, Yann Ylavic]
  478 
  479   *) SECURITY: CVE-2018-1283 (cve.mitre.org)
  480      mod_session: CGI-like applications that intend to read from mod_session's
  481      'SessionEnv ON' could be fooled into reading user-supplied data instead.
  482      [Yann Ylavic]
  483 
  484   *) SECURITY: CVE-2018-1303 (cve.mitre.org)
  485      mod_cache_socache: Fix request headers parsing to avoid a possible crash
  486      with specially crafted input data.  [Ruediger Pluem]
  487 
  488   *) SECURITY: CVE-2018-1301 (cve.mitre.org)
  489      core: Possible crash with excessively long HTTP request headers.
  490      Impractical to exploit with a production build and production LogLevel.
  491      [Yann Ylavic]
  492 
  493   *) SECURITY: CVE-2017-15715 (cve.mitre.org)
  494      core: Configure the regular expression engine to match '$' to the end of
  495      the input string only, excluding matching the end of any embedded
  496      newline characters. Behavior can be changed with new directive
  497      'RegexDefaultOptions'. [Yann Ylavic]
  498 
  499   *) SECURITY: CVE-2018-1312 (cve.mitre.org)
  500      mod_auth_digest: Fix generation of nonce values to prevent replay
  501      attacks across servers using a common Digest domain. This change
  502      may cause problems if used with round robin load balancers. PR 54637
  503      [Stefan Fritsch]
  504 
  505   *) SECURITY: CVE-2018-1302 (cve.mitre.org)
  506      mod_http2: Potential crash w/ mod_http2.
  507      [Stefan Eissing]
  508 
  509   *) mod_proxy: Worker schemes and hostnames which are too large are no
  510      longer fatal errors; it is logged and the truncated values are stored.
  511      [Jim Jagielski]
  512 
  513   *) mod_proxy: Allow setting options to globally defined balancer from
  514      ProxyPass used in VirtualHost. Balancers are now merged using the new
  515      merge_balancers method which merges the balancers options.  [Jan Kaluza]
  516 
  517   *) logresolve: Fix incorrect behavior or segfault if -c flag is used
  518      Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259
  519      [Stefan Fritsch]
  520 
  521   *) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
  522      Add ability for PROXY protocol processing to be optional to donated code.
  523      See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
  524      [Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri]
  525 
  526   *) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
  527      allowing per backend TLS configuration.  [Yann Ylavic]
  528 
  529   *) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module. [Roberto De Ioris,
  530      Jim Jagielski]
  531 
  532   *) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
  533      depend on the number of restarts (non-Unix systems) and preserve shared
  534      names as much as possible on configuration changes for SHMs and persisted
  535      files.  PR 62044.  [Yann Ylavic, Jim Jagielski]
  536 
  537   *) mod_http2: obsolete code removed, no more events on beam pool destruction,
  538      discourage content encoders on http2-status response (where they do not work).
  539      [Stefan Eissing]
  540 
  541   *) mpm_event: Let the listener thread do its maintenance job on resources
  542      shortage.  PR 61979.  [Yann Ylavic]
  543 
  544   *) mpm_event: Wakeup the listener to re-enable listening sockets.
  545      [Yann Ylavic]
  546 
  547   *) mod_ssl: The SSLCompression directive will now give an error if used
  548      with an OpenSSL build which does not support any compression methods.
  549      [Joe Orton]
  550 
  551   *) mpm_event,worker: Mask signals for threads created by modules in child
  552      init, so that they don't receive (implicitely) the ones meant for the MPM.
  553      PR 62009. [Armin Abfalterer <a.abfalterer gmail com>, Yann Ylavic]
  554 
  555   *) mod_md: new experimental, module for managing domains across virtual hosts,
  556      implementing the Let's Encrypt ACMEv1 protocol to signup and renew
  557      certificates. Please read the modules documentation for further instructions
  558      on how to use it. [Stefan Eissing]
  559 
  560   *) mod_proxy_html: skip documents shorter than 4 bytes
  561      PR 56286 [Micha Lenk <micha lenk info>]
  562 
  563   *) core, mpm_event: Avoid a small memory leak of the scoreboard handle, for
  564      the lifetime of the connection, each time it is processed by MPM event.
  565      [Yann Ylavic]
  566 
  567   *) mpm_event: Update scoreboard status for KeepAlive state.  [Yann Ylavic]
  568 
  569   *) mod_ldap: Fix a case where a full LDAP cache would continually fail to
  570      purge old entries and log AH01323. PR61891.
  571      [Hendrik Harms <hendrik.harms gmail.com>]
  572 
  573   *) mpm_event: close connections not reported as handled by any module to
  574      avoid losing track of them and leaking scoreboard entries.  PR 61551.
  575      [Yann Ylavic]
  576 
  577   *) core: A signal received while stopping could have crashed the main
  578      process.  PR 61558.  [Yann Ylavic]
  579 
  580   *) mod_ssl: support for mod_md added. [Stefan Eissing]
  581 
  582   *) mod_proxy_html: process parsed comments immediately.
  583      Fixes bug (seen in the wild when used with IBM's HTTPD bundle)
  584      where parsed comments may be lost. [Nick Kew]
  585 
  586   *) mod_proxy_html: introduce doctype for HTML 5 [Nick Kew]
  587 
  588   *) mod_proxy_html: fix typo-bug processing "strict" vs "transitional"
  589      HTML/XHTML.  PR 56457  [Nick Kew]
  590 
  591   *) mpm_event: avoid a very unlikely race condition between the listener and
  592      the workers when the latter fails to add a connection to the pollset.
  593      [Yann Ylavic]
  594 
  595   *) core: silently ignore a not existent file path when IncludeOptional
  596      is used. PR 57585. [Alberto Murillo Silva <powerbsd yahoo.com>, Luca Toscano]
  597 
  598   *) mod_macro: fix usability of globally defined macros in .htaccess files.
  599      PR 57525.  [Jose Kahan <jose w3.org>, Yann Ylavic]
  600 
  601   *) mod_rewrite, core: add the Vary header when a condition evaluates to true
  602      and the related RewriteRule is used in a Directory context
  603      (triggering an internal redirect). [Luca Toscano]
  604 
  605   *) ab: Make the TLS layer aware that the underlying socket is nonblocking,
  606      and use/handle POLLOUT where needed to avoid busy IOs and recover write
  607      errors when appropriate.  [Yann Ylavic]
  608 
  609   *) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
  610      read was incomplete (the SSL case can cause the next poll() to timeout
  611      since data are buffered already).  PR 61301 [Luca Toscano, Yann Ylavic]
  612 
  613   *) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain
  614      information retrievals on null bucket beams where it makes sense. [Stefan Eissing]
  615 
  616 Changes with Apache 2.4.29
  617 
  618   *) mod_unique_id: Use output of the PRNG rather than IP address and
  619      pid, avoiding sleep() call and possible DNS issues at startup,
  620      plus improving randomness for IPv6-only hosts.  [Jan Kaluza]
  621 
  622   *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST
  623      is used in a condition that evaluates to true. PR 58231 [Luca Toscano, Yann Ylavic]
  624 
  625   *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
  626      beams that could lead to assertion failure in edge cases.
  627      [Stefan Eissing]
  628 
  629   *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
  630      in 2.4.28.  [Jim Jagielski]
  631 
  632   *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
  633      PR 61546.  [Lubos Uhliarik <luhliari redhat.com>]
  634 
  635   *) mod_rewrite: Add support for starting External Rewriting Programs
  636      as non-root user on UNIX systems by specifying username and group
  637      name as third argument of RewriteMap directive.  [Jan Kaluza]
  638 
  639   *) core: Rewrite the Content-Length filter to avoid excessive memory
  640      consumption. Chunked responses will be generated in more cases
  641      than in previous releases.  PR 61222.  [Joe Orton, Ruediger Pluem]
  642 
  643   *) mod_ssl: Fix SessionTicket callback return value, which does seem to
  644      matter with OpenSSL 1.1. [Yann Ylavic]
  645 
  646 Changes with Apache 2.4.28
  647 
  648   *) SECURITY: CVE-2017-9798 (cve.mitre.org)
  649      Corrupted or freed memory access. <Limit[Except]> must now be used in the
  650      main configuration file (httpd.conf) to register HTTP methods before the
  651      .htaccess files.  [Yann Ylavic]
  652 
  653   *) event: Avoid possible blocking in the listener thread when shutting down
  654      connections. PR 60956.  [Yann Ylavic]
  655 
  656   *) mod_speling: Don't embed referer data in a link in error page.
  657      PR 38923 [Nick Kew]
  658 
  659   *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
  660      length in a password file. PR 61511.
  661      [Luca Toscano, Hanno Böck <hanno hboeck de>]
  662 
  663   *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
  664      [Jim Jagielski]
  665 
  666   *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
  667      PR 61142.
  668 
  669   *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
  670      down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
  671      's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]
  672 
  673   *) mod_http2: Fix for stalling when more than 32KB are written to a
  674      suspended stream.  [Stefan Eissing]
  675 
  676   *) build: allow configuration without APR sources.  [Jacob Champion]
  677 
  678   *) mod_ssl, ab: Fix compatibility with LibreSSL.  PR 61184.
  679      [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
  680       Yann Ylavic]
  681 
  682   *) core/log: Support use of optional "tag" in syslog entries.
  683      PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]
  684 
  685   *) mod_proxy: Fix ProxyAddHeaders merging.  [Joe Orton]
  686 
  687   *) core: Disallow multiple Listen on the same IP:port when listener buckets
  688      are configured (ListenCoresBucketsRatio > 0), consistently with the single
  689      bucket case (default), thus avoiding the leak of the corresponding socket
  690      descriptors on graceful restart.  [Yann Ylavic]
  691 
  692   *) event: Avoid listener periodic wake ups by using the pollset wake-ability
  693      when available.  PR 57399.  [Yann Ylavic, Luca Toscano]
  694 
  695   *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
  696      led to spurious HTTP 502 error messages sent on upgrade connections.
  697      PR 61283.  [Yann Ylavic]
  698 
  699 Changes with Apache 2.4.27
  700 
  701   *) SECURITY: CVE-2017-9789 (cve.mitre.org)
  702      mod_http2: Read after free. When under stress, closing many connections,
  703      the HTTP/2 handling code would sometimes access memory after it has been
  704      freed, resulting in potentially erratic behaviour.
  705      [Stefan Eissing]
  706 
  707   *) SECURITY: CVE-2017-9788 (cve.mitre.org)
  708      mod_auth_digest: Uninitialized memory reflection.  The value placeholder
  709      in [Proxy-]Authorization headers type 'Digest' was not initialized or
  710      reset before or between successive key=value assignments.
  711      [William Rowe]
  712 
  713   *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
  714      global variable when using Lua 5.2 or later. This was exported as a
  715      side effect from luaL_register, which is no longer supported as of
  716      Lua 5.2 which deprecates pollution of the global namespace.
  717      [Rainer Jung]
  718 
  719   *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
  720      The server will continue to run, but HTTP/2 will no longer be negotiated.
  721      [Stefan Eissing]
  722 
  723   *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
  724      default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
  725      [Jacob Champion, Jim Jagielski]
  726 
  727   *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
  728      PR58188, PR60831, PR61245. [Rainer Jung]
  729 
  730   *) mod_http2: Simplify ready queue, less memory and better performance. Update
  731      mod_http2 version to 1.10.7. [Stefan Eissing]
  732 
  733   *) Allow single-char field names inadvertently disallowed in 2.4.25.
  734      PR 61220. [Yann Ylavic]
  735 
  736   *) htpasswd / htdigest: Do not apply the strict permissions of the temporary
  737      passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]
  738 
  739   *) core: Avoid duplicate HEAD in Allow header.
  740      This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
  741      PR 61207. [Christophe Jaillet]
  742 
  743 Changes with Apache 2.4.26
  744 
  745   *) SECURITY: CVE-2017-7679 (cve.mitre.org)
  746      mod_mime can read one byte past the end of a buffer when sending a
  747      malicious Content-Type response header.  [Yann Ylavic]
  748 
  749   *) SECURITY: CVE-2017-7668 (cve.mitre.org)
  750      The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
  751      bug in token list parsing, which allows ap_find_token() to search past
  752      the end of its input string. By maliciously crafting a sequence of
  753      request headers, an attacker may be able to cause a segmentation fault,
  754      or to force ap_find_token() to return an incorrect value.
  755      [Jacob Champion]
  756 
  757   *) SECURITY: CVE-2017-7659 (cve.mitre.org)
  758      A maliciously constructed HTTP/2 request could cause mod_http2 to
  759      dereference a NULL pointer and crash the server process.
  760 
  761   *) SECURITY: CVE-2017-3169 (cve.mitre.org)
  762      mod_ssl may dereference a NULL pointer when third-party modules call
  763      ap_hook_process_connection() during an HTTP request to an HTTPS port.
  764      [Yann Ylavic]
  765 
  766   *) SECURITY: CVE-2017-3167 (cve.mitre.org)
  767      Use of the ap_get_basic_auth_pw() by third-party modules outside of the
  768      authentication phase may lead to authentication requirements being
  769      bypassed.
  770      [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
  771 
  772   *) HTTP/2 support no longer tagged as "experimental" but is instead considered
  773      fully production ready.
  774 
  775   *) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
  776      the session in continuous check for state changes that never happen.
  777      [Stefan Eissing]
  778 
  779   *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
  780      protocols.  [Jean-Frederic Clere]
  781 
  782   *) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
  783      a possible crash if a signal is caught during (graceful) restart.
  784      PR 60487.  [Yann Ylavic]
  785 
  786   *) mod_rewrite: When a substitution is a fully qualified URL, and the
  787      scheme/host/port matches the current virtual host, stop interpreting the
  788      path component as a local path just because the first component of the
  789      path exists in the filesystem.  Adds RewriteOption "LegacyPrefixDocRoot"
  790      to revert to previous behavior. PR60009.
  791      [Hank Ibell <hwibell gmail.com>]
  792 
  793   *) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
  794      platforms. PR61124. [Hank Ibell <hwibell gmail.com>]
  795 
  796   *) ab: enable option processing for setting a custom HTTP method also for
  797      non-SSL builds.  [Rainer Jung]
  798 
  799   *) core: EBCDIC fixes for interim responses with additional headers.
  800      [Eric Covener]
  801 
  802   *) mod_env: when processing a 'SetEnv' directive, warn if the environment
  803      variable name includes a '='. It is likely a configuration error.
  804      PR 60249 [Christophe Jaillet]
  805 
  806   *) Evaluate nested If/ElseIf/Else configuration blocks.
  807      [Luca Toscano, Jacob Champion]
  808 
  809   *) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
  810      allow spaces in backreferences to be encoded as %20 instead of '+'.
  811      [Eric Covener]
  812 
  813   *) mod_rewrite: Add the possibility to limit the escaping to specific
  814      characters in backreferences by listing them in the B flag.
  815      [Eric Covener]
  816 
  817   *) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
  818      systems.  [Eric Covener]
  819 
  820   *) mod_http2: fail requests without ERROR log in case we need to read interim
  821      responses and see only garbage. This can happen if proxied servers send
  822      data where none should be, e.g. a body for a HEAD request. [Stefan Eissing]
  823 
  824   *) mod_proxy_http2: adding support for Reverse Proxy Request headers.
  825      [Stefan Eissing]
  826 
  827   *) mod_http2: fixed possible deadlock that could occur when connections were
  828      terminated early with ongoing streams. Fixed possible hanger with timeout
  829      on race when connection considers itself idle. [Stefan Eissing]
  830 
  831   *) mod_http2: MaxKeepAliveRequests now limits the number of times a
  832      slave connection gets reused. [Stefan Eissing]
  833 
  834   *) mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
  835      [Evgeny Kotkov]
  836 
  837   *) mod_proxy_http2: Fixed bug in re-attempting proxy requests after
  838      connection error. Reliability of reconnect handling improved.
  839      [Stefan Eissing]
  840 
  841   *) mod_http2: better performance, eliminated need for nested locks and
  842      thread privates. Moving request setups from the main connection to the
  843      worker threads. Increase number of spare connections kept.
  844      [Stefan Eissing]
  845 
  846   *) mod_http2: input buffering and dynamic flow windows for increased
  847      throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup
  848      in mod_http2 INFO log as feature 'DWINS'. [Stefan Eissing]
  849 
  850   *) mod_http2: h2 workers with improved scalability for better scheduling
  851      performance. There are H2MaxWorkers threads created at start and the
  852      number is kept constant for now. [Stefan Eissing]
  853 
  854   *) mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and
  855      just log a warning. [Stefan Eissing]
  856 
  857   *) mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date
  858      format from 2.2 in the Last Modified column. PR60846.
  859      [Hank Ibell <hwibell gmail.com>]
  860 
  861   *) core: Add %{REMOTE_PORT} to the expression parser. PR59938
  862      [Hank Ibell <hwibell gmail.com>]
  863 
  864   *) mod_cache: Fix a regression in 2.4.25 for the forward proxy case by
  865      computing and using the same entity key according to when the cache
  866      checks, loads and saves the request.
  867      PR 60577.  [Yann Ylavic]
  868 
  869   *) mod_proxy_hcheck: Don't validate timed out responses.  [Yann Ylavic]
  870 
  871   *) mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are
  872      in use (ProxyHCTPsize > 0).  PR 60071.  [Yann Ylavic, Jim Jagielski]
  873 
  874   *) core: %{DOCUMENT_URI} used in nested SSI expressions should point to the
  875      URI originally requsted by the user, not the nested documents URI. This
  876      restores the behavior of this variable to match the "legacy" SSI parser.
  877      PR60624. [Hank Ibell <hwibell gmail.com>]
  878 
  879   *) mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment
  880      variables just before invoking the FastCGI. [Eric Covener,
  881      Jacob Champion]
  882 
  883   *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
  884      a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
  885      default.  Add ProxyFCGIBackendType to allow the type of backend to be
  886      specified so these kinds of fixups can be restored without impacting
  887      FPM. PR60576 [Eric Covener, Jim Jagielski]
  888 
  889   *) mod_ssl: work around leaks on (graceful) restart. [Yann Ylavic]
  890 
  891   *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
  892 
  893   *) Don't set SO_REUSEPORT unless ListenCoresBucketsRatio is greater
  894      than zero.  [Eric Covener]
  895 
  896   *) mod_http2: moving session cleanup to pre_close hook to avoid races with
  897      modules already shut down and slave connections still operating.
  898      [Stefan Eissing]
  899 
  900   *) mod_lua: Support for Lua 5.3
  901 
  902   *) mod_proxy_http2: support for ProxyPreserverHost directive. [Stefan Eissing]
  903 
  904   *) mod_http2: fix for crash when running out of memory.
  905      [Robert Swiecki <robert swiecki.net>, Stefan Eissing]
  906 
  907   *) mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
  908      [Luca Toscano]
  909 
  910   *) mod_http2: not counting file buckets again stream max buffer limits.
  911      Effectively transfering static files in one step from slave to master
  912      connection. [Stefan Eissing]
  913 
  914   *) mod_http2: comforting ap_check_pipeline() on slave connections
  915      to facilitate reuse (see https://github.com/icing/mod_h2/issues/128).
  916      [Stefan Eissing, reported by Armin Abfalterer]
  917 
  918   *) mod_http2: http/2 streams now with state handling/transitions as defined
  919      in RFC7540. Stream cleanup/connection shutdown reworked to become easier
  920      to understand/maintain/debug. Added many asserts on state and cleanup
  921      transitions. [Stefan Eissing]
  922 
  923   *) mod_auth_digest: Use an anonymous shared memory segment by default,
  924      preventing startup failure after unclean shutdown.  PR 54622.
  925      [Jan Kaluza]
  926 
  927   *) mod_filter: Fix AddOutputFilterByType with non-content-level filters.
  928      PR 58856. [Micha Lenk <micha lenk.info>]
  929 
  930   *) mod_watchdog: Fix semaphore leak over restarts.  [Jim Jagielski]
  931 
  932   *) mod_http2: regression fix on PR 59348, on graceful restart, ongoing
  933      streams are finished normally before the final GOAWAY is sent.
  934      [Stefan Eissing, <slavko gmail.com>]
  935 
  936   *) mod_proxy: Allow the per-request environment variable "no-proxy" to
  937      be used as an alternative to ProxyPass /path !. This is primarily
  938      to set exceptions for ProxyPass specified in <Location> context.
  939      Use SetEnvIf, not SetEnv. PR 60458.  [Eric Covener]
  940 
  941   *) mod_http2: fixes PR60599, sending proper response for conditional requests
  942      answered by mod_cache. [Jeff Wheelhouse, Stefan Eissing]
  943 
  944   *) mod_http2: rework of stream resource cleanup to avoid a crash in a close
  945      of a lingering connection. Prohibit special file bucket beaming for
  946      shared buckets. Files sent in stream output now use the stream pool
  947      as read buffer, reducing memory footprint of connections.
  948      [Yann Ylavic, Stefan Eissing]
  949 
  950   *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
  951      modules add empty environment variables to the request. PR 60275.
  952      [<alex2grad AT gmail.com>]
  953 
  954   *) mod_http2: fix for possible page fault when stream is resumed during
  955      session shutdown. [sidney-j-r-m (github)]
  956 
  957   *) mod_http2: fix for h2 session ignoring new responses while already
  958      open streams continue to have data available. [Stefan Eissing]
  959 
  960   *) mod_http2: adding support for MergeTrailers directive. [Stefan Eissing]
  961 
  962   *) mod_http2: limiting DATA frame sizes by TLS record sizes in use on the
  963      connection. Flushing outgoing frames earlier. [Stefan Eissing]
  964 
  965   *) mod_http2: cleanup beamer registry on server reload.  PR 60510.
  966      [Pavel Mateja <pavel verotel.cz>, Stefan Eissing]
  967 
  968   *) mod_proxy_{ajp,fcgi}: Fix a possible crash when reusing an established
  969      backend connection, happening with LogLevel trace2 or higher configured,
  970      or at any log level with compilers not detected as C99 compliant (e.g.
  971      MSVC on Windows).  [Yann Ylavic]
  972 
  973   *) mod_ext_filter: Don't interfere with "error buckets" issued by other
  974      modules. PR 60375.  [Eric Covener, Lubos Uhliarik]
  975 
  976   *) mod_http2: fixes https://github.com/icing/mod_h2/issues/126 e.g. beam
  977      bucket lifetime handling when data is sent over temporary pools.
  978      [Stefan Eissing]
  979 
  980 Changes with Apache 2.4.25
  981 
  982   *) Fix some build issues related to various modules.
  983      [Rainer Jung]
  984 
  985 Changes with Apache 2.4.24 (not released)
  986 
  987   *) SECURITY: CVE-2016-8740 (cve.mitre.org)
  988      mod_http2: Mitigate DoS memory exhaustion via endless
  989      CONTINUATION frames.
  990      [Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State
  991      University, Stefan Eissing]
  992 
  993   *) SECURITY: CVE-2016-2161 (cve.mitre.org)
  994      mod_auth_digest: Prevent segfaults during client entry allocation when
  995      the shared memory space is exhausted.
  996      [Maksim Malyutin <m.malyutin dsec.ru>, Eric Covener, Jacob Champion]
  997 
  998   *) SECURITY: CVE-2016-0736 (cve.mitre.org)
  999      mod_session_crypto: Authenticate the session data/cookie with a
 1000      MAC (SipHash) to prevent deciphering or tampering with a padding
 1001      oracle attack.  [Yann Ylavic, Colm MacCarthaigh]
 1002 
 1003   *) SECURITY: CVE-2016-8743 (cve.mitre.org)
 1004      Enforce HTTP request grammar corresponding to RFC7230 for request lines
 1005      and request headers, to prevent response splitting and cache pollution by
 1006      malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
 1007 
 1008   *) Validate HTTP response header grammar defined by RFC7230, resulting
 1009      in a 500 error in the event that invalid response header contents are
 1010      detected when serving the response, to avoid response splitting and cache
 1011      pollution by malicious clients, upstream servers or faulty modules.
 1012      [Stefan Fritsch, Eric Covener, Yann Ylavic]
 1013 
 1014   *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
 1015      [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
 1016 
 1017   *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
 1018      looping RewriteRules when the local path significantly exceeds
 1019      LimitRequestLine.  PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]
 1020 
 1021   *) mod_ratelimit: Allow for initial "burst" amount at full speed before
 1022      throttling: PR 60145 [Andy Valencia <ajv-etradanalhos vsta.org>,
 1023      Jim Jagielski]
 1024 
 1025   *) mod_socache_memcache: Provide memcache stats to mod_status.
 1026      [Jim Jagielski]
 1027 
 1028   *) mod_file_cache: mod_file_cache should be able to serve files that
 1029      haven't had a Content-Type set via e.g. mod_mime. [Eric Covener]
 1030 
 1031   *) http_filters: Fix potential looping in new check_headers() due to new
 1032      pattern of ap_die() from http header filter. Explicitly clear the
 1033      previous headers and body.
 1034 
 1035   *) core: Drop Content-Length header and message-body from HTTP 204 responses.
 1036      PR 51350 [Luca Toscano]
 1037 
 1038   *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is
 1039      configured in <Location>, like in 2.2. PR 60458.
 1040      [Eric Covener]
 1041 
 1042   *) mod_lua: Fix default value of LuaInherit directive. It should be
 1043      'parent-first' instead of 'none', as per documentation.  PR 60419
 1044      [Christophe Jaillet]
 1045 
 1046   *) core: New directive HttpProtocolOptions to control httpd enforcement
 1047      of various RFC7230 requirements. [Stefan Fritsch, William Rowe]
 1048 
 1049   *) core: Permit unencoded ';' characters to appear in proxy requests and
 1050      Location: response headers. Corresponds to modern browser behavior.
 1051      [William Rowe]
 1052 
 1053   *) core: ap_rgetline_core now pulls from r->proto_input_filters.
 1054 
 1055   *) core: Correctly parse an IPv6 literal host specification in an absolute
 1056      URL in the request line. [Stefan Fritsch]
 1057 
 1058   *) core: New directive RegisterHttpMethod for registering non-standard
 1059      HTTP methods. [Stefan Fritsch]
 1060 
 1061   *) mod_socache_memcache: Pass expiration time through to memcached. PR 55445.
 1062      [Faidon Liambotis <paravoid debian.org>, Joe Orton]
 1063 
 1064   *) mod_cache: Use the actual URI path and query-string for identifying the
 1065      cached entity (key), such that rewrites are taken into account when
 1066      running afterwards (CacheQuickHandler off).  PR 21935.  [Yann Ylavic]
 1067 
 1068   *) mod_http2: new directive 'H2EarlyHints' to enable sending of HTTP status
 1069      103 interim responses. Disabled by default. [Stefan Eissing]
 1070 
 1071   *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
 1072      in the client certificate chain.  PR 55786.  [Yann Ylavic]
 1073 
 1074   *) event: Allow to use the whole allocated scoreboard (up to ServerLimit
 1075      slots) to avoid scoreboard full errors when some processes are finishing
 1076      gracefully. Also, make gracefully finishing processes close all
 1077      keep-alive connections. PR 53555. [Stefan Fritsch]
 1078 
 1079   *) mpm_event: Don't take over scoreboard slots from gracefully finishing
 1080      threads. [Stefan Fritsch]
 1081 
 1082   *) mpm_event: Free memory earlier when shutting down processes.
 1083      [Stefan Fritsch]
 1084 
 1085   *) mod_status: Display the process slot number in the async connection
 1086      overview. [Stefan Fritsch]
 1087 
 1088   *) mod_dir: Responses that go through "FallbackResource" might appear to
 1089      hang due to unterminated chunked encoding. PR58292. [Eric Covener]
 1090 
 1091   *) mod_dav: Fix a potential cause of unbounded memory usage or incorrect
 1092      behavior in a routine that sends <DAV:response>'s to the output filters.
 1093      [Evgeny Kotkov]
 1094 
 1095   *) mod_http2: new directive 'H2PushResource' to enable early pushes before
 1096      processing of the main request starts. Resources are announced to the
 1097      client in Link headers on a 103 early hint response.
 1098      All responses with status code <400 are inspected for Link header and
 1099      trigger pushes accordingly. 304 still does prevent pushes.
 1100      'H2PushResource' can mark resources as 'critical' which gives them higher
 1101      priority than the main resource. This leads to preferred scheduling for
 1102      processing and, when content is available, will send it first. 'critical'
 1103      is also recognized on Link headers. [Stefan Eissing]
 1104 
 1105   *) mod_proxy_http2: uris in Link headers are now mapped back to a suitable
 1106      local url when available. Relative uris with an absolute path are mapped
 1107      as well. This makes reverse proxy mapping available for resources
 1108      announced in this header.
 1109      With 103 interim responses being forwarded to the main client connection,
 1110      this effectively allows early pushing of resources by a reverse proxied
 1111      backend server. [Stefan Eissing]
 1112 
 1113   *) mod_proxy_http2: adding support for newly proposed 103 status code.
 1114      [Stefan Eissing]
 1115 
 1116   *) mpm_unix: Apache fails to start if previously crashed then restarted with
 1117      the same PID (e.g. in container).  PR 60261.
 1118      [Val <valentin.bremond gmail.com>, Yann Ylavic]
 1119 
 1120   *) mod_http2: unannounced and multiple interim responses (status code < 200)
 1121      are parsed and forwarded to client until a final response arrives.
 1122      [Stefan Eissing]
 1123 
 1124   *) mod_proxy_http2: improved robustness when main connection is closed early
 1125      by resetting all ongoing streams against the backend.
 1126      [Stefan Eissing]
 1127 
 1128   *) mod_http2: allocators from slave connections are released earlier,
 1129      resulting in less overall memory use on busy, long lived connections.
 1130      [Stefan Eissing]
 1131 
 1132   *) mod_remoteip: Pick up where we left off during a subrequest rather
 1133      than running with the modified XFF but original TCP address.
 1134      PR 49839/PR 60251
 1135 
 1136   *) http: Respond with "408 Request Timeout" when a timeout occurs while
 1137      reading the request body.  [Yann Ylavic]
 1138 
 1139   *) mod_http2: connection shutdown revisited: corrected edge cases on
 1140      shutting down ongoing streams, changed log warnings to be less noisy
 1141      when waiting on long running tasks. [Stefan Eissing]
 1142 
 1143   *) mod_http2: changed all AP_DEBUG_ASSERT to ap_assert to have them
 1144      available also in normal deployments. [Stefan Eissing]
 1145 
 1146   *) mod_http2/mod_proxy_http2: 100-continue handling now properly implemented
 1147      up to the backend. Reused HTTP/2 proxy connections with more than a second
 1148      not used will block request bodies until a PING answer is received.
 1149      Requests headers are not delayed by this, since they are repeatable in
 1150      case of failure. This greatly increases robustness, especially with
 1151      busy server and/or low keepalive connections. [Stefan Eissing]
 1152 
 1153   *) mod_proxy_http2: fixed duplicate symbols with mod_http2.
 1154      [Stefan Eissing]
 1155 
 1156   *) mod_http2: rewrite of how responses and trailers are transferred between
 1157      master and slave connection. Reduction of internal states for tasks
 1158      and streams, stability. Heuristic id generation for slave connections
 1159      to better keep promise of connection ids unique at given point int time.
 1160      Fix for mod_cgid interop in high load situtations.
 1161      Fix for handling of incoming trailers when no request body is sent.
 1162      [Stefan Eissing]
 1163 
 1164   *) mod_http2: fix suspended handling for streams. Output could become
 1165      blocked in rare cases. [Stefan Eissing]
 1166 
 1167   *) mpm_winnt: Prevent a denial of service when the 'data' AcceptFilter is in
 1168      use by replacing it with the 'connect' filter. PR 59970. [Jacob Champion]
 1169 
 1170   *) mod_cgid: Resolve a case where a short CGI response causes a subsequent
 1171      CGI to be killed prematurely, resulting in a truncated subsequent
 1172      response. [Eric Covener]
 1173 
 1174   *) mod_proxy_hcheck: Set health check URI and expression correctly for health
 1175      check worker. PR 60038 [zdeno <zdeno@scnet.sk>]
 1176 
 1177   *) mod_http2: if configured with nghttp2 1.14.0 and onward, invalid request
 1178      headers will immediately reset the stream with a PROTOCOL error. Feature
 1179      logged by module on startup as 'INVHD' in info message.
 1180      [Stefan Eissing]
 1181 
 1182   *) mod_http2: fixed handling of stream buffers during shutdown.
 1183      [Stefan Eissing]
 1184 
 1185   *) mod_reqtimeout: Fix body timeout disabling for CONNECT requests to avoid
 1186      triggering mod_proxy_connect's AH01018 once the tunnel is established.
 1187      [Yann Ylavic]
 1188 
 1189   *) ab: Set the Server Name Indication (SNI) extension on outgoing TLS
 1190      connections (unless -I is specified), according to the Host header (if
 1191      any) or the requested URL's hostname otherwise.  [Yann Ylavic]
 1192 
 1193   *) mod_proxy_fcgi: avoid loops when ProxyErrorOverride is enabled
 1194      and the error documents are proxied. PR 55415. [Luca Toscano]
 1195 
 1196   *) mod_proxy_fcgi: read the whole FCGI response even when the content
 1197      has not been modified (HTTP 304) or in case of a precondition failure
 1198      (HTTP 412) to avoid subsequent bogus reads and confusing
 1199      error messages logged. [Luca Toscano]
 1200 
 1201   *) mod_http2: h2 status resource follows latest draft, see
 1202      http://www.ietf.org/id/draft-benfield-http2-debug-state-01.txt
 1203      [Stefan Eissing]
 1204 
 1205   *) mod_http2: handling graceful shutdown gracefully, e.g. handling existing
 1206      streams to the end. [Stefan Eissing]
 1207 
 1208   *) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data
 1209      available before the request is sent.  PR 57832.  [Yann Ylavic]
 1210 
 1211   *) mod_proxy_balancer: Prevent redirect loops between workers within a
 1212      balancer by limiting the number of redirects to the number balancer
 1213      members. PR 59864 [Ruediger Pluem]
 1214 
 1215   *) mod_proxy: Correctly consider error response codes by the backend when
 1216      processing failonstatus. PR 59869 [Ruediger Pluem]
 1217 
 1218   *) mod_dav: Add dav_get_provider_name() function to obtain the name
 1219      of the provider from mod_dav.  [Graham Leggett]
 1220 
 1221   *) mod_dav: Add support for childtags to dav_error.
