httpd-cvs mailing list archives

From j..@apache.org
Subject svn commit: r10757 [2/3] - /dev/httpd/
Date Fri, 09 Oct 2015 17:38:57 GMT
Added: dev/httpd/CHANGES_2.4
==============================================================================
--- dev/httpd/CHANGES_2.4 (added)
+++ dev/httpd/CHANGES_2.4 Fri Oct  9 17:38:56 2015
@@ -0,0 +1,4387 @@
+                                                         -*- coding: utf-8 -*-
+
+Changes with Apache 2.4.17
+
+  *) mod_http2: added donated HTTP/2 implementation via core module. Similar
+     configuration options to mod_ssl. [Stefan Eissing]
+
+  *) mod_proxy: don't recyle backend announced "Connection: close" connections
+     to avoid reusing it should the close be effective after some new request
+     is ready to be sent.  [Yann Ylavic]
+
+  *) mod_substitute: Allow to configure the patterns merge order with the new
+     SubstituteInheritBefore on|off directive.  PR 57641
+     [Marc.Stern <Marc.Stern approach.be>, Yann Ylavic, William Rowe]
+
+  *) mod_proxy: Fix ProxySourceAddress binding failure with AH00938.
+     PR 56687.  [Arne de Bruijn <apache arbruijn.dds.nl>
+
+  *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3,
+     and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
+     in accordance with RFC 7568. PR 58349, PR 57120. [Kaspar Brand]
+
+  *) mod_ssl: append :!aNULL:!eNULL:!EXP to the cipher string settings,
+     instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
+     and later). Enables support for configuring the SUITEB* cipher
+     strings introduced in OpenSSL 1.0.2. PR 58213. [Kaspar Brand]
+
+  *) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
+     of subjectAltName entries of type "otherName" into
+     SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
+     variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,
+     Kaspar Brand]
+
+  *) mod_logio: Fix logging of %^FB (time to first byte) on the first request on
+     an SSL connection.  PR 58454.  
+     [Konstantin J. Chernov <k.j.chernov gmail.com>]
+
+  *) mod_cache: r->err_headers_out is not merged into
+     r->headers when mod_cache is enabled and the response
+     is cached for the first time. [Edward Lu]
+
+  *) mod_slotmem_shm: Fix slots/SHM files names on restart for systems that
+     can't create new (clear) slots while previous children gracefully stopping
+     still use the old ones (e.g. Windows, OS2). mod_proxy_balancer failed to
+     restart whenever the number of configured balancers/members changed during
+     restart.  PR 58024.  [Yann Ylavic]
+
+  *) core/util_script: make REDIRECT_URL a full URL.  PR 57785. [Nick Kew]
+
+  *) MPMs: Support SO_REUSEPORT to create multiple duplicated listener
+     records for scalability. [Yingqi Lu <yingqi.lu@intel.com>,
+     Jeff Trawick, Jim Jagielski, Yann Ylavic]
+
+  *) mod_proxy: Fix a race condition that caused a failed worker to be retried
+     before the retry period is over. [Ruediger Pluem]
+
+  *) mod_autoindex: Allow autoindexes when neither mod_dir nor mod_mime are
+     loaded. [Eric Covener]
+
+  *) mod_rewrite:  Allow cookies set by mod_rewrite to contain ':' by accepting
+     ';' as an alternate separator.  PR47241. 
+     [<bugzilla schermesser com>, Eric Covener]
+
+  *) apxs: Add HTTPD_VERSION and HTTPD_MMN to the variables available with 
+     apxs -q. PR58202. [Daniel Shahaf <danielsh apache.org>]
+
+  *) mod_rewrite: Avoid a crash when lacking correct DB access permissions
+     when using RewriteMap with MapType dbd or fastdbd.  [Christophe Jaillet]
+
+  *) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions.
+     PR 57868. [Jose Kahan <jose w3.org>, Yann Ylavic]
+
+  *) mod_socache_memcache: Add the 'MemcacheConnTTL' directive to control how 
+     long to keep idle connections with the memcache server(s).
+     Change default value from 600 usec (!) to 15 sec. PR 58091
+     [Christophe Jaillet]
+
+  *) mod_dir: Prevent the internal identifier "httpd/unix-directory" from
+     appearing as a Content-Type response header when requests for a directory
+     are rewritten by mod_rewrite. [Eric Covener]
+
+Changes with Apache 2.4.16
+
+  *) http: Fix LimitRequestBody checks when there is no more bytes to read.
+     [Michael Kaufmann <mail michael-kaufmann.ch>]
+
+  *) mod_alias: Revert expression parser support for Alias, ScriptAlias
+     and Redirect due to a regression (introduced in 2.4.13, not released).
+
+  *) mod_reqtimeout: Don't let pipelining checks and keep-alive times interfere
+     with the timeouts computed for subsequent requests.  PR 56729.
+     [Eric Covener, Yann Ylavic]
+
+  *) core: Avoid a possible truncation of the faulty header included in the
+     HTML response when LimitRequestFieldSize is reached.  [Yann Ylavic]
+
+  *) mod_ldap: In some case, LDAP_NO_SUCH_ATTRIBUTE could be returned instead
+     of an error during a compare operation. [Eric Covener]
+
+Changes with Apache 2.4.15 (not released)
+
+  *) mod_ext_filter, mod_charset_lite: Avoid inadvertent filtering of protocol
+     data during read of chunked request bodies. PR 58049. 