 1222      [Jari Urpalainen <jari.urpalainen nokia.com>]
 1223 
 1224   *) mod_proxy_fcgi: Fix 2.4.23 breakage for mod_rewrite per-dir and query
 1225      string showing up in SCRIPT_FILENAME. PR59815
 1226 
 1227   *) mod_include: Fix a potential memory misuse while evaluating expressions.
 1228      PR59844. [Eric Covener]
 1229 
 1230   *) mod_http2: new H2CopyFiles directive that changes treatment of file
 1231      handles in responses. Necessary in order to fix broken lifetime handling
 1232      in modules such as mod_wsgi.
 1233 
 1234   *) mod_http2: removing timeouts on master connection while requests are
 1235      being processed. Requests may timeout, but the master only times out when
 1236      no more requests are active. [Stefan Eissing]
 1237 
 1238   *) mod_http2: fixes connection flush when answering SETTINGS without any
 1239      stream open. [Moto Ishizawa <@summerwind>, Stefan Eissing]
 1240 
 1241 Changes with Apache 2.4.23
 1242 
 1243   *) mod_ssl: reset client-verify state of ssl when aborting renegotiations.
 1244      [Erki Aring <erki@example.ee>, Stefan Eissing]
 1245 
 1246   *) mod_sed: Fix 'x' command processing. [Christophe Jaillet]
 1247 
 1248   *) configure: Fix ./configure edge-case failures around dependencies
 1249      of mod_proxy_hcheck. [William Rowe, Ruediger Pluem, Jeff Trawick]
 1250 
 1251 Changes with Apache 2.4.22
 1252 
 1253   *) mod_http2: fix for request abort when connections drops, introduced in
 1254      1.5.8
 1255 
 1256 Changes with Apache 2.4.21
 1257 
 1258   *) core: Added support for HTTP code 451. PR 58985.
 1259      [Yehuda Katz <yehuda ymkatz.net>, Jim Jagielski]
 1260 
 1261   *) ab: Use caseless matching for HTTP tokens (e.g. content-length). PR 59111.
 1262      [Yann Ylavic]
 1263 
 1264   *) mod_http2: more rigid error handling in DATA frame assembly, leading
 1265      to deterministic connection errors if assembly fails.
 1266      [Stefan Eissing, Pal Nilsen <https://github.com/maedox>]
 1267 
 1268   *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
 1269      failures under Visual Studio 2015 and other mismatched MSVCRT flavors.
 1270      PR59630 [Jan Ehrhardt <phpdev ehrhardt.nl>]
 1271 
 1272   *) mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
 1273      to opt-in previous behaviour (2.2) with CRLs verification when checking
 1274      certificate(s) with no corresponding CRL.  [Yann Ylavic]
 1275 
 1276   *) mpm_event, mpm_worker: Fix computation of MinSpareThreads' lower bound
 1277      according the number of listeners buckets.  [Yann Ylavic]
 1278 
 1279   *) Add ap_cstr_casecmp[n]() - placeholder of apr_cstr_casecmp[n] functions
 1280      for case-insensitive C/POSIX-locale token comparison.
 1281      [Jim Jagielski, William Rowe, Yann Ylavic, Branko Čibej]
 1282 
 1283   *) mod_userdir: Constify and save a few bytes in the conf pool when
 1284      parsing the "UserDir" directive. [Christophe Jaillet]
 1285 
 1286   *) mod_cache: Fix (max-stale with no '=') and enforce (check
 1287      integers after '=') Cache-Control header parsing.
 1288      [Christophe Jaillet]
 1289 
 1290   *) core: Add -DDUMP_INCLUDES configtest option to show the tree
 1291      of Included configuration files.
 1292      [Jacob Champion <champion.pxi gmail.com>]
 1293 
 1294   *) mod_proxy_fcgi: Avoid passing a filename of proxy:fcgi:// as
 1295      SCRIPT_FILENAME to a FastCGI server. PR59618.
 1296      [Jacob Champion <champion.pxi gmail.com>]
 1297 
 1298   *) mod_dav: Add dav_get_provider_name() function to obtain the name
 1299      of the provider from mod_dav.
 1300      [Jari Urpalainen <jari.urpalainen nokia.com>]
 1301 
 1302   *) mod_proxy_http2: properly care for HTTP2 flow control of the frontend
 1303      connection is HTTP/1.1. [Patch supplied by Evgeny Kotkov]
 1304 
 1305   *) mod_http2: improved cleanup of connection/streams/tasks to always
 1306      have deterministic order regardless of event initiating it. Addresses
 1307      reported crashes due to memory read after free issues.
 1308      [Stefan Eissing]
 1309 
 1310   *) mod_ssl: Correct the interaction between SSLProxyCheckPeerCN and newer
 1311      SSLProxyCheckPeerName directives since release 2.4.5, such that disabling
 1312      either disables both, and that enabling either triggers the new, more
 1313      comprehensive SSLProxyCheckPeerName behavior. Only a single configuration
 1314      remains to enable the legacy behavior, which is to explicitly disable
 1315      SSLProxyCheckPeerName, and enable SSLProxyCheckPeerCN. [William Rowe]
 1316 
 1317   *) mod_include: add the <!--#comment ...> syntax in order to include comments
 1318      in a SSI file. [Christophe Jaillet based on a suggestion from Rob]
 1319 
 1320   *) mod_http2: improved event handling for suspended streams, responses
 1321      and window updates. [Stefan Eissing]
 1322 
 1323   *) mod_proxy_hcheck: Provide for dynamic background health
 1324      checks on reverse proxies associated with BalancerMember
 1325      workers. [Jim Jagielski]
 1326 
 1327   *) mod_http2: Fix async write issue that led to selection of wrong timeout
 1328      vs. keepalive timeout selection for idle sessions. [Stefan Eissing]
 1329 
 1330   *) mod_http2: checking LimitRequestLine, LimitRequestFields and
 1331      LimitRequestFieldSize configurated values for incoming streams. Returning
 1332      HTTP status 431 for too long/many headers fields and 414 for a too long
 1333      pseudo header. [Stefan Eissing]
 1334 
 1335   *) mod_http2: tracking conn_rec->current_thread on slave connections, so
 1336      that mod_lua finds the correct one. Fixes PR 59542. [Stefan Eissing]
 1337 
 1338   *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
 1339      urls. Part of the httpd mod_proxy framework, common settings apply.
 1340      Requests from the same HTTP/2 frontend connection against the same backend
 1341      are aggregated on a single connection.
 1342      [Stefan Eissing]
 1343 
 1344   *) mod_http2: slave connections have conn_rec->aborted flag set when a stream
 1345      has been reset by the client. [Stefan Eissing]
 1346 
 1347   *) mod_http2: merge of some 2.4.x adaptions re filters on slave connections.
 1348      Small fixes in bucket beams when forwarding file buckets. Output handling
 1349      on master connection uses less FLUSH and passes automatically when more
 1350      than half of H2StreamMaxMemSize bytes have accumulated.
 1351      Workaround for http: when forwarding partial file buckets to keep the
 1352      output filter from closing these too early. [Stefan Eissing]
 1353 
 1354   *) mod_http2: elimination of fixed master connection buffer for TLS
 1355      connections. New scratch bucket handling optimized for TLS write sizes.
 1356      File bucket data read directly into scratch buffers, avoiding one
 1357      copy. Non-TLS connections continue to pass buckets unchanged to the core
 1358      filters to allow sendfile() usage. [Stefan Eissing]
 1359 
 1360   *) mod_http2/mod_proxy_http2: h2_request.c is no longer shared between these
 1361      modules. This simplifies building on platforms such as Windows, as module
 1362      reference used in logging is now clear. [Stefan Eissing]
 1363 
 1364   *) Scoreboard: Fix a regression in 2.4.20 that causes wrong request data
 1365      to be displayed on the status page. PR 59333. [Yann Ylavic, William Rowe]
 1366 
 1367   *) mod_http2: fixed a bug that caused mod_proxy_http2 to be called for window
 1368      updates on requests it had already reported done. Added synchronization
 1369      on early connection/stream close that lets ongoing requests safely drain
 1370      their input filters.
 1371      [Stefan Eissing]
 1372 
 1373   *) mod_http2: scoreboard updates that summarize the h2 session (and replace
 1374      the last request information) will only happen when the session is idle or
 1375      in shutdown/done phase. [Stefan Eissing]
 1376 
 1377   *) mod_http2: new "bucket beam" technology to transport buckets across
 1378      threads without buffer copy. Delaying response start until flush or
 1379      enough body data has been accumulated. Overall significantly smaller
 1380      memory footprint. [Stefan Eissing]
 1381 
 1382   *) core: New CGIVar directive can configure REQUEST_URI to represent the
 1383      current URI being processed instead of always the original request.
 1384      [Jeff Trawick]
 1385 
 1386   *) scoreboard/status: Restore behavior of showing workers' previous Client,
 1387      VHost and Request values when idle, like in 2.4.18 and earlier.
 1388 
 1389   *) mod_http2: r->protocol changed to "HTTP/2.0" (was "HTTP/2") as this will
 1390      give expected syntax in CGI's SERVER_PROTOCOL is more compatible with
 1391      existing major/minor handling. Fixes PR 59313.
 1392 
 1393   *) mod_http2: disabling mmap for file buckets transport due to segmenation
 1394      faults when files change on the fly.
 1395 
 1396 Changes with Apache 2.4.20
 1397 
 1398   *) SECURITY: CVE-2016-1546 (cve.mitre.org)
 1399      mod_http2: restricting number of concurrent stream workers per connection
 1400      if client is slow.
 1401 
 1402   *) core: Do not read .htaccess if AllowOverride and AllowOverrideList
 1403      are "None". PR 58528.
 1404      [Michael Schlenker <msc contact.de, Ruediger Pluem, Daniel Ruggeri]
 1405 
 1406   *) mod_proxy_express: Fix possible use of DB handle after close.  PR 59230.
 1407      [Petr <pgajdos suse.cz>]
 1408 
 1409   *) core/util_script: relax alphanumeric filter of environment variable names
 1410      on Windows to allow '(' and ')' for passing PROGRAMFILES(X86) et.al.
 1411      unadulterated in 64 bit versions of Windows. PR 46751.
 1412      [John <john leineweb de>]
 1413 
 1414   *) mod_http2: incrementing keepalives on each request started so that logging
 1415      %k gives increasing numbers per master http2 connection.
 1416      New documented variables in env, usable in custom log formats: H2_PUSH,
 1417      H2_PUSHED, H2_PUSHED_ON, H2_STREAM_ID and H2_STREAM_TAG.
 1418      [Stefan Eissing]
 1419 
 1420   *) mod_http2: more efficient passing of response bodies with less contention
 1421      and file bucket forwarding. [Stefan Eissing]
 1422 
 1423   *) mod_http2: fix for missing score board updates on request count, fix for
 1424      memory leak on slave connection reuse. [Stefan Eissing]
 1425 
 1426   *) mod_http2: Fix build on Windows from dsp files.
 1427      [Stefan Eissing]
 1428 
 1429 Changes with Apache 2.4.19
 1430 
 1431   *) mod_ssl: Add missing Upgrade/Connection headers in case of TRACE or
 1432      OPTIONS * requests. PR 58688. [William Rowe]
 1433 
 1434   *) mod_include: Add variable DOCUMENT_ARGS, with the arguments to the
 1435      request for the SSI document.  [Jeff Trawick]
 1436 
 1437   *) mod_authz_host: Add a new "forward-dns" authorization type, not relying on
 1438      reverse DNS lookups.  [Fabien]
 1439 
 1440   *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
 1441      urls. Uses backend connections for concurrent requests if frontend
 1442      connection is http2 as well.
 1443      [Stefan Eissing]
 1444 
 1445   *) mod_ssl: Add hooks to allow other modules to perform processing at
 1446      several stages of initialization and connection handling.  See
 1447      mod_ssl_openssl.h.  [Jeff Trawick]
 1448 
 1449   *) mod_http2: disabling PUSH when client sends GOAWAY. Slave connections are
 1450      reused for several requests, improved performance and better memory use.
 1451      [Stefan Eissing]
 1452 
 1453   *) mod_rewrite: Don't implicitly URL-escape the original query string
 1454      when no substitution has changed it (like PR50447 but server context)
 1455      [Evgeny Kotkov <evgeny.kotkov visualsvn.com>]
 1456 
 1457   *) mod_http2: fixes problem with wrong lifetime of file buckets on main
 1458      connection. [Stefan Eissing]
 1459 
 1460   *) mod_http2: fixes incorrect denial of requests without :authority header.
 1461      [Stefan Eissing]
 1462 
 1463   *) mod_reqtimeout: Prevent long response times from triggering a timeout once
 1464      the request has been fully read.  PR 59045.  [Yann Ylavic]
 1465 
 1466   *) ap_expr: expression support for variable HTTP2=on|off. [Stefan Eissing]
 1467 
 1468   *) mod_http2: give control to async mpm for keepalive timeouts only when
 1469      no streams are open and even if only after 1 sec delay. Under load, event
 1470      mpm discards connections otherwise too quickly. [Stefan Eissing]
 1471 
 1472   *) mod_ssl: Don't lose track of the SSL context if an unlikely failure occurs
 1473      in ssl_init_ssl_connection().  [Graham Leggett]
 1474 
 1475   *) mod_rewrite: Add QSL|qslast flag to allow rewrites to files with
 1476      literal question marks in their names. PR 58777. [Eric Covener]
 1477 
 1478   *) event: use pre_connection hook to properly initialize connection state for
 1479      slave connections. use protocol_switch hook to initialize server config
 1480      early based on SNI selected vhost.
 1481      [Stefan Eissing]
 1482 
 1483   *) hostname: Test and log useragent_host per-request across various modules,
 1484      including the scoreboard, expression and rewrite engines, setenvif,
 1485      authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.
 1486      PR55348  [William Rowe]
 1487 
 1488   *) core: Track the useragent_host per-request when mod_remoteip or similar
 1489      modules track a per-request useragent_ip.  Modules should be updated
 1490      to inquire for ap_get_useragent_host() in place of ap_get_remote_host().
 1491      [William Rowe]
 1492 
 1493   *) core: fix a bug in <UnDefine ...> directive processing. When used, the last
 1494      <Define...>'ed variable was also withdrawn. PR 59019
 1495      [Christophe Jaillet]
 1496 
 1497   *) mod_http2: Accept-Encoding is, when present on the initiating request,
 1498      added to push promises. This lets compressed content work in pushes.
 1499      by the client. [Stefan Eissing]
 1500 
 1501   *) mod_http2: fixed possible read after free when streams were cancelled early
 1502      by the client. [Stefan Eissing]
 1503 
 1504   *) mod_http2: fixed possible deadlock during connection shutdown. Thanks to
 1505      @FrankStolle for reporting and getting the necessary data.
 1506      [Stefan Eissing]
 1507 
 1508   *) mod_http2: fixed apr_uint64_t formatting in a log statement to user proper
 1509      APR def, thanks to @Sp1l.
 1510 
 1511   *) mod_http2: number of worker threads allowed to a connection is adjusting
 1512      dynamically. Starting with 4, the number is doubled when streams can be
 1513      served without block on http/2 connection flow. The number is halfed, when
 1514      the server has to wait on client flow control grants.
 1515      This can happen with a maximum frequency of 5 times per second.
 1516      When a connection occupies too many workers, repeatable requests
 1517      (GET/HEAD/OPTIONS) are cancelled and placed back in the queue. Should that
 1518      not suffice and a stream is busy longer than the server timeout, the
 1519      connection will be aborted with error code ENHANCE_YOUR_CALM.
 1520      This does *not* limit the number of streams a client may open, rather the
 1521      number of server threads a connection might use.
 1522      [Stefan Eissing]
 1523 
 1524   *) mod_http2: allowing link header to specify multiple "rel" values,
 1525      space-separated inside a quoted string. Prohibiting push when Link
 1526      parameter "nopush" is present.
 1527      [Stefan Eissing]
 1528 
 1529   *) mod_http2: reworked connection state handling. Idle connections accept a
 1530      GOAWAY from the client without further reply. Otherwise the
 1531      module makes a best effort to send one last GOAWAY to the client.
 1532 
 1533   *) mod_http2: the values from standard directives Timeout and KeepAliveTimeout
 1534      properly are applied to http/2 connections.
 1535      [Stefan Eissing]
 1536 
 1537   *) mod_http2: idle connections are returned to async mpms. new hook
 1538      "pre_close_connection" used to send GOAWAY frame when not already done.
 1539      Setting event mpm server config "by hand" for the main connection to
 1540      the correct negotiated server.
 1541      [Stefan Eissing]
 1542 
 1543   *) mod_http2: keep-alive blocking reads are done with 1 second timeouts to
 1544      check for MPM stopping. Will announce early GOAWAY and finish processing
 1545      open streams, then close.
 1546      [Stefan Eissing]
 1547 
 1548   *) mod_http2: bytes read/written on slave connections are reported via the
 1549      optional mod_logio functions. Fixes PR 58871.
 1550 
 1551   *) prefork: Initialize the POD when running in ONE_PROCESS (or -X) mode to
 1552      avoid a crash.  [Jan Kaluza, Yann Ylavic]
 1553 
 1554   *) mod_ssl: When SSLVerify is disabled (NONE), don't force a renegotiation if
 1555      the SSLVerifyDepth applied with the default/handshaken vhost differs from
 1556      the one applicable with the finally selected vhost.  [Yann Ylavic]
 1557 
 1558   *) core: Ensure that httpd exits with an error status when the MPM fails
 1559      to run.  [Yann Ylavic]
 1560 
 1561   *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
 1562      [Jan Kaluza, Yann Ylavic]
 1563 
 1564   *) mod_ssl: Add SSLOCSPProxyURL to add the possibility to do all queries
 1565      to OCSP responders through a HTTP proxy. [Ruediger Pluem]
 1566 
 1567   *) mod_proxy: Play/restore the TLS-SNI on new backend connections which
 1568      had to be issued because the remote closed the previous/reusable one
 1569      during idle (keep-alive) time.  [Yann Ylavic]
 1570 
 1571   *) mod_cache_socache: Fix a possible cached entity body corruption when it
 1572      is received from an origin server in multiple batches and forwarded by
 1573      mod_proxy.  [Yann Ylavic]
 1574 
 1575   *) core: Add expression support to SetHandler.
 1576      [Eric Covener]
 1577 
 1578   *) mod_remoteip: Prevent an external proxy from presenting an internal
 1579      proxy. PR 55962. [Mike Rumph]
 1580 
 1581   *) core: Prevent a server crash in case of an invalid CONNECT request with
 1582      a custom error page for status code 400 that uses server side includes.
 1583      PR 58929 [Ruediger Pluem]
 1584 
 1585   *) mod_ssl: handle TIMEOUT on empty SSL input as non-fatal, returning
 1586      APR_TIMEUP and preserving connection state for later retry.
 1587      [Stefan Eissing]
 1588 
 1589   *) mod_ssl: Save some TLS record (application data) fragmentations by
 1590      including the last and subsequent suitable buckets when coalescing.
 1591      [Yann Ylavic]
 1592 
 1593   *) mod_proxy_fcgi: Suppress HTTP error 503 and message 01075,
 1594      "Error dispatching request", when the cause appears to be
 1595      due to the client closing the connection.
 1596      PR58118.  [Tobias Adolph <adolph lrz.de>]
 1597 
 1598   *) mod_cgid: Message AH02550, failure to flush a response to the client,
 1599      is now logged at TRACE1 level to match the underlying core output filter
 1600      severity.  [Eric Covener]
 1601 
 1602   *) mime.types: add common extension "m4a" for MPEG 4 Audio.
 1603      PR 57895 [Dylan Millikin <dylan.millikin gmail.com>]
 1604 
 1605   *) Added many log numbers to log statements that had none.
 1606      [Rainer Jung]
 1607 
 1608   *) mod_log_config: Add GlobalLog to allow a globally defined log to
 1609      be inherited by virtual hosts that define a CustomLog.
 1610      [Edward Lu]
 1611 
 1612   *) mod_http2: connections how keep a "push diary" where hashes of already
 1613      pushed resources are kept. See directive H2PushDiarySize for managing this.
 1614      Push diaries can be initialized by clients via the "Cache-Digest" request
 1615      header. This carries a base64url encoded. compressed Golomb set as described
 1616      in https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/
 1617      Introduced a status handler for HTTP/2 connections, giving various counters
 1618      and statistics about the current connection, plus its cache digest value
 1619      in a JSON record. Not a replacement for more HTTP/2 in the server status.
 1620      Configured as
 1621      <Location "/http2-status">
 1622          SetHandler http2-status
 1623      </Location>
 1624      [Stefan Eissing]
 1625 
 1626   *) mod_http2: Fixed flushing of last GOAWAY frame. Previously, that frame
 1627      did not always reach the client, causing some to fail the next request.
 1628      Fixed calculation of last stream id accepted as described in rfc7540.
 1629      Reading in KEEPALIVE state now correctly shown in scoreboard.
 1630      Fixed possible race in connection shutdown after review by Ylavic.
 1631      Fixed segfault on connection shutdown, callback ran into a semi dismantled session.
 1632      [Stefan Eissing]
 1633 
 1634   *) mod_http2: Added support for experimental accept-push-policy draft
 1635      (https://tools.ietf.org/html/draft-ruellan-http-accept-push-policy-00). Clients
 1636      may now influence server pushes by sending accept-push-policy headers.
 1637      [Stefan Eissing]
 1638 
 1639   *) mod_http2: new r->subprocess_env variables HTTP2 and H2PUSH, set to "on"
 1640      when available for request.
 1641      [Stefan Eissing]
 1642 
 1643   *) mod_http2: fixed bug in input window size calculation by moving chunked
 1644      request body encoding into later stage of processing. Fixes PR 58825.
 1645      [Stefan Eissing]
 1646 
 1647   *) core: new hook "pre_close_connection" which is run before the lingering
 1648      close of connections is started. This gives protocol handlers one last
 1649      chance to use a connection before it goes down.
 1650      [Stefan Eissing]
 1651 
 1652   *) mod_status/scoreboard: showing connection protocol in new column, new
 1653      ap_update_child_status methods for updating server/description. mod_ssl
 1654      sets vhost negotiated by servername directly.
 1655      [Stefan Eissing]
 1656 
 1657 Changes with Apache 2.4.18
 1658 
 1659   *) mod_ssl: for all ssl_engine_vars.c lookups, fall back to master connection
 1660      if conn_rec itself holds no valid SSLConnRec*. Fixes PR58666.
 1661      [Stefan Eissing]
 1662 
 1663   *) mod_http2: connection level window for flow control is set to protocol
 1664      maximum of 2GB-1, preventing window exhaustion when sending data on many
 1665      streams with higher cumulative window size.
 1666      Reducing write frequency unless push promises need to be flushed.
 1667      [Stefan Eissing]
 1668 
 1669   *) mod_http2: required minimum version of libnghttp2 is 1.2.1
 1670      [Stefan Eissing]
 1671 
 1672   *) mod_proxy_fdpass: Fix AH01153 error when using the default configuration.
 1673      In earlier version of httpd, you can explicitelly set the 'flusher' parameter
 1674      to 'flush' as a workaround. (i.e. flusher=flush)
 1675      Add documentation for the 'flusher' parameter when defining a proxy worker.
 1676      [Christophe Jaillet]
 1677 
 1678   *) mod_ssl: For the "SSLStaplingReturnResponderErrors off" case, make sure
 1679      to only staple responses with certificate status "good". [Kaspar Brand]
 1680 
 1681   *) mod_http2: new directive 'H2PushPriority' to allow priority specifications
 1682      on server pushed streams according to their content-type.
 1683      [Stefan Eissing]
 1684 
 1685   *) mod_http2: fixes crash on connection abort for a busy connection.
 1686      fixes crash on a request that did not produce any response.
 1687      [Stefan Eissing]
 1688 
 1689   *) mod_http2: trailers are sent after response body if set in request_rec
 1690      trailers_out before the end-of-request bucket is sent through the
 1691      output filters. [Stefan Eissing]
 1692 
 1693   *) mod_http2: incoming trailers (headers after request body) are properly
 1694      forwarded to the processing engine. [Stefan Eissing]
 1695 
 1696   *) mod_http2: new directive 'H2Push' to en-/disable HTTP/2 server
 1697      pushes a server/virtual host. Pushes are initiated by the presence
 1698      of 'Link:' headers with relation 'preload' on a response. [Stefan Eissing]
 1699 
 1700   *) mod_http2: write performance of http2 improved for larger resources,
 1701      especially static files. [Stefan Eissing]
 1702 
 1703   *) core: if the first HTTP/1.1 request on a connection goes to a server that
 1704      prefers different protocols, these protocols are announced in a Upgrade:
 1705      header on the response, mentioning the preferred protocols.
 1706      [Stefan Eissing]
 1707 
 1708   *) mod_http2: new directives 'H2TLSWarmUpSize' and 'H2TLSCoolDownSecs'
 1709      to control TLS record sizes during connection lifetime.
 1710      [Stefan Eissing]
 1711 
 1712   *) mod_http2: new directive 'H2ModernTLSOnly' to enforce security
 1713      requirements of RFC 7540 on TLS connections. [Stefan Eissing]
 1714 
 1715   *) core: add ap_get_protocol_upgrades() to retrieve the list of protocols
 1716      that a client could possibly upgrade to. Use in first request on a
 1717      connection to announce protocol choices. [Stefan Eissing]
 1718 
 1719   *) mod_http2: reworked deallocation on connection shutdown and worker
 1720      abort. Separate parent pool for all workers. worker threads are joined
 1721      on planned worker shutdown. [Yann Ylavic, Stefan Eissing]
 1722 
 1723   *) mod_ssl: when receiving requests for other virtual hosts than the handshake
 1724      server, the SSL parameters are checked for equality. With equal
 1725      configuration, requests are passed for processing. Any change will trigger
 1726      the old behaviour of "421 Misdirected Request".
 1727      SSL now remembers the cipher suite that was used for the last handshake.
 1728      This is compared against for any vhost/directory cipher specification.
 1729      Detailed examination of renegotiation is only done when these do not
 1730      match.
 1731      Renegotiation is 403ed when a master connection is present. Exact reason
 1732      is given additionally in a request note. [Stefan Eissing]
 1733 
 1734   *) mod_ssl: Make the output filter more friendly with deferred write and
 1735      response pipelining. [Yann Ylavic, Joe Orton]
 1736 
 1737   *) core: Fix scoreboard crash (SIGBUS) on hardware requiring strict 64bit
 1738      alignment (SPARC64, PPC64).  [Yann Ylavic]
 1739 
 1740   *) mod_cache: Accept HT (Horizontal Tab) when parsing cache related header
 1741      fields as described in RFC7230. [Christophe Jaillet]
 1742 
 1743   *) core/util_script: making REDIRECT_URL a full URL is now opt-in
 1744      via new 'QualifyRedirectURL' directive.
 1745 
 1746   *) core: Limit to ten the number of tolerated empty lines between request,
 1747      and consume them before the pipelining check to avoid possible response
 1748      delay when reading the next request without flushing.  [Yann Ylavic]
 1749 
 1750   *) mod_ssl: Extend expression parser registration to support ssl variables
 1751      in any expression using mod_rewrite syntax "%{SSL:VARNAME}" or function
 1752      syntax "ssl(VARNAME)". [Rainer Jung]
 1753 
 1754 Changes with Apache 2.4.17
 1755 
 1756   *) mod_http2: added donated HTTP/2 implementation via core module. Similar
 1757      configuration options to mod_ssl. [Stefan Eissing]
 1758 
 1759   *) mod_proxy: don't recyle backend announced "Connection: close" connections
 1760      to avoid reusing it should the close be effective after some new request
 1761      is ready to be sent.  [Yann Ylavic]
 1762 
 1763   *) mod_substitute: Allow to configure the patterns merge order with the new
 1764      SubstituteInheritBefore on|off directive.  PR 57641
 1765      [Marc.Stern <Marc.Stern approach.be>, Yann Ylavic, William Rowe]
 1766 
 1767   *) mod_proxy: Fix ProxySourceAddress binding failure with AH00938.
 1768      PR 56687.  [Arne de Bruijn <apache arbruijn.dds.nl>
 1769 
 1770   *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3,
 1771      and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
 1772      in accordance with RFC 7568. PR 58349, PR 57120. [Kaspar Brand]
 1773 
 1774   *) mod_ssl: append :!aNULL:!eNULL:!EXP to the cipher string settings,
 1775      instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
 1776      and later). Enables support for configuring the SUITEB* cipher
 1777      strings introduced in OpenSSL 1.0.2. PR 58213. [Kaspar Brand]
 1778 
 1779   *) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
 1780      of subjectAltName entries of type "otherName" into
 1781      SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
 1782      variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,
 1783      Kaspar Brand]
 1784 
 1785   *) mod_logio: Fix logging of %^FB (time to first byte) on the first request on
 1786      an SSL connection.  PR 58454.
 1787      [Konstantin J. Chernov <k.j.chernov gmail.com>]
 1788 
 1789   *) mod_cache: r->err_headers_out is not merged into
 1790      r->headers when mod_cache is enabled and the response
 1791      is cached for the first time. [Edward Lu]
 1792 
 1793   *) mod_slotmem_shm: Fix slots/SHM files names on restart for systems that
 1794      can't create new (clear) slots while previous children gracefully stopping
 1795      still use the old ones (e.g. Windows, OS2). mod_proxy_balancer failed to
 1796      restart whenever the number of configured balancers/members changed during
 1797      restart.  PR 58024.  [Yann Ylavic]
 1798 
 1799   *) core/util_script: make REDIRECT_URL a full URL.  PR 57785. [Nick Kew]
 1800 
 1801   *) MPMs: Support SO_REUSEPORT to create multiple duplicated listener
 1802      records for scalability. [Yingqi Lu <yingqi.lu@intel.com>,
 1803      Jeff Trawick, Jim Jagielski, Yann Ylavic]
 1804 
 1805   *) mod_alias: Introduce expression parser support for Alias, ScriptAlias
 1806      and Redirect. Limit Redirect expressions to directory (Location) context
 1807      and redirect statuses (implicit or explicit).
 1808      [Graham Leggett, Yann Ylavic, Ruediger Pluem]
 1809 
 1810   *) mod_proxy: Fix a race condition that caused a failed worker to be retried
 1811      before the retry period is over. [Ruediger Pluem]
 1812 
 1813   *) mod_autoindex: Allow autoindexes when neither mod_dir nor mod_mime are
 1814      loaded. [Eric Covener]
 1815 
 1816   *) mod_rewrite:  Allow cookies set by mod_rewrite to contain ':' by accepting
 1817      ';' as an alternate separator.  PR47241.
 1818      [<bugzilla schermesser com>, Eric Covener]
 1819 
 1820   *) apxs: Add HTTPD_VERSION and HTTPD_MMN to the variables available with
 1821      apxs -q. PR58202. [Daniel Shahaf <danielsh apache.org>]
 1822 
 1823   *) mod_rewrite: Avoid a crash when lacking correct DB access permissions
 1824      when using RewriteMap with MapType dbd or fastdbd.  [Christophe Jaillet]
 1825 
 1826   *) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions.
 1827      PR 57868. [Jose Kahan <jose w3.org>, Yann Ylavic]
 1828 
 1829   *) mod_socache_memcache: Add the 'MemcacheConnTTL' directive to control how
 1830      long to keep idle connections with the memcache server(s).
 1831      Change default value from 600 usec (!) to 15 sec. PR 58091
 1832      [Christophe Jaillet]
 1833 
 1834   *) mod_dir: Prevent the internal identifier "httpd/unix-directory" from
 1835      appearing as a Content-Type response header when requests for a directory
 1836      are rewritten by mod_rewrite. [Eric Covener]
 1837 
 1838 Changes with Apache 2.4.16
 1839 
 1840   *) http: Fix LimitRequestBody checks when there is no more bytes to read.
 1841      [Michael Kaufmann <mail michael-kaufmann.ch>]
 1842 
 1843   *) mod_alias: Revert expression parser support for Alias, ScriptAlias
 1844      and Redirect due to a regression (introduced in 2.4.13, not released).
 1845 
 1846   *) mod_reqtimeout: Don't let pipelining checks and keep-alive times interfere
 1847      with the timeouts computed for subsequent requests.  PR 56729.
 1848      [Eric Covener, Yann Ylavic]
 1849 
 1850   *) core: Avoid a possible truncation of the faulty header included in the
 1851      HTML response when LimitRequestFieldSize is reached.  [Yann Ylavic]
 1852 
 1853   *) mod_ldap: In some case, LDAP_NO_SUCH_ATTRIBUTE could be returned instead
 1854      of an error during a compare operation. [Eric Covener]
 1855 
 1856 Changes with Apache 2.4.15 (not released)
 1857 
 1858   *) mod_ext_filter, mod_charset_lite: Avoid inadvertent filtering of protocol
 1859      data during read of chunked request bodies. PR 58049.
 1860      [Edward Lu <Chaosed0 gmail.com>]
 1861 
 1862   *) mod_ldap: Stop leaking LDAP connections when 'LDAPConnectionPoolTTL 0'
 1863      is configured.  PR 58037.  [Ted Phelps <phelps gnusto.com>]
 1864 
 1865   *) core: Allow spaces after chunk-size for compatibility with implementations
 1866      using a pre-filled buffer.  [Yann Ylavic, Jeff Trawick]
 1867 
 1868   *) mod_ssl: Remove deprecated SSLCertificateChainFile warning.
 1869      [Yann Ylavic]
 1870 
 1871 Changes with Apache 2.4.14 (not released)
 1872 
 1873   *) SECURITY: CVE-2015-3183 (cve.mitre.org)
 1874      core: Fix chunk header parsing defect.
 1875      Remove apr_brigade_flatten(), buffering and duplicated code from
 1876      the HTTP_IN filter, parse chunks in a single pass with zero copy.
 1877      Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
 1878      authorized characters.  [Graham Leggett, Yann Ylavic]
 1879 
 1880   *) SECURITY: CVE-2015-3185 (cve.mitre.org)
 1881      Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
 1882      with new ap_some_authn_required and ap_force_authn hook.  [Ben Reser]
 1883 
 1884 Changes with Apache 2.4.13 (not released)
 1885 
 1886   *) SECURITY: CVE-2015-0253 (cve.mitre.org)
 1887      core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
 1888      with the INCLUDES filter active, introduced in 2.4.11. PR 57531.
 1889      [Yann Ylavic]
 1890 
 1891   *) SECURITY: CVE-2015-0228 (cve.mitre.org)
 1892      mod_lua: A maliciously crafted websockets PING after a script
 1893      calls r:wsupgrade() can cause a child process crash.
 1894      [Edward Lu <Chaosed0 gmail.com>]
 1895 
 1896   *) mod_proxy: Don't put the worker in error state for 500 or 503 errors
 1897      returned by the backend unless failonstatus is configured to.  PR 56925.
 1898      [Yann Ylavic]
 1899 
 1900   *) core: Don't lowercase the argument to SetHandler if it begins with
 1901      "proxy:unix". PR 57968. [Eric Covener]
 1902 
 1903   *) mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
 1904      the OCSP response for a different certificate.  mod_ssl has an additional
 1905      global mutex, "ssl-stapling-refresh".  PR 57131 (partial fix).
 1906      [Jeff Trawick]
 1907 
 1908   *) mod_authz_dbm: Fix crashes when "dbm-file-group" is used and
 1909      authz modules were loaded in the "wrong" order.  [Joe Orton]
 1910 
 1911   *) mod_authn_dbd, mod_authz_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
 1912      of DB lookup entries independently of the selected DB engine.  PR 46421.
 1913      [Steven whitson <steven.whitson gmail com>, Jan Kaluza, Yann Ylavic].
 1914 
 1915   *) In alignment with RFC 7525, the default recommended SSLCipherSuite
 1916      and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
 1917      default recommended SSLProtocol and SSLProxyProtocol directives now
 1918      exclude SSLv3. Existing configurations must be adjusted by the
 1919      administrator. [William Rowe]
 1920 
 1921   *) mod_ssl: Add support for extracting subjectAltName entries of type
 1922      rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
 1923      environment variables. Also addresses PR 57207. [Kaspar Brand]
 1924 
 1925   *) dav_validate_request: avoid validating locks and ETags when there are
 1926      no If headers providing them on a resource we aren't modifying.
 1927      [Ben Reser]
 1928 
 1929   *) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
 1930      response header to be used by the application, for when the application
 1931      or framework is unable to return Location in the internal-redirect
 1932      form.  [Jeff Trawick]
 1933 
 1934   *) core: Cleanup the request soon/even if some output filter fails to
 1935      handle the EOR bucket.  [Yann Ylavic]
 1936 
 1937   *) mpm_event: Allow for timer events duplicates. [Jim Jagielski, Yann Ylavic]
 1938 
 1939   *) mod_proxy, mod_ssl, mod_cache_socache, mod_socache_*: Support machine
 1940      readable server-status produced when using the "?auto" query string.
 1941      [Rainer Jung]
 1942 
 1943   *) mod_status: Add more data to machine readable server-status produced
 1944      when using the "?auto" query string.  [Rainer Jung]
 1945 
 1946   *) mod_ssl: Check for the Entropy Gathering Daemon (EGD) availability at
 1947      configure time (RAND_egd), and complain if SSLRandomSeed requires using
 1948      it otherwise.  [Bernard Spil <pil.oss gmail com>, Stefan Sperling,
 1949      Kaspar Brand]
 1950 
 1951   *) mod_ssl: make sure to consistently output SSLCertificateChainFile
 1952      deprecation warnings, when encountered in a VirtualHost block.
 1953      [Falco Schwarz <hiding falco.me>]
 1954 
 1955   *) mod_log_config: Add "%{UNIT}T" format to output request duration in
 1956      seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
 1957      [Ben Reser, Rainer Jung]
 1958 
 1959   *) Allow FallbackResource to work when a directory is requested and
 1960      there is no autoindex nor DirectoryIndex.
 1961      [Jack <tjerk.meesters gmail.com>, Eric Covener]
 1962 
 1963   *) mod_proxy_wstunnel: Bypass the handler while the connection is not
 1964      upgraded to WebSocket, so that other modules can possibly take over
 1965      the leading HTTP requests.  [Yann Ylavic]
 1966 
 1967   *) mod_http: Fix incorrect If-Match handling. PR 57358
 1968      [Kunihiko Sakamoto <ksakamoto google.com>]
 1969 
 1970   *) mod_ssl: Add a warning if protocol given in SSLProtocol or SSLProxyProtocol
 1971      will override other parameters given in the same directive. This could be
 1972      a missing + or - prefix.  PR 52820 [Christophe Jaillet]
 1973 
 1974   *) core, modules: Avoid error response/document handling by the core if some
 1975      handler or input filter already did it while reading the request (causing
 1976      a double response body).  [Yann Ylavic]
 1977 
 1978   *) mod_proxy_ajp: Fix client connection errors handling and logged status
 1979      when it occurs.  PR 56823.  [Yann Ylavic]
 1980 
 1981   *) mod_proxy: Use the correct server name for SNI in case the backend
 1982      SSL connection itself is established via a proxy server.
 1983      PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
 1984 
 1985   *) mod_ssl: Fix possible crash when loading server certificate constraints.
 1986      PR 57694. [Paul Spangler <paul.spangler ni com>, Yann Ylavic]
 1987 
 1988   *) build: Don't load both mod_cgi and mod_cgid in the default configuration
 1989      if they're both built.  [olli hauer <ohauer gmx.de>]
 1990 
 1991   *) mod_logio: Add LogIOTrackTTFB and %^FB logformat to log the time
 1992      taken to start writing response headers. [Eric Covener]
 1993 
 1994   *) mod_ssl: Avoid compilation errors with LibreSSL related to
 1995      the use of ENGINE_CTRL_CHIL_SET_FORKCHECK.
 1996      [Stuart Henderson <sthen openbsd.org>]
 1997 
 1998   *) mod_proxy_http: Use the "Connection: close" header for requests to
 1999      backends not recycling connections (disablereuse), including the default
 2000      reverse and forward proxies.  [Yann Ylavic]
 2001 
 2002   *) mod_proxy: Add ap_connection_reusable() for checking if a connection
 2003      is reusable as of this point in processing.  [Jeff Trawick]
 2004 
 2005   *) mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad
 2006      Gateway) when no response is ever received from the backend.
 2007      [Jan Kaluza]
 2008 
 2009   *) core_filters: Restore/disable TCP_NOPUSH option after non-blocking
 2010      sendfile.  PR 53253.  [Yann Ylavic]
 2011 
 2012   *) mod_buffer: Forward flushed input data immediately and avoid (unlikely)
 2013      access to freed memory. [Yann Ylavic, Christophe Jaillet]
 2014 
 2015   *) core: Add CGIPassAuth directive to control whether HTTP authorization
 2016      headers are passed to scripts as CGI variables.  PR 56855.  [Jeff
 2017      Trawick]
 2018 
 2019   *) core: Initialize scoreboard's used optional functions on graceful restarts
 2020      to avoid a crash when relocation occurs.  PR 57177.  [Yann Ylavic]
 2021 
 2022   *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
 2023      back to a client. The answer to a LOCK request could be an extremly large
 2024      integer if the time needed to lock the resource was longer that the
 2025      requested timeout given in the LOCK request. In such a case, we now answer
 2026      "Second-0".  PR55420
 2027      [Christophe Jaillet]
 2028 
 2029   *) mod_cgid: Within the first minute of a server start or restart,
 2030      allow mod_cgid to retry connecting to its daemon process. Previously,
 2031      'No such file or directory: unable to connect to cgi daemon...' could
 2032      be logged without an actual retry. PR57685.
 2033      [Edward Lu <Chaosed0 gmail.com>]
 2034 
 2035   *) mod_proxy: Use the original (non absolute) form of the request-line's URI
 2036      for requests embedded in CONNECT payloads used to connect SSL backends via
 2037      a ProxyRemote forward-proxy.  PR 55892.  [Hendrik Harms <hendrik.harms
 2038      gmail com>, William Rowe, Yann Ylavic]
 2039 
 2040   *) http: Make ap_die() robust against any HTTP error code and not modify
 2041      response status (finally logged) when nothing is to be done. PR 56035.
 2042      [Yann Ylavic]
 2043 
 2044   *) mod_proxy_connect/wstunnel: If both client and backend sides get readable
 2045      at the same time, don't lose errors occurring while forwarding on the first
 2046      side when none occurs next on the other side, and abort.  [Yann Ylavic]
 2047 
 2048   *) mod_rewrite: Improve relative substitutions in per-directory/htaccess
 2049      context for directories found by mod_userdir and mod_alias.  These no
 2050      longer require RewriteBase to be specified. [Eric Covener]
 2051 
 2052   *) mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
 2053      finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
 2054      or force-proxy-request-1.0.  [Yann Ylavic]
 2055 
 2056   *) core: If explicitly configured, use the KeepaliveTimeout value of the
 2057      virtual host which handled the latest request on the connection, or by
 2058      default the one of the first virtual host bound to the same IP:port.
 2059      PR56226.  [Yann Ylavic]
 2060 
 2061   *) mod_lua: After a r:wsupgrade(), mod_lua was not properly
 2062      responding to a websockets PING but instead invoking the specified
 2063      script. PR57524. [Edward Lu <Chaosed0 gmail.com>]
 2064 
 2065   *) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
 2066      a combination of certificate serialNumber and issuer as defined by
 2067      CertificateExactMatch in RFC4523. [Graham Leggett]
 2068 
 2069   *) core: Add expression support to ErrorDocument. Switch from a fixed
 2070      sized 664 byte array per merge to a hash table. [Graham Leggett]
 2071 
 2072   *) ab: Add missing longest request (100%) to CSV export.
 2073      [Marcin Fabrykowski <bugzilla fabrykowski.pl>]
 2074 
 2075   *) mod_macro: Clear macros before initialization to avoid use-after-free
 2076      on startup or restart when the module is linked statically. PR 57525
 2077      [apache.org tech.futurequest.net, Yann Ylavic]
 2078 
 2079   *) mod_alias: Introduce expression parser support for Alias, ScriptAlias
 2080      and Redirect. [Graham Leggett]
 2081 
 2082   *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
 2083      PR 57100.  [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
 2084      Yann Ylavic]
 2085 
 2086   *) mpm_event: Avoid access to the scoreboard from the connection while
 2087      it is suspended (waiting for events).  [Eric Covener, Jeff Trawick]
 2088 
 2089   *) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
 2090      PR 57334.  [Yann Ylavic].
 2091 
 2092   *) mod_deflate: A misplaced check prevents limiting small bodies with the
 2093      new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]
 2094 
 2095   *) mod_proxy_ajp: Forward SSL protocol name (SSLv3, TLSv1.1 etc.) as a
 2096      request attribute to the backend. Recent Tomcat versions will extract
 2097      it and provide it as a servlet request attribute named
 2098      "org.apache.tomcat.util.net.secure_protocol_version". [Rainer Jung]
 2099 
 2100   *) core: Optimize string concatenation in expression parser when evaluating
 2101      a string expression. [Rainer Jung]
 2102 
 2103   *) acinclude.m4: Generate #LoadModule directive in default httpd.conf for
 2104      every --enable-mpms-shared. PR 53882.  [olli hauer <ohauer gmx.de>,
 2105      Yann Ylavic]
 2106 
 2107   *) mod_authn_dbd: Fix the error message logged in case of error while querying
 2108      the database. This is associated to AH01656 and AH01661. [Christophe Jaillet]
 2109 
 2110   *) mod_authz_groupfile: Reduce the severity of AH01667 from ERROR to DEBUG,
 2111      because it may be evaluated inside <RequireAny>. PR55523. [Eric Covener]
 2112 
 2113   *) mod_ssl: Fix small memory leak during initialization when ECDH is used.
 2114      [Jan Kaluza]
 2115 
 2116 Changes with Apache 2.4.12
 2117 
 2118   *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
 2119      internationalization.  [William Rowe]
 2120 
 2121   *) mpm_winnt: Normalize the error and status messages emitted by service.c,
 2122      the service control interface for Windows.  [William Rowe]
 2123 
 2124   *) configure: Fix --enable-v4-mapped configuration on *BSD. PR 53824.
 2125      [ olli hauer <ohauer gmx.de>, Yann Ylavic ]
 2126 
 2127   *) Reverted <DirectoryMatch > behavior regression introduced in 2.4.11
 2128      (not released).
 2129 
 2130 Changes with Apache 2.4.11 (not released)
 2131 
 2132   *) SECURITY: CVE-2014-3583 (cve.mitre.org)
 2133      mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with
 2134      response headers' size above 8K.  [Yann Ylavic, Jeff Trawick]
 2135 
 2136   *) SECURITY: CVE-2014-3581 (cve.mitre.org)
 2137      mod_cache: Avoid a crash when Content-Type has an empty value.
 2138      PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
 2139 
 2140   *) SECURITY: CVE-2014-8109 (cve.mitre.org)
 2141      mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
 2142      used in multiple Require directives with different arguments.
 2143      PR57204 [Edward Lu <Chaosed0 gmail.com>]
 2144 
 2145   *) SECURITY: CVE-2013-5704 (cve.mitre.org)
 2146      core: HTTP trailers could be used to replace HTTP headers
 2147      late during request processing, potentially undoing or
 2148      otherwise confusing modules that examined or modified
 2149      request headers earlier.  Adds "MergeTrailers" directive to restore
 2150      legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
 2151 
 2152   *) mod_ssl: New directive SSLSessionTickets (On|Off).
 2153      The directive controls the use of TLS session tickets (RFC 5077),
 2154      default value is "On" (unchanged behavior).
 2155      Session ticket creation uses a random key created during web
 2156      server startup and recreated during restarts. No other key
 2157      recreation mechanism is available currently. Therefore using session
 2158      tickets without restarting the web server with an appropriate frequency
 2159      (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
 2160 
 2161   *) mod_proxy_fcgi: Provide some basic alternate options for specifying
 2162      how PATH_INFO is passed to FastCGI backends by adding significance to
 2163      the value of proxy-fcgi-pathinfo. PR 55329. [Eric Covener]
 2164 
 2165   *) mod_proxy_fcgi: Enable UDS backends configured with SetHandler/RewriteRule
 2166      to opt-in to connection reuse and other Proxy options via explicitly
 2167      declared "proxy workers" (<Proxy unix:... enablereuse=on max=...)
 2168      [Eric Covener]
 2169 
 2170   *) mod_proxy: Add "enablereuse" option as the inverse of "disablereuse".
 2171      [Eric Covener]
 2172 
 2173   *) mod_proxy_fcgi: Enable opt-in to TCP connection reuse by explicitly
 2174      setting proxy option disablereuse=off. [Eric Covener] PR 57378.
 2175 
 2176   *) event: Update the internal "connection id" when requests
 2177      move from thread to thread. Reuse can confuse modules like
 2178      mod_cgid. PR 57435. [Michael Thorpe <mike gistnet.com>]
 2179 
 2180   *) mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME
 2181      passed to fastcgi backends. [Eric Covener]
 2182 
 2183   *) core: Configuration files with long lines and continuation characters
 2184      are not read properly. PR 55910. [Manuel Mausz <manuel-as mausz.at>]
 2185 
 2186   *) mod_include: the 'env' function was incorrectly handled as 'getenv' if the
 2187      leading 'e' was written in upper case in <!--#if expr="..." -->
 2188      statements. [Christophe Jaillet]
 2189 
 2190   *) split-logfile: Fix perl error:  'Can't use string ("example.org:80")
 2191      as a symbol ref while "strict refs"'. PR 56329.
 2192      [Holger Mauermann <mauermann gmail.com>]
 2193 
 2194   *) mod_proxy: Prevent ProxyPassReverse from doing a substitution when
 2195      the URL parameter interpolates to an empty string. PR 56603.
 2196      [<ajprout hotmail.com>]
 2197 
 2198   *) core: Fix -D[efined] or <Define>[d] variables lifetime across restarts.
 2199      PR 57328.  [Armin Abfalterer <a.abfalterer gmail.com>, Yann Ylavic].
 2200 
 2201   *) mod_proxy: Preserve original request headers even if they differ
 2202      from the ones to be forwarded to the backend. PR 45387.
 2203      [Yann Ylavic]
 2204 
 2205   *) mod_ssl: dump SSL IO/state for the write side of the connection(s),
 2206      like reads (level TRACE4). [Yann Ylavic]
 2207 
 2208   *) mod_proxy_fcgi: Ignore body data from backend for 304 responses. PR 57198.
 2209      [Jan Kaluza]
 2210 
 2211   *) mod_ssl: Do not crash when looking up SSL related variables during
 2212      expression evaluation on non SSL connections. PR 57070  [Ruediger Pluem]
 2213 
 2214   *) mod_proxy_ajp: Fix handling of the default port (8009) in the
 2215      ProxyPass and <Proxy> configurations.  PR 57259.  [Yann Ylavic]
 2216 
 2217   *) mpm_event: Avoid a possible use after free when notifying the end of
 2218      connection during lingering close.  PR 57268.  [Eric Covener, Yann Ylavic]
 2219 
 2220   *) mod_ssl: Fix recognition of OCSP stapling responses that are encoded
 2221      improperly or too large.  [Jeff Trawick]
 2222 
 2223   *) core: Add ap_log_data(), ap_log_rdata(), etc. for logging buffers.
 2224      [Jeff Trawick]
 2225 
 2226   *) mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an
 2227      error when parsing or forwarding the response fails. [Yann Ylavic]
 2228 
 2229   *) mod_ssl: Fix a memory leak in case of graceful restarts with OpenSSL >= 0.9.8e
 2230      PR 53435 [tadanori <tadanori2007 yahoo.com>, Sebastian Wiedenroth <wiedi frubar.net>]
 2231 
 2232   *) mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read
 2233      determine whether it is a normal close or a real error. PR 57168. [Yann
 2234      Ylavic]
 2235 
 2236   *) mod_proxy_wstunnel: abort backend connection on polling error to avoid
 2237      further processing.  [Yann Ylavic]
 2238 
 2239   *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
 2240      PR 57167 [Edward Lu <Chaosed0 gmail.com>]
 2241 
 2242   *) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC
 2243      systems. PR 57092 [Edward Lu <Chaosed0 gmail.com>]
 2244 
 2245   *) mod_cache: Avoid a 304 response to an unconditional requst when an AH00752
 2246      CacheLock error occurs during cache revalidation. [Eric Covener]
 2247 
 2248   *) mod_ssl: Move OCSP stapling information from a per-certificate store to
 2249      a per-server hash. PR 54357, PR 56919. [Alex Bligh <alex alex.org.uk>,
 2250      Yann Ylavic, Kaspar Brand]
 2251 
 2252   *) mod_cache_socache: Change average object size hint from 32 bytes to
 2253      2048 bytes.  [Rainer Jung]
 2254 
 2255   *) mod_cache_socache: Add cache status to server-status.  [Rainer Jung]
 2256 
 2257   *) event: Fix worker-listener deadlock in graceful restart.
 2258      PR 56960.
 2259 
 2260   *) Concat strings at compile time when possible. PR 53741.
 2261 
 2262   *) mod_substitute: Restrict configuration in .htaccess to
 2263      FileInfo as documented.  [Rainer Jung]
 2264 
 2265   *) mod_substitute: Make maximum line length configurable.  [Rainer Jung]
 2266 
 2267   *) mod_substitute: Fix line length limitation in case of regexp plus flatten.
 2268      [Rainer Jung]
 2269 
 2270   *) mod_proxy: Truncated character worker names are no longer fatal
 2271      errors. PR53218. [Jim Jagielski]
 2272 
 2273   *) mod_dav: Set r->status_line in dav_error_response. PR 55426.
 2274 
 2275   *) mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory.
 2276      [Yann Ylavic, Christophe Jaillet]
 2277 
 2278   *) http_protocol: fix logic in ap_method_list_(add|remove) in order:
 2279        - to correctly reset bits
 2280        - not to modify the 'method_mask' bitfield unnecessarily
 2281      [Christophe Jaillet]
 2282 
 2283   *) mod_slotmem_shm: Increase log level for some originally debug messages.
 2284      [Jim Jagielski]
 2285 
 2286   *) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with
 2287      the wrong credentials when a backend connection is reused.
 2288      [Eric Covener]
 2289 
 2290   *) mod_macro: Add missing APLOGNO for some Warning log messages.
 2291      [Christophe Jaillet]
 2292 
 2293   *) mod_cache: Avoid sending 304 responses during failed revalidations
 2294      PR56881. [Eric Covener]
 2295 
 2296   *) mod_status: Honor client IP address using mod_remoteip. PR 55886.
 2297      [Jim Jagielski]
 2298 
 2299   *) cmake-based build for Windows: Fix incompatibility with cmake 2.8.12
 2300      and later.  PR 56615.  [Chuck Liu <cliu81 gmail.com>, Jeff Trawick]
 2301 
 2302   *) mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade
 2303      failed) messages from ERROR to TRACE1.  Other filters do not bother
 2304      re-reporting failures from lower level filters.  PR56832.  [Eric Covener]
 2305 
 2306   *) core: Avoid useless warning message when parsing a section guarded by
 2307      <IfDefine foo> if $(foo) is used within the section.
 2308      PR 56503 [Christophe Jaillet]
 2309 
 2310   *) mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the
 2311      application.  PR 56858.  [Manuel Mausz <manuel-asf mausz.at>]
 2312 
 2313   *) mod_proxy_http: Proxy responses with error status and
 2314      "ProxyErrorOverride On" hang until proxy timeout.
 2315      PR53420 [Rainer Jung]
 2316 
 2317   *) mod_log_config: Allow three character log formats to be registered. For
 2318      backwards compatibility, the first character of a three-character format
 2319      must be the '^' (caret) character.  [Eric Covener]
 2320 
 2321   *) mod_lua: Don't quote Expires and Path values. PR 56734.
 2322      [Keith Mashinter, <kmashint yahoo com>]
 2323 
 2324   *) mod_authz_core: Allow <AuthzProviderAlias>'es to be seen from auth
 2325      stanzas under virtual hosts. PR 56870. [Eric Covener]
 2326 
 2327 Changes with Apache 2.4.10
 2328 
 2329   *) SECURITY: CVE-2014-0117 (cve.mitre.org)
 2330      mod_proxy: Fix crash in Connection header handling which allowed a denial
 2331      of service attack against a reverse proxy with a threaded MPM.
 2332      [Ben Reser]
 2333 
 2334   *) SECURITY: CVE-2014-3523 (cve.mitre.org)
 2335      Fix a memory consumption denial of service in the WinNT MPM, used in all
 2336      Windows installations. Workaround: AcceptFilter <protocol> {none|connect}
 2337      [Jeff Trawick]
 2338 
 2339   *) SECURITY: CVE-2014-0226 (cve.mitre.org)
 2340      Fix a race condition in scoreboard handling, which could lead to
 2341      a heap buffer overflow.  [Joe Orton, Eric Covener]
 2342 
 2343   *) SECURITY: CVE-2014-0118 (cve.mitre.org)
 2344      mod_deflate: The DEFLATE input filter (inflates request bodies) now
 2345      limits the length and compression ratio of inflated request bodies to
 2346      avoid denial of service via highly compressed bodies.  See directives
 2347      DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
 2348      and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
 2349 
 2350   *) SECURITY: CVE-2014-0231 (cve.mitre.org)
 2351      mod_cgid: Fix a denial of service against CGI scripts that do
 2352      not consume stdin that could lead to lingering HTTPD child processes
 2353      filling up the scoreboard and eventually hanging the server.  By
 2354      default, the client I/O timeout (Timeout directive) now applies to
 2355      communication with scripts.  The CGIDScriptTimeout directive can be
 2356      used to set a different timeout for communication with scripts.
 2357      [Rainer Jung, Eric Covener, Yann Ylavic]
 2358 
 2359   *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
 2360      resumed by TLS session resumption (RFC 5077). [Rainer Jung]
 2361 
 2362   *) mod_deflate: Don't fail when flushing inflated data to the user-agent
 2363      and that coincides with the end of stream ("Zlib error flushing inflate
 2364      buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]
 2365 
 2366   *) mod_proxy_ajp: Forward local IP address as a custom request attribute
 2367      like we already do for the remote port. [Rainer Jung]
 2368 
 2369   *) core: Include any error notes set by modules in the canned error
 2370      response for 403 errors.  [Jeff Trawick]
 2371 
 2372   *) mod_ssl: Set an error note for requests rejected due to
 2373      SSLStrictSNIVHostCheck.  [Jeff Trawick]
 2374 
 2375   *) mod_ssl: Fix issue with redirects to error documents when handling
 2376      SNI errors.  [Jeff Trawick]
 2377 
 2378   *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
 2379      larger keys and support up to 8192-bit keys.  [Ruediger Pluem,
 2380      Joe Orton]
 2381 
 2382   *) mod_dav: Fix improper encoding in PROPFIND responses.  PR 56480.
 2383      [Ben Reser]
 2384 
 2385   *) WinNT MPM: Improve error handling for termination events in child.
 2386      [Jeff Trawick]
 2387 
 2388   *) mod_proxy: When ping/pong is configured for a worker, don't send or
 2389      forward "100 Continue" (interim) response to the client if it does
 2390      not expect one. [Yann Ylavic]
 2391 
 2392   *) mod_ldap: Be more conservative with the last-used time for
 2393      LDAPConnectionPoolTTL. PR54587 [Eric Covener]
 2394 
 2395   *) mod_ldap: LDAP connections used for authn were not respecting
 2396      LDAPConnectionPoolTTL. PR54587 [Eric Covener]
 2397 
 2398   *) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.
 2399      [Jeff Trawick]
 2400 
 2401   *) event MPM: Fix possible crashes (third-party modules accessing c->sbh)
 2402      or occasional missed mod_status updates under load. PR 56639.
 2403      [Edward Lu <Chaosed0 gmail com>]
 2404 
 2405   *) mod_authnz_ldap: Support primitive LDAP servers do not accept
 2406      filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
 2407      filter "none" to be specified in AuthLDAPURL. [Eric Covener]
 2408 
 2409   *) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
 2410      [Lukas Bezdicka <social v3.sk>]
 2411 
 2412   *) mod_deflate: Handle Zlib header and validation bytes received in multiple
 2413      chunks. PR 46146. [Yann Ylavic]
 2414 
 2415   *) mod_proxy: Allow reverse-proxy to be set via explicit handler.
 2416      [ryo takatsuki <ryotakatsuki gmail com>]
 2417 
 2418   *) ab: support custom HTTP method with -m argument. PR 56604.
 2419      [Roman Jurkov <winfinit gmail.com>]
 2420 
 2421   *) mod_proxy_balancer: Correctly encode user provided data in management
 2422      interface. PR 56532 [Maksymilian, <max cert.cx>]
 2423 
 2424   *) mod_proxy: Don't limit the size of the connectable Unix Domain Socket
 2425      paths. [Graham Dumpleton, Christophe Jaillet, Yann Ylavic]
 2426 
 2427   *) mod_proxy_fcgi: Support iobuffersize parameter.  [Jeff Trawick]
 2428 
 2429   *) event: Send the SSL close notify alert when the KeepAliveTimeout
 2430      expires. PR54998. [Yann Ylavic]
 2431 
 2432   *) mod_ssl: Ensure that the SSL close notify alert is flushed to the client.
 2433      PR54998. [Tim Kosse <tim.kosse filezilla-project.org>, Yann Ylavic]
 2434 
 2435   *) mod_proxy: Shutdown (eg. SSL close notify) the backend connection before
 2436      closing. [Yann Ylavic]
 2437 
 2438   *) mod_auth_form: Add a debug message when the fields on a form are not
 2439      recognised. [Graham Leggett]
 2440 
 2441   *) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
 2442      response. PR 55547.  [Yann Ylavic]
 2443 
 2444   *) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
 2445      scheme. PR55320. [Alex Liu <alex.leo.ca gmail.com>]
 2446 
 2447   *) mod_socache_shmcb: Correct counting of expirations for status display.
 2448      Expirations happening during retrieval were not counted. [Rainer Jung]
 2449 
 2450   *) mod_cache: Retry unconditional request with the full URL (including the
 2451      query-string) when the origin server's 304 response does not match the
 2452      conditions used to revalidate the stale entry.  [Yann Ylavic].
 2453 
 2454   *) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
 2455      variables as a result of AliasMatch. [Eric Covener]
 2456 
 2457   *) mod_cache: Don't add cached/revalidated entity headers to a 304 response.
 2458      PR 55547.  [Yann Ylavic]
 2459 
 2460   *) mod_proxy_scgi: Support Unix sockets.  ap_proxy_port_of_scheme():
 2461      Support default SCGI port (4000).  [Jeff Trawick]
 2462 
 2463   *) mod_cache: Fix AH00784 errors on Windows when the the CacheLock directive
 2464      is enabled.  [Eric Covener]
 2465 
 2466   *) mod_expires: don't add Expires header to error responses (4xx/5xx),
 2467      be they generated or forwarded. PR 55669.  [Yann Ylavic]
 2468 
 2469   *) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
 2470      (regression in 2.4.9 release) [Jeff Trawick]
 2471 
 2472   *) mod_authn_socache: Fix crash at startup in certain configurations.
 2473      PR 56371. (regression in 2.4.7) [Jan Kaluza]
 2474 
 2475   *) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
 2476      programs to the form used in releases up to 2.4.7, and emulate
 2477      a backwards-compatible behavior for existing setups. [Kaspar Brand]
 2478 
 2479   *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
 2480      OCSP requests should use a nonce to be checked against the responder's
 2481      one. PR 56233. [Yann Ylavic, Kaspar Brand]
 2482 
 2483   *) mod_ssl: "SSLEngine off" will now override a Listen-based default
 2484      and does disable mod_ssl for the vhost.  [Joe Orton]
 2485 
 2486   *) mod_lua: Enforce the max post size allowed via r:parsebody()
 2487      [Daniel Gruno]
 2488 
 2489   *) mod_lua: Use binary comparison to find boundaries for multipart
 2490      objects, as to not terminate our search prematurely when hitting
 2491      a NULL byte. [Daniel Gruno]
 2492 
 2493   *) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
 2494      versions before 0.9.8h and not specifying an SSLCertificateChainFile
 2495      (regression introduced with 2.4.8). PR 56410. [Kaspar Brand]
 2496 
 2497   *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
 2498      no longer send warning-level unrecognized_name(112) alerts,
 2499      and limit startup warnings to cases where an OpenSSL version
 2500      without TLS extension support is used. PR 56241. [Kaspar Brand]
 2501 
 2502   *) mod_proxy_html: Avoid some possible memory access violation in case of
 2503      specially crafted files, when the ProxyHTMLMeta directive is turned on.
 2504      Follow up of PR 56287 [Christophe Jaillet]
 2505 
 2506   *) mod_auth_form: Make sure the optional functions are loaded even when
 2507      the AuthFormProvider isn't specified. [Graham Leggett]
 2508 
 2509   *) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
 2510      (and logging garbled file names). PR 56306. [Kaspar Brand]
 2511 
 2512   *) mod_ssl: fix merging of global and vhost-level settings with the
 2513      SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
 2514      directives. PR 56353. [Kaspar Brand]
 2515 
 2516   *) mod_headers: Allow the "value" parameter of Header and RequestHeader to
 2517      contain an ap_expr expression if prefixed with "expr=". [Eric Covener]
 2518 
 2519   *) rotatelogs: Avoid creation of zombie processes when -p is used on
 2520      Unix platforms.  [Joe Orton]
 2521 
 2522   *) mod_authnz_fcgi: New module to enable FastCGI authorizer
 2523      applications to authenticate and/or authorize clients.
 2524      [Jeff Trawick]
 2525 
 2526   *) mod_proxy: Do not try to parse the regular expressions passed by
 2527      ProxyPassMatch as URL as they do not follow their syntax.
 2528      PR 56074. [Ruediger Pluem]
 2529 
 2530   *) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
 2531      under the Event MPM. PR56216.  [Frank Meier <frank meier ergon ch>]
 2532 
 2533   *) mod_proxy_fcgi: Fix sending of response without some HTTP headers
 2534      that might be set by filters.  PR 55558. [Jim Riggs <jim riggs.me>]
 2535 
 2536   *) mod_proxy_html: Do not delete the wrong data from HTML code when a
 2537      "http-equiv" meta tag specifies a Content-Type behind any other
 2538      "http-equiv" meta tag. PR 56287 [Micha Lenk <micha lenk info>]
 2539 
 2540   *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
 2541      differs. PR 55782.  [Yann Ylavic]
 2542 
 2543   *) Add suspend_connection and resume_connection hooks to notify modules
 2544      when the thread/connection relationship changes.  (Should be implemented
 2545      for any third-party async MPMs.)  [Jeff Trawick]
 2546 
 2547   *) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
 2548      hangups from websockets origin servers. PR 56299
 2549      [Yann Ylavic, Edward Lu <Chaosed0 gmail com>, Eric Covener]
 2550 
 2551   *) mod_proxy_wstunnel: Don't pool backend websockets connections,
 2552      because we need to handshake every time. PR 55890.
 2553      [Eric Covener]
 2554 
 2555   *) mod_lua: Redesign how request record table access behaves,
 2556      in order to utilize the request record from within these tables.
 2557      [Daniel Gruno]
 2558 
 2559   *) mod_lua: Add r:wspeek for peeking at WebSocket frames. [Daniel Gruno]
 2560 
 2561   *) mod_lua: Log an error when the initial parsing of a Lua file fails.
 2562      [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
 2563 
 2564   *) mod_lua: Reformat and escape script error output.
 2565      [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
 2566 
 2567   *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
 2568      from causing response splitting.
 2569      [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
 2570 
 2571   *) mod_lua: Disallow newlines in table values inside the request_rec,
 2572      to prevent HTTP Response Splitting via tainted headers.
 2573      [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
 2574 
 2575   *) mod_lua: Remove the non-working early/late arguments for
 2576      LuaHookCheckUserID. [Daniel Gruno]
 2577 
 2578   *) mod_lua: Change IVM storage to use shm [Daniel Gruno]
 2579 
 2580   *) mod_lua: More verbose error logging when a handler function cannot be
 2581      found. [Daniel Gruno]
 2582 
 2583 Changes with Apache 2.4.9
 2584 
 2585   *) mod_ssl: Work around a bug in some older versions of OpenSSL that
 2586      would cause a crash in SSL_get_certificate for servers where the
 2587      certificate hadn't been sent. [Stephen Henson]
 2588 
 2589   *) mod_lua: Add a fixups hook that checks if the original request is intended
 2590      for LuaMapHandler. This fixes a bug where FallbackResource invalidates the
 2591      LuaMapHandler directive in certain cases by changing the URI before the map
 2592      handler code executes [Daniel Gruno, Daniel Ferradal <dferradal gmail com>].