+     [Edward Lu <Chaosed0 gmail.com>]
+
+  *) mod_ldap: Stop leaking LDAP connections when 'LDAPConnectionPoolTTL 0' 
+     is configured.  PR 58037.  [Ted Phelps <phelps gnusto.com>]
+
+  *) core: Allow spaces after chunk-size for compatibility with implementations
+     using a pre-filled buffer.  [Yann Ylavic, Jeff Trawick]
+
+  *) mod_ssl: Remove deprecated SSLCertificateChainFile warning.
+     [Yann Ylavic]
+
+Changes with Apache 2.4.14 (not released)
+
+  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
+     core: Fix chunk header parsing defect.
+     Remove apr_brigade_flatten(), buffering and duplicated code from
+     the HTTP_IN filter, parse chunks in a single pass with zero copy.
+     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
+     authorized characters.  [Graham Leggett, Yann Ylavic]
+
+  *) SECURITY: CVE-2015-3185 (cve.mitre.org)
+     Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
+     with new ap_some_authn_required and ap_force_authn hook.  [Ben Reser]
+
+Changes with Apache 2.4.13 (not released)
+
+  *) SECURITY: CVE-2015-0253 (cve.mitre.org)
+     core: Fix a crash with ErrorDocument 400 pointing to a local URL-path 
+     with the INCLUDES filter active, introduced in 2.4.11. PR 57531. 
+     [Yann Ylavic]
+
+  *) SECURITY: CVE-2015-0228 (cve.mitre.org)
+     mod_lua: A maliciously crafted websockets PING after a script
+     calls r:wsupgrade() can cause a child process crash. 
+     [Edward Lu <Chaosed0 gmail.com>]
+
+  *) mod_proxy: Don't put the worker in error state for 500 or 503 errors
+     returned by the backend unless failonstatus is configured to.  PR 56925.
+     [Yann Ylavic]
+
+  *) core: Don't lowercase the argument to SetHandler if it begins with
+     "proxy:unix". PR 57968. [Eric Covener]
+
+  *) mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
+     the OCSP response for a different certificate.  mod_ssl has an additional
+     global mutex, "ssl-stapling-refresh".  PR 57131 (partial fix).
+     [Jeff Trawick]
+
+  *) mod_authz_dbm: Fix crashes when "dbm-file-group" is used and
+     authz modules were loaded in the "wrong" order.  [Joe Orton]
+
+  *) mod_authn_dbd, mod_authz_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
+     of DB lookup entries independently of the selected DB engine.  PR 46421.
+     [Steven whitson <steven.whitson gmail com>, Jan Kaluza, Yann Ylavic].
+
+  *) In alignment with RFC 7525, the default recommended SSLCipherSuite
+     and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
+     default recommended SSLProtocol and SSLProxyProtocol directives now
+     exclude SSLv3. Existing configurations must be adjusted by the
+     administrator. [William Rowe]
+
+  *) mod_ssl: Add support for extracting subjectAltName entries of type
+     rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
+     environment variables. Also addresses PR 57207. [Kaspar Brand]
+
+  *) dav_validate_request: avoid validating locks and ETags when there are
+     no If headers providing them on a resource we aren't modifying.
+     [Ben Reser]
+
+  *) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
+     response header to be used by the application, for when the application
+     or framework is unable to return Location in the internal-redirect
+     form.  [Jeff Trawick]
+
+  *) core: Cleanup the request soon/even if some output filter fails to
+     handle the EOR bucket.  [Yann Ylavic]
+
+  *) mpm_event: Allow for timer events duplicates. [Jim Jagielski, Yann Ylavic]
+
+  *) mod_proxy, mod_ssl, mod_cache_socache, mod_socache_*: Support machine
+     readable server-status produced when using the "?auto" query string.
+     [Rainer Jung]
+
+  *) mod_status: Add more data to machine readable server-status produced
+     when using the "?auto" query string.  [Rainer Jung]
+
+  *) mod_ssl: Check for the Entropy Gathering Daemon (EGD) availability at
+     configure time (RAND_egd), and complain if SSLRandomSeed requires using
+     it otherwise.  [Bernard Spil <pil.oss gmail com>, Stefan Sperling,
+     Kaspar Brand]
+
+  *) mod_ssl: make sure to consistently output SSLCertificateChainFile
+     deprecation warnings, when encountered in a VirtualHost block.
+     [Falco Schwarz <hiding falco.me>]
+
+  *) mod_log_config: Add "%{UNIT}T" format to output request duration in
+     seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
+     [Ben Reser, Rainer Jung]
+
+  *) Allow FallbackResource to work when a directory is requested and
+     there is no autoindex nor DirectoryIndex. 
+     [Jack <tjerk.meesters gmail.com>, Eric Covener]
+
+  *) mod_proxy_wstunnel: Bypass the handler while the connection is not
+     upgraded to WebSocket, so that other modules can possibly take over
+     the leading HTTP requests.  [Yann Ylavic]
+
+  *) mod_http: Fix incorrect If-Match handling. PR 57358
+     [Kunihiko Sakamoto <ksakamoto google.com>]
+
+  *) mod_ssl: Add a warning if protocol given in SSLProtocol or SSLProxyProtocol
+     will override other parameters given in the same directive. This could be
+     a missing + or - prefix.  PR 52820 [Christophe Jaillet]
+
+  *) core, modules: Avoid error response/document handling by the core if some
+     handler or input filter already did it while reading the request (causing
+     a double response body).  [Yann Ylavic]
+
+  *) mod_proxy_ajp: Fix client connection errors handling and logged status
+     when it occurs.  PR 56823.  [Yann Ylavic]
+
+  *) mod_proxy: Use the correct server name for SNI in case the backend
+     SSL connection itself is established via a proxy server.