 2593 
 2594 Changes with Apache 2.4.8 (not released)
 2595 
 2596   *) SECURITY: CVE-2014-0098 (cve.mitre.org)
 2597      Clean up cookie logging with fewer redundant string parsing passes.
 2598      Log only cookies with a value assignment. Prevents segfaults when
 2599      logging truncated cookies.
 2600      [William Rowe, Ruediger Pluem, Jim Jagielski]
 2601 
 2602   *) SECURITY: CVE-2013-6438 (cve.mitre.org)
 2603      mod_dav: Keep track of length of cdata properly when removing
 2604      leading spaces. Eliminates a potential denial of service from
 2605      specifically crafted DAV WRITE requests
 2606      [Amin Tora <Amin.Tora neustar.biz>]
 2607 
 2608   *) core: Support named groups and backreferences within the LocationMatch,
 2609      DirectoryMatch, FilesMatch and ProxyMatch directives. (Requires
 2610      non-ancient PCRE library) [Graham Leggett]
 2611 
 2612   *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
 2613      TE/CL conflicts. [Yann Ylavic, Jim Jagielski]
 2614 
 2615   *) core: Detect incomplete request and response bodies, log an error and
 2616      forward it to the underlying filters. PR 55475 [Yann Ylavic]
 2617 
 2618   *) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping
 2619      execution when a handler is already set. PR53929. [Eric Covener]
 2620 
 2621   *) mod_ssl: Do not perform SNI / Host header comparison in case of a
 2622      forward proxy request. [Ruediger Pluem]
 2623 
 2624   *) mod_ssl: Remove the hardcoded algorithm-type dependency for the
 2625      SSLCertificateFile and SSLCertificateKeyFile directives, to enable
 2626      future algorithm agility, and deprecate the SSLCertificateChainFile
 2627      directive (obsoleted by SSLCertificateFile). [Kaspar Brand]
 2628 
 2629   *) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
 2630      and IgnoreInherit to allow RewriteRules to be pushed from parent scopes
 2631      to child scopes without explicitly configuring each child scope.
 2632      PR56153.  [Edward Lu <Chaosed0 gmail com>]
 2633 
 2634   *) prefork: Fix long delays when doing a graceful restart.
 2635      PR 54852 [Jim Jagielski, Arkadiusz Miskiewicz <arekm maven pl>]
 2636 
 2637   *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
 2638      5+ instead of just for FreeBSD 5. PR 53824. [Jeff Trawick]
 2639 
 2640   *) mod_proxy_wstunnel: Avoid busy loop on client errors, drop message
 2641      IDs 02445, 02446, and 02448 to TRACE1 from DEBUG. PR 56145.
 2642      [Joffroy Christen <joffroy.christen solvaxis com>, Eric Covener]
 2643 
 2644   *) mod_remoteip: Correct the trusted proxy match test. PR 54651.
 2645      [Yoshinori Ehara <yoshinori ehara gmail com>, Eugene L <eugenel amazon com>]
 2646 
 2647   *) mod_proxy_fcgi: Fix error message when an unexpected protocol version
 2648      number is received from the application.  PR 56110.  [Jeff Trawick]
 2649 
 2650   *) mod_remoteip: Use the correct IP addresses to populate the proxy_ips field.
 2651      PR 55972. [Mike Rumph]
 2652 
 2653   *) mod_lua: Update r:setcookie() to accept a table of options and add domain,
 2654      path and httponly to the list of options available to set.
 2655      PR 56128 [Edward Lu <Chaosed0 gmail com>, Daniel Gruno]
 2656 
 2657   *) mod_lua: Fix r:setcookie() to add, rather than replace,
 2658      the Set-Cookie header. PR56105
 2659      [Kevin J Walters <kjw ms com>, Edward Lu <Chaosed0 gmail com>]
 2660 
 2661   *) mod_lua: Allow for database results to be returned as a hash with
 2662      row-name/value pairs instead of just row-number/value. [Daniel Gruno]
 2663 
 2664   *) mod_rewrite: Add %{CONN_REMOTE_ADDR} as the non-useragent counterpart to
 2665      %{REMOTE_ADDR}. PR 56094. [Edward Lu <Chaosed0 gmail com>]
 2666 
 2667   *) WinNT MPM: If ap_run_pre_connection() fails or sets c->aborted, don't
 2668      save the socket for reuse by the next worker as if it were an
 2669      APR_SO_DISCONNECTED socket. Restores 2.2 behavior. [Eric Covener]
 2670 
 2671   *) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a URL
 2672      that was just rewritten by mod_rewrite. PR53929. [Eric Covener]
 2673 
 2674   *) mod_session: When we have a session we were unable to decode,
 2675      behave as if there was no session at all. [Thomas Eckert
 2676      <thomas.r.w.eckert gmail com>]
 2677 
 2678   *) mod_session: Fix problems interpreting the SessionInclude and
 2679      SessionExclude configuration. PR 56038. [Erik Pearson
 2680      <erik adaptations.com>]
 2681 
 2682   *) mod_authn_core: Allow <AuthnProviderAlias>'es to be seen from auth
 2683      stanzas under virtual hosts. PR 55622. [Eric Covener]
 2684 
 2685   *) mod_proxy_fcgi: Use apr_socket_timeout_get instead of hard-coded
 2686      30 seconds timeout. [Jan Kaluza]
 2687 
 2688   *) build: only search for modules (config*.m4) in known subdirectories, see
 2689      build/config-stubs. [Stefan Fritsch]
 2690 
 2691   *) mod_cache_disk: Fix potential hangs on Windows when using mod_cache_disk.
 2692      PR 55833. [Eric Covener]
 2693 
 2694   *) mod_ssl: Add support for OpenSSL configuration commands by introducing
 2695      the SSLOpenSSLConfCmd directive. [Stephen Henson, Kaspar Brand]
 2696 
 2697   *) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
 2698      is equivalent to <ProxyMatch wildcard-url>. [Christophe Jaillet]
 2699 
 2700   *) mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
 2701      mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
 2702      require directives. [Graham Leggett]
 2703 
 2704   *) mod_proxy_http: Core dumped under high load. PR 50335.
 2705      [Jan Kaluza <jkaluza redhat.com>]
 2706 
 2707   *) mod_socache_shmcb.c: Remove arbitrary restriction on shared memory size
 2708      previously limited to 64MB. [Jens Låås <jelaas gmail.com>]
 2709 
 2710   *) mod_lua: Use binary copy when dealing with uploads through r:parsebody()
 2711      to prevent truncating files. [Daniel Gruno]
 2712 
 2713 Changes with Apache 2.4.7
 2714 
 2715   *) SECURITY: CVE-2013-4352 (cve.mitre.org)
 2716      mod_cache: Fix a NULL pointer deference which allowed untrusted
 2717      origin servers to crash mod_cache in a forward proxy
 2718      configuration.  [Graham Leggett]
 2719 
 2720   *) APR 1.5.0 or later is now required for the event MPM.
 2721 
 2722   *) slotmem_shm: Error detection. [Jim Jagielski]
 2723 
 2724   *) event: Use skiplist data structure. [Jim Jagielski]
 2725 
 2726   *) event: Fail at startup with message AP02405 if the APR atomic
 2727      implementation is not compatible with the MPM.  [Jim Jagielski]
 2728 
 2729   *) mpm_unix: Add ap_mpm_podx_* implementation to avoid code duplication
 2730      and align w/ trunk. [Jim Jagielski]
 2731 
 2732   *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
 2733      directives.  [Mike Rumph <mike.rumph oracle.com>]
 2734 
 2735   *) mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars.
 2736      An individual envvar with an encoded length of more than 16K will be
 2737      omitted.  [Jeff Trawick]
 2738 
 2739   *) mod_proxy_fcgi: Handle reading protocol data that is split between
 2740      packets.  [Jeff Trawick]
 2741 
 2742   *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
 2743      allowing custom parameters to be configured via SSLCertificateFile,
 2744      and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
 2745      Unless custom parameters are configured, the standardized parameters
 2746      are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
 2747 
 2748   *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]
 2749 
 2750   *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
 2751      keys, and unconditionally disable aNULL, eNULL and EXP ciphers
 2752      (not overridable via SSLCipherSuite). [Kaspar Brand]
 2753 
 2754   *) mod_proxy: Added support for unix domain sockets as the
 2755      backend server endpoint. This also introduces an unintended
 2756      incompatibility for third party modules using the mod_proxy
 2757      proxy_worker_shared structure, especially for balancer lbmethod
 2758      modules. [Jim Jagielski, Blaise Tarr <blaise tarr gmail com>]
 2759 
 2760   *) Add experimental cmake-based build system for Windows.  [Jeff Trawick,
 2761      Tom Donovan]
 2762 
 2763   *) event MPM: Fix possible crashes (third party modules accessing c->sbh)
 2764      or occasional missed mod_status updates for some keepalive requests
 2765      under load. [Eric Covener]
 2766 
 2767   *) mod_authn_socache: Support optional initialization arguments for
 2768      socache providers.  [Chris Darroch]
 2769 
 2770   *) mod_session: Reset the max-age on session save. PR 47476. [Alexey
 2771      Varlamov <alexey.v.varlamov gmail com>]
 2772 
 2773   *) mod_session: After parsing the value of the header specified by the
 2774      SessionHeader directive, remove the value from the response. PR 55279.
 2775      [Graham Leggett]
 2776 
 2777   *) mod_headers: Allow for format specifiers in the substitution string
 2778      when using Header edit. [Daniel Ruggeri]
 2779 
 2780   *) mod_dav: dav_resource->uri is treated as unencoded. This was an
 2781      unnecessary ABI changed introduced in 2.4.6. PR 55397.
 2782 
 2783   *) mod_dav: Don't require lock tokens for COPY source. PR 55306.
 2784 
 2785   *) core: Don't truncate output when sending is interrupted by a signal,
 2786      such as from an exiting CGI process. PR 55643. [Jeff Trawick]
 2787 
 2788   *) WinNT MPM: Exit the child if the parent process crashes or is terminated.
 2789      [Oracle Corporation]
 2790 
 2791   *) Windows: Correct failure to discard stderr in some error log
 2792      configurations.  (Error message AH00093)  [Jeff Trawick]
 2793 
 2794   *) mod_session_crypto: Allow using exec: calls to obtain session
 2795      encryption key.  [Daniel Ruggeri]
 2796 
 2797   *) core: Add missing Reason-Phrase in HTTP response headers.
 2798      PR 54946. [Rainer Jung]
 2799 
 2800   *) mod_rewrite: Make rewrite websocket-aware to allow proxying.
 2801      PR 55598. [Chris Harris <chris.harris kitware com>]
 2802 
 2803   *) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
 2804      instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]
 2805 
 2806   *) ab: Add wait time, fix processing time, and output write errors only if
 2807      they occurred. [Christophe Jaillet]
 2808 
 2809   *) worker MPM: Don't forcibly kill worker threads if the child process is
 2810      exiting gracefully.  [Oracle Corporation]
 2811 
 2812   *) core: apachectl -S prints wildcard name-based virtual hosts twice.
 2813      PR54948 [Eric Covener]
 2814 
 2815   *) mod_auth_basic: Add AuthBasicUseDigestAlgorithm directive to
 2816      allow migration of passwords from digest to basic authentication.
 2817      [Chris Darroch]
 2818 
 2819   *) ab: Add a new -l parameter in order not to check the length of the responses.
 2820      This can be useful with dynamic pages.
 2821      PR9945, PR27888, PR42040 [<ccikrs1 cranbrook edu>]
 2822 
 2823   *) Suppress formatting of startup messages written to the console when
 2824      ErrorLogFormat is used.  [Jeff Trawick]
 2825 
 2826   *) mod_auth_digest: Be more specific when the realm mismatches because the
 2827      realm has not been specified. [Graham Leggett]
 2828 
 2829   *) mod_proxy: Add a note in the balancer manager stating whether changes
 2830      will or will not be persisted and whether settings are inherited.
 2831      [Daniel Ruggeri, Jim Jagielski]
 2832 
 2833   *) core: Add util_fcgi.h and associated definitions and support
 2834      routines for FastCGI, based largely on mod_proxy_fcgi.
 2835      [Jeff Trawick]
 2836 
 2837   *) mod_headers: Add 'Header note header-name note-name' for copying a response
 2838      headers value into a note. [Eric Covener]
 2839 
 2840   *) mod_headers: Add 'setifempty' command to Header and RequestHeader.
 2841      [Eric Covener]
 2842 
 2843   *) mod_logio: new format-specifier %S (sum) which is the sum of received
 2844      and sent byte counts.
 2845      PR54015 [Christophe Jaillet]
 2846 
 2847   *) mod_deflate: Improve error detection when decompressing request bodies
 2848      with trailing garbage: handle case where trailing bytes are in
 2849      the same bucket. [Rainer Jung]
 2850 
 2851   *) mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663
 2852      from ERROR to DEBUG, since these modules do not know what mod_authz_core
 2853      is doing with their AUTHZ_DENIED return value. [Eric Covener]
 2854 
 2855   *) mod_ldap: add TRACE5 for LDAP retries. [Eric Covener]
 2856 
 2857   *) mod_ldap: retry on an LDAP timeout during authn. [Eric Covener]
 2858 
 2859   *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP
 2860      SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK
 2861      default, sans rebind authentication callback.
 2862      [Jan Kaluza <kaluze AT redhat.com>]
 2863 
 2864   *) core: Log a message at TRACE1 when the client aborts a connection.
 2865      [Eric Covener]
 2866 
 2867   *) WinNT MPM: Don't crash during child process initialization if the
 2868      Listen protocol is unrecognized.  [Jeff Trawick]
 2869 
 2870   *) modules: Fix some compiler warnings. [Guenter Knauf]
 2871 
 2872   *) Sync 2.4 and trunk
 2873        - Avoid some memory allocation and work when TRACE1 is not activated
 2874        - fix typo in include guard
 2875        - indent
 2876        - No need to lower the string before removing the path, it is just
 2877          a waste of time...
 2878        - Save a few cycles
 2879      [Christophe Jaillet <christophe.jaillet wanadoo.fr>]
 2880 
 2881   *) mod_filter: Add "change=no" as a proto-flag to FilterProtocol
 2882      to remove a providers initial flags set at registration time.
 2883      [Eric Covener]
 2884 
 2885   *) core, mod_ssl: Enable the ability for a module to reverse the sense of
 2886      a poll event from a read to a write or vice versa. This is a step on
 2887      the way to allow mod_ssl taking full advantage of the event MPM.
 2888      [Graham Leggett]
 2889 
 2890   *) Makefile.win: Install proper pcre DLL file during debug build install.
 2891      PR 55235.  [Ben Reser <ben reser org>]
 2892 
 2893   *) mod_ldap: Fix a potential memory leak or corruption.  PR 54936.
 2894      [Zhenbo Xu <zhenbo1987 gmail com>]
 2895 
 2896   *) ab: Fix potential buffer overflows when processing the T and X
 2897      command-line options.  PR 55360.
 2898      [Mike Rumph <mike.rumph oracle.com>]
 2899 
 2900   *) fcgistarter: Specify SO_REUSEADDR to allow starting a server
 2901      with old connections in TIME_WAIT.  [Jeff Trawick]
 2902 
 2903   *) core: Add open_htaccess hook which, in conjunction with dirwalk_stat
 2904      and post_perdir_config (introduced in 2.4.5), allows mpm-itk to be
 2905      used without patches to httpd core. [Stefan Fritsch]
 2906 
 2907   *) support/htdbm: fix processing of -t command line switch. Regression
 2908      introduced in 2.4.4
 2909      PR 55264 [Jo Rhett <jrhett netconsonance com>]
 2910 
 2911   *) mod_lua: add websocket support via r:wsupgrade, r:wswrite, r:wsread
 2912      and r:wsping. [Daniel Gruno]
 2913 
 2914   *) mod_lua: add support for writing/reading cookies via r:getcookie and
 2915      r:setcookie. [Daniel Gruno]
 2916 
 2917   *) mod_lua: If the first yield() of a LuaOutputFilter returns a string, it should
 2918      be prefixed to the response as documented. [Eric Covener]
 2919      Note: Not present in 2.4.7 CHANGES
 2920 
 2921   *) mod_lua: Remove ETAG, Content-Length, and Content-MD5 when a LuaOutputFilter
 2922      is configured without mod_filter. [Eric Covener]
 2923      Note: Not present in 2.4.7 CHANGES
 2924 
 2925   *) mod_lua: Register LuaOutputFilter scripts as changing the content and
 2926      content-length by default, when run my mod_filter.  Previously,
 2927      growing or shrinking a response that started with Content-Length set
 2928      would require mod_filter and FilterProtocol change=yes. [Eric Covener]
 2929      Note: Not present in 2.4.7 CHANGES
 2930 
 2931   *) mod_lua: Return a 500 error if a LuaHook* script doesn't return a
 2932      numeric return code. [Eric Covener]
 2933      Note: Not present in 2.4.7 CHANGES
 2934 
 2935 Changes with Apache 2.4.6
 2936 
 2937   *) Revert a broken fix for PR54948 that was applied to 2.4.5 (which was
 2938      not released) and found post-2.4.5 tagging.
 2939 
 2940 Changes with Apache 2.4.5
 2941 
 2942   *) SECURITY: CVE-2013-1896 (cve.mitre.org)
 2943      mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
 2944      the source href (sent as part of the request body as XML) pointing to a
 2945      URI that is not configured for DAV will trigger a segfault. [Ben Reser
 2946      <ben reser.org>]
 2947 
 2948   *) SECURITY: CVE-2013-2249 (cve.mitre.org)
 2949      mod_session_dbd: Make sure that dirty flag is respected when saving
 2950      sessions, and ensure the session ID is changed each time the session
 2951      changes. This changes the format of the updatesession SQL statement.
 2952      Existing configurations must be changed.
 2953      [Takashi Sato, Graham Leggett]
 2954 
 2955   *) mod_auth_basic: Add a generic mechanism to fake basic authentication
 2956      using the ap_expr parser. AuthBasicFake allows the administrator to
 2957      construct their own username and password for basic authentication based
 2958      on their needs. [Graham Leggett]
 2959 
 2960   *) mpm_event: Check that AsyncRequestWorkerFactor is not negative. PR 54254.
 2961      [Jackie Zhang <jackie qq zhang gmail com>]
 2962 
 2963   *) mod_proxy: Ensure we don't attempt to amend a table we are iterating
 2964      through, ensuring that all headers listed by Connection are removed.
 2965      [Graham Leggett, Co-Advisor <coad measurement-factory.com>]
 2966 
 2967   *) mod_proxy_http: Make the proxy-interim-response environment variable
 2968      effective by formally overriding origin server behaviour. [Graham
 2969      Leggett, Co-Advisor <coad measurement-factory.com>]
 2970 
 2971   *) mod_proxy: Fix seg-faults when using the global pool on threaded
 2972      MPMs [Thomas Eckert <thomas.r.w.eckert gmail.com>, Graham Leggett,
 2973      Jim Jagielski]
 2974 
 2975   *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive.
 2976      Gracefully step aside if the body size is zero. [Graham Leggett]
 2977 
 2978   *) mod_ssl: Fix possible truncation of OCSP responses when reading from the
 2979      server.  [Joe Orton]
 2980 
 2981   *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
 2982      on Linux kernel versions 3.x and above.  PR 55121.  [Bradley Heilbrun
 2983      <apache heilbrun.org>]
 2984 
 2985   *) mod_cache_socache: Make sure the CacheSocacheMaxSize directive is merged
 2986      correctly. [Jens Låås <jelaas gmail.com>]
 2987 
 2988   *) rotatelogs: add -n number-of-files option to rotate through a number
 2989      of fixed-name logfiles. [Eric Covener]
 2990 
 2991   *) mod_proxy: Support web-socket tunnels via mod_proxy_wstunnel.
 2992      [Jim Jagielski]
 2993 
 2994   *) mod_cache_socache: Use the name of the socache implementation when performing
 2995      a lookup rather than using the raw arguments. [Martin Ksellmann
 2996      <martin@ksellmann.de>]
 2997 
 2998   *) core: Add dirwalk_stat hook.  [Jeff Trawick]
 2999 
 3000   *) core: Add post_perdir_config hook.
 3001      [Steinar Gunderson <sgunderson bigfoot.com>]
 3002 
 3003   *) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
 3004      [Christophe Jaillet]
 3005 
 3006   *) mod_remoteip: close file in error path. [Christophe Jaillet]
 3007 
 3008   *) core: make the "default" parameter of the "ErrorDocument" option case
 3009      insensitive. PR 54419 [Tianyin Xu <tixu cs ucsd edu>]
 3010 
 3011   *) mod_proxy_html: make the "ProxyHTMLFixups" options case insensitive.
 3012      PR 54420 [Tianyin Xu <tixu cs ucsd edu>]
 3013 
 3014   *) mod_cache: Make option "CacheDisable" in mod_cache case insensitive.
 3015      PR 54462 [Tianyin Xu <tixu cs ucsd edu>]
 3016 
 3017   *) mod_cache: If a 304 response indicates an entity not currently cached, then
 3018      the cache MUST disregard the response and repeat the request without the
 3019      conditional. [Graham Leggett, Co-Advisor <coad measurement-factory.com>]
 3020 
 3021   *) mod_cache: Ensure that we don't attempt to replace a cached response
 3022      with an older response as per RFC2616 13.12. [Graham Leggett, Co-Advisor
 3023      <coad measurement-factory.com>]
 3024 
 3025   *) core, mod_cache: Ensure RFC2616 compliance in ap_meets_conditions()
 3026      with weak validation combined with If-Range and Range headers. Break
 3027      out explicit conditional header checks to be useable elsewhere in the
 3028      server. Ensure weak validation RFC compliance in the byteranges filter.
 3029      Ensure RFC validation compliance when serving cached entities. PR 16142
 3030      [Graham Leggett, Co-Advisor <coad measurement-factory.com>]
 3031 
 3032   *) core: Add the ability to do explicit matching on weak and strong ETags
 3033      as per RFC2616 Section 13.3.3. [Graham Leggett, Co-Advisor
 3034      <coad measurement-factory.com>]
 3035 
 3036   *) mod_cache: Ensure that updated responses to HEAD requests don't get
 3037      mistakenly paired with a previously cached body. Ensure that any existing
 3038      body is removed when a HEAD request is cached. [Graham Leggett,
 3039      Co-Advisor <coad measurement-factory.com>]
 3040 
 3041   *) mod_cache: Honour Cache-Control: no-store in a request. [Graham Leggett]
 3042 
 3043   *) mod_cache: Make sure that contradictory entity headers present in a 304
 3044      Not Modified response are caught and cause the entity to be removed.
 3045      [Graham Leggett]
 3046 
 3047   *) mod_cache: Make sure Vary processing handles multivalued Vary headers and
 3048      multivalued headers referred to via Vary. [Graham Leggett]
 3049 
 3050   *) mod_cache: When serving from cache, only the last header of a multivalued
 3051      header was taken into account. Fixed. Ensure that Warning headers are
 3052      correctly handled as per RFC2616. [Graham Leggett]
 3053 
 3054   *) mod_cache: Ignore response headers specified by no-cache=header and
 3055      private=header as specified by RFC2616 14.9.1 What is Cacheable. Ensure
 3056      that these headers are still processed when multiple Cache-Control
 3057      headers are present in the response. PR 54706 [Graham Leggett,
 3058      Yann Ylavic <ylavic.dev gmail.com>]
 3059 
 3060   *) mod_cache: Invalidate cached entities in response to RFC2616 Section
 3061      13.10 Invalidation After Updates or Deletions. PR 15868 [Graham
 3062      Leggett]
 3063 
 3064   *) mod_dav: Improve error handling in dav_method_put(), add new
 3065      dav_join_error() function.  PR 54145.  [Ben Reser <ben reser.org>]
 3066 
 3067   *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
 3068      PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
 3069 
 3070   *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
 3071      property on a resource for which there is no dead property in the same
 3072      namespace httpd segfaults. PR 52559 [Diego Santa Cruz
 3073      <diego.santaCruz spinetix.com>]
 3074 
 3075   *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
 3076      result in a 412 Precondition Failed for a COPY operation. PR54610
 3077      [Timothy Wood <tjw omnigroup.com>]
 3078 
 3079   *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
 3080      we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]
 3081 
 3082   *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive.
 3083      Gracefully step aside if the body size is zero. [Graham Leggett]
 3084 
 3085   *) 'AuthGroupFile' and 'AuthUserFile' do not accept anymore the optional
 3086      'standard' keyword . It was unused and not documented.
 3087      PR54463 [Tianyin Xu <tixu cs.ucsd.edu> and Christophe Jaillet]
 3088 
 3089   *) core: Do not over allocate memory within 'ap_rgetline_core' for
 3090      the common case. [Christophe Jaillet]
 3091 
 3092   *) core: speed up (for common cases) and reduce memory usage of
 3093      ap_escape_logitem(). This should save 70-100 bytes in the request
 3094      pool for a default config. [Christophe Jaillet]
 3095 
 3096   *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
 3097      [Timothy Wood <tjw omnigroup.com>]
 3098 
 3099   *) mod_proxy: Reject invalid values for Max-Forwards. [Graham Leggett,
 3100      Co-Advisor <coad measurement-factory.com>]
 3101 
 3102   *) mod_cache: RFC2616 14.9.3 The s-maxage directive also implies the
 3103      semantics of the proxy-revalidate directive. [Graham Leggett]
 3104 
 3105   *) mod_ssl: add support for subjectAltName-based host name checking
 3106      in proxy mode (SSLProxyCheckPeerName). PR 54030. [Kaspar Brand]
 3107 
 3108   *) core: Use the proper macro for HTTP/1.1. [Graham Leggett]
 3109 
 3110   *) event MPM: Provide error handling for ThreadStackSize. PR 54311
 3111      [Tianyin Xu <tixu cs.ucsd.edu>, Christophe Jaillet]
 3112 
 3113   *) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
 3114      PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
 3115 
 3116   *) core: Improve error message where client's request-line exceeds
 3117      LimitRequestLine. PR 54384 [Christophe Jaillet]
 3118 
 3119   *) mod_macro: New module that provides macros within configuration files.
 3120      [Fabien Coelho]
 3121 
 3122   *) mod_cache_socache: New cache implementation backed by mod_socache
 3123      that replaces mod_mem_cache known from httpd 2.2. [Graham
 3124      Leggett]
 3125 
 3126   *) htpasswd: Add -v option to verify a password. [Stefan Fritsch]
 3127 
 3128   *) mod_proxy: Add BalancerInherit and ProxyPassInherit to control
 3129      whether Proxy Balancers and Workers are inherited by vhosts
 3130      (default is On). [Jim Jagielski]
 3131 
 3132   *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
 3133      password.  [Daniel Ruggeri]
 3134 
 3135   *) Added balancer parameter failontimeout to allow server admin
 3136      to configure an IO timeout as an error in the balancer.
 3137      [Daniel Ruggeri]
 3138 
 3139   *) mod_auth_digest: Fix crashes if shm initialization failed. [Stefan
 3140      Fritsch]
 3141 
 3142   *) htpasswd, htdbm: Fix password generation. PR 54735. [Stefan Fritsch]
 3143 
 3144   *) core: Add workaround for gcc bug on sparc/64bit. PR 52900.
 3145      [Stefan Fritsch]
 3146 
 3147   *) mod_setenvif: Fix crash in case SetEnvif and SetEnvIfExpr are used
 3148      together. PR 54881. [Ruediger Pluem]
 3149 
 3150   *) htdigest: Fix buffer overflow when reading digest password file
 3151      with very long lines. PR 54893. [Rainer Jung]
 3152 
 3153   *) ap_expr: Add the ability to base64 encode and base64 decode
 3154      strings and to generate their SHA1 and MD5 hash.
 3155      [Graham Leggett, Stefan Fritsch]
 3156 
 3157   *) mod_log_config: Fix crash when logging request end time for a failed
 3158      request.  PR 54828 [Rainer Jung]
 3159 
 3160   *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
 3161      with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
 3162      [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
 3163 
 3164   *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
 3165      in the error log to debug level.  [William Rowe]
 3166 
 3167   *) mod_cache_disk: CacheMinFileSize and CacheMaxFileSize were always
 3168      using compiled in defaults of 1000000/1 respectively. [Eric Covener]
 3169 
 3170   *) mod_lbmethod_heartbeat, mod_heartmonitor: Respect DefaultRuntimeDir/
 3171      DEFAULT_REL_RUNTIMEDIR for the heartbeat storage file.  [Jeff Trawick]
 3172 
 3173   *) mod_include: Use new ap_expr for 'elif', like 'if',
 3174      if legacy parser is not specified.  PR 54548 [Tom Donovan]
 3175 
 3176   *) mod_lua: Add some new functions: r:htpassword(), r:mkdir(), r:mkrdir(),
 3177      r:rmdir(), r:touch(), r:get_direntries(), r.date_parse_rfc().
 3178      [Guenter Knauf]
 3179 
 3180   *) mod_lua: Add multipart form data handling. [Daniel Gruno]
 3181 
 3182   *) mod_lua: If a LuaMapHandler doesn't return any value, log a warning
 3183      and treat it as apache2.OK. [Eric Covener]
 3184 
 3185   *) mod_lua: Add bindings for apr_dbd/mod_dbd database access
 3186      [Daniel Gruno]
 3187 
 3188   *) mod_lua: Add LuaInputFilter/LuaOutputFilter for creating content
 3189      filters in Lua [Daniel Gruno]
 3190 
 3191   *) mod_lua: Allow scripts handled by the lua-script handler to return
 3192      a status code to the client (such as a 302 or a 500) [Daniel Gruno]
 3193 
 3194   *) mod_lua: Decline handling 'lua-script' if the file doesn't exist,
 3195      rather than throwing an internal server error. [Daniel Gruno]
 3196 
 3197   *) mod_lua: Add functions r:flush and r:sendfile as well as additional
 3198      request information to the request_rec structure. [Daniel Gruno]
 3199 
 3200   *) mod_lua: Add a server scope for Lua states, which creates a pool of
 3201      states with manageable minimum and maximum size. [Daniel Gruno]
 3202 
 3203   *) mod_lua: Add new directive, LuaMapHandler, for dynamically mapping
 3204      URIs to Lua scripts and functions using regular expressions.
 3205      [Daniel Gruno]
 3206 
 3207   *) mod_lua: Add new directive LuaCodeCache for controlling in-memory
 3208      caching of lua scripts. [Daniel Gruno]
 3209 
 3210 Changes with Apache 2.4.4
 3211 
 3212   *) SECURITY: CVE-2012-3499 (cve.mitre.org)
 3213      Various XSS flaws due to unescaped hostnames and URIs HTML output in
 3214      mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
 3215      [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
 3216 
 3217   *) SECURITY: CVE-2012-4558 (cve.mitre.org)
 3218      XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
 3219      Niels Heinen <heinenn google com>]
 3220 
 3221   *) mod_dir: Add support for the value 'disabled' in FallbackResource.
 3222      [Vincent Deffontaines]
 3223 
 3224   *) mod_proxy_connect: Don't keepalive the connection to the client if the
 3225      backend closes the connection. PR 54474. [Pavel Mateja <pavel netsafe cz>]
 3226 
 3227   *) mod_lua: Add bindings for mod_dbd/apr_dbd database access.
 3228      [Daniel Gruno]
 3229 
 3230   *) mod_proxy: Allow for persistence of local changes made via the
 3231      balancer-manager between graceful/normal restarts and power
 3232      cycles. [Jim Jagielski]
 3233 
 3234   *) mod_proxy: Fix startup crash with mis-defined balancers.
 3235      PR 52402. [Jim Jagielski]
 3236 
 3237   *) --with-module: Fix failure to integrate them into some existing
 3238      module directories.  PR 40097.  [Jeff Trawick]
 3239 
 3240   *) htcacheclean: Fix potential segfault if "-p" is omitted.  [Joe Orton]
 3241 
 3242   *) mod_proxy_http: Honour special value 0 (unlimited) of LimitRequestBody
 3243      PR 54435.  [Pavel Mateja <pavel netsafe.cz>]
 3244 
 3245   *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
 3246      [Rainer Jung]
 3247 
 3248   *) htcacheclean: Fix list options "-a" and "-A".
 3249      [Rainer Jung]
 3250 
 3251   *) mod_slotmem_shm: Fix mistaken reset of num_free for restored shm.
 3252      [Jim Jagielski]
 3253 
 3254   *) mod_proxy: non-existence of byrequests is not an immediate error.
 3255      [Jim Jagielski]
 3256 
 3257   *) mod_proxy_balancer: Improve output of balancer-manager (re: Drn,
 3258      Dis, Ign, Stby). PR 52478 [Danijel <dt-ng rbfh de>]
 3259 
 3260   *) configure: Fix processing of --disable-FEATURE for various features.
 3261      [Jeff Trawick]
 3262 
 3263   *) mod_dialup/mod_http: Prevent a crash in mod_dialup in case of internal
 3264      redirect. PR 52230.
 3265 
 3266   *) various modules, rotatelogs: Replace use of apr_file_write() with
 3267      apr_file_write_full() to prevent incomplete writes. PR 53131.
 3268      [Nicolas Viennot <apache viennot biz>, Stefan Fritsch]
 3269 
 3270   *) ab: Support socket timeout (-s timeout).
 3271      [Guido Serra <zeph fsfe org>]
 3272 
 3273   *) httxt2dbm: Correct length computation for the 'value' stored in the
 3274      DBM file. PR 47650 [jon buckybox com]
 3275 
 3276   *) core: Be more correct about rejecting directives that cannot work in <If>
 3277      sections. [Stefan Fritsch]
 3278 
 3279   *) core: Fix directives like LogLevel that need to know if they are invoked
 3280      at virtual host context or in Directory/Files/Location/If sections to
 3281      work properly in If sections that are not in a Directory/Files/Location.
 3282      [Stefan Fritsch]
 3283 
 3284   *) mod_xml2enc: Fix problems with charset conversion altering the
 3285      Content-Length. [Micha Lenk <micha lenk info>]
 3286 
 3287   *) ap_expr: Add req_novary function that allows HTTP header lookups
 3288      without adding the name to the Vary header. [Stefan Fritsch]
 3289 
 3290   *) mod_slotmem_*: Add in new fgrab() function which forces a grab and
 3291      slot allocation on a specified slot. Allow for clearing of inuse
 3292      array. [Jim Jagielski]
 3293 
 3294   *) mod_proxy_ftp: Fix segfaults on IPv4 requests to hosts with DNS
 3295      AAAA records. PR  40841. [Andrew Rucker Jones <arjones simultan
 3296      dyndns org>, <ast domdv de>, Jim Jagielski]
 3297 
 3298   *) mod_auth_form: Make sure that get_notes_auth() sets the user as does
 3299      get_form_auth() and get_session_auth(). Makes sure that REMOTE_USER
 3300      does not vanish during mod_include driven subrequests. [Graham
 3301      Leggett]
 3302 
 3303   *) mod_cache_disk: Resolve errors while revalidating disk-cached files on
 3304      Windows ("...rename tempfile to datafile failed..."). PR 38827
 3305      [Eric Covener]
 3306 
 3307   *) mod_proxy_balancer: Bring XML output up to date. [Jim Jagielski]
 3308 
 3309   *) htpasswd, htdbm: Optionally read passwords from stdin, as more
 3310      secure alternative to -b.  PR 40243. [Adomas Paltanavicius <adomas
 3311      paltanavicius gmail com>, Stefan Fritsch]
 3312 
 3313   *) htpasswd, htdbm: Add support for bcrypt algorithm (requires
 3314      apr-util 1.5 or higher). PR 49288. [Stefan Fritsch]
 3315 
 3316   *) htpasswd, htdbm: Put full 48bit of entropy into salt, improve
 3317      error handling. Add some of htpasswd's improvements to htdbm,
 3318      e.g. warn if password is truncated by crypt(). [Stefan Fritsch]
 3319 
 3320   *) mod_auth_form: Support the expr parser in the
 3321      AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and
 3322      AuthFormLogoutLocation directives. [Graham Leggett]
 3323 
 3324   *) mod_ssl: Add support for TLS-SRP (Secure Remote Password key exchange
 3325      for TLS, RFC 5054). PR 51075. [Quinn Slack <sqs cs stanford edu>,
 3326      Christophe Renou, Peter Sylvester]
 3327 
 3328   *) mod_rewrite: Stop mergeing RewriteBase down to subdirectories
 3329      unless new option 'RewriteOptions MergeBase' is configured.
 3330      PR 53963. [Eric Covener]
 3331 
 3332   *) mod_header: Allow for exposure of loadavg and server load using new
 3333      format specifiers %l, %i, %b [Jim Jagielski]
 3334 
 3335   *) core: Make ap_regcomp() return AP_REG_ESPACE if out of memory.  Make
 3336      ap_pregcomp() abort if out of memory. This raises the minimum PCRE
 3337      requirement to version 6.0. [Stefan Fritsch]
 3338 
 3339   *) mod_proxy: Add ability to configure the sticky session separator.
 3340      PR 53893. [<inu inusasha de>, Jim Jagielski]
 3341 
 3342   *) mod_dumpio: Correctly log large messages
 3343      PR 54179 [Marek Wianecki <mieszek2 interia pl>]
 3344 
 3345   *) core: Don't fail at startup with AH00554 when Include points to
 3346      a directory without any wildcard character. [Eric Covener]
 3347 
 3348   *) core: Fail startup if the argument to ServerTokens is unrecognized.
 3349      [Jackie Zhang  <jackie.qq.zhang gmail.com>]
 3350 
 3351   *) mod_log_forensic: Don't log a spurious "-" if a request has been rejected
 3352      before mod_log_forensic could attach its id to it. [Stefan Fritsch]
 3353 
 3354   *) rotatelogs: Omit the second argument for the first invocation of
 3355      a post-rotate program when -p is used, per the documentation.
 3356      [Joe Orton]
 3357 
 3358   *) mod_session_dbd: fix a segmentation fault in the function dbd_remove.
 3359      PR 53452. [<rebanerebane gmail com>, Reimo Rebane]
 3360 
 3361   *) core: Functions to provide server load values: ap_get_sload() and
 3362      ap_get_loadavg(). [Jim Jagielski, Jan Kaluza <jkaluza redhat.com>,
 3363      Jeff Trawick]
 3364 
 3365   *) mod_ldap: Fix regression in handling "server unavailable" errors on
 3366      Windows.  PR 54140.  [Eric Covener]
 3367 
 3368   *) syslog logging: Remove stray ", referer" at the end of some messages.
 3369      [Jeff Trawick]
 3370 
 3371   *) "Iterate" directives: Report an error if no arguments are provided.
 3372      [Jeff Trawick]
 3373 
 3374   *) mod_ssl: Change default for SSLCompression to off, as compression
 3375      causes security issues in most setups. (The so called "CRIME" attack).
 3376      [Stefan Fritsch]
 3377 
 3378   *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
 3379      to more accurately report the negotiated protocol. PR 53916.
 3380      [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
 3381 
 3382   *) core: ErrorDocument now works for requests without a Host header.
 3383      PR 48357.  [Jeff Trawick]
 3384 
 3385   *) prefork: Avoid logging harmless errors during graceful stop.
 3386      [Joe Orton, Jeff Trawick]
 3387 
 3388   *) mod_proxy: When concatting for PPR, avoid cases where we
 3389      concat ".../" and "/..." to create "...//..." [Jim Jagielski]
 3390 
 3391   *) mod_cache: Wrong content type and character set when
 3392      mod_cache serves stale content because of a proxy error.
 3393      PR 53539.  [Rainer Jung, Ruediger Pluem]
 3394 
 3395   *) mod_proxy_ajp: Fix crash in packet dump code when logging
 3396      with LogLevel trace7 or trace8.  PR 53730.  [Rainer Jung]
 3397 
 3398   *) httpd.conf: Removed the configuration directives setting a bad_DNT
 3399      environment introduced in 2.4.3. The actual directives are commented
 3400      out in the default conf file.
 3401 
 3402   *) core: Apply length limit when logging Status header values.
 3403      [Jeff Trawick, Chris Darroch]
 3404 
 3405   *) mod_proxy_balancer: The nonce is only derived from the UUID iff
 3406      not set via the 'nonce' balancer param. [Jim Jagielski]
 3407 
 3408   *) mod_ssl: Match wildcard SSL certificate names in proxy mode.
 3409      PR 53006.  [Joe Orton]
 3410 
 3411   *) Windows: Fix output of -M, -L, and similar command-line options
 3412      which display information about the server configuration.
 3413      [Jeff Trawick]
 3414 
 3415 Changes with Apache 2.4.3
 3416 
 3417   *) SECURITY: CVE-2012-3502  (cve.mitre.org)
 3418      mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
 3419      connection closing which could lead to privacy issues due
 3420      to a response mixup. PR 53727. [Rainer Jung]
 3421 
 3422   *) SECURITY: CVE-2012-2687 (cve.mitre.org)
 3423      mod_negotiation: Escape filenames in variant list to prevent a
 3424      possible XSS for a site where untrusted users can upload files to
 3425      a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
 3426 
 3427   *) mod_authnz_ldap: Don't try a potentially expensive nested groups
 3428      search before exhausting all AuthLDAPGroupAttribute checks on the
 3429      current group. PR 52464 [Eric Covener]
 3430 
 3431   *) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
 3432      authorization provider in lua. [Stefan Fritsch]
 3433 
 3434   *) core: Be less strict when checking whether Content-Type is set to
 3435      "application/x-www-form-urlencoded" when parsing POST data,
 3436      or we risk losing data with an appended charset. PR 53698
 3437      [Petter Berntsen <petterb gmail.com>]
 3438 
 3439   *) httpd.conf: Added configuration directives to set a bad_DNT environment
 3440      variable based on User-Agent and to remove the DNT header field from
 3441      incoming requests when a match occurs. This currently has the effect of
 3442      removing DNT from requests by MSIE 10.0 because it deliberately violates
 3443      the current specification of DNT semantics for HTTP. [Roy T. Fielding]
 3444 
 3445   *) mod_socache_shmcb: Fix bus error due to a misalignment
 3446      in some 32 bit builds, especially on Solaris Sparc.
 3447      PR 53040.  [Rainer Jung]
 3448 
 3449   *) mod_cache: Set content type in case we return stale content.
 3450      [Ruediger Pluem]
 3451 
 3452   *) Windows: Fix SSL failures on windows with AcceptFilter https none.
 3453      PR 52476.  [Jeff Trawick]
 3454 
 3455   *) ab: Fix read failure when targeting SSL server.  [Jeff Trawick]
 3456 
 3457   *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
 3458      - mod_auth_digest: shared memory file
 3459      [Jeff Trawick]
 3460 
 3461   *) htpasswd: Use correct file mode for checking if file is writable.
 3462      PR 45923. [Stefan Fritsch]
 3463 
 3464   *) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T.
 3465      <mi apache aldan algebra com>]
 3466 
 3467   *) mod_ssl: Add new directive SSLCompression to disable TLS-level
 3468      compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
 3469 
 3470   *) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
 3471      client_ip to match conn_rec. [Stefan Fritsch]
 3472 
 3473   *) mod_lua: Change prototype of vm_construct, to work around gcc bug which
 3474      causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>]
 3475 
 3476   *) mpm_event: Don't count connections in lingering close state when
 3477      calculating how many additional connections may be accepted.
 3478      [Stefan Fritsch]
 3479 
 3480   *) mod_ssl: If exiting during initialization because of a fatal error,
 3481      log a message to the main error log pointing to the appropriate
 3482      virtual host error log. [Stefan Fritsch]
 3483 
 3484   *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
 3485      one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]
 3486 
 3487   *) mod_proxy_balancer: Restore balancing after a failed worker has
 3488      recovered when using lbmethod_bybusyness.  PR 48735.  [Jeff Trawick]
 3489 
 3490   *) mod_setenvif: Compile some global regex only once during startup.
 3491      This should save some memory, especially with .htaccess.
 3492      [Stefan Fritsch]
 3493 
 3494   *) core: Add the port number to the vhost's name in the scoreboard.
 3495      [Stefan Fritsch]
 3496 
 3497   *) mod_proxy: Fix ProxyPassReverse for balancer configurations.
 3498      PR 45434.  [Joe Orton]
 3499 
 3500   *) mod_lua: Add the parsebody function for parsing POST data. PR 53064.
 3501      [Daniel Gruno]
 3502 
 3503   *) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS.
 3504      [Stefan Fritsch]
 3505 
 3506   *) mod_proxy: Fix memory leak or possible corruption in ProxyBlock
 3507      implementation.  [Ruediger Pluem, Joe Orton]
 3508 
 3509   *) mod_proxy: Check hostname from request URI against ProxyBlock list,
 3510      not forward proxy, if ProxyRemote* is configured.  [Joe Orton]
 3511 
 3512   *) mod_proxy_connect: Avoid DNS lookup on hostname from request URI
 3513      if ProxyRemote* is configured.  PR 43697.  [Joe Orton]
 3514 
 3515   *) mpm_event, mpm_worker: Remain active amidst prevalent child process
 3516      resource shortages.  [Jeff Trawick]
 3517 
 3518   *) Add "strict" and "warnings" pragmas to Perl scripts.  [Rich Bowen]
 3519 
 3520   *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
 3521      - core: the scoreboard (ScoreBoardFile), pid file (PidFile), and
 3522        mutexes (Mutex)
 3523      [Jim Jagielski]
 3524 
 3525   *) ab: Fix bind() errors.  [Joe Orton]
 3526 
 3527   *) mpm_event: Don't do a blocking write when starting a lingering close
 3528      from the listener thread. PR 52229. [Stefan Fritsch]
 3529 
 3530   *) mod_so: If a filename without slashes is specified for LoadFile or
 3531      LoadModule and the file cannot be found in the server root directory,
 3532      try to use the standard dlopen() search path. [Stefan Fritsch]
 3533 
 3534   *) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced
 3535      after child process resource shortages.  [Jeff Trawick]
 3536 
 3537   *) mpm_prefork: Reduce spawn rate after a child process exits due to
 3538      unexpected poll or accept failure.  [Jeff Trawick]
 3539 
 3540   *) core: Log value of Status header line in script responses rather
 3541      than the fixed header name.  [Chris Darroch]
 3542 
 3543   *) mod_ssl: Fix handling of empty response from OCSP server.
 3544      [Jim Meyering <meyering redhat.com>, Joe Orton]
 3545 
 3546   *) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch]
 3547 
 3548   *) mod_authz_core: If an expression in "Require expr" returns denied and
 3549      references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
 3550      [Stefan Fritsch]
 3551 
 3552   *) core: Always log if LimitRequestFieldSize triggers.  [Stefan Fritsch]
 3553 
 3554   *) mod_deflate: Skip compression if compression is enabled at SSL level.
 3555      [Stefan Fritsch]
 3556 
 3557   *) core: Add missing HTTP status codes registered with IANA.
 3558      [Julian Reschke <julian.reschke gmx.de>, Rainer Jung]
 3559 
 3560   *) mod_ldap: Treat the "server unavailable" condition as a transient
 3561      error with all LDAP SDKs.  [Filip Valder <filip.valder vsb.cz>]
 3562 
 3563   *) core: Fix spurious "not allowed here" error returned when the Options
 3564      directive is used in .htaccess and "AllowOverride Options" (with no
 3565      specific options restricted) is configured.  PR 53444. [Eric Covener]
 3566 
 3567   *) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
 3568      PR 53048. [Stefan Fritsch]
 3569 
 3570   *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
 3571      PR 53104. [Greg Ames]
 3572 
 3573   *) mod_ext_filter: Fix error_log spam when input filters are configured.
 3574      [Joe Orton]
 3575 
 3576   *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
 3577 
 3578   *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
 3579      [Paul Wouters <pwouters redhat.com>, Joe Orton]
 3580 
 3581   *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
 3582      the chosen listener is configured for https. [Joe Orton]
 3583 
 3584   *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
 3585      forwarding to SSL backends. PR 53134.
 3586      [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
 3587 
 3588   *) mod_info: Display all registered providers. [Stefan Fritsch]
 3589 
 3590   *) mod_ssl: Send the error message for speaking http to an https port using
 3591      HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
 3592      using SNI. PR 50823. [Stefan Fritsch]
 3593 
 3594   *) core: Fix segfault in logging if r->useragent_addr or c->client_addr is
 3595      unset. PR 53265. [Stefan Fritsch]
 3596 
 3597   *) log_server_status: Bring Perl style forward to the present, use
 3598      standard modules, update for new format of server-status output.
 3599      PR 45424. [Richard Bowen, Dave Brondsema, and others]
 3600 
 3601   *) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups.
 3602      [Joe Orton, André Malo]
 3603 
 3604   *) core: Prevent "httpd -k restart" from killing server in presence of
 3605      config error. [Joe Orton]
 3606 
 3607   *) mod_proxy_fcgi: If there is an error reading the headers from the
 3608      backend, send an error to the client. PR 52879. [Stefan Fritsch]
 3609 
 3610 Changes with Apache 2.4.2
 3611 
 3612   *) SECURITY: CVE-2012-0883 (cve.mitre.org)
 3613      envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
 3614      current working directory to be searched for DSOs. [Stefan Fritsch]
 3615 
 3616   *) mod_slotmem_shm: Honor DefaultRuntimeDir [Jim Jagielski]
 3617 
 3618   *) mod_ssl: Fix crash with threaded MPMs due to race condition when
 3619      initializing EC temporary keys. [Stefan Fritsch]
 3620 
 3621   *) mod_rewrite: Fix RewriteCond integer checks to be parsed correctly.
 3622      PR 53023. [Axel Reinhold <apache freakout.de>, André Malo]
 3623 
 3624   *) mod_proxy: Add the forcerecovery balancer parameter that determines if
 3625      recovery for balancer workers is enforced. [Ruediger Pluem]
 3626 
 3627   *) Fix MPM DSO load failure on AIX.  [Jeff Trawick]
 3628 
 3629   *) mod_proxy: Correctly set up reverse proxy worker. PR 52935.
 3630      [Petter Berntsen <petterb gmail.com>]
 3631 
 3632   *) mod_sed: Don't define PATH_MAX to a potentially undefined value, causing
 3633      compile problems on GNU hurd. [Stefan Fritsch]
 3634 
 3635   *) core: Add ap_runtime_dir_relative() and DefaultRuntimeDir.
 3636      [Jeff Trawick]
 3637 
 3638   *) core: Fix breakage of Listen directives with MPMs that use a
 3639      per-directory config. PR 52904. [Stefan Fritsch]
 3640 
 3641   *) core: Disallow directives in AllowOverrideList which are only allowed
 3642      in VirtualHost or server context. These are usually not prepared to be
 3643      called in .htaccess files. [Stefan Fritsch]
 3644 
 3645   *) core: In AllowOverrideList, do not allow 'None' together with other
 3646      directives. PR 52823. [Stefan Fritsch]
 3647 
 3648   *) mod_slotmem_shm: Support DEFAULT_REL_RUNTIMEDIR for file-based shm.
 3649      [Jim Jagielski]
 3650 
 3651   *) core: Fix merging of AllowOverrideList and ContentDigest.
 3652      [Stefan Fritsch]
 3653 
 3654   *) mod_request: Fix validation of the KeptBodySize argument so it
 3655      doesn't always throw a configuration error. PR 52981 [Eric Covener]
 3656 
 3657   *) core: Add filesystem paths to access denied / access failed messages
 3658      AH00035 and AH00036. [Eric Covener]
 3659 
 3660   *) mod_dumpio: Properly handle errors from subsequent input filters.
 3661      PR 52914. [Stefan Fritsch]
 3662 
 3663   *) Unix MPMs: Fix small memory leak in parent process if connect()
 3664      failed when waking up children.  [Joe Orton]
 3665 
 3666   *) "DirectoryIndex disabled" now undoes DirectoryIndex settings in
 3667      the current configuration section, not just previous config sections.
 3668      PR 52845. [Eric Covener]
 3669 
 3670   *) mod_xml2enc: Fix broken handling of EOS buckets which could lead to
 3671      response headers not being sent. PR 52766. [Stefan Fritsch]
 3672 
 3673   *) mod_ssl: Properly free the GENERAL_NAMEs. PR 32652. [Kaspar Brand]
 3674 
 3675   *) core: Check during config test that directories for the access
 3676      logs actually exist. PR 29941. [Stefan Fritsch]
 3677 
 3678   *) mod_xml2enc, mod_proxy_html: Enable per-module loglevels.
 3679      [Stefan Fritsch]
 3680 
 3681   *) mod_filter: Fix segfault with AddOutputFilterByType. PR 52755.
 3682      [Stefan Fritsch]
 3683 
 3684   *) mod_session: Sessions are encoded as application/x-www-form-urlencoded
 3685      strings, however we do not handle the encoding of spaces properly.
 3686      Fixed. [Graham Leggett]
 3687 
 3688   *) Configuration: Example in comment should use a path consistent
 3689      with the default configuration. PR 52715.
 3690      [Rich Bowen, Jens Schleusener, Rainer Jung]
 3691 
 3692   *) Configuration: Switch documentation links from trunk to 2.4.
 3693      [Rainer Jung]
 3694 
 3695   *) configure: Fix out of tree build using apr and apr-util in srclib.
 3696      [Rainer Jung]
 3697 
 3698 Changes with Apache 2.4.1
 3699 
 3700   *) SECURITY: CVE-2012-0053 (cve.mitre.org)
 3701      Fix an issue in error responses that could expose "httpOnly" cookies
 3702      when no custom ErrorDocument is specified for status code 400.
 3703      [Eric Covener]
 3704 
 3705   *) mod_proxy_balancer: Fix crash on Windows. PR 52402 [Mladen Turk]
 3706 
 3707   *) core: Check during configtest that the directories for error logs exist.
 3708      PR 29941 [Stefan Fritsch]
 3709 
 3710   *) Core configuration: add AllowOverride option to treat syntax
 3711      errors in .htaccess as non-fatal. PR 52439 [Nick Kew, Jim Jagielski]
 3712 
 3713   *) core: Fix memory consumption in core output filter with streaming
 3714      bucket types like CGI or PIPE.  [Joe Orton, Stefan Fritsch]
 3715 
 3716   *) configure: Disable modules at configure time if a prerequisite module
 3717      is not enabled. PR 52487. [Stefan Fritsch]
 3718 
 3719   *) Rewrite and proxy now decline what they don't support rather
 3720      than fail the request. [Joe Orton]
 3721 
 3722   *) Fix building against external apr plus apr-util if apr is not installed
 3723      in a system default path. [Rainer Jung]
 3724 
 3725   *) Doxygen fixes and improvements. [Joe Orton, Igor Galić]
 3726 
 3727   *) core: Fix building against PCRE 8.30 by switching from the obsolete
 3728      pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]
 3729 
 3730 Changes with Apache 2.4.0
 3731 
 3732   *) SECURITY: CVE-2012-0031 (cve.mitre.org)
 3733      Fix scoreboard issue which could allow an unprivileged child process
 3734      to cause the parent to crash at shutdown rather than terminate
 3735      cleanly.  [Joe Orton]
 3736 
 3737   *) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch]
 3738 
 3739   *) SECURITY: CVE-2012-0021 (cve.mitre.org)
 3740      mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
 3741      string is in use and a client sends a nameless, valueless cookie, causing
 3742      a denial of service. The issue existed since version 2.2.17 and 2.3.3.
 3743      PR 52256.  [Rainer Canavan <rainer-apache 7val com>]
 3744 
 3745   *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
 3746      control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive.
 3747      [Kaspar Brand]
 3748 
 3749   *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
 3750      or later, to improve binary compatibility with future OpenSSL releases.
 3751      [Kaspar Brand]
 3752 
 3753   *) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass,
 3754      but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime
 3755      behave identically in both cases. PR52342. [Graham Leggett]
 3756 
 3757   *) Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with
 3758      corresponding man pages. [Graham Leggett]
 3759 
 3760   *) Distinguish properly between the bindir and sbindir directories when
 3761      installing binaries. Previously all binaries were silently installed to
 3762      sbindir, whether they were system administration commands or not.
 3763      [Graham Leggett]
 3764 
 3765 Changes with Apache 2.3.16
 3766 
 3767   *) SECURITY: CVE-2011-4317 (cve.mitre.org)
 3768      Resolve additional cases of URL rewriting with ProxyPassMatch or
 3769      RewriteRule, where particular request-URIs could result in undesired
 3770      backend network exposure in some configurations.
 3771      [Joe Orton]
 3772 
 3773   *) core: Limit line length in .htaccess to 8K like in 2.2.x, to avoid
 3774      additional DoS potential. [Stefan Fritsch]
 3775 
 3776   *) core, all modules: Add unique tag to most error log messages. [Stefan
 3777      Fritsch]
 3778 
 3779   *) mod_socache_memcache: Change provider name from "mc" to "memcache" to
 3780      match module name. [Stefan Fritsch]
 3781 
 3782   *) mod_slotmem_shm: Change provider name from "shared" to "shm" to match
 3783      module name. [Stefan Fritsch]
 3784 
 3785   *) mod_ldap: Fix segfault with Solaris LDAP when enabling ldaps. This
 3786      requires an apr-util fix in which is available in apr-util >= 1.4.0.
 3787      PR 42682. [Stefan Fritsch]
 3788 
 3789   *) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible
 3790      for RewriteRules to be placed in .htaccess files that match the directory
 3791      with no trailing slash. PR 48304.
 3792      [Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>]
 3793 
 3794   *) mod_session_crypto: Add a SessionCryptoPassphraseFile directive so that
 3795      the administrator can hide the keys from the configuration. [Graham
 3796      Leggett]
 3797 
 3798   *) Introduce a per request version of the remote IP address, which can be
 3799      optionally modified by a module when the effective IP of the client
 3800      is not the same as the real IP of the client (such as a load balancer).
 3801      Introduce a per connection "peer_ip" and a per request "client_ip" to
 3802      distinguish between the raw IP address of the connection and the effective
 3803      IP address of the request. [Graham Leggett]
 3804 
 3805   *) ap_pass_brigade_fchk() function added. [Jim Jagielski]
 3806 
 3807   *) core: Pass ap_errorlog_info struct to error log hook. [Stefan Fritsch]
 3808 
 3809   *) mod_cache_disk: Make sure we check return codes on all writes and
 3810      attempts to close, and clean up after ourselves in these cases.
 3811      PR43589. [Graham Leggett]
 3812 
 3813   *) mod_cache_disk: Remove the unnecessary intermediate brigade while
 3814      writing to disk. Fixes a problem where mod_disk_cache was leaving
 3815      buckets in the intermediate brigade and not passing them to out on
 3816      exit. [Florian S. <f_los_ch yahoo.com>, Graham Leggett]
 3817 
 3818   *) mod_ssl: use a shorter setting for SSLCipherSuite in the default
 3819      default configuration file, and add some more information about
 3820      configuring a speed-optimized alternative.
 3821      [Kaspar Brand]
 3822 
 3823   *) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand]
 3824 
 3825   *) mod_lua: Stop losing track of all but the most specific LuaHook* directives
 3826      when multiple per-directory config sections are used.  Adds LuaInherit
 3827      directive to control how parent sections are merged.  [Eric Covener]
 3828 
 3829   *) Server directive display (-L): Include directives of DSOs.
 3830      [Jeff Trawick]
 3831 
 3832   *) mod_cache: Make sure we merge headers correctly when we handle a
 3833      non cacheable conditional response. PR52120. [Graham Leggett]
 3834 
 3835   *) Pre GA removal of components that will not be included:
 3836      - mod_noloris was superseded by mod_reqtimeout
 3837      - mod_serf
 3838      - mpm_simple
 3839      [Rainer Jung]
 3840 
 3841   *) core: Set MaxMemFree 2048 by default. [Stefan Fritsch]
 3842 
 3843   *) mpm_event: Fix assertion failure during very high load. [Stefan Fritsch]
 3844 
 3845   *) configure: Additional modules loaded by default: mod_headers.
 3846      Modules moved from module set "few" to "most" and no longer loaded
 3847      by default: mod_actions, mod_allowmethods, mod_auth_form, mod_buffer,
 3848      mod_cgi(d), mod_include, mod_negotiation, mod_ratelimit, mod_request,
 3849      mod_userdir. [Rainer Jung]
 3850 
 3851   *) mod_lua: Use the right lua scope when used as a hook. [Rainer Jung]
 3852 
 3853   *) configure: Only load the really imporant modules (i.e. those enabled by
 3854      the 'few' selection) by default. Don't handle modules enabled with
 3855      --enable-foo specially. [Stefan Fritsch]
 3856 
 3857   *) end-generation hook: Fix false notification of end-of-generation for
 3858      temporary intervals with no active MPM children.  [Jeff Trawick]
 3859 
 3860   *) mod_ssl: Add support for configuring persistent TLS session ticket
 3861      encryption/decryption keys (useful for clustered environments).
 3862      [Paul Querna, Kaspar Brand]
 3863 
 3864   *) mod_usertrack: Use random value instead of remote IP address.
 3865      [Stefan Fritsch]
 3866 
 3867 Changes with Apache 2.3.15
 3868 
 3869   *) SECURITY: CVE-2011-3348 (cve.mitre.org)
 3870      mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
 3871      recognized.  [Jean-Frederic Clere]
 3872 
 3873   *) SECURITY: CVE-2011-3192 (cve.mitre.org)
 3874      core: Fix handling of byte-range requests to use less memory, to avoid
 3875      denial of service. If the sum of all ranges in a request is larger than
 3876      the original file, ignore the ranges and send the complete file.
 3877      PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
 3878      <lowprio20 gmail.com>]
 3879 
 3880   *) SECURITY: CVE-2011-3607 (cve.mitre.org)
 3881      core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
 3882      with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]
 3883 
 3884   *) SECURITY: CVE-2011-3368 (cve.mitre.org)
 3885      Reject requests where the request-URI does not match the HTTP
 3886      specification, preventing unexpected expansion of target URLs in
 3887      some reverse proxy configurations.  [Joe Orton]
 3888 
 3889   *) configure: Load all modules in the generated default configuration
 3890      when using --enable-load-all-modules. [Rainer Jung]
 3891 
 3892   *) mod_reqtimeout: Change the default to set some reasonable timeout
 3893      values. [Stefan Fritsch]
 3894 
 3895   *) core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove
 3896      the inode. PR 49623. [Stefan Fritsch]
 3897 
 3898   *) mod_lua: Expose SSL variables via r:ssl_var_lookup().  [Eric Covener]
 3899 
 3900   *) mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName}
 3901      can now additionally be run as "early" or "late" relative to other modules.
 3902      [Eric Covener]
 3903 
 3904   *) configure: By default, only load those modules that are either required
 3905      or explicitly selected by a configure --enable-foo argument. The
 3906      LoadModule statements for modules enabled by --enable-mods-shared=most
 3907      and friends will be commented out. [Stefan Fritsch]
 3908 
 3909   *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and
 3910      LuaHookQuickHandler) from being configured in <Directory>, <Files>,
 3911      and htaccess where the configuration would have been ignored.
 3912      [Eric Covener]
 3913 
 3914   *) mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors
 3915      in LuaMapHandler scripts [Eric Covener]
 3916 
 3917   *) mod_log_debug: Rename optional argument from if= to expr=, to be more
 3918      in line with other config directives. [Stefan Fritsch]
 3919 
 3920   *) mod_headers: Require an expression to be specified with expr=, to be more
 3921      in line with other config directives. [Stefan Fritsch]
 3922 
 3923   *) mod_substitute: To prevent overboarding memory usage, limit line length
 3924      to 1MB. [Stefan Fritsch]
 3925 
 3926   *) mod_lua: Make the query string (r.args) writable. [Eric Covener]
 3927 
 3928   *) mod_include: Add support for application/x-www-form-urlencoded encoding
 3929      and decoding. [Graham Leggett]
 3930 
 3931   *) rotatelogs: Add -c option to force logfile creation in every rotation
 3932      interval, even if empty.  [Jan Kaluža <jkaluza redhat.com>]
 3933 
 3934   *) core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings.
 3935      [Stefan Fritsch]
 3936 
 3937   *) mod_session_crypto: Refactor to support the new apr_crypto API.
 3938      [Graham Leggett]
 3939 
 3940   *) http: Add missing Location header if local URL-path is used as
 3941      ErrorDocument for 30x. [Stefan Fritsch]
 3942 
 3943   *) mod_buffer: Make sure we step down for subrequests, but not for internal
 3944      redirects triggered by mod_rewrite. [Graham Leggett]
 3945 
 3946   *) mod_lua: add r:construct_url as a wrapper for ap_construct_url.
 3947      [Eric Covener]
 3948 
 3949   *) mod_remote_ip: Fix configuration of internal proxies. PR 49272.
 3950      [Jim Riggs <jim riggs me>]
 3951 
 3952   *) mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific
 3953      server IP endpoint and remote client IP upon connection.  [William Rowe]
 3954 
 3955   *) mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with
 3956      PeerExtList(). [Stefan Fritsch]
 3957 
 3958   *) mpm_prefork, mpm_worker, mpm_event: If a child is created just before
 3959      graceful restart and then exits because of a missing lock file, don't
 3960      shutdown the whole server. PR 39311. [Shawn Michael
 3961      <smichael rightnow com>]
 3962 
 3963   *) mpm_event: Check the return value from ap_run_create_connection.
 3964      PR 41194. [Davi Arnaut]
 3965 
 3966   *) mod_mime_magic: Add signatures for PNG and SWF to the example config.
 3967      PR 48352. [Jeremy Wagner-Kaiser <jwagner-kaiser adknowledge com>]
 3968 
 3969   *) core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items
 3970      from the parsed (or default) config. This is useful for init scripts that
 3971      need to setup temporary directories and permissions. [Stefan Fritsch]
 3972 
 3973   *) core, mod_actions, mod_asis: Downgrade error log messages which accompany
 3974      a 404 request status from loglevel error to info. PR 35768. [Stefan
 3975      Fritsch]
 3976 
 3977   *) core: Fix hook sorting with Perl modules. PR 45076. [Torsten Foertsch
 3978      <torsten foertsch gmx net>]
 3979 
 3980   *) core: Enforce LimitRequestFieldSize after multiple headers with the same
 3981      name have been merged. [Stefan Fritsch]
 3982 
 3983   *) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory
 3984      usage.  PR 51618. [Cristian Rodríguez <crrodriguez opensuse org>,
 3985      Stefan Fritsch]
 3986 
 3987   *) mod_ssl: At startup, when checking a server certificate whether it
 3988      matches the configured ServerName, also take dNSName entries in the
 3989      subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand]
 3990 
 3991   *) mod_substitute: Reduce memory usage and copying of data. PR 50559.
 3992      [Stefan Fritsch]
 3993 
 3994   *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
 3995      [Kaspar Brand]
 3996 
 3997   *) Add wrappers for malloc, calloc, realloc that check for out of memory
 3998      situations and use them in many places. PR 51568, PR 51569, PR 51571.
 3999      [Stefan Fritsch]
 4000 
 4001   *) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is
 4002      false but RLIMIT_* are defined.  PR51371. [Eric Covener]
 4003 
 4004   *) core: Correctly obey ServerName / ServerAlias if the Host header from the
 4005      request matches the VirtualHost address.
 4006      PR 51709. [Micha Lenk <micha lenk.info>]
 4007 
 4008   *) mod_unique_id: Use random number generator to initialize counter.
 4009      PR 45110. [Stefan Fritsch]
 4010 
 4011   *) core: Add convenience API for apr_random. [Stefan Fritsch]
 4012 
 4013   *) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control
 4014      the number of overlapping and reversing ranges (respectively) permitted
 4015      before returning the entire resource, with a default limit of 20.
 4016      [Jim Jagielski]
 4017 
 4018   *) mod_ldap: Optional function uldap_ssl_supported(r) always returned false
 4019      if called from a virtual host with mod_ldap directives in it.  Did not
 4020      affect mod_authnz_ldap's usage of mod_ldap.  [Eric Covener]
 4021 
 4022   *) mod_filter: Instead of dropping the Accept-Ranges header when a filter
 4023      registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
 4024      set the header value to "none". [Eric Covener, Ruediger Pluem]
 4025 
 4026   *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
 4027      in the case Ranges are being ignored with MaxRanges none.