+     PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
+
+  *) mod_ssl: Fix possible crash when loading server certificate constraints.
+     PR 57694. [Paul Spangler <paul.spangler ni com>, Yann Ylavic]
+
+  *) build: Don't load both mod_cgi and mod_cgid in the default configuration
+     if they're both built.  [olli hauer <ohauer gmx.de>]
+
+  *) mod_logio: Add LogIOTrackTTFB and %^FB logformat to log the time 
+     taken to start writing response headers. [Eric Covener]
+
+  *) mod_ssl: Avoid compilation errors with LibreSSL related to
+     the use of ENGINE_CTRL_CHIL_SET_FORKCHECK. 
+     [Stuart Henderson <sthen openbsd.org>]
+
+  *) mod_proxy_http: Use the "Connection: close" header for requests to
+     backends not recycling connections (disablereuse), including the default
+     reverse and forward proxies.  [Yann Ylavic]
+
+  *) mod_proxy: Add ap_connection_reusable() for checking if a connection
+     is reusable as of this point in processing.  [Jeff Trawick]
+
+  *) mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad
+     Gateway) when no response is ever received from the backend.
+     [Jan Kaluza]
+
+  *) core_filters: Restore/disable TCP_NOPUSH option after non-blocking
+     sendfile.  [Yann Ylavic]
+
+  *) mod_buffer: Forward flushed input data immediately and avoid (unlikely)
+     access to freed memory. [Yann Ylavic, Christophe Jaillet]
+
+  *) core: Add CGIPassAuth directive to control whether HTTP authorization
+     headers are passed to scripts as CGI variables.  PR 56855.  [Jeff 
+     Trawick]
+
+  *) core: Initialize scoreboard's used optional functions on graceful restarts
+     to avoid a crash when relocation occurs.  PR 57177.  [Yann Ylavic]
+
+  *) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
+     back to a client. The answer to a LOCK request could be an extremly large
+     integer if the time needed to lock the resource was longer that the
+     requested timeout given in the LOCK request. In such a case, we now answer
+     "Second-0".  PR55420
+     [Christophe Jaillet]
+
+  *) mod_cgid: Within the first minute of a server start or restart, 
+     allow mod_cgid to retry connecting to its daemon process. Previously,
+     'No such file or directory: unable to connect to cgi daemon...' could
+     be logged without an actual retry. PR57685. 
+     [Edward Lu <Chaosed0 gmail.com>]
+     
+  *) mod_proxy: Use the original (non absolute) form of the request-line's URI
+     for requests embedded in CONNECT payloads used to connect SSL backends via
+     a ProxyRemote forward-proxy.  PR 55892.  [Hendrik Harms <hendrik.harms
+     gmail com>, William Rowe, Yann Ylavic]
+
+  *) http: Make ap_die() robust against any HTTP error code and not modify
+     response status (finally logged) when nothing is to be done. PR 56035.
+     [Yann Ylavic]
+
+  *) mod_proxy_connect/wstunnel: If both client and backend sides get readable
+     at the same time, don't lose errors occuring while forwarding on the first
+     side when none occurs next on the other side, and abort.  [Yann Ylavic]
+
+  *) mod_rewrite: Improve relative substitutions in per-directory/htaccess
+     context for directories found by mod_userdir and mod_alias.  These no
+     longer require RewriteBase to be specified. [Eric Covener]
+
+  *) mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
+     finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
+     or force-proxy-request-1.0.  [Yann Ylavic]
+
+  *) core: If explicitly configured, use the KeepaliveTimeout value of the
+     virtual host which handled the latest request on the connection, or by
+     default the one of the first virtual host bound to the same IP:port.
+     PR56226.  [Yann Ylavic]
+
+  *) mod_lua: After a r:wsupgrade(), mod_lua was not properly
+     responding to a websockets PING but instead invoking the specified 
+     script. PR57524. [Edward Lu <Chaosed0 gmail.com>]
+
+  *) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
+     a combination of certificate serialNumber and issuer as defined by
+     CertificateExactMatch in RFC4523. [Graham Leggett]
+
+  *) core: Add expression support to ErrorDocument. Switch from a fixed
+     sized 664 byte array per merge to a hash table. [Graham Leggett]
+
+  *) ab: Add missing longest request (100%) to CSV export.
+     [Marcin Fabrykowski <bugzilla fabrykowski.pl>] 
+
+  *) mod_macro: Clear macros before initialization to avoid use-after-free
+     on startup or restart when the module is linked statically. PR 57525
+     [apache.org tech.futurequest.net, Yann Ylavic]
+
+  *) mod_alias: Introduce expression parser support for Alias, ScriptAlias
+     and Redirect. [Graham Leggett]
+
+  *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context. 
+     PR 57100.  [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
+     Yann Ylavic]
+
+  *) mpm_event: Avoid access to the scoreboard from the connection while
+     it is suspended (waiting for events).  [Eric Covener, Jeff Trawick]
+
+  *) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
+     PR 57334.  [Yann Ylavic].