 4028      [Eric Covener]
 4029 
 4030   *) mod_ssl: revamp CRL-based revocation checking when validating
 4031      certificates of clients or proxied servers. Completely delegate
 4032      CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck
 4033      directive for controlling the revocation checking mode. [Kaspar Brand]
 4034 
 4035   *) core: Add MaxRanges directive to control the number of ranges permitted
 4036      before returning the entire resource, with a default limit of 200.
 4037      [Eric Covener]
 4038 
 4039   *) mod_cache: Ensure that CacheDisable can correctly appear within
 4040      a LocationMatch. [Graham Leggett]
 4041 
 4042   *) mod_cache: Fix the moving of the CACHE filter, which erroneously
 4043      stood down if the original filter was not added by configuration.
 4044      [Graham Leggett]
 4045 
 4046   *) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]
 4047 
 4048   *) mod_authz_groupfile: Increase length limit of lines in the group file to
 4049      16MB. PR 43084. [Stefan Fritsch]
 4050 
 4051   *) core: Increase length limit of lines in the configuration file to 16MB.
 4052      PR 45888. PR 50824. [Stefan Fritsch]
 4053 
 4054   *) core: Add API for resizable buffers. [Stefan Fritsch]
 4055 
 4056   *) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have
 4057      LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such
 4058      as Tivoli Directory Server 6.3 and later. [Eric Covener]
 4059 
 4060   *) mod_ldap: Change default number of retries from 10 to 3, and add
 4061      an LDAPRetries and LDAPRetryDelay directives. [Eric Covener]
 4062 
 4063   *) mod_authnz_ldap: Don't retry during authentication, because this just
 4064      multiplies the ample retries already being done by mod_ldap. [Eric Covener]
 4065 
 4066   *) configure: Allow to explicitly disable modules even with module selection
 4067      'reallyall'. [Stefan Fritsch]
 4068 
 4069   *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
 4070      RewriteEngine is disabled in server context, avoiding a crash while
 4071      referencing the invalid int: map at runtime. PR 50994.
 4072      [Ben Noordhuis <info noordhuis nl>]
 4073 
 4074   *) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]
 4075 
 4076   *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
 4077 
 4078   *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
 4079      [Kaspar Brand]
 4080 
 4081   *) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the
 4082      cookie is set when modules such as mod_rewrite trigger a redirect. Also
 4083      use r->err_headers_out for the cookie, for the same reason.  PR29755.
 4084      [Sami J. Mäkinen <sjm almamedia fi>, Eric Covener]
 4085 
 4086   *) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and
 4087      'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch]
 4088 
 4089   *) configure: Enable ldap modules in 'all' and 'most' selections if ldap
 4090      is compiled into apr-util. [Stefan Fritsch]
 4091 
 4092   *) core: Add ap_check_cmd_context()-check if a command is executed in
 4093      .htaccess file. [Stefan Fritsch]
 4094 
 4095   *) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.
 4096      [Torsten Foertsch <torsten foertsch gmx net>]
 4097 
 4098   *) mod_authn_socache: Fix to work in .htaccess if not configured anywhere
 4099      in httpd.conf, and introduce an AuthnCacheEnable directive.
 4100      PR 51991 [Nick Kew]
 4101 
 4102   *) mod_xml2enc: new (formerly third-party) module supporting
 4103      internationalisation for filters via smart charset sniffing
 4104      and conversion. [Nick Kew]
 4105 
 4106   *) mod_proxy_html: new (formerly third-party) module to fix up
 4107      HTML links in a reverse proxy situation, where a backend
 4108      generates URLs that are not resolvable by Clients. [Nick Kew]
 4109 
 4110 Changes with Apache 2.3.14
 4111 
 4112   *) mod_proxy_ajp: Improve trace logging.  [Rainer Jung]
 4113 
 4114   *) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets.
 4115      [Rainer Jung]
 4116 
 4117   *) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse,
 4118      e.g. to reverse proxy "Location: https://other-internal-server/login"
 4119      [Nick Kew]
 4120 
 4121   *) prefork, worker, event: Make sure crashes are logged to the error log if
 4122      httpd has already detached from the console. [Stefan Fritsch]
 4123 
 4124   *) prefork, worker, event: Reduce period during startup/restart where a
 4125      successive signal may be lost. PR 43696. [Arun Bhalla <arun shme net>]
 4126 
 4127   *) mod_allowmethods: Correct Merging of "reset" and do not allow an
 4128      empty parameter list for the AllowMethods directive. [Rainer Jung]
 4129 
 4130   *) configure: Update selection of modules for 'all' and 'most'. 'all' will
 4131      now enable all modules except for example and test modules. Make the
 4132      selection for 'most' more useful (including ssl and proxy). Both 'all'
 4133      and 'most' will now disable modules if dependencies are missing instead
 4134      of aborting. If a specific module is requested with --enable-XXX=yes,
 4135      missing dependencies will still cause configure to exit with an error.
 4136      [Stefan Fritsch]
 4137 
 4138   *) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done
 4139      in 2.3.13. [Stefan Fritsch]
 4140 
 4141   *) core: For '*' or '_default_' vhosts, use a wildcard address of any
 4142      address family, rather than IPv4 only.  [Joe Orton]
 4143 
 4144   *) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable
 4145      include [ ] for literal IPv6 addresses, as mandated by RFC 3875.
 4146      PR 26005. [Stefan Fritsch]
 4147 
 4148   *) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203.
 4149      [Nagae Hidetake <nagae eagan jp>]
 4150 
 4151   *) core: Add more logging to ap_scan_script_header_err* functions. Add
 4152      ap_scan_script_header_err*_ex functions that take a module index for
 4153      logging.
 4154      mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the
 4155      new functions in order to make logging configurable per-module.
 4156      [Stefan Fritsch]
 4157 
 4158   *) mod_dir: Add DirectoryIndexRedirect to send an external redirect to
 4159      the proper index.  [Eric Covener]
 4160 
 4161   *) mod_deflate: Don't try to compress requests with a zero sized body.
 4162      PR 51350. [Stefan Fritsch]
 4163 
 4164   *) core: Fix startup on IPv6-only systems. PR 50592. [Joe Orton,
 4165      <root linkage white-void net>]
 4166 
 4167   *) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX,
 4168      REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the
 4169      whitelist in suexec. PR 51499. [Graham Laverty <graham reg ca>,
 4170      Stefan Fritsch]
 4171 
 4172   *) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch]
 4173 
 4174   *) mod_log_debug: New module that allows to log custom messages at various
 4175      phases in the request processing. [Stefan Fritsch]
 4176 
 4177   *) mod_ssl: Add some debug logging when loading server certificates.
 4178      PR 37912. [Nick Burch <nick burch alfresco com>]
 4179 
 4180   *) configure: Support reallyall option also for --enable-mods-static.
 4181      [Rainer Jung]
 4182 
 4183   *) mod_socache_dc: add --with-distcache to configure for choosing
 4184      the distcache installation directory. [Rainer Jung]
 4185 
 4186   *) mod_socache_dc: use correct build variable MOD_SOCACHE_DC_LDADD
 4187      instead of MOD_SOCACHE_LDADD in build macro. [Rainer Jung]
 4188 
 4189   *) mod_lua, mod_deflate: respect platform specific runpath linker
 4190      flag. [Rainer Jung]
 4191 
 4192   *) configure: Only link the httpd binary against PCRE. No other support
 4193      binary needs PCRE. [Rainer Jung]
 4194 
 4195   *) configure: tolerate dependency checking failures for modules if
 4196      they have been enabled implicitly. [Rainer Jung]
 4197 
 4198   *) configure: Allow to specify module specific custom linker flags via
 4199      the MOD_XXX_LDADD variables. [Rainer Jung]
 4200 
 4201 Changes with Apache 2.3.13
 4202 
 4203   *) ab: Support specifying the local address to use. PR 48930.
 4204      [Peter Schuller <scode spotify com>]
 4205 
 4206   *) core: Add support to ErrorLogFormat for logging the system unique
 4207      thread id under Linux. [Stefan Fritsch]
 4208 
 4209   *) event: New AsyncRequestWorkerFactor directive to influence how many
 4210      connections will be accepted per process. [Stefan Fritsch]
 4211 
 4212   *) prefork, worker, event: Rename MaxClients to MaxRequestWorkers which
 4213      describes more accurately what it does. [Stefan Fritsch]
 4214 
 4215   *) rotatelogs: Add -p argument to specify custom program to invoke
 4216      after a log rotation.  PR 51285. [Sven Ulland <sveniu ifi.uio.no>,
 4217      Joe Orton]
 4218 
 4219   *) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand]
 4220 
 4221   *) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0.
 4222      PR 48215. [Kaspar Brand]
 4223 
 4224   *) mod_status: Display information about asynchronous connections in the
 4225      server-status. PR 44377. [Stefan Fritsch]
 4226 
 4227   *) mpm_event: If the number of connections of a process is very high, or if
 4228      all workers are busy, don't accept new connections in that process.
 4229      [Stefan Fritsch]
 4230 
 4231   *) mpm_event: Process lingering close asynchronously instead of tying up
 4232      worker threads. [Jeff Trawick, Stefan Fritsch]
 4233 
 4234   *) mpm_event: If MaxMemFree is set, limit the number of pools that is kept
 4235      around. [Stefan Fritsch]
 4236 
 4237   *) mpm_event: Fix graceful restart aborting connections. PR 43359.
 4238      [Takashi Sato <takashi lans-tv com>]
 4239 
 4240   *) mod_ssl: Disable AECDH ciphers in example config. PR 51363.
 4241      [Rob Stradling <rob comodo com>]
 4242 
 4243   *) core: Introduce new function ap_get_conn_socket() to access the socket of
 4244      a connection. [Stefan Fritsch]
 4245 
 4246   *) mod_data: Introduce a filter to support RFC2397 data URLs. [Graham
 4247      Leggett]
 4248 
 4249   *) mod_userdir/mod_alias/mod_vhost_alias: Correctly set DOCUMENT_ROOT,
 4250      CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX. PR 26052. PR 46198.
 4251      [Stefan Fritsch]
 4252 
 4253   *) core: Allow to override document_root on a per-request basis. Introduce
 4254      new context_document_root and context_prefix which provide information
 4255      about non-global URI-to-directory mappings (from e.g. mod_userdir or
 4256      mod_alias) to scripts. PR 49705. [Stefan Fritsch]
 4257 
 4258   *) core: Add <ElseIf> and <Else> to complement <If> sections.
 4259      [Stefan Fritsch]
 4260 
 4261   *) mod_ext_filter: Remove DebugLevel option in favor of per-module loglevel.
 4262      [Stefan Fritsch]
 4263 
 4264   *) mod_include: Make the "#if expr" element use the new "ap_expr" expression
 4265      parser. The old parser can still be used by setting the new directive
 4266      SSILegacyExprParser. [Stefan Fritsch]
 4267 
 4268   *) core: Add some features to ap_expr for use by mod_include: a restricted
 4269      mode that does not allow to bypass request access restrictions; new
 4270      variables DOCUMENT_URI (alias for REQUEST_URI), LAST_MODIFIED; -A as an
 4271      alias for -U; an additional data entry in ap_expr_eval_ctx_t for use by
 4272      the consumer; an extensible ap_expr_exec_ctx() API that allows to use that
 4273      data entry. [Stefan Fritsch]
 4274 
 4275   *) mod_include: Merge directory configs instead of one SSI* config directive
 4276      causing all other per-directory SSI* config directives to be reset.
 4277      [Stefan Fritsch]
 4278 
 4279   *) mod_charset_lite: Remove DebugLevel option in favour of per-module
 4280      loglevel. [Stefan Fritsch]
 4281 
 4282   *) core: Add ap_regexec_len() function that works with non-null-terminated
 4283      strings. PR 51231. [Yehezkel Horowitz <horowity checkpoint com>]
 4284 
 4285   *) mod_authnz_ldap: If the LDAP server returns constraint violation,
 4286      don't treat this as an error but as "auth denied". [Stefan Fritsch]
 4287 
 4288   *) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO
 4289      for SCGI/FCGI. PR 50880, 50851. [Mark Montague <mark catseye.org>,
 4290      Jim Jagielski]
 4291 
 4292   *) mod_cache: When content is served stale, and there is no means to
 4293      revalidate the content using ETag or Last-Modified, and we have
 4294      mandated no stale-on-error behaviour, stand down and don't cache.
 4295      Saves a cache write that will never be read.
 4296      [Graham Leggett]
 4297 
 4298   *) mod_reqtimeout: Fix a timed out connection going into the keep-alive
 4299      state after a timeout when discarding a request body. PR 51103.
 4300      [Stefan Fritsch]
 4301 
 4302   *) core: Add various file existence test operators to ap_expr.
 4303      [Stefan Fritsch]
 4304 
 4305   *) mod_proxy_express: New mass reverse-proxy switch extension for
 4306      mod_proxy. [Jim Jagielski]
 4307 
 4308   *) configure: Fix script error when configuring module set "reallyall".
 4309      [Rainer Jung]
 4310 
 4311 Changes with Apache 2.3.12
 4312 
 4313   *) configure, core: Provide easier support for APR's hook probe
 4314      capability. [Jim Jagielski, Jeff Trawick]
 4315 
 4316   *) Silence autoconf 2.68 warnings.  [Rainer Jung]
 4317 
 4318   *) mod_authnz_ldap: Resolve crash when LDAP is used for authorization only
 4319      [Scott Hill <shill genscape.com>]
 4320 
 4321   *) support: Make sure check_forensic works with mod_unique_id loaded
 4322      [Joe Schaefer]
 4323 
 4324   *) Add child_status hook for tracking creation/termination of MPM child
 4325      processes.  Add end_generation hook for notification when the last
 4326      MPM child of a generation exits. [Jeff Trawick]
 4327 
 4328   *) mod_ldap: Make LDAPSharedCacheSize 0 create a non-shared-memory cache per
 4329      process as opposed to disabling caching completely. This allows to use
 4330      the non-shared-memory cache as a workaround for the shared memory cache
 4331      not being available during graceful restarts. PR 48958. [Stefan Fritsch]
 4332 
 4333   *) Add new ap_reserve_module_slots/ap_reserve_module_slots_directive API,
 4334      necessary if a module (like mod_perl) registers additional modules late
 4335      in the startup phase. [Stefan Fritsch]
 4336 
 4337   *) core: Prevent segfault if DYNAMIC_MODULE_LIMIT is reached. PR 51072.
 4338      [Torsten Förtsch <torsten foertsch gmx net>]
 4339 
 4340   *) WinNT MPM: Improve robustness under heavy load.  [Jeff Trawick]
 4341 
 4342   *) MinGW build improvements.  PR 49535.  [John Vandenberg
 4343      <jayvdb gmail.com>, Jeff Trawick]
 4344 
 4345   *) core: Support module names with colons in loglevel configuration.
 4346      [Torsten Förtsch <torsten foertsch gmx net>]
 4347 
 4348   *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
 4349      [Stefan Fritsch]
 4350 
 4351   *) core: Abort if the MPM is changed across restart.  [Jeff Trawick]
 4352 
 4353   *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
 4354      [Peter Pramberger <peter pramberger.at>, Jim Jagielski]
 4355 
 4356   *) mod_proxy_fcgi: Add support for 'ProxyErrorOverride on'. PR 50913.
 4357      [Mark Montague <mark catseye.org>, Jim Jagielski]
 4358 
 4359   *) core: Change the APIs of ap_cfg_getline() and ap_cfg_getc() to return an
 4360      error code. Abort with a nice error message if a config line is too long.
 4361      Partial fix for PR 50824. [Stefan Fritsch]
 4362 
 4363   *) mod_info: Dump config to stdout during startup if -DDUMP_CONFIG is
 4364      specified. PR 31956. [Stefan Fritsch]
 4365 
 4366   *) Restore visibility of DEFAULT_PIDLOG to core and modules.  MPM
 4367      helper function ap_remove_pid() added.  [Jeff Trawick]
 4368 
 4369   *) Enable DEFAULT_REL_RUNTIMEDIR on Windows and NetWare.  [various]
 4370 
 4371   *) Correct C++ incompatibility with http_log.h.  [Stefan Fritsch, Jeff
 4372      Trawick]
 4373 
 4374   *) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch
 4375      <torsten.foertsch gmx.net>]
 4376 
 4377   *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
 4378      in request URL path info but not decode them. Change behavior of option
 4379      "On" to decode the encoded slashes as 2.0 and 2.2 do.  PR 35256,
 4380      PR 46830.  [Dan Poirier]
 4381 
 4382   *) mod_ssl: Check SNI hostname against Host header case-insensitively.
 4383      PR 49491.  [Mayank Agrawal <magrawal.08 gmail.com>]
 4384 
 4385   *) mod_ldap: Add LDAPConnectionPoolTTL to give control over lifetime
 4386      of bound backend LDAP connections.  PR47634 [Eric Covener]
 4387 
 4388   *) mod_cache: Make CacheEnable and CacheDisable configurable per
 4389      directory in addition to per server, making them work from within
 4390      a LocationMatch. [Graham Leggett]
 4391 
 4392   *) worker, event, prefork: Correct several issues when built as
 4393      DSOs; most notably, the scoreboard was reinitialized during graceful
 4394      restart, such that processes of the previous generation were not
 4395      observable.  [Jeff Trawick]
 4396 
 4397 Changes with Apache 2.3.11
 4398 
 4399   *) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
 4400      Win32's cscript interpreter can only use a single quote as comment char.
 4401      [Guenter Knauf]
 4402 
 4403   *) mod_proxy: balancer-manager now uses POST instead of GET.
 4404      [Jim Jagielski]
 4405 
 4406   *) core: new util function: ap_parse_form_data(). Previously,
 4407      this capability was tucked away in mod_request. [Jim Jagielski]
 4408 
 4409   *) core: new hook: ap_run_pre_read_request. [Jim Jagielski]
 4410 
 4411   *) modules: Fix many modules that were not correctly initializing if they
 4412      were not active during server startup but got enabled later during a
 4413      graceful restart. [Stefan Fritsch]
 4414 
 4415   *) core: Create new ap_state_query function that allows modules to determine
 4416      if the current configuration run is the initial one at server startup,
 4417      and if the server is started for testing/config dumping only.
 4418      [Stefan Fritsch]
 4419 
 4420   *) mod_proxy: Runtime configuration of many parameters for existing
 4421      balancers via the balancer-manager. [Jim Jagielski]
 4422 
 4423   *) mod_proxy: Runtime addition of new workers (BalancerMember) for existing
 4424      balancers via the balancer-manager. [Jim Jagielski]
 4425 
 4426   *) mod_cache: When a bad Expires date is present, we need to behave as if
 4427      the Expires is in the past, not as if the Expires is missing. PR 16521.
 4428      [Co-Advisor <coad measurement-factory.com>]
 4429 
 4430   *) mod_cache: We must ignore quoted-string values that appear in a
 4431      Cache-Control header. PR 50199. [Graham Leggett]
 4432 
 4433   *) mod_dav: Revert change to send 501 error if unknown Content-* header is
 4434     received for a PUT request. PR 42978. [Stefan Fritsch]
 4435 
 4436   *) mod_cache: Respect s-maxage as described by RFC2616 14.9.3, which must
 4437      take precedence if present. PR 35247. [Graham Leggett]
 4438 
 4439   *) mod_ssl: Fix a possible startup failure if multiple SSL vhosts
 4440      are configured with the same ServerName and private key file.
 4441      [Masahiro Matsuya <mmatsuya redhat.com>, Joe Orton]
 4442 
 4443   *) mod_socache_dc: Make module compile by fixing some typos.
 4444      PR 50735 [Mark Montague <mark catseye.org>]
 4445 
 4446   *) prefork: Update MPM state in children during a graceful stop or
 4447      restart.  PR 41743.  [Andrew Punch <andrew.punch 247realmedia.com>]
 4448 
 4449   *) mod_mime: Ignore leading dots when looking for mime extensions.
 4450      PR 50434 [Stefan Fritsch]
 4451 
 4452   *) core: Add support to set variables with the 'Define' directive. The
 4453      variables that can then be used in the config using the ${VAR} syntax
 4454      known from envvar interpolation. [Stefan Fritsch]
 4455 
 4456   *) mod_proxy_http: make adding of X-Forwarded-* headers configurable.
 4457      ProxyAddHeaders defaults to On. [Vincent Deffontaines]
 4458 
 4459   *) mod_slotmem_shm: Increase memory alignment for slotmem data.
 4460      [Rainer Jung]
 4461 
 4462   *) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout,
 4463      SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew.
 4464      [Kaspar Brand <httpd-dev.2011 velox.ch>]
 4465 
 4466   *) mod_ssl: Revamp output buffering to reduce network overhead for
 4467      output fragmented into many buckets, such as chunked HTTP responses.
 4468      [Joe Orton]
 4469 
 4470   *) core: Apply <If> sections to all requests, not only to file base requests.
 4471      Allow to use <If> inside <Directory>, <Location>, and <Files> sections.
 4472      The merging of <If> sections now happens after the merging of <Location>
 4473      sections, even if an <If> section is embedded inside a <Directory> or
 4474      <Files> section.  [Stefan Fritsch]
 4475 
 4476   *) mod_proxy: Refactor usage of shared data by dropping the scoreboard
 4477      and using slotmem. Create foundation for dynamic growth/changes of
 4478      members within a balancer. Remove BalancerNonce in favor of a
 4479      per-balancer 'nonce' parameter. [Jim Jagielski]
 4480 
 4481   *) mod_status: Don't show slots which are disabled by MaxClients as open.
 4482      PR 47022 [Jordi Prats <jordi prats gmail com>, Stefan Fritsch]
 4483 
 4484   *) mpm_prefork: Fix ap_mpm_query results for AP_MPMQ_MAX_DAEMONS and
 4485      AP_MPMQ_MAX_THREADS.
 4486 
 4487   *) mod_authz_core: Fix bug in merging logic if user-based and non-user-based
 4488      authorization directives were mixed. [Stefan Fritsch]
 4489 
 4490   *) mod_authn_socache: change directive name from AuthnCacheProvider
 4491      to AuthnCacheProvideFor.  The term "provider" is overloaded in
 4492      this module, and we should avoid confusion between the provider
 4493      of a backend (AuthnCacheSOCache) and the authn provider(s) for
 4494      which this module provides cacheing (AuthnCacheProvideFor).
 4495      [Nick Kew]
 4496 
 4497   *) mod_proxy_http: Allocate the fake backend request from a child pool
 4498      of the backend connection, instead of misusing the pool of the frontend
 4499      request. Fixes a thread safety issue where buckets set aside in the
 4500      backend connection leak into other threads, and then disappear when
 4501      the frontend request is cleaned up, in turn causing corrupted buckets
 4502      to make other threads spin. [Graham Leggett]
 4503 
 4504   *) mod_ssl: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
 4505      to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
 4506      escape other special characters with backslashes. The old format can
 4507      still be used with the LegacyDNStringFormat argument to SSLOptions.
 4508 
 4509   *) core, mod_rewrite: Make the REQUEST_SCHEME variable available to
 4510      scripts and mod_rewrite. [Stefan Fritsch]
 4511 
 4512   *) mod_rewrite: Allow to use arbitrary boolean expressions (ap_expr) in
 4513      RewriteCond. [Stefan Fritsch]
 4514 
 4515   *) mod_rewrite: Allow to unset environment variables using E=!VAR.
 4516      PR 49512. [Mark Drayton <mark markdrayton info>, Stefan Fritsch]
 4517 
 4518   *) mod_headers: Restore the 2.3.8 and earlier default for the first
 4519      argument of the Header directive ("onsuccess").  [Eric Covener]
 4520 
 4521   *) core: Disallow the mixing of relative and absolute Options PR 33708.
 4522      [Sönke Tesch <st kino-fahrplan.de>]
 4523 
 4524   *) core: When exporting request headers to HTTP_* environment variables,
 4525      drop variables whose names contain invalid characters. Describe in the
 4526      docs how to restore the old behaviour. [Malte S. Stretz <mss apache org>]
 4527 
 4528   *) core: When selecting an IP-based virtual host, favor an exact match for
 4529      the port over a wildcard (or omitted) port instead of favoring the one
 4530      that came first in the configuration file. [Eric Covener]
 4531 
 4532   *) core: Overlapping virtual host address/port combinations  now implicitly
 4533      enable name-based virtual hosting for that address.  The NameVirtualHost
 4534      directive has no effect, and _default_ is interpreted the same as "*".
 4535      [Eric Covener]
 4536 
 4537   *) core: In the absence of any Options directives, the default is now
 4538      "FollowSymlinks" instead of "All".  [Igor Galić]
 4539 
 4540   *) rotatelogs: Add -e option to write logs through to stdout for optional
 4541      further processing. [Graham Leggett]
 4542 
 4543   *) mod_ssl: Correctly read full lines in input filter when the line is
 4544      incomplete during first read. PR 50481. [Ruediger Pluem]
 4545 
 4546   *) mod_authz_core: Add AuthzSendForbiddenOnFailure directive to allow
 4547      sending '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if authorization
 4548      fails for an authenticated user. PR 40721. [Stefan Fritsch]
 4549 
 4550 Changes with Apache 2.3.10
 4551 
 4552   *) mod_rewrite: Don't implicitly URL-escape the original query string
 4553      when no substitution has changed it. PR 50447. [Eric Covener]
 4554 
 4555   *) core: Honor 'AcceptPathInfo OFF' during internal redirects,
 4556      such as per-directory mod_rewrite substitutions.  PR 50349.
 4557      [Eric Covener]
 4558 
 4559   *) mod_rewrite: Add 'RewriteOptions InheritBefore' to put the base
 4560      rules/conditions before the overridden rules/conditions.  PR 39313.
 4561      [Jérôme Grandjanny <jerome.grandjanny cea.fr>]
 4562 
 4563   *) mod_autoindex: add IndexIgnoreReset to reset the list of IndexIgnored
 4564      filenames in higher precedence configuration sections.  PR 24243.
 4565      [Eric Covener]
 4566 
 4567   *) mod_cgid: RLimit* directive support for mod_cgid.  PR 42135
 4568      [Eric Covener]
 4569 
 4570   *) core: Fail startup when the argument to ServerName looks like a glob
 4571      or a regular expression instead of a hostname (*?[]).  PR 39863
 4572      [Rahul Nair <rahul.g.nair gmail.com>]
 4573 
 4574   *) mod_userdir: Add merging of enable, disable, and filename arguments
 4575      to UserDir directive, leaving enable/disable of userlists unmerged.
 4576      PR 44076 [Eric Covener]
 4577 
 4578   *) httpd: When no -k option is provided on the httpd command line, the server
 4579      was starting without checking for an existing pidfile.  PR 50350
 4580      [Eric Covener]
 4581 
 4582   *) mod_proxy: Put the worker in error state if the SSL handshake with the
 4583      backend fails. PR 50332.
 4584      [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
 4585 
 4586   *) mod_cache_disk: Fix Windows build which was broken after renaming
 4587      the module. [Gregg L. Smith]
 4588 
 4589 Changes with Apache 2.3.9
 4590 
 4591   *) SECURITY: CVE-2010-1623 (cve.mitre.org)
 4592      Fix a denial of service attack against mod_reqtimeout.
 4593      [Stefan Fritsch]
 4594 
 4595   *) mod_headers: Change default first argument of Header directive
 4596      from "onsuccess" to "always". [Eric Covener]
 4597 
 4598   *) mod_include: Add the onerror attribute to the include element,
 4599      allowing an URL to be specified to include on error. [Graham
 4600      Leggett]
 4601 
 4602   *) mod_cache_disk: mod_disk_cache renamed to mod_cache_disk, to be
 4603      consistent with the naming of other modules. [Graham Leggett]
 4604 
 4605   *) mod_setenvif: Add SetEnvIfExpr directive to set env var depending on
 4606      expression. [Stefan Fritsch]
 4607 
 4608   *) mod_proxy: Fix ProxyPassInterpolateEnv directive. PR 50292.
 4609      [Stefan Fritsch]
 4610 
 4611   *) suEXEC: Add Suexec directive to disable suEXEC without renaming the
 4612      binary (Suexec Off), or force startup failure if suEXEC is required
 4613      but not supported (Suexec On).  Change SuexecUserGroup to fail
 4614      startup instead of just printing a warning if suEXEC is disabled.
 4615      [Jeff Trawick]
 4616 
 4617   *) core: Add Error directive for aborting startup or htaccess processing
 4618      with a specified error message.  [Jeff Trawick]
 4619 
 4620   *) mod_rewrite: Fix the RewriteEngine directive to work within a
 4621      location. Previously, once RewriteEngine was switched on globally,
 4622      it was impossible to switch off. [Graham Leggett]
 4623 
 4624   *) core, mod_include, mod_ssl: Move the expression parser derived from
 4625      mod_include back into mod_include. Replace ap_expr with a parser
 4626      derived from mod_ssl's parser. Make mod_ssl use the new parser. Rework
 4627      ap_expr's public interface and provide hooks for modules to add variables
 4628      and functions. [Stefan Fritsch]
 4629 
 4630   *) core: Do the hook sorting earlier so that the hooks are properly sorted
 4631      for the pre_config hook and during parsing the config. [Stefan Fritsch]
 4632 
 4633   *) core: In the absence of any AllowOverride directives, the default is now
 4634      "None" instead of "All".  PR49823 [Eric Covener]
 4635 
 4636   *) mod_proxy: Don't allow ProxyPass or ProxyPassReverse in
 4637      <Directory> or <Files>. PR47765 [Eric Covener]
 4638 
 4639   *) prefork/worker/event MPMS: default value (when no directive is present)
 4640      of MaxConnectionsPerChild/MaxRequestsPerChild is changed to 0 from 10000
 4641      to match default configuration and manual. PR47782 [Eric Covener]
 4642 
 4643   *) proxy_connect: Don't give up in the middle of a CONNECT tunnel
 4644      when the child process is starting to exit.  PR50220. [Eric Covener]
 4645 
 4646   *) mod_autoindex: Fix inheritance of mod_autoindex directives into
 4647      contexts that don't have any mod_autoindex directives. PR47766.
 4648      [Eric Covener]
 4649 
 4650   *) mod_rewrite: Add END flag for RewriteRule to prevent further rounds
 4651      of rewrite processing when a per-directory substitution occurs.
 4652      [Eric Covener]
 4653 
 4654   *) mod_ssl: Make sure to always log an error if loading of CA certificates
 4655      fails. PR 40312. [Paul Tiemann <issues apache org ourdetour com>]
 4656 
 4657   *) mod_dav: Send 501 error if unknown Content-* header is received for a PUT
 4658      request (RFC 2616 9.6). PR 42978. [Stefan Fritsch]
 4659 
 4660   *) mod_dav: Send 400 error if malformed Content-Range header is received for
 4661      a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]
 4662 
 4663   *) mod_proxy: Release the backend connection as soon as EOS is detected,
 4664      so the backend isn't forced to wait for the client to eventually
 4665      acknowledge the data. [Graham Leggett]
 4666 
 4667   *) mod_proxy: Optimise ProxyPass within a Location so that it is stored
 4668      per-directory, and chosen during the location walk. Make ProxyPass
 4669      work correctly from within a LocationMatch. [Graham Leggett]
 4670 
 4671   *) core: Fix segfault if per-module LogLevel is on virtual host
 4672      scope. PR 50117. [Stefan Fritsch]
 4673 
 4674   *) mod_proxy: Move the ProxyErrorOverride directive to have per
 4675      directory scope. [Graham Leggett]
 4676 
 4677   *) mod_allowmethods: New module to deny certain HTTP methods without
 4678      interfering with authentication/authorization. [Paul Querna,
 4679      Igor Galić, Stefan Fritsch]
 4680 
 4681   *) mod_ssl: Log certificate information and improve error message if client
 4682      cert verification fails. PR 50093, PR 50094. [Lassi Tuura <lat cern ch>,
 4683      Stefan Fritsch]
 4684 
 4685   *) htcacheclean: Teach htcacheclean to limit cache size by number of
 4686      inodes in addition to size of files. Prevents a cache disk from
 4687      running out of space when many small files are cached.
 4688      [Graham Leggett]
 4689 
 4690   *) core: Rename MaxRequestsPerChild to MaxConnectionsPerChild, which
 4691      describes more accurately what the directive does. The old name
 4692      still works but logs a warning. [Stefan Fritsch]
 4693 
 4694   *) mod_cache: Optionally serve stale data when a revalidation returns a
 4695      5xx response, controlled by the CacheStaleOnError directive.
 4696      [Graham Leggett]
 4697 
 4698   *) htcacheclean: Allow the listing of valid URLs within the cache, with
 4699      the option to list entry metadata such as sizes and times. [Graham
 4700      Leggett]
 4701 
 4702   *) mod_cache: correctly parse quoted strings in cache headers.
 4703      PR 50199 [Nick Kew]
 4704 
 4705   *) mod_cache: Allow control over the base URL of reverse proxied requests
 4706      using the CacheKeyBaseURL directive, so that the cache key can be
 4707      calculated from the endpoint URL instead of the server URL. [Graham
 4708      Leggett]
 4709 
 4710   *) mod_cache: CacheLastModifiedFactor, CacheStoreNoStore, CacheStorePrivate,
 4711      CacheStoreExpired, CacheIgnoreNoLastMod, CacheDefaultExpire,
 4712      CacheMinExpire and CacheMaxExpire can be set per directory/location.
 4713      [Graham Leggett]
 4714 
 4715   *) mod_disk_cache: CacheMaxFileSize, CacheMinFileSize, CacheReadSize and
 4716      CacheReadTime can be set per directory/location. [Graham Leggett]
 4717 
 4718   *) core: Speed up config parsing if using a very large number of config
 4719      files. PR 50002 [andrew cloudaccess net]
 4720 
 4721   *) mod_cache: Support the caching of HEAD requests. [Graham Leggett]
 4722 
 4723   *) htcacheclean: Allow the option to round up file sizes to a given
 4724      block size, improving the accuracy of disk usage. [Graham Leggett]
 4725 
 4726   *) mod_ssl: Add authz providers for use with mod_authz_core and its
 4727      RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL),
 4728      'ssl-verify-client' (for use with 'SSLVerifyClient optional'), and
 4729      'ssl-require' (expressions with same syntax as SSLRequire).
 4730      [Stefan Fritsch]
 4731 
 4732   *) mod_ssl: Make the ssl expression parser thread-safe. It now requires
 4733      bison instead of yacc. [Stefan Fritsch]
 4734 
 4735   *) mod_disk_cache: Change on-disk header file format to support the
 4736      link of the device/inode of the data file to the matching header
 4737      file, and to support the option of not writing a data file when
 4738      the data file is empty. [Graham Leggett]
 4739 
 4740   *) core/mod_unique_id: Add generate_log_id hook to allow to use
 4741      the ID generated by mod_unique_id as error log ID for requests.
 4742      [Stefan Fritsch]
 4743 
 4744   *) mod_cache: Make sure that we never allow a 304 Not Modified response
 4745      that we asked for to leak to the client should the 304 response be
 4746      uncacheable. PR45341 [Graham Leggett]
 4747 
 4748   *) mod_cache: Add the cache_status hook to register the final cache
 4749      decision hit/miss/revalidate. Add optional support for an X-Cache
 4750      and/or an X-Cache-Detail header to add the cache status to the
 4751      response. PR48241 [Graham Leggett]
 4752 
 4753   *) mod_authz_host: Add 'local' provider that matches connections originating
 4754      on the local host. PR 19938. [Stefan Fritsch]
 4755 
 4756   *) Event MPM: Fix crash accessing pollset on worker thread when child
 4757      process is exiting.  [Jeff Trawick]
 4758 
 4759   *) core: For process invocation (cgi, fcgid, piped loggers and so forth)
 4760      pass the system library path (LD_LIBRARY_PATH or platform-specific
 4761      variables) along with the system PATH, by default.  Both should be
 4762      overridden together as desired using PassEnv etc; see mod_env.
 4763      [William Rowe]
 4764 
 4765   *) mod_cache: Introduce CacheStoreExpired, to allow administrators to
 4766      capture a stale backend response, perform If-Modified-Since requests
 4767      against the backend, and serving from the cache all 304 responses.
 4768      This restores pre-2.2.4 cache behavior.  [William Rowe]
 4769 
 4770   *) mod_rewrite: Introduce <=, >= string comparison operators, and integer
 4771      comparators -lt, -le, -eq, -ge, and -gt.  To help bash users and drop
 4772      the ambiguity of the symlink test "-ltest", introduce -h or -L as
 4773      symlink test operators.  [William Rowe]
 4774 
 4775   *) mod_cache: Give the cache provider the opportunity to choose to cache
 4776      or not cache based on the buckets present in the brigade, such as the
 4777      presence of a FILE bucket.
 4778      [Graham Leggett]
 4779 
 4780   *) mod_authz_core: Allow authz providers to check args while reading the
 4781      config and allow to cache parsed args. Move 'all' and 'env' authz
 4782      providers from mod_authz_host to mod_authz_core. Add 'method' authz
 4783      provider depending on the HTTP method.  [Stefan Fritsch]
 4784 
 4785   *) mod_include: Move the request_rec within mod_include to be
 4786      exposed within include_ctx_t. [Graham Leggett]
 4787 
 4788   *) mod_include: Reinstate support for UTF-8 character sets by allowing a
 4789      variable being echoed or set to be decoded and then encoded as separate
 4790      steps. PR47686 [Graham Leggett]
 4791 
 4792   *) mod_cache: Add a discrete commit_entity() provider function within the
 4793      mod_cache provider interface which is called to indicate to the
 4794      provider that caching is complete, giving the provider the opportunity
 4795      to commit temporary files permanently to the cache in an atomic
 4796      fashion. Replace the inconsistent use of error cleanups with a formal
 4797      set of pool cleanups attached to a subpool, which is destroyed on error.
 4798      [Graham Leggett]
 4799 
 4800   *) mod_cache: Change the signature of the store_body() provider function
 4801      within the mod_cache provider interface to support an "in" brigade
 4802      and an "out" brigade instead of just a single input brigade. This
 4803      gives a cache provider the option to consume only part of the brigade
 4804      passed to it, rather than the whole brigade as was required before.
 4805      This fixes an out of memory and a request timeout condition that would
 4806      occur when the original document was a large file. Introduce
 4807      CacheReadSize and CacheReadTime directives to mod_disk_cache to control
 4808      the amount of data to attempt to cache at a time. [Graham Leggett]
 4809 
 4810   *) core: Add ErrorLogFormat to allow configuring error log format, including
 4811      additional information that is logged once per connection or request. Add
 4812      error log IDs for connections and request to allow correlating error log
 4813      lines and the corresponding access log entry. [Stefan Fritsch]
 4814 
 4815   *) core: Disable sendfile by default. [Stefan Fritsch]
 4816 
 4817   *) mod_cache: Check the request to determine whether we are allowed
 4818      to return cached content at all, and respect a "Cache-Control:
 4819      no-cache" header from a client. Previously, "no-cache" would
 4820      behave like "max-age=0". [Graham Leggett]
 4821 
 4822   *) mod_cache: Use a proper filter context to hold filter data instead
 4823      of misusing the per-request configuration. Fixes a segfault on trunk
 4824      when the normal handler is used. [Graham Leggett]
 4825 
 4826   *) mod_cgid: Log a warning if the ScriptSock path is truncated because
 4827      it is too long. PR 49388.  [Stefan Fritsch]
 4828 
 4829   *) vhosts: Do not allow _default_ in NameVirtualHost, or mixing *
 4830      and non-* ports on NameVirtualHost, or multiple NameVirtualHost
 4831      directives for the same address:port, or NameVirtualHost
 4832      directives with no matching VirtualHosts, or multiple ip-based
 4833      VirtualHost sections for the same address:port.  These were
 4834      previously accepted with a warning, but the behavior was
 4835      undefined.  [Dan Poirier]
 4836 
 4837   *) mod_remoteip: Fix a segfault when using mod_remoteip in conjunction with
 4838      Allow/Deny. PR 49838.  [Andrew Skalski <voltara gmail.com>]
 4839 
 4840   *) core: DirectoryMatch can now match on the end of line character ($),
 4841      and sub-directories of matched directories are no longer implicitly
 4842      matched.  PR49809 [Eric Covener]
 4843 
 4844   *) Regexps: introduce new higher-level regexp utility including parsing
 4845      and executing perl-style regexp ops (e.g s/foo/bar/i) and regexp memory
 4846      [Nick Kew]
 4847 
 4848   *) Proxy: support setting source address.  PR 29404
 4849      [Multiple contributors iterating through bugzilla,
 4850       Aron Ujvari <xanco nikhok.hu>, Aleksey Midenkov <asm uezku.kemsu.ru>,
 4851       <dan listening-station.net; trunk version Nick Kew]
 4852 
 4853   *) HTTP protocol: return 400 not 503 if we have to abort due to malformed
 4854      chunked encoding. [Nick Kew]
 4855 
 4856 Changes with Apache 2.3.8
 4857 
 4858   *) suexec: Support large log files. PR 45856. [Stefan Fritsch]
 4859 
 4860   *) core: Abort with sensible error message if no or more than one MPM is
 4861      loaded. [Stefan Fritsch]
 4862 
 4863   *) mod_proxy: Rename erroronstatus to failonstatus.
 4864      [Daniel Ruggeri <DRuggeri primary.net>]
 4865 
 4866   *) mod_dav_fs: Fix broken "creationdate" property.
 4867      Regression in version 2.3.7. [Rainer Jung]
 4868 
 4869 Changes with Apache 2.3.7
 4870 
 4871   *) SECURITY: CVE-2010-1452 (cve.mitre.org)
 4872      mod_dav, mod_cache, mod_session: Fix Handling of requests without a path
 4873      segment. PR 49246 [Mark Drayton, Jeff Trawick]
 4874 
 4875   *) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076.
 4876      [Stefan Fritsch]
 4877 
 4878   *) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639.
 4879      [Stefan Fritsch]
 4880 
 4881   *) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers
 4882      via leveraging 100-Continue as the initial "request".
 4883      [Jim Jagielski]
 4884 
 4885   *) core/mod_authz_core: Introduce new access_checker_ex hook that enables
 4886      mod_authz_core to bypass authentication if access should be allowed by
 4887      IP address/env var/... [Stefan Fritsch]
 4888 
 4889   *) core: Introduce note_auth_failure hook to allow modules to add support
 4890      for additional auth types. This makes ap_note_auth_failure() work with
 4891      mod_auth_digest again. PR 48807. [Stefan Fritsch]
 4892 
 4893   *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]
 4894 
 4895   *) mod_authn_socache: new module [Nick Kew]
 4896 
 4897   *) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]
 4898 
 4899   *) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]
 4900 
 4901   *) mod_rewrite: Allow to set environment variables without explicitly
 4902      giving a value. [Rainer Jung]
 4903 
 4904   *) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung]
 4905 
 4906   *) mod_include: recognise "text/html; parameters" as text/html
 4907      PR 49616 [Andrey Chernov <ache nagual.pp.ru>]
 4908 
 4909   *) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH
 4910      PR 43906 [Nick Kew]
 4911 
 4912   *) Core: Extra robustness: don't try authz and segfault if authn
 4913      fails to set r->user.  Log bug and return 500 instead.
 4914      PR 42995 [Nick Kew]
 4915 
 4916   *) HTTP protocol filter: fix handling of longer chunk extensions
 4917      PR 49474 [<tee.bee gmx.de>]
 4918 
 4919   *) Update SSL cipher suite and add example for SSLHonorCipherOrder.
 4920      [Lars Eilebrecht, Rainer Jung]
 4921 
 4922   *) move AddOutputFilterByType from core to mod_filter.  This should
 4923      fix nasty side-effects that happen when content_type is set
 4924      more than once in processing a request, and make it fully
 4925      compatible with dynamic and proxied contents. [Nick Kew]
 4926 
 4927   *) mod_log_config: Implement logging for sub second timestamps and
 4928      request end time.  [Rainer Jung]
 4929 
 4930 Changes with Apache 2.3.6
 4931 
 4932   *) SECURITY: CVE-2009-3555 (cve.mitre.org)
 4933      mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
 4934      attack when compiled against OpenSSL version 0.9.8m or later. Introduces
 4935      the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
 4936      and offer unsafe legacy renegotiation with clients which do not yet
 4937      support the new secure renegotiation protocol, RFC 5746.
 4938      [Joe Orton, and with thanks to the OpenSSL Team]
 4939 
 4940   *) SECURITY: CVE-2009-3555 (cve.mitre.org)
 4941      mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
 4942      by rejecting any client-initiated renegotiations. Forcibly disable
 4943      keepalive for the connection if there is any buffered data readable. Any
 4944      configuration which requires renegotiation for per-directory/location
 4945      access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
 4946      [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
 4947 
 4948   *) SECURITY: CVE-2010-0408 (cve.mitre.org)
 4949      mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
 4950      when request headers indicate a request body is incoming; not a case of
 4951      HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola <niku.toivola sulake.com>]
 4952 
 4953   *) SECURITY: CVE-2010-0425 (cve.mitre.org)
 4954      mod_isapi: Do not unload an isapi .dll module until the request
 4955      processing is completed, avoiding orphaned callback pointers.
 4956      [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
 4957 
 4958   *) core: Filter init functions are now run strictly once per request
 4959      before handler invocation.  The init functions are no longer run
 4960      for connection filters.  PR 49328.  [Joe Orton]
 4961 
 4962   *) core: Adjust the output filter chain correctly in an internal
 4963      redirect from a subrequest, preserving filters from the main
 4964      request as necessary.  PR 17629.  [Joe Orton]
 4965 
 4966   *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
 4967      Response if they so choose to do so. Previously an attempt to cache a 206
 4968      was arbitrarily allowed if the response contained an Expires or
 4969      Cache-Control header, and arbitrarily denied if both headers were missing.
 4970      [Graham Leggett]
 4971 
 4972   *) core: Add microsecond timestamp fractions, process id and thread id
 4973      to the error log. [Rainer Jung]
 4974 
 4975   *) configure: The "most" module set gets build by default.  [Rainer Jung]
 4976 
 4977   *) configure: Building dynamic modules (DSO) by default.  [Rainer Jung]
 4978 
 4979   *) configure: Fix broken VPATH build when using included APR.
 4980      [Rainer Jung]
 4981 
 4982   *) mod_session_crypto: Fix configure problem when building
 4983      with APR 2 and for VPATH builds with included APR.
 4984      [Rainer Jung]
 4985 
 4986   *) mod_session_crypto: API compatibility with APR 2 crypto and
 4987      APR Util 1.x crypto. [Rainer Jung]
 4988 
 4989   *) ab: Fix memory leak with -v2 and SSL. PR 49383.
 4990      [Pavel Kankovsky <peak argo troja mff cuni cz>]
 4991 
 4992   *) core: Add per-module and per-directory loglevel configuration.
 4993            Add some more trace logging.
 4994      mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels.
 4995      mod_ssl: Replace LogLevelDebugDump with trace log levels.
 4996      mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info
 4997            and debug.
 4998      mod_dumpio:  Replace DumpIOLogLevel with trace log levels.
 4999      [Stefan Fritsch]
 5000 
 5001   *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
 5002      title page only) when any mod_ldap directives were used in VirtualHost
 5003      context.  [Eric Covener]
 5004 
 5005   *) mod_disk_cache: Decline the opportunity to cache if the response is
 5006      a 206 Partial Content. This stops a reverse proxied partial response
 5007      from becoming cached, and then being served in subsequent responses.
 5008      [Graham Leggett]
 5009 
 5010   *) mod_deflate: avoid the risk of forwarding data before headers are set.
 5011      PR 49369 [Matthew Steele <mdsteele google.com>]
 5012 
 5013   *) mod_authnz_ldap: Ensure nested groups are checked when the
 5014      top-level group doesn't have any direct non-group members
 5015      of attributes in AuthLDAPGroupAttribute. [Eric Covener]
 5016 
 5017   *) mod_authnz_ldap: Search or Comparison during authorization phase
 5018      can use the credentials from the authentication phase
 5019      (AuthLDAPSearchAsUSer,AuthLDAPCompareAsUser).
 5020      PR 48340 [Domenico Rotiroti, Eric Covener]
 5021 
 5022   *) mod_authnz_ldap: Allow the initial DN search during authentication
 5023      to use the HTTP username/pass instead of an anonymous or hard-coded
 5024      LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).
 5025      [Eric Covener]
 5026 
 5027   *) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix
 5028      when this module is used for authorization. See AuthLDAPAuthorizePrefix.
 5029      PR 45584 [Eric Covener]
 5030 
 5031   *) apxs -q: Stop filtering out ':' characters from the reported values.
 5032      PR 45343.  [Bill Cole]
 5033 
 5034   *) prefork MPM: Work around possible crashes on child exit in APR reslist
 5035      cleanup code.  PR 43857.  [Tom Donovan]
 5036 
 5037   *) ab: fix number of requests sent by ab when keepalive is enabled.  PR 48497.
 5038      [Bryn Dole <dole blekko.com>]
 5039 
 5040   *) Log an error for failures to read a chunk-size, and return 408 instead of
 5041      413 when this is due to a read timeout.  This change also fixes some cases
 5042      of two error documents being sent in the response for the same scenario.
 5043      [Eric Covener] PR49167
 5044 
 5045   *) mod_proxy_balancer: Add new directive BalancerNonce to allow admin
 5046      to control/set the nonce used in the balancer-manager application.
 5047      [Jim Jagielski]
 5048 
 5049   *) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673.
 5050      [Stefan Fritsch]
 5051 
 5052   *) Proxy balancer: support setting error status according to HTTP response
 5053      code from a backend.  PR 48939.  [Daniel Ruggeri <DRuggeri primary.net>]
 5054 
 5055   *) htcacheclean: Introduce the ability to clean specific URLs from the
 5056      cache, if provided as an optional parameter on the command line.
 5057      [Graham Leggett]
 5058 
 5059   *) core: Introduce the IncludeStrict directive, which explicitly fails
 5060      server startup if no files or directories match a wildcard path.
 5061      [Graham Leggett]
 5062 
 5063   *) htcacheclean: Report additional statistics about entries deleted.
 5064      PR 48944. [Mark Drayton mark markdrayton.info]
 5065 
 5066   *) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
 5067      builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
 5068      build of openssl is required for 'SSLFIPS on'.  PR 46270.
 5069      [Dr Stephen Henson <steve openssl.org>, William Rowe]
 5070 
 5071   *) mod_proxy_http: Log the port of the remote server in various messages.
 5072      PR 48812. [Igor Galić <i galic brainsware org>]
 5073 
 5074   *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
 5075      connections and other protocol handlers (like mod_ftp). [Stefan Fritsch]
 5076 
 5077   *) mod_proxy_ajp: Really regard the operation a success, when the client
 5078      aborted the connection. In addition adjust the log message if the client
 5079      aborted the connection. [Ruediger Pluem]
 5080 
 5081   *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
 5082      allows insecure renegotiation with clients which do not yet
 5083      support the secure renegotiation protocol.  [Joe Orton]
 5084 
 5085   *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
 5086      is configured for client cert auth. PR 46952.  [Joe Orton]
 5087 
 5088   *) core: Only log a 408 if it is no keepalive timeout. PR 39785
 5089      [Ruediger Pluem,  Mark Montague <markmont umich.edu>]
 5090 
 5091   *) support/rotatelogs: Add -L option to create a link to the current
 5092      log file.  PR 48761 [<lyndon orthanc.ca>, Dan Poirier]
 5093 
 5094   *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
 5095      setting only, matching most of the documentation and examples.
 5096      PR 46541 [Paul Reder, Eric Covener]
 5097 
 5098   *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument
 5099      types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener]
 5100 
 5101   *) mod_negotiation: Preserve query string over multiviews negotiation.
 5102      This buglet was fixed for type maps in 2.2.6, but the same issue
 5103      affected multiviews and was overlooked.
 5104      PR 33112 [Joergen Thomsen <apache jth.net>]
 5105 
 5106   *) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert
 5107      when some are not password-protected. [Eric Covener]
 5108 
 5109   *) Fix startup segfault when the Mutex directive is used but no loaded
 5110      modules use httpd mutexes.  PR 48787.  [Jeff Trawick]
 5111 
 5112   *) Proxy: get the headers right in a HEAD request with
 5113      ProxyErrorOverride, by checking for an overridden error
 5114      before not after going into a catch-all code path.
 5115      PR 41646.  [Nick Kew, Stuart Children]
 5116 
 5117   *) support/rotatelogs: Support the simplest log rotation case, log
 5118      truncation. Useful when the log is being processed in real time
 5119      using a command like tail. [Graham Leggett]
 5120 
 5121   *) support/htcacheclean: Teach it how to write a pid file (modelled on
 5122      httpd's writing of a pid file) so that it becomes possible to run
 5123      more than one instance of htcacheclean on the same machine.
 5124      [Graham Leggett]
 5125 
 5126   *) Log command line on startup, so there's a record of command line
 5127      arguments like -f.  PR 48752.  [Dan Poirier]
 5128 
 5129   *) Introduce mod_reflector, a handler capable of reflecting POSTed
 5130      request bodies back within the response through the output filter
 5131      stack. Can be used to turn an output filter into a web service.
 5132      [Graham Leggett]
 5133 
 5134   *) mod_proxy_http: Make sure that when an ErrorDocument is served
 5135      from a reverse proxied URL, that the subrequest respects the status
 5136      of the original request. This brings the behaviour of proxy_handler
 5137      in line with default_handler. PR 47106. [Graham Leggett]
 5138 
 5139   *) Support wildcards in both the directory and file components of
 5140      the path specified by the Include directive. [Graham Leggett]
 5141 
 5142   *) mod_proxy, mod_proxy_http: Support remote https proxies
 5143      by using HTTP CONNECT.  PR 19188.
 5144      [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
 5145 
 5146   *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
 5147      [Philip M. Gollucci]
 5148 
 5149   *) worker: Don't report server has reached MaxClients until it has.
 5150      Add message when server gets within MinSpareThreads of MaxClients.
 5151      PR 46996.  [Dan Poirier]
 5152 
 5153   *) mod_session: Session expiry was being initialised, but not updated
 5154      on each session save, resulting in timed out sessions when there
 5155      should not have been. Fixed. [Graham Leggett]
 5156 
 5157   *) mod_log_config: Add the R option to log the handler used within the
 5158      request. [Christian Folini <christian.folini netnea com>]
 5159 
 5160   *) mod_include: Allow fine control over the removal of Last-Modified and
 5161      ETag headers within the INCLUDES filter, making it possible to cache
 5162      responses if desired. Fix the default value of the SSIAccessEnable
 5163      directive.  [Graham Leggett]
 5164 
 5165   *) Add new UnDefine directive to undefine a variable. PR 35350.
 5166      [Stefan Fritsch]
 5167 
 5168   *) Make ap_pregsub(), used by AliasMatch and friends, use the same syntax
 5169      for regex backreferences as mod_rewrite and mod_include: Remove the use
 5170      of '&' as an alias for '$0' and allow to escape any character with a
 5171      backslash. PR 48351. [Stefan Fritsch]
 5172 
 5173   *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
 5174      password to UTF-8. PR 45318.
 5175      [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
 5176 
 5177   *) ab: Fix calculation of requests per second in HTML output. PR 48594.
 5178      [Stefan Fritsch]
 5179 
 5180   *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
 5181      password now result in an informational level log entry instead of
 5182      warning level.  [Eric Covener]
 5183 
 5184 Changes with Apache 2.3.5
 5185 
 5186   *) SECURITY: CVE-2010-0434 (cve.mitre.org)
 5187      Ensure each subrequest has a shallow copy of headers_in so that the
 5188      parent request headers are not corrupted.  Eliminates a problematic
 5189      optimization in the case of no request body.  PR 48359
 5190      [Jake Scott, William Rowe, Ruediger Pluem]
 5191 
 5192   *) Turn static function get_server_name_for_url() into public
 5193      ap_get_server_name_for_url() and use it where appropriate. This
 5194      fixes mod_rewrite generating invalid URLs for redirects to IPv6
 5195      literal addresses. [Stefan Fritsch]
 5196 
 5197   *) mod_ldap: Introduce new config option LDAPTimeout to set the timeout
 5198      for LDAP operations like bind and search. [Stefan Fritsch]
 5199 
 5200   *) mod_proxy, mod_proxy_ftp: Move ProxyFtpDirCharset from mod_proxy to
 5201      mod_proxy_ftp. [Takashi Sato]
 5202 
 5203   *) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to
 5204      mod_proxy_connect. [Takashi Sato]
 5205 
 5206   *) mod_cache: Do an exact match of the keys defined by
 5207      CacheIgnoreURLSessionIdentifiers against the querystring instead of
 5208      a partial match.  PR 48401.
 5209      [Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem]
 5210 
 5211   *) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung]
 5212 
 5213   *) Core HTTP: disable keepalive when the Client has sent
 5214      Expect: 100-continue
 5215      but we respond directly with a non-100 response.
 5216      Keepalive here led to data from clients continuing being treated as
 5217      a new request.
 5218      PR 47087 [Nick Kew]
 5219 
 5220   *) Core: reject NULLs in request line or request headers.
 5221      PR 43039 [Nick Kew]
 5222 
 5223   *) Core: (re)-introduce -T commandline option to suppress documentroot
 5224      check at startup.
 5225      PR 41887 [Jan van den Berg <janvdberg gmail.com>]
 5226 
 5227   *) mod_autoindex: support XHTML as equivalent to HTML in IndexOptions,
 5228                     ScanHTMLTitles, ReadmeName, HeaderName
 5229      PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew]
 5230 
 5231   *) Proxy: Fix ProxyPassReverse with relative URL
 5232      Derived (slightly erroneously) from PR 38864 [Nick Kew]
 5233 
 5234   *) mod_headers: align Header Edit with Header Set when used on Content-Type
 5235      PR 48422 [Cyril Bonté <cyril.bonte free.fr>, Nick Kew>]
 5236 
 5237   *) mod_headers: Enable multi-match-and-replace edit option
 5238      PR 46594 [Nick Kew]
 5239 
 5240   *) mod_filter: enable it to act on non-200 responses.
 5241      PR 48377 [Nick Kew]
 5242 
 5243 Changes with Apache 2.3.4
 5244 
 5245   *) Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex,
 5246      and WatchdogMutexPath with a single Mutex directive.  Add APIs to
 5247      simplify setup and user customization of APR proc and global mutexes.
 5248      (See util_mutex.h.)  Build-time setting DEFAULT_LOCKFILE is no longer
 5249      respected; set DEFAULT_REL_RUNTIMEDIR instead.  [Jeff Trawick]
 5250 
 5251   *) http_core: KeepAlive no longer accepts other than On|Off.
 5252      [Takashi Sato]
 5253 
 5254   *) mod_dav: Remove errno from dav_error interface.  Calls to dav_new_error()
 5255      and dav_new_error_tag() must be adjusted to add an apr_status_t parameter.
 5256      [Jeff Trawick]
 5257 
 5258   *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
 5259      try other providers in the case of an LDAP bind failure.
 5260      PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]
 5261 
 5262   *) Build: fix --with-module to work as documented
 5263      PR 43881 [Gez Saunders <gez.saunders virgin.net>]
 5264 
 5265 Changes with Apache 2.3.3
 5266 
 5267   *) SECURITY: CVE-2009-3095 (cve.mitre.org)
 5268      mod_proxy_ftp: sanity check authn credentials.
 5269      [Stefan Fritsch <sf fritsch.de>, Joe Orton]
 5270 
 5271   *) SECURITY: CVE-2009-3094 (cve.mitre.org)
 5272      mod_proxy_ftp: NULL pointer dereference on error paths.
 5273      [Stefan Fritsch <sf fritsch.de>, Joe Orton]
 5274 
 5275   *) mod_ssl: enable support for ECC keys and ECDH ciphers.  Tested against
 5276      OpenSSL 1.0.0b3.  [Vipul Gupta <vipul.gupta sun.com>, Sander Temme]
 5277 
 5278   *) mod_dav: Include uri when logging a PUT error due to connection abort.
 5279      PR 38149. [Stefan Fritsch]
 5280 
 5281   *) mod_dav: Return 409 instead of 500 for a LOCK request if the parent
 5282      resource does not exist or is not a collection. PR 43465. [Stefan Fritsch]
 5283 
 5284   *) mod_dav_fs: Return 409 instead of 500 for Litmus test case copy_nodestcoll
 5285      (a COPY request where the parent of the destination resource does not
 5286      exist). PR 39299. [Stefan Fritsch]
 5287 
 5288   *) mod_dav_fs: Don't delete the whole file if a PUT with content-range failed.
 5289      PR 42896. [Stefan Fritsch]
 5290 
 5291   *) mod_dav_fs: Make PUT create files atomically and no longer destroy the
 5292      old file if the transfer aborted. PR 39815. [Paul Querna, Stefan Fritsch]
 5293 
 5294   *) mod_dav_fs: Remove inode keyed locking as this conflicts with atomically
 5295      creating files. On systems with inode numbers, this is a format change of
 5296      the DavLockDB. The old DavLockDB must be deleted on upgrade.
 5297      [Stefan Fritsch]
 5298 
 5299   *) mod_log_config: Make ${cookie}C correctly match whole cookie names
 5300      instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
 5301      Stefan Fritsch]
 5302 
 5303   *) vhost: A purely-numeric Host: header should not be treated as a port.
 5304      PR 44979 [Nick Kew]
 5305 
 5306   *) mod_ldap: Avoid 500 errors with "Unable to set LDAP_OPT_REFHOPLIMIT option to 5"
 5307      when built against openldap by using SDK LDAP_OPT_REFHOPLIMIT defaults unless
 5308      LDAPReferralHopLimit is explicitly configured.
 5309      [Eric Covener]
 5310 
 5311   *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
 5312      [Eric Covener]
 5313 
 5314   *) mod_ssl: Add support for OCSP Stapling.  PR 43822.
 5315      [Dr Stephen Henson <shenson oss-institute.org>]
 5316 
 5317   *) mod_socache_shmcb: Allow parens in file name if cache size is given.
 5318      Fixes SSLSessionCache directive mis-parsing parens in pathname.
 5319      PR 47945. [Stefan Fritsch]
 5320 
 5321   *) htpasswd: Improve out of disk space handling. PR 30877. [Stefan Fritsch]
 5322 
 5323   *) htpasswd: Use MD5 hash by default on all platforms. [Stefan Fritsch]
 5324 
 5325   *) mod_sed: Reduce memory consumption when processing very long lines.
 5326      PR 48024 [Basant Kumar Kukreja <basant.kukreja sun.com>]
 5327 
 5328   *) ab: Fix segfault in case the argument for -n is a very large number.
 5329      PR 47178. [Philipp Hagemeister <oss phihag.de>]
 5330 
 5331   *) Allow ProxyPreserveHost to work in <Proxy> sections. PR 34901.
 5332      [Stefan Fritsch]
 5333 
 5334   *) configure: Fix THREADED_MPMS so that mod_cgid is enabled again
 5335      for worker MPM. [Takashi Sato]
 5336 
 5337   *) mod_dav: Provide a mechanism to obtain the request_rec and pathname
 5338      from the dav_resource. [Jari Urpalainen <jari.urpalainen nokia.com>,
 5339      Brian France <brian brianfrance.com>]
 5340 
 5341   *) Build: Use install instead of cp if available on installing
 5342      modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com]
 5343 
 5344   *) mod_cache: correctly consider s-maxage in cacheability
 5345      decisions.  [Dan Poirier]
 5346 
 5347   *) mod_logio/core: Report more accurate byte counts in mod_status if
 5348      mod_logio is loaded. PR 25656. [Stefan Fritsch]
 5349 
 5350   *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
 5351      some cache entries and log a warning. Also increase the default
 5352      LDAPSharedCacheSize to 500000. This is a more realistic size suitable
 5353      for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
 5354      PR 46749. [Stefan Fritsch]
 5355 
 5356   *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
 5357      the request is a CONNECT request. [Bill Zajac <billz consultla.com>]
 5358 
 5359   *) mod_cache: Teach CacheEnable and CacheDisable to work from within a
 5360      Location section, in line with how ProxyPass works. [Graham Leggett]
 5361 
 5362   *) mod_reqtimeout: New module to set timeouts and minimum data rates for
 5363      receiving requests from the client. [Stefan Fritsch]
 5364 
 5365   *) core: Fix potential memory leaks by making sure to not destroy
 5366      bucket brigades that have been created by earlier filters.
 5367      [Stefan Fritsch]
 5368 
 5369   *) core, mod_deflate, mod_sed: Reduce memory usage by reusing bucket
 5370      brigades in several places. [Stefan Fritsch]
 5371 
 5372   *) mod_cache: Fix uri_meets_conditions() so that CacheEnable will
 5373      match by scheme, or by a wildcarded hostname. PR 40169
 5374      [Peter Grandi <pg_asf asf.for.sabi.co.uk>, Graham Leggett]
 5375 
 5376   *) suxec: Allow to log an error if exec fails by setting FD_CLOEXEC
 5377      on the log file instead of closing it. PR 10744. [Nicolas Rachinsky]
 5378 
 5379   *) mod_mime: Make RemoveType override the info from TypesConfig.
 5380      PR 38330. [Stefan Fritsch]
 5381 
 5382   *) mod_cache: Introduce the option to run the cache from within the
 5383      normal request handler, and to allow fine grained control over
 5384      where in the filter chain content is cached. Adds CacheQuickHandler
 5385      directive.  [Graham Leggett]
 5386 
 5387   *) core: Treat timeout reading request as 408 error, not 400.
 5388      Log 408 errors in access log as was done in Apache 1.3.x.
 5389      PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>,
 5390      Stefan Fritsch <sf fritsch.de>, Dan Poirier]
 5391 
 5392   *) mod_ssl: Reintroduce SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_SERVER_S_DN,
 5393      SSL_SERVER_I_DN back to the environment variables to be set by mod_ssl.
 5394      [Peter Sylvester <peter.sylvester edelweb.fr>]
 5395 
 5396   *) mod_disk_cache: don't cache incomplete responses, per RFC 2616, 13.8.
 5397      PR15866.  [Dan Poirier]
 5398 
 5399   *) ab: ab segfaults in verbose mode on https sites
 5400      PR46393.  [Ryan Niebur]
 5401 
 5402   *) mod_dav: Allow other modules to become providers and add resource types
 5403      to the DAV response. [Jari Urpalainen <jari.urpalainen nokia.com>,
 5404      Brian France <brian brianfrance.com>]
 5405 
 5406   *) mod_dav: Allow other modules to add things to the DAV or Allow headers
 5407      of an OPTIONS request. [Jari Urpalainen <jari.urpalainen nokia.com>,
 5408      Brian France <brian brianfrance.com>]
 5409 
 5410   *) core: Lower memory usage of core output filter.
 5411      [Stefan Fritsch <sf sfritsch.de>]
 5412 
 5413   *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
 5414      LocationMatch sections.  PR47754. [Dan Poirier]
 5415 
 5416   *) mod_request: Make sure the KeptBodySize directive rejects values
 5417      that aren't valid numbers. [Graham Leggett]
 5418 
 5419   *) mod_session_crypto: Sanity check should the potentially encrypted
 5420      session cookie be too short. [Graham Leggett]
 5421 
 5422   *) mod_session.c: Prevent a segfault when session is added but not
 5423      configured. [Graham Leggett]
 5424 
 5425   *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]
 5426 
 5427   *) mod_auth_digest: Fail server start when nonce count checking
 5428      is configured without shared memory, or md5-sess algorithm is
 5429      configured. [Dan Poirier]
 5430 
 5431   *) mod_proxy_connect: The connect method doesn't work if the client is
 5432      connecting to the apache proxy through an ssl socket. Fixed.
 5433      PR29744. [Brad Boyer, Mark Cave-Ayland, Julian Gilbey, Fabrice Durand,
 5434      David Gence, Tim Dodge, Per Gunnar Hans, Emmanuel Elango,
 5435      Kevin Croft, Rudolf Cardinal]
 5436 
 5437   *) mod_ssl: The error message when SSLCertificateFile is missing should
 5438      at least give the name or position of the problematic virtual host
 5439      definition. [Stefan Fritsch sf sfritsch.de]
 5440 
 5441   *) mod_auth_digest: Fix null pointer when qop=none. [Dan Poirier]
 5442 
 5443   *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
 5444 
 5445   *) mod_headers: generalise the envclause to support expression
 5446      evaluation with ap_expr parser [Nick Kew]
 5447 
 5448   *) mod_cache: Introduce the thundering herd lock, a mechanism to keep
 5449      the flood of requests at bay that strike a backend webserver as
 5450      a cached entity goes stale. [Graham Leggett]
 5451 
 5452   *) mod_auth_digest: Fix usage of shared memory and re-enable it.