+
+  *) mod_deflate: A misplaced check prevents limiting small bodies with the
+     new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]
+
+  *) mod_proxy_ajp: Forward SSL protocol name (SSLv3, TLSv1.1 etc.) as a
+     request attribute to the backend. Recent Tomcat versions will extract
+     it and provide it as a servlet request attribute named
+     "org.apache.tomcat.util.net.secure_protocol_version". [Rainer Jung]
+
+  *) core: Optimize string concatenation in expression parser when evaluating
+     a string expression. [Rainer Jung]
+
+  *) acinclude.m4: Generate #LoadModule directive in default httpd.conf for
+     every --enable-mpms-shared. PR 53882.  [olli hauer <ohauer gmx.de>,
+     Yann Ylavic]
+
+  *) mod_authn_dbd: Fix the error message logged in case of error while querying
+     the database. This is associated to AH01656 and AH01661. [Christophe Jaillet]
+
+  *) mod_authz_groupfile: Reduce the severity of AH01667 from ERROR to DEBUG,
+     because it may be evaluated inside <RequireAny>. PR55523. [Eric Covener] 
+
+  *) mod_ssl: Fix small memory leak during initialization when ECDH is used.
+     [Jan Kaluza]
+
+Changes with Apache 2.4.12
+
+  *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
+     internationalization.  [William Rowe]
+
+  *) mpm_winnt: Normalize the error and status messages emitted by service.c,
+     the service control interface for Windows.  [William Rowe]
+
+  *) configure: Fix --enable-v4-mapped configuration on *BSD. PR 53824.
+     [ olli hauer <ohauer gmx.de>, Yann Ylavic ]
+
+  *) Reverted <DirectoryMatch > behavior regression introduced in 2.4.11
+     (not released).
+
+Changes with Apache 2.4.11 (not released)
+  
+  *) SECURITY: CVE-2014-3583 (cve.mitre.org)
+     mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with 
+     response headers' size above 8K.  [Yann Ylavic, Jeff Trawick]
+
+  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
+     mod_cache: Avoid a crash when Content-Type has an empty value.
+     PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
+
+  *) SECURITY: CVE-2014-8109 (cve.mitre.org)
+     mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
+     used in multiple Require directives with different arguments.
+     PR57204 [Edward Lu <Chaosed0 gmail.com>]
+
+  *) SECURITY: CVE-2013-5704 (cve.mitre.org)
+     core: HTTP trailers could be used to replace HTTP headers
+     late during request processing, potentially undoing or
+     otherwise confusing modules that examined or modified
+     request headers earlier.  Adds "MergeTrailers" directive to restore
+     legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
+
+  *) mod_ssl: New directive SSLSessionTickets (On|Off).
+     The directive controls the use of TLS session tickets (RFC 5077),
+     default value is "On" (unchanged behavior).
+     Session ticket creation uses a random key created during web
+     server startup and recreated during restarts. No other key
+     recreation mechanism is available currently. Therefore using session
+     tickets without restarting the web server with an appropriate frequency
+     (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
+
+  *) mod_proxy_fcgi: Provide some basic alternate options for specifying 
+     how PATH_INFO is passed to FastCGI backends by adding significance to
+     the value of proxy-fcgi-pathinfo. PR 55329. [Eric Covener]
+ 
+  *) mod_proxy_fcgi: Enable UDS backends configured with SetHandler/RewriteRule
+     to opt-in to connection reuse and other Proxy options via explicitly
+     declared "proxy workers" (<Proxy unix:... enablereuse=on max=...)
+     [Eric Covener]
+
+  *) mod_proxy: Add "enablereuse" option as the inverse of "disablereuse".
+     [Eric Covener]
+
+  *) mod_proxy_fcgi: Enable opt-in to TCP connection reuse by explicitly
+     setting proxy option disablereuse=off. [Eric Covener] PR 57378.
+
+  *) event: Update the internal "connection id" when requests
+     move from thread to thread. Reuse can confuse modules like
+     mod_cgid. PR 57435. [Michael Thorpe <mike gistnet.com>]
+
+  *) mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME
+     passed to fastcgi backends. [Eric Covener]
+
+  *) core: Configuration files with long lines and continuation characters
+     are not read properly. PR 55910. [Manuel Mausz <manuel-as mausz.at>]
+
+  *) mod_include: the 'env' function was incorrectly handled as 'getenv' if the
+     leading 'e' was written in upper case in <!--#if expr="..." -->
+     statements. [Christophe Jaillet]
+
+  *) split-logfile: Fix perl error:  'Can't use string ("example.org:80") 
+     as a symbol ref while "strict refs"'. PR 56329.
+     [Holger Mauermann <mauermann gmail.com>]
+
+  *) mod_proxy: Prevent ProxyPassReverse from doing a substitution when
+     the URL parameter interpolates to an empty string. PR 56603.
+     [<ajprout hotmail.com>]
+
+  *) core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts. 
+     PR 57328.  [Armin Abfalterer <a.abfalterer gmail.com>, Yann Ylavic].
+
+  *) mod_proxy: Preserve original request headers even if they differ
+     from the ones to be forwarded to the backend. PR 45387.
+     [Yann Ylavic]
+
+  *) mod_ssl: dump SSL IO/state for the write side of the connection(s),
+     like reads (level TRACE4). [Yann Ylavic]
+
+  *) mod_proxy_fcgi: Ignore body data from backend for 304 responses. PR 57198.
+     [Jan Kaluza]
+
+  *) mod_ssl: Do not crash when looking up SSL related variables during
+     expression evaluation on non SSL connections. PR 57070  [Ruediger Pluem]
+
+  *) mod_proxy_ajp: Fix handling of the default port (8009) in the
+     ProxyPass and <Proxy> configurations.  PR 57259.  [Yann Ylavic]
+
+  *) mpm_event: Avoid a possible use after free when notifying the end of
+     connection during lingering close.  PR 57268.  [Eric Covener, Yann Ylavic]
+
+  *) mod_ssl: Fix recognition of OCSP stapling responses that are encoded
+     improperly or too large.  [Jeff Trawick]
+
+  *) core: Add ap_log_data(), ap_log_rdata(), etc. for logging buffers.
+     [Jeff Trawick]
+
+  *) mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an
+     error when parsing or forwarding the response fails. [Yann Ylavic]
+
+  *) mod_ssl: Fix a memory leak in case of graceful restarts with OpenSSL >= 0.9.8e
+     PR 53435 [tadanori <tadanori2007 yahoo.com>, Sebastian Wiedenroth <wiedi frubar.net>]
+
+  *) mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read
+     determine whether it is a normal close or a real error. PR 57168. [Yann
+     Ylavic]
+
+  *) mod_proxy_wstunnel: abort backend connection on polling error to avoid
+     further processing.  [Yann Ylavic]
+
+  *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
+     PR 57167 [Edward Lu <Chaosed0 gmail.com>]
+
+  *) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC 
+     systems. PR 57092 [Edward Lu <Chaosed0 gmail.com>]
+
+  *) mod_cache: Avoid a 304 response to an unconditional requst when an AH00752
+     CacheLock error occurs during cache revalidation. [Eric Covener]
+ 
+  *) mod_ssl: Move OCSP stapling information from a per-certificate store to
+     a per-server hash. PR 54357, PR 56919. [Alex Bligh <alex alex.org.uk>,
+     Yann Ylavic, Kaspar Brand]
+
+  *) mod_cache_socache: Change average object size hint from 32 bytes to
+     2048 bytes.  [Rainer Jung]
+
+  *) mod_cache_socache: Add cache status to server-status.  [Rainer Jung]
+
+  *) event: Fix worker-listener deadlock in graceful restart.
+     PR 56960.
+
+  *) Concat strings at compile time when possible. PR 53741.
+
+  *) mod_substitute: Restrict configuration in .htaccess to
+     FileInfo as documented.  [Rainer Jung]
+
+  *) mod_substitute: Make maximum line length configurable.  [Rainer Jung]
+
+  *) mod_substitute: Fix line length limitation in case of regexp plus flatten.
+     [Rainer Jung]
+  
+  *) mod_proxy: Truncated character worker names are no longer fatal
+     errors. PR53218. [Jim Jagielski]
+
+  *) mod_dav: Set r->status_line in dav_error_response. PR 55426.
+
+  *) mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory.
+     [Yann Ylavic, Christophe Jaillet]
+
+  *) http_protocol: fix logic in ap_method_list_(add|remove) in order:
+       - to correctly reset bits
+       - not to modify the 'method_mask' bitfield unnecessarily
+     [Christophe Jaillet]
+
+  *) mod_slotmem_shm: Increase log level for some originally debug messages.
+     [Jim Jagielski]
+
+  *) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with
+     the wrong credentials when a backend connection is reused.
+     [Eric Covener]
+
+  *) mod_macro: Add missing APLOGNO for some Warning log messages.
+     [Christophe Jaillet]
+
+  *) mod_cache: Avoid sending 304 responses during failed revalidations
+     PR56881. [Eric Covener]
+
+  *) mod_status: Honor client IP address using mod_remoteip. PR 55886.
+     [Jim Jagielski]
+
+  *) cmake-based build for Windows: Fix incompatibility with cmake 2.8.12
+     and later.  PR 56615.  [Chuck Liu <cliu81 gmail.com>, Jeff Trawick]
+
+  *) mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade
+     failed) messages from ERROR to TRACE1.  Other filters do not bother 
+     re-reporting failures from lower level filters.  PR56832.  [Eric Covener]
+
+  *) core: Avoid useless warning message when parsing a section guarded by
+     <IfDefine foo> if $(foo) is used within the section.
+     PR 56503 [Christophe Jaillet]
+
+  *) mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the
+     application.  PR 56858.  [Manuel Mausz <manuel-asf mausz.at>]
+
+  *) mod_proxy_http: Proxy responses with error status and
+     "ProxyErrorOverride On" hang until proxy timeout.
+     PR53420 [Rainer Jung]
+
+  *) mod_log_config: Allow three character log formats to be registered. For
+     backwards compatibility, the first character of a three-character format
+     must be the '^' (caret) character.  [Eric Covener]
+
+  *) mod_lua: Don't quote Expires and Path values. PR 56734.
+     [Keith Mashinter, <kmashint yahoo com>]
+
+  *) mod_authz_core: Allow <AuthzProviderAlias>'es to be seen from auth
+     stanzas under virtual hosts. PR 56870. [Eric Covener]
+
+Changes with Apache 2.4.10
+
+  *) SECURITY: CVE-2014-0117 (cve.mitre.org)
+     mod_proxy: Fix crash in Connection header handling which allowed a denial
+     of service attack against a reverse proxy with a threaded MPM.
+     [Ben Reser]
+
+  *) SECURITY: CVE-2014-3523 (cve.mitre.org)
+     Fix a memory consumption denial of service in the WinNT MPM, used in all
+     Windows installations. Workaround: AcceptFilter <protocol> {none|connect}
+     [Jeff Trawick]
+
+  *) SECURITY: CVE-2014-0226 (cve.mitre.org)
+     Fix a race condition in scoreboard handling, which could lead to
+     a heap buffer overflow.  [Joe Orton, Eric Covener]
+
+  *) SECURITY: CVE-2014-0118 (cve.mitre.org)
+     mod_deflate: The DEFLATE input filter (inflates request bodies) now
+     limits the length and compression ratio of inflated request bodies to
+     avoid denial of service via highly compressed bodies.  See directives
+     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
+     and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
+
+  *) SECURITY: CVE-2014-0231 (cve.mitre.org)
+     mod_cgid: Fix a denial of service against CGI scripts that do
+     not consume stdin that could lead to lingering HTTPD child processes
+     filling up the scoreboard and eventually hanging the server.  By
+     default, the client I/O timeout (Timeout directive) now applies to
+     communication with scripts.  The CGIDScriptTimeout directive can be
+     used to set a different timeout for communication with scripts.
+     [Rainer Jung, Eric Covener, Yann Ylavic]
+
+  *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
+     resumed by TLS session resumption (RFC 5077). [Rainer Jung]
+
+  *) mod_deflate: Don't fail when flushing inflated data to the user-agent
+     and that coincides with the end of stream ("Zlib error flushing inflate
+     buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]
+
+  *) mod_proxy_ajp: Forward local IP address as a custom request attribute
+     like we already do for the remote port. [Rainer Jung]
+
+  *) core: Include any error notes set by modules in the canned error
+     response for 403 errors.  [Jeff Trawick]
+
+  *) mod_ssl: Set an error note for requests rejected due to
+     SSLStrictSNIVHostCheck.  [Jeff Trawick]
+
+  *) mod_ssl: Fix issue with redirects to error documents when handling
+     SNI errors.  [Jeff Trawick]
+
+  *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
+     larger keys and support up to 8192-bit keys.  [Ruediger Pluem,
+     Joe Orton]
+
+  *) mod_dav: Fix improper encoding in PROPFIND responses.  PR 56480.
+     [Ben Reser]
+
+  *) WinNT MPM: Improve error handling for termination events in child.
+     [Jeff Trawick]
+
+  *) mod_proxy: When ping/pong is configured for a worker, don't send or
+     forward "100 Continue" (interim) response to the client if it does
+     not expect one. [Yann Ylavic]
+
+  *) mod_ldap: Be more conservative with the last-used time for
+     LDAPConnectionPoolTTL. PR54587 [Eric Covener]
+
+  *) mod_ldap: LDAP connections used for authn were not respecting
+     LDAPConnectionPoolTTL. PR54587 [Eric Covener]
+
+  *) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.
+     [Jeff Trawick]
+
+  *) event MPM: Fix possible crashes (third-party modules accessing c->sbh) 
+     or occasional missed mod_status updates under load. PR 56639.
+     [Edward Lu <Chaosed0 gmail com>]
+
+  *) mod_authnz_ldap: Support primitive LDAP servers do not accept
+     filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
+     filter "none" to be specified in AuthLDAPURL. [Eric Covener]
+
+  *) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
+     [Lukas Bezdicka <social v3.sk>]
+
+  *) mod_deflate: Handle Zlib header and validation bytes received in multiple
+     chunks. PR 46146. [Yann Ylavic]
+
+  *) mod_proxy: Allow reverse-proxy to be set via explicit handler.
+     [ryo takatsuki <ryotakatsuki gmail com>]
+
+  *) ab: support custom HTTP method with -m argument. PR 56604.
+     [Roman Jurkov <winfinit gmail.com>]
+
+  *) mod_proxy_balancer: Correctly encode user provided data in management
+     interface. PR 56532 [Maksymilian, <max cert.cx>]
+
+  *) mod_proxy: Don't limit the size of the connectable Unix Domain Socket
+     paths. [Graham Dumpleton, Christophe Jaillet, Yann Ylavic]
+
+  *) mod_proxy_fcgi: Support iobuffersize parameter.  [Jeff Trawick]
+
+  *) event: Send the SSL close notify alert when the KeepAliveTimeout
+     expires. PR54998. [Yann Ylavic] 
+
+  *) mod_ssl: Ensure that the SSL close notify alert is flushed to the client.
+     PR54998. [Tim Kosse <tim.kosse filezilla-project.org>, Yann Ylavic] 
+
+  *) mod_proxy: Shutdown (eg. SSL close notify) the backend connection before
+     closing. [Yann Ylavic] 
+
+  *) mod_auth_form: Add a debug message when the fields on a form are not
+     recognised. [Graham Leggett]
+
+  *) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
+     response. PR 55547.  [Yann Ylavic]
+
+  *) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
+     scheme. PR55320. [Alex Liu <alex.leo.ca gmail.com>]
+
+  *) mod_socache_shmcb: Correct counting of expirations for status display.
+     Expirations happening during retrieval were not counted. [Rainer Jung]
+
+  *) mod_cache: Retry unconditional request with the full URL (including the
+     query-string) when the origin server's 304 response does not match the
+     conditions used to revalidate the stale entry.  [Yann Ylavic].
+
+  *) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
+     variables as a result of AliasMatch. [Eric Covener]
+ 
+  *) mod_cache: Don't add cached/revalidated entity headers to a 304 response.
+     PR 55547.  [Yann Ylavic]
+
+  *) mod_proxy_scgi: Support Unix sockets.  ap_proxy_port_of_scheme():
+     Support default SCGI port (4000).  [Jeff Trawick]
+
+  *) mod_cache: Fix AH00784 errors on Windows when the the CacheLock directive
+     is enabled.  [Eric Covener]
+
+  *) mod_expires: don't add Expires header to error responses (4xx/5xx),
+     be they generated or forwarded. PR 55669.  [Yann Ylavic]
+
+  *) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
+     (regression in 2.4.9 release) [Jeff Trawick]
+
+  *) mod_authn_socache: Fix crash at startup in certain configurations.
+     PR 56371. (regression in 2.4.7) [Jan Kaluza]
+
+  *) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
+     programs to the form used in releases up to 2.4.7, and emulate
+     a backwards-compatible behavior for existing setups. [Kaspar Brand]
+
+  *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
+     OCSP requests should use a nonce to be checked against the responder's
+     one. PR 56233. [Yann Ylavic, Kaspar Brand]
+
+  *) mod_ssl: "SSLEngine off" will now override a Listen-based default
+     and does disable mod_ssl for the vhost.  [Joe Orton]
+
+  *) mod_lua: Enforce the max post size allowed via r:parsebody()
+     [Daniel Gruno]
+
+  *) mod_lua: Use binary comparison to find boundaries for multipart 
+     objects, as to not terminate our search prematurely when hitting
+     a NULL byte. [Daniel Gruno]
+
+  *) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
+     versions before 0.9.8h and not specifying an SSLCertificateChainFile
+     (regression introduced with 2.4.8). PR 56410. [Kaspar Brand]
+
+  *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
+     no longer send warning-level unrecognized_name(112) alerts,
+     and limit startup warnings to cases where an OpenSSL version
+     without TLS extension support is used. PR 56241. [Kaspar Brand]
+
+  *) mod_proxy_html: Avoid some possible memory access violation in case of
+     specially crafted files, when the ProxyHTMLMeta directive is turned on.
+     Follow up of PR 56287 [Christophe Jaillet]
+
+  *) mod_auth_form: Make sure the optional functions are loaded even when
+     the AuthFormProvider isn't specified. [Graham Leggett]
+
+  *) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
+     (and logging garbled file names). PR 56306. [Kaspar Brand]
+
+  *) mod_ssl: fix merging of global and vhost-level settings with the
+     SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
+     directives. PR 56353. [Kaspar Brand]
+
+  *) mod_headers: Allow the "value" parameter of Header and RequestHeader to 
+     contain an ap_expr expression if prefixed with "expr=". [Eric Covener]
+
+  *) rotatelogs: Avoid creation of zombie processes when -p is used on
+     Unix platforms.  [Joe Orton]
+
+  *) mod_authnz_fcgi: New module to enable FastCGI authorizer
+     applications to authenticate and/or authorize clients.
+     [Jeff Trawick]
+
+  *) mod_proxy: Do not try to parse the regular expressions passed by
+     ProxyPassMatch as URL as they do not follow their syntax.
+     PR 56074. [Ruediger Pluem]
+
+  *) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests 
+     under the Event MPM. PR56216.  [Frank Meier <frank meier ergon ch>]
+
+  *) mod_proxy_fcgi: Fix sending of response without some HTTP headers
+     that might be set by filters.  PR 55558. [Jim Riggs <jim riggs.me>]
+
+  *) mod_proxy_html: Do not delete the wrong data from HTML code when a
+     "http-equiv" meta tag specifies a Content-Type behind any other
+     "http-equiv" meta tag. PR 56287 [Micha Lenk <micha lenk info>]
+
+  *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
+     differs. PR 55782.  [Yann Ylavic]
+
+  *) Add suspend_connection and resume_connection hooks to notify modules
+     when the thread/connection relationship changes.  (Should be implemented
+     for any third-party async MPMs.)  [Jeff Trawick]
+
+  *) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine 
+     hangups from websockets origin servers. PR 56299
+     [Yann Ylavic, Edward Lu <Chaosed0 gmail com>, Eric Covener] 
+
+  *) mod_proxy_wstunnel: Don't pool backend websockets connections,
+     because we need to handshake every time. PR 55890.
+     [Eric Covener]
+
+  *) mod_lua: Redesign how request record table access behaves,
+     in order to utilize the request record from within these tables.
+     [Daniel Gruno]
+
+  *) mod_lua: Add r:wspeek for peeking at WebSocket frames. [Daniel Gruno]
+ 
+  *) mod_lua: Log an error when the initial parsing of a Lua file fails.
+     [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
+
+  *) mod_lua: Reformat and escape script error output.
+     [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
+
+  *) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
+     from causing response splitting.
+     [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
+
+  *) mod_lua: Disallow newlines in table values inside the request_rec, 
+     to prevent HTTP Response Splitting via tainted headers.
+     [Daniel Gruno, Felipe Daragon <filipe syhunt com>]
+
+  *) mod_lua: Remove the non-working early/late arguments for 
+     LuaHookCheckUserID. [Daniel Gruno]
+
+  *) mod_lua: Change IVM storage to use shm [Daniel Gruno]
+
+  *) mod_lua: More verbose error logging when a handler function cannot be
+     found. [Daniel Gruno]
+
+Changes with Apache 2.4.9
+
+  *) mod_ssl: Work around a bug in some older versions of OpenSSL that
+     would cause a crash in SSL_get_certificate for servers where the
+     certificate hadn't been sent. [Stephen Henson]
+
+  *) mod_lua: Add a fixups hook that checks if the original request is intended 
+     for LuaMapHandler. This fixes a bug where FallbackResource invalidates the 
+     LuaMapHandler directive in certain cases by changing the URI before the map 
+     handler code executes [Daniel Gruno, Daniel Ferradal <dferradal gmail com>].
+
+Changes with Apache 2.4.8 (not released)
+
+  *) SECURITY: CVE-2014-0098 (cve.mitre.org)
+     Clean up cookie logging with fewer redundant string parsing passes.
+     Log only cookies with a value assignment. Prevents segfaults when
+     logging truncated cookies.
+     [William Rowe, Ruediger Pluem, Jim Jagielski]
+
+  *) SECURITY: CVE-2013-6438 (cve.mitre.org)
+     mod_dav: Keep track of length of cdata properly when removing
+     leading spaces. Eliminates a potential denial of service from
+     specifically crafted DAV WRITE requests
+     [Amin Tora <Amin.Tora neustar.biz>]
+
+  *) core: Support named groups and backreferences within the LocationMatch,
+     DirectoryMatch, FilesMatch and ProxyMatch directives. (Requires
+     non-ancient PCRE library) [Graham Leggett]
+
+  *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
+     TE/CL conflicts. [Yann Ylavic, Jim Jagielski]
+
+  *) core: Detect incomplete request and response bodies, log an error and
+     forward it to the underlying filters. PR 55475 [Yann Ylavic]
+
+  *) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping 
+     execution when a handler is already set. PR53929. [Eric Covener]
+
+  *) mod_ssl: Do not perform SNI / Host header comparison in case of a
+     forward proxy request. [Ruediger Pluem]
+
+  *) mod_ssl: Remove the hardcoded algorithm-type dependency for the
+     SSLCertificateFile and SSLCertificateKeyFile directives, to enable
+     future algorithm agility, and deprecate the SSLCertificateChainFile
+     directive (obsoleted by SSLCertificateFile). [Kaspar Brand]
+
+  *) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore, 
+     and IgnoreInherit to allow RewriteRules to be pushed from parent scopes
+     to child scopes without explicitly configuring each child scope.
+     PR56153.  [Edward Lu <Chaosed0 gmail com>] 
+
+  *) prefork: Fix long delays when doing a graceful restart.
+     PR 54852 [Jim Jagielski, Arkadiusz Miskiewicz <arekm maven pl>]
+
+  *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
+     5+ instead of just for FreeBSD 5. PR 53824. [Jeff Trawick]
+
+  *) mod_proxy_wstunnel: Avoid busy loop on client errors, drop message
+     IDs 02445, 02446, and 02448 to TRACE1 from DEBUG. PR 56145.
+     [Joffroy Christen <joffroy.christen solvaxis com>, Eric Covener]
+
+  *) mod_remoteip: Correct the trusted proxy match test. PR 54651.
+     [Yoshinori Ehara <yoshinori ehara gmail com>, Eugene L <eugenel amazon com>]
+
+  *) mod_proxy_fcgi: Fix error message when an unexpected protocol version
+     number is received from the application.  PR 56110.  [Jeff Trawick]
+
+  *) mod_remoteip: Use the correct IP addresses to populate the proxy_ips field.
+     PR 55972. [Mike Rumph]
+
+  *) mod_lua: Update r:setcookie() to accept a table of options and add domain,
+     path and httponly to the list of options available to set.
+     PR 56128 [Edward Lu <Chaosed0 gmail com>, Daniel Gruno]
+     
+  *) mod_lua: Fix r:setcookie() to add, rather than replace,
+     the Set-Cookie header. PR56105
+     [Kevin J Walters <kjw ms com>, Edward Lu <Chaosed0 gmail com>]
+
+  *) mod_lua: Allow for database results to be returned as a hash with 
+     row-name/value pairs instead of just row-number/value. [Daniel Gruno]
+
+  *) mod_rewrite: Add %{CONN_REMOTE_ADDR} as the non-useragent counterpart to
+     %{REMOTE_ADDR}. PR 56094. [Edward Lu <Chaosed0 gmail com>]
+
+  *) WinNT MPM: If ap_run_pre_connection() fails or sets c->aborted, don't
+     save the socket for reuse by the next worker as if it were an 
+     APR_SO_DISCONNECTED socket. Restores 2.2 behavior. [Eric Covener]
+
+  *) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a URL
+     that was just rewritten by mod_rewrite. PR53929. [Eric Covener]
+
+  *) mod_session: When we have a session we were unable to decode,
+     behave as if there was no session at all. [Thomas Eckert
+     <thomas.r.w.eckert gmail com>]
+
+  *) mod_session: Fix problems interpreting the SessionInclude and
+     SessionExclude configuration. PR 56038. [Erik Pearson
+     <erik adaptations.com>]
+
+  *) mod_authn_core: Allow <AuthnProviderAlias>'es to be seen from auth
+     stanzas under virtual hosts. PR 55622. [Eric Covener]
+
+  *) mod_proxy_fcgi: Use apr_socket_timeout_get instead of hard-coded
+     30 seconds timeout. [Jan Kaluza]
+
+  *) build: only search for modules (config*.m4) in known subdirectories, see
+     build/config-stubs. [Stefan Fritsch]
+
+  *) mod_cache_disk: Fix potential hangs on Windows when using mod_cache_disk. 
+     PR 55833. [Eric Covener]
+
+  *) mod_ssl: Add support for OpenSSL configuration commands by introducing
+     the SSLOpenSSLConfCmd directive. [Stephen Henson, Kaspar Brand]
+
+  *) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
+     is equivalent to <ProxyMatch wildcard-url>. [Christophe Jaillet]
+
+  *) mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
+     mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
+     require directives. [Graham Leggett]
+
+  *) mod_proxy_http: Core dumped under high load. PR 50335.
+     [Jan Kaluza <jkaluza redhat.com>]
+
+  *) mod_socache_shmcb.c: Remove arbitrary restriction on shared memory size
+     previously limited to 64MB. [Jens Låås <jelaas gmail.com>]
+
+  *) mod_lua: Use binary copy when dealing with uploads through r:parsebody() 
+     to prevent truncating files. [Daniel Gruno]
+
+