 5453      PR 16057 [Dan Poirier]
 5454 
 5455   *) Preserve Port information over internal redirects
 5456      PR 35999 [Jonas Ringh <jonas.ringh cixit.se>]
 5457 
 5458   *) Proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
 5459      rather than BAD_GATEWAY or (especially) NOT_FOUND.
 5460      PR 46971 [evanc nortel.com]
 5461 
 5462   *) Various modules: Do better checking of pollset operations in order to
 5463      avoid segmentation faults if they fail. PR 46467
 5464      [Stefan Fritsch <sf sfritsch.de>]
 5465 
 5466   *) mod_autoindex: Correctly create an empty cell if the description
 5467      for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]
 5468 
 5469   *) ab: Fix broken error messages after resolver or connect() failures.
 5470      [Jeff Trawick]
 5471 
 5472   *) SECURITY: CVE-2009-1890 (cve.mitre.org)
 5473      Fix a potential Denial-of-Service attack against mod_proxy in a
 5474      reverse proxy configuration, where a remote attacker can force a
 5475      proxy process to consume CPU time indefinitely.  [Nick Kew, Joe Orton]
 5476 
 5477   *) SECURITY: CVE-2009-1191 (cve.mitre.org)
 5478      mod_proxy_ajp: Avoid delivering content from a previous request which
 5479      failed to send a request body. PR 46949 [Ruediger Pluem]
 5480 
 5481   *) htdbm: Fix possible buffer overflow if dbm database has very
 5482      long values.  PR 30586 [Dan Poirier]
 5483 
 5484   *) core: Return APR_EOF if request body is shorter than the length announced
 5485      by the client. PR 33098 [ Stefan Fritsch <sf sfritsch.de>]
 5486 
 5487   *) mod_suexec: correctly set suexec_enabled when httpd is run by a
 5488      non-root user and may have insufficient permissions.
 5489      PR 42175 [Jim Radford <radford blackbean.org>]
 5490 
 5491   *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
 5492      type.  PR 45107.  [Michael Ströder <michael stroeder.com>,
 5493      Peter Sylvester <peter.sylvester edelweb.fr>]
 5494 
 5495   *) mod_proxy_http: fix case sensitivity checking transfer encoding
 5496      PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
 5497 
 5498   *) mod_alias: ensure Redirect issues a valid URL.
 5499      PR 44020 [Håkon Stordahl <hakon stordahl.org>]
 5500 
 5501   *) mod_dir: add FallbackResource directive, to enable admin to specify
 5502      an action to happen when a URL maps to no file, without resorting
 5503      to ErrorDocument or mod_rewrite.  PR 47184 [Nick Kew]
 5504 
 5505   *) mod_cgid: Do not leak the listening Unix socket file descriptor to the
 5506      CGI process. PR 47335 [Kornél Pál <kornelpal gmail.com>]
 5507 
 5508   *) mod_rewrite: Remove locking for writing to the rewritelog.
 5509      PR 46942 [Dan Poirier <poirier pobox.com>]
 5510 
 5511   *) mod_alias: check sanity in Redirect arguments.
 5512      PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
 5513 
 5514   *) mod_proxy_http: fix Host: header for literal IPv6 addresses.
 5515      PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
 5516 
 5517   *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
 5518      defined session identifiers encoded in the URL when caching.
 5519      [Ruediger Pluem]
 5520 
 5521   *) mod_rewrite: Fix the error string returned by RewriteRule.
 5522      RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
 5523      argument of RewriteRule was not started with "[" or not ended with "]".
 5524      PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
 5525 
 5526   *) Windows: Fix usage message.
 5527      [Rainer Jung]
 5528 
 5529   *) apachectl: When passing through arguments to httpd in
 5530      non-SysV mode, use the "$@" syntax to preserve arguments.
 5531      [Eric Covener]
 5532 
 5533   *) mod_dbd: add DBDInitSQL directive to enable SQL statements to
 5534      be run when a connection is opened.  PR 46827
 5535      [Marko Kevac <mkevac gmail.com>]
 5536 
 5537   *) mod_cgid: Improve handling of long AF_UNIX socket names (ScriptSock).
 5538      PR 47037.  [Jeff Trawick]
 5539 
 5540   *) mod_proxy_ajp: Check more strictly that the backend follows the AJP
 5541      protocol. [Mladen Turk]
 5542 
 5543   *) mod_proxy_ajp: Forward remote port information by default.
 5544      [Rainer Jung]
 5545 
 5546   *) Allow MPMs to be loaded dynamically, as with most other modules.  Use
 5547      --enable-mpms-shared={list|"all"} to enable.  This required changes to
 5548      the MPM interfaces.  Removed: mpm.h, mpm_default.h (as an installed
 5549      header), APACHE_MPM_DIR, MPM_NAME, ap_threads_per_child,
 5550      ap_max_daemons_limit, ap_my_generation, etc.  ap_mpm_query() can't be
 5551      called until after the register-hooks phase.  [Jeff Trawick]
 5552 
 5553   *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
 5554      to enable stricter checking of remote server certificates.
 5555      [Ruediger Pluem]
 5556 
 5557   *) ab: Fix a 100% CPU loop on platforms where a failed non-blocking connect
 5558      returns EINPROGRESS and a subsequent poll() returns only POLLERR.
 5559      Observed on HP-UX.  [Eric Covener]
 5560 
 5561   *) Remove broken support for BeOS, TPF, and even older platforms such
 5562      as A/UX, Next, and Tandem.  [Jeff Trawick]
 5563 
 5564   *) mod_proxy_ftp: Add ProxyFtpListOnWildcard directive to allow files with
 5565      globbing characters to be retrieved instead of converted into a
 5566      directory listing.  PR 46789 [Dan Poirier <poirier pobox.com>]
 5567 
 5568   *) Provide ap_retained_data_create()/ap_retained_data_get() for preservation
 5569      of module state across unload/load.  [Jeff Trawick]
 5570 
 5571   *) mod_substitute: Fix a memory leak. PR 44948
 5572      [Dan Poirier <poirier pobox.com>]
 5573 
 5574 Changes with Apache 2.3.2
 5575 
 5576   *) mod_mime_magic: Fix detection of compressed content. [Rainer Jung]
 5577 
 5578   *) mod_negotiation: Escape paths of filenames in 406 responses to avoid
 5579      HTML injections and HTTP response splitting.  PR 46837.
 5580      [Geoff Keating <geoffk apple.com>]
 5581 
 5582   *) mod_ssl: add support for type-safe STACK constructs in OpenSSL
 5583      development HEAD.  PR 45521.  [Kaspar Brand, Sander Temme]
 5584 
 5585   *) ab: Fix maintenance of the pollset to resolve EALREADY errors
 5586      with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris).
 5587      PR 44584.  Use APR_POLLSET_NOCOPY for better performance with some
 5588      pollset implementations.  [Jeff Trawick]
 5589 
 5590   *) mod_disk_cache: The module now turns off sendfile support if
 5591      'EnableSendfile off' is defined globally. [Lars Eilebrecht]
 5592 
 5593   *) mod_deflate: Adjust content metadata before bailing out on 304
 5594      responses so that the metadata does not differ from 200 response.
 5595      [Roy T. Fielding]
 5596 
 5597   *) mod_deflate: Fix creation of invalid Etag headers. We now make sure
 5598      that the Etag value is properly quoted when adding the gzip marker.
 5599      PR 39727, 45023. [Lars Eilebrecht, Roy T. Fielding]
 5600 
 5601   *) Added 20x22 icons for ODF, SVG, and XML documents.  PR 37185.
 5602      [Peter Harlow]
 5603 
 5604   *) Disabled DefaultType directive and removed ap_default_type()
 5605      from core.  We now exclude Content-Type from responses for which
 5606      a media type has not been configured via mime.types, AddType,
 5607      ForceType, or some other mechanism. PR 13986. [Roy T. Fielding]
 5608 
 5609   *) mod_rewrite: Add IPV6 variable to RewriteCond
 5610      [Ryan Phillips <ryan-apache trolocsis.com>]
 5611 
 5612   *) core: Enhance KeepAliveTimeout to support a value in milliseconds.
 5613      PR 46275. [Takashi Sato]
 5614 
 5615   *) rotatelogs: Allow size units B, K, M, G and combination of
 5616      time and size based rotation. [Rainer Jung]
 5617 
 5618   *) rotatelogs: Add flag for verbose (debug) output. [Rainer Jung]
 5619 
 5620   *) mod_ssl: Fix merging of SSLRenegBufferSize directive. PR 46508
 5621      [<tlhackque yahoo.com>]
 5622 
 5623   *) core: Translate the the status line to ASCII on EBCDIC platforms in
 5624      ap_send_interim_response() and for locally generated "100 Continue"
 5625      responses.  [Eric Covener]
 5626 
 5627   *) prefork: Fix child process hang during graceful restart/stop in
 5628      configurations with multiple listening sockets.  PR 42829.  [Joe Orton,
 5629      Jeff Trawick]
 5630 
 5631   *) mod_session_crypto: Ensure that SessionCryptoDriver can only be
 5632      set in the global scope. [Graham Leggett]
 5633 
 5634   *) mod_ext_filter: We need to detect failure to startup the filter
 5635      program (a mangled response is not acceptable).  Fix to detect
 5636      failure, and offer configuration option either to abort or
 5637      to remove the filter and continue.
 5638      PR 41120 [Nick Kew]
 5639 
 5640   *) mod_session_crypto: Rewrite the session_crypto module against the
 5641      apr_crypto API. [Graham Leggett]
 5642 
 5643   *) mod_auth_form: Fix a pool lifetime issue, don't remove the subrequest
 5644      until the main request is cleaned up. [Graham Leggett]
 5645 
 5646 Changes with Apache 2.3.1
 5647 
 5648   *) ap_slotmem: Add in new slot-based memory access API impl., including
 5649      2 providers (mod_sharedmem and mod_plainmem) [Jim Jagielski,
 5650      Jean-Frederic Clere, Brian Akins <brian.akins turner.com>]
 5651 
 5652   *) mod_include: support generating non-ASCII characters as entities in SSI
 5653      PR 25202 [Nick Kew]
 5654 
 5655   *) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
 5656      PR 25202 [Nick Kew]
 5657 
 5658   *) mod_rewrite: fix "B" flag breakage by reverting r5589343
 5659     PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]
 5660 
 5661   *) CGI: return 504 (Gateway timeout) rather than 500 when a script
 5662      times out before returning status line/headers.
 5663      PR 42190 [Nick Kew]
 5664 
 5665   *) mod_cgid: fix segfault problem on solaris.
 5666      PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>]
 5667 
 5668   *) mod_proxy_scgi: Added. [André Malo]
 5669 
 5670   *) mod_cache: Introduce 'no-cache' per-request environment variable
 5671      to prevent the saving of an otherwise cacheable response.
 5672      [Eric Covener]
 5673 
 5674   *) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
 5675      way that per-directory rewrites append the previous notion of PATH_INFO
 5676      to each substitution before evaluating subsequent rules.
 5677      PR 38642 [Eric Covener]
 5678 
 5679   *) mod_cgid: Do not add an empty argument when calling the CGI script.
 5680      PR 46380 [Ruediger Pluem]
 5681 
 5682   *) scoreboard: Remove unused sb_type from process_score.
 5683      [Torsten Foertsch <torsten.foertsch gmx.net>, Chris Darroch]
 5684 
 5685   *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the
 5686      size of the buffer used for the request-body where necessary
 5687      during a per-dir renegotiation.  PR 39243.  [Joe Orton]
 5688 
 5689   *) mod_proxy_fdpass: New module to pass a client connection over to a separate
 5690      process that is reading from a unix daemon socket.
 5691 
 5692   *) mod_ssl: Improve environment variable extraction to be more
 5693      efficient and to correctly handle DNs with duplicate tags.
 5694      PR 45975.  [Joe Orton]
 5695 
 5696   *) Remove the obsolete serial attribute from the RPM spec file. Compile
 5697      against the external pcre. Add missing binaries fcgistarter, and
 5698      mod_socache* and mod_session*. [Graham Leggett]
 5699 
 5700 Changes with Apache 2.3.0
 5701 
 5702   *) mod_ratelimit: New module to do bandwidth rate limiting. [Paul Querna]
 5703 
 5704   *) Remove X-Pad header which was added as a work around to a bug in
 5705      Netscape 2.x to 4.0b2. [Takashi Sato <takashi lans-tv.com>]
 5706 
 5707   *) Add DTrace Statically Defined Tracing (SDT) probes.
 5708     [Theo Schlossnagle <jesus omniti.com>, Paul Querna]
 5709 
 5710   *) mod_proxy_balancer: Move all load balancing implementations
 5711      as individual, self-contained mod_proxy submodules under
 5712      modules/proxy/balancers [Jim Jagielski]
 5713 
 5714   *) Rename APIs to include ap_ prefix:
 5715         find_child_by_pid -> ap_find_child_by_pid
 5716         suck_in_APR -> ap_suck_in_APR
 5717         sys_privileges_handlers -> ap_sys_privileges_handlers
 5718         unixd_accept -> ap_unixd_accept
 5719         unixd_config -> ap_unixd_config
 5720         unixd_killpg -> ap_unixd_killpg
 5721         unixd_set_global_mutex_perms -> ap_unixd_set_global_mutex_perms
 5722         unixd_set_proc_mutex_perms -> ap_unixd_set_proc_mutex_perms
 5723         unixd_set_rlimit -> ap_unixd_set_rlimit
 5724      [Paul Querna]
 5725 
 5726   *) mod_lbmethod_heartbeat: New module to load balance mod_proxy workers
 5727      based on heartbeats. [Paul Querna]
 5728 
 5729   *) mod_heartmonitor: New module to collect heartbeats, and write out a file
 5730      so that other modules can load balance traffic as needed. [Paul Querna]
 5731 
 5732   *) mod_heartbeat: New module to generate multicast heartbeats to know if a
 5733      server is online. [Paul Querna]
 5734 
 5735   *) mod_buffer: Honour the flush bucket and flush the buffer in the
 5736      input filter. Make sure that metadata buckets are written to
 5737      the buffer, not to the final brigade. [Graham Leggett]
 5738 
 5739   *) mod_buffer: Optimise the buffering of heap buckets when the heap
 5740      buckets stay exactly APR_BUCKET_BUFF_SIZE long. [Graham Leggett,
 5741      Ruediger Pluem]
 5742 
 5743   *) mod_buffer: Optional support for buffering of the input and output
 5744      filter stacks. Can collapse many small buckets into fewer larger
 5745      buckets, and prevents excessively small chunks being sent over
 5746      the wire. [Graham Leggett]
 5747 
 5748   *) mod_privileges: new module to make httpd on Solaris privileges-aware
 5749      and to enable different virtualhosts to run with different
 5750      privileges and Unix user/group IDs [Nick Kew]
 5751 
 5752   *) mod_mem_cache: this module has been removed. [William Rowe]
 5753 
 5754   *) authn/z: Remove mod_authn_default and mod_authz_default.
 5755      [Chris Darroch]
 5756 
 5757   *) authz: Fix handling of authz configurations, make default authz
 5758      logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject,
 5759      and AuthzMergeRules directives with Match, <Match*>, and AuthzMerge
 5760      directives.  [Chris Darroch]
 5761 
 5762   *) mod_authn_core: Prevent crash when provider alias created to
 5763      provider which is not yet registered.  [Chris Darroch]
 5764 
 5765   *) mod_authn_core: Add AuthType of None to support disabling
 5766      authentication.  [Chris Darroch]
 5767 
 5768   *) core: Allow <Limit> and <LimitExcept> directives to nest, and
 5769      constrain their use to conform with that of other access control
 5770      and authorization directives.  [Chris Darroch]
 5771 
 5772   *) unixd: turn existing code into a module, and turn the set user/group
 5773      and chroot into a child_init function. [Nick Kew]
 5774 
 5775   *) mod_dir: Support "DirectoryIndex disabled"
 5776      Suggested By André Warnier <aw ice-sa.com> [Eric Covener]
 5777 
 5778   *) mod_ssl: Send Content-Type application/ocsp-request for POST requests to
 5779      OSCP responders. PR 46014 [Dr Stephen Henson <steve openssl.org>]
 5780 
 5781   *) mod_authnz_ldap: don't return NULL-valued environment variables to
 5782      other modules.  PR 39045 [Francois Pesce <francois.pesce gmail.com>]
 5783 
 5784   *) Don't adjust case in pathname components that are not of interest
 5785      to mod_mime.  Fixes mod_negotiation's use of such components.
 5786      PR 43250 [Basant Kumar Kukreja <basant.kukreja sun.com>]
 5787 
 5788   *) Be tolerant in what you accept - accept slightly broken
 5789      status lines from a backend provided they include a valid status code.
 5790      PR 44995 [Rainer Jung <rainer.jung kippdata.de>]
 5791 
 5792   *) New module mod_sed: filter Request/Response bodies through sed
 5793      [Basant Kumar Kukreja <basant.kukreja sun.com>]
 5794 
 5795   *) mod_auth_form: Make sure that basic authentication is correctly
 5796      faked directly after login. [Graham Leggett]
 5797 
 5798   *) mod_session_cookie, mod_session_dbd: Make sure cookies are set both
 5799      within the output headers and error output headers, so that the
 5800      session is maintained across redirects. [Graham Leggett]
 5801 
 5802   *) mod_auth_form: Make sure the logged in user is populated correctly
 5803      after a form login. Fixes a missing REMOTE_USER variable directly
 5804      following a login. [Graham Leggett]
 5805 
 5806   *) mod_session_cookie: Make sure that cookie attributes are correctly
 5807      included in the blank cookie when cookies are removed. This fixes an
 5808      inability to log out when using mod_auth_form. [Graham Leggett]
 5809 
 5810   *) mod_session: Prevent a segfault when a CGI script sets a cookie with a
 5811      null value. [David Shane Holden <dpejesh apache.org>]
 5812 
 5813   *) core, authn/z: Determine registered authn/z providers directly in
 5814      ap_setup_auth_internal(), which allows optional functions that just
 5815      wrapped ap_list_provider_names() to be removed from authn/z modules.
 5816      [Chris Darroch]
 5817 
 5818   *) authn/z: Convert common provider version strings to macros.
 5819      [Chris Darroch]
 5820 
 5821   *) core: When testing for slash-terminated configuration paths in
 5822      ap_location_walk(), don't look past the start of an empty string
 5823      such as that created by a <Location ""> directive.
 5824      [Chris Darroch]
 5825 
 5826   *) core, mod_proxy: If a kept_body is present, it becomes safe for
 5827      subrequests to support message bodies. Make sure that safety
 5828      checks within the core and within the proxy are not triggered
 5829      when kept_body is present. This makes it possible to embed
 5830      proxied POST requests within mod_include. [Graham Leggett]
 5831 
 5832   *) mod_auth_form: Make sure the input filter stack is properly set
 5833      up before reading the login form. Make sure the kept body filter
 5834      is correctly inserted to ensure the body can be read a second
 5835      time safely should the authn be successful. [Graham Leggett,
 5836      Ruediger Pluem]
 5837 
 5838   *) mod_request: Insert the KEPT_BODY filter via the insert_filter
 5839      hook instead of during fixups. Add a safety check to ensure the
 5840      filters cannot be inserted more than once. [Graham Leggett,
 5841      Ruediger Pluem]
 5842 
 5843   *) ap_cache_cacheable_headers_out() will (now) always
 5844      merge an error headers _before_ clearing them and _before_
 5845      merging in the actual entity headers and doing normal
 5846      hop-by-hop cleansing. [Dirk-Willem van Gulik].
 5847 
 5848   *) cache: retire ap_cache_cacheable_hdrs_out() which was used
 5849      for both in- and out-put headers; and replace it by a single
 5850      ap_cache_cacheable_headers() wrapped in a in- and out-put
 5851      specific ap_cache_cacheable_headers_in()/out(). The latter
 5852      which will also merge error and ensure content-type. To keep
 5853      cache modules consistent with ease. This API change bumps
 5854      up the minor MM by one [Dirk-Willem van Gulik].
 5855 
 5856   *) Move the KeptBodySize directive, kept_body filters and the
 5857      ap_parse_request_body function out of the http module and into a
 5858      new module called mod_request, reducing the size of the core.
 5859      [Graham Leggett]
 5860 
 5861   *) mod_dbd: Handle integer configuration directive parameters with a
 5862      dedicated function.
 5863 
 5864   *) Change the directives within the mod_session* modules to be valid
 5865      both inside and outside the location/directory sections, as
 5866      suggested by wrowe. [Graham Leggett]
 5867 
 5868   *) mod_auth_form: Add a module capable of allowing end users to log
 5869      in using an HTML form, storing the credentials within mod_session.
 5870      [Graham Leggett]
 5871 
 5872   *) Add a function to the http filters that is able to parse an HTML
 5873      form request with the type of application/x-www-form-urlencoded.
 5874      [Graham Leggett]
 5875 
 5876   *) mod_session_crypto: Initialise SSL in the post config hook.
 5877      [Ruediger Pluem, Graham Leggett]
 5878 
 5879   *) mod_session_dbd: Add a session implementation capable of storing
 5880      session information in a SQL database via the dbd interface. Useful
 5881      for sites where session privacy is important. [Graham Leggett]
 5882 
 5883   *) mod_session_crypto: Add a session encoding implementation capable
 5884      of encrypting and decrypting sessions wherever they may be stored.
 5885      Introduces a level of privacy when sessions are stored on the
 5886      browser. [Graham Leggett]
 5887 
 5888   *) mod_session_cookie: Add a session implementation capable of storing
 5889      session information within cookies on the browser. Useful for high
 5890      volume sites where server bound sessions are too resource intensive.
 5891      [Graham Leggett]
 5892 
 5893   *) mod_session: Add a generic session interface to unify the different
 5894      attempts at saving persistent sessions across requests.
 5895      [Graham Leggett]
 5896 
 5897   *) core, authn/z: Avoid calling access control hooks for internal requests
 5898      with configurations which match those of initial request.  Revert to
 5899      original behaviour (call access control hooks for internal requests
 5900      with URIs different from initial request) if any access control hooks or
 5901      providers are not registered as permitting this optimization.
 5902      Introduce wrappers for access control hook and provider registration
 5903      which can accept additional mode and flag data.  [Chris Darroch]
 5904 
 5905   *) Introduced ap_expr API for expression evaluation.
 5906      This is adapted from mod_include, which is the first module
 5907      to use the new API.
 5908      [Nick Kew]
 5909 
 5910   *) mod_authz_dbd: When redirecting after successful login/logout per
 5911      AuthzDBDRedirectQuery, do not report authorization failure, and use
 5912      first row returned by database query instead of last row.
 5913      [Chris Darroch]
 5914 
 5915   *) mod_ldap: Correctly return all requested attribute values
 5916      when some attributes have a null value.
 5917      PR 44560 [Anders Kaseorg <anders kaseorg.com>]
 5918 
 5919   *) core: check symlink ownership if both FollowSymlinks and
 5920      SymlinksIfOwnerMatch are set [Nick Kew]
 5921 
 5922   *) core: fix origin checking in SymlinksIfOwnerMatch
 5923      PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>]
 5924 
 5925   *) Activate mod_cache, mod_file_cache and mod_disk_cache as part of the
 5926      'most' set for '--enable-modules' and '--enable-shared-mods'. Include
 5927      mod_mem_cache in 'all' as well. [Dirk-Willem van Gulik]
 5928 
 5929   *) Also install mod_so.h, mod_rewrite.h and mod_cache.h; as these
 5930      contain public function declarations which are useful for
 5931      third party module authors. PR 42431 [Dirk-Willem van Gulik].
 5932 
 5933   *) mod_dir, mod_negotiation: pass the output filter information
 5934      to newly created sub requests; as these are later on used
 5935      as true requests with an internal redirect. This allows for
 5936      mod_cache et.al. to trap the results of the redirect.
 5937      [Dirk-Willem van Gulik, Ruediger Pluem]
 5938 
 5939   *) mod_ldap: Add support (taking advantage of the new APR capability)
 5940      for ldap rebind callback while chasing referrals. This allows direct
 5941      searches on LDAP servers (in particular MS Active Directory 2003+)
 5942      using referrals without the use of the global catalog.
 5943      PRs 26538, 40268, and 42557 [Paul J. Reder]
 5944 
 5945   *) ApacheMonitor.exe: Introduce --kill argument for use by the
 5946      installer.  This will permit the installation tool to remove
 5947      all running instances before attempting to remove the .exe.
 5948      [William Rowe]
 5949 
 5950   *) mod_ssl: Add support for OCSP validation of client certificates.
 5951      PR 41123.  [Marc Stern <marc.stern approach.be>, Joe Orton]
 5952 
 5953   *) mod_serf: New module for Reverse Proxying. [Paul Querna]
 5954 
 5955   *) core: Add the option to keep aside a request body up to a certain
 5956      size that would otherwise be discarded, to be consumed by filters
 5957      such as mod_include. When enabled for a directory, POST requests
 5958      to shtml files can be passed through to embedded scripts as POST
 5959      requests, rather being downgraded to GET requests. [Graham Leggett]
 5960 
 5961   *) mod_ssl: Fix TLS upgrade (RFC 2817) support.  PR 41231.  [Joe Orton]
 5962 
 5963   *) scoreboard: Correctly declare ap_time_process_request.
 5964      PR 43789 [Tom Donovan <Tom.Donovan acm.org>]
 5965 
 5966   *) core; scoreboard: ap_get_scoreboard_worker(sbh) now takes the sbh member
 5967      from the connection rec, ap_get_scoreboard_worker(proc, thread) will now
 5968      provide the unusual legacy lookup.  [William Rowe]
 5969 
 5970   *) mpm winnt: fix null pointer dereference
 5971      PR 42572 [Davi Arnaut]
 5972 
 5973   *) mod_authnz_ldap, mod_authn_dbd: Tidy up the code to expose authn
 5974      parameters to the environment. Improve portability to
 5975      EBCDIC machines by using apr_toupper(). [Martin Kraemer]
 5976 
 5977   *) mod_ldap, mod_authnz_ldap: Add support for nested groups (i.e. the ability
 5978      to authorize an authenticated user via a "require ldap-group X" directive
 5979      where the user is not in group X, but is in a subgroup contained in X.
 5980      PR 42891 [Paul J. Reder]
 5981 
 5982   *) mod_ssl: Add support for caching SSL Sessions in memcached. [Paul Querna]
 5983 
 5984   *) apxs: Enhance -q flag to print all known variables and their values
 5985      when invoked without variable name(s).
 5986      [William Rowe, Sander Temme]
 5987 
 5988   *) apxs: Eliminate run-time check for mod_so.  PR 40653.
 5989      [David M. Lee <dmlee crossroads.com>]
 5990 
 5991   *) beos MPM: Create pmain pool and run modules' child_init hooks when
 5992      entering ap_mpm_run(), then destroy pmain when exiting ap_mpm_run().
 5993      [Chris Darroch]
 5994 
 5995   *) netware MPM: Destroy pmain pool when exiting ap_mpm_run() so that
 5996      cleanups registered in modules' child_init hooks are performed.
 5997      [Chris Darroch]
 5998 
 5999   *) Fix issue which could cause error messages to be written to access logs
 6000      on Win32.  PR 40476.  [Tom Donovan <Tom.Donovan acm.org>]
 6001 
 6002   *) The LockFile directive, which specifies the location of
 6003      the accept() mutex lockfile, is deprecated. Instead, the
 6004      AcceptMutex directive now takes an optional lockfile
 6005      location parameter, ala SSLMutex. [Jim Jagielski]
 6006 
 6007   *) mod_authn_dbd: Export any additional columns queried in the SQL select
 6008      into the environment with the name AUTHENTICATE_<COLUMN>. This brings
 6009      mod_authn_dbd behaviour in line with mod_authnz_ldap. [Graham Leggett]
 6010 
 6011   *) mod_dbd: Key the storage of prepared statements on the hex string
 6012      value of server_rec, rather than the server name, as the server name
 6013      may change (eg when the server name is set) at any time, causing
 6014      weird behaviour in modules dependent on mod_dbd. [Graham Leggett]
 6015 
 6016   *) mod_proxy_fcgi: Added win32 build. [Mladen Turk]
 6017 
 6018   *) sendfile_nonblocking() takes the _brigade_ as an argument, gets
 6019      the first bucket from the brigade, finds it not to be a FILE
 6020      bucket and barfs. The fix is to pass a bucket rather than a brigade.
 6021      [Niklas Edmundsson <nikke acc.umu.se>]
 6022 
 6023   *) mod_rewrite: support rewritemap by SQL query [Nick Kew]
 6024 
 6025   *) ap_get_server_version() has been removed.  Third-party modules must
 6026      now use ap_get_server_banner() or ap_get_server_description().
 6027      [Jeff Trawick]
 6028 
 6029   *) All MPMs: Introduce a check_config phase between pre_config and
 6030      open_logs, to allow modules to review interdependent configuration
 6031      directive values and adjust them while messages can still be logged
 6032      to the console.  Handle relevant MPM directives during this phase
 6033      and format messages for both the console and the error log, as
 6034      appropriate.  [Chris Darroch]
 6035 
 6036   *) core: Do not allow internal redirects like the DirectoryIndex of mod_dir
 6037      to circumvent the symbolic link checks imposed by FollowSymLinks and
 6038      SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem, William Rowe]
 6039 
 6040   *) New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ]
 6041      configures the I/O Dump of SSL traffic, when LogLevel is set to Debug.
 6042      The default is none as this is far greater debugging resolution than
 6043      the typical administrator is prepared to untangle.  [William Rowe]
 6044 
 6045   *) mod_disk_cache: If possible, check if the size of an object to cache is
 6046      within the configured boundaries before actually saving data.
 6047      [Niklas Edmundsson <nikke acc.umu.se>]
 6048 
 6049   *) Worker and event MPMs: Remove improper scoreboard updates which were
 6050      performed in the event of a fork() failure.  [Chris Darroch]
 6051 
 6052   *) Add support for fcgi:// proxies to mod_rewrite.
 6053      [Markus Schiegl <ms schiegl.com>]
 6054 
 6055   *) Remove incorrect comments from scoreboard.h regarding conditional
 6056      loading of worker_score structure with mod_status, and remove unused
 6057      definitions relating to old life_status field.
 6058      [Chris Darroch <chrisd pearsoncmg.com>]
 6059 
 6060   *) Remove allocation of memory for unused array of lb_score pointers
 6061      in ap_init_scoreboard().  [Chris Darroch <chrisd pearsoncmg.com>]
 6062 
 6063   *) Add mod_proxy_fcgi, a FastCGI back end for mod_proxy.
 6064      [Garrett Rooney, Jim Jagielski, Paul Querna]
 6065 
 6066   *) Event MPM: Fill in the scoreboard's tid field. PR 38736.
 6067      [Chris Darroch <chrisd pearsoncmg.com>]
 6068 
 6069   *) mod_charset_lite: Remove Content-Length when output filter can
 6070      invalidate it.  Warn when input filter can invalidate it.
 6071      [Jeff Trawick]
 6072 
 6073   *) Authz: Add the new module mod_authn_core that will provide common
 6074      authn directives such as 'AuthType', 'AuthName'.  Move the directives
 6075      'AuthType' and 'AuthName' out of the core module and merge mod_authz_alias
 6076      into mod_authn_core. [Brad Nicholes]
 6077 
 6078   *) Authz: Move the directives 'Order', 'Allow', 'Deny' and 'Satisfy'
 6079      into the new module mod_access_compat which can be loaded to provide
 6080      support for these directives.
 6081      [Brad Nicholes]
 6082 
 6083   *) Authz: Move the 'Require' directive from the core module as well as
 6084      add the directives '<SatisfyAll>', '<SatisfyOne>', '<RequireAlias>'
 6085      and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
 6086      logic into the authorization processing. [Brad Nicholes]
 6087 
 6088   *) Authz: Add the new module mod_authz_core which acts as the
 6089      authorization provider vector and contains common authz
 6090      directives. [Brad Nicholes]
 6091 
 6092   *) Authz: Renamed mod_authz_dbm authz providers from 'group' and
 6093      'file-group' to 'dbm-group' and 'dbm-file-group'. [Brad Nicholes]
 6094 
 6095   *) Authz: Added the new authz providers 'env', 'ip', 'host', 'all' to handle
 6096      host-based access control provided by mod_authz_host and invoked
 6097      through the 'Require' directive. [Brad Nicholes]
 6098 
 6099   *) Authz: Convert all of the authz modules from hook based to
 6100      provider based. [Brad Nicholes]
 6101 
 6102   *) mod_cache: Add CacheMinExpire directive to set the minimum time in
 6103      seconds to cache a document.
 6104      [Brian Akins <brian.akins turner.com>, Ruediger Pluem]
 6105 
 6106   *) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]
 6107 
 6108   *) Fix typo in ProxyStatus syntax error message.
 6109      [Christophe Jaillet <christophe.jaillet wanadoo.fr>]
 6110 
 6111   *) Asynchronous write completion for the Event MPM.  [Brian Pane]
 6112 
 6113   *) Added an End-Of-Request bucket type.  The logging of a request and
 6114      the freeing of its pool are now done when the EOR bucket is destroyed.
 6115      This has the effect of delaying the logging until right after the last
 6116      of the response is sent; ap_core_output_filter() calls the access logger
 6117      indirectly when it destroys the EOR bucket.  [Brian Pane]
 6118 
 6119   *) Rewrite of logresolve support utility: IPv6 addresses are now supported
 6120      and the format of statistical output has changed. [Colm MacCarthaigh]
 6121 
 6122   *) Rewrite of ap_coreoutput_filter to do nonblocking writes  [Brian Pane]
 6123 
 6124   *) Added new connection states for handler and write completion
 6125      [Brian Pane]
 6126 
 6127   *) mod_cgid: Refuse to work on Solaris 10 due to OS bugs.  PR 34264.
 6128      [Justin Erenkrantz]
 6129 
 6130   *) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive,
 6131      allowing string-valued client certificate attributes to be used for
 6132      access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1")
 6133      [Martin Kraemer, David Reid]
 6134 
 6135   [Apache 2.3.0-dev includes those bug fixes and changes with the
 6136    Apache 2.2.xx tree as documented, and except as noted, below.]
 6137 
 6138 Changes with Apache 2.2.x and later:
 6139 
 6140   *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
 6141 
 6142 Changes with Apache 2.0.x and later:
 6143 
 6144   *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup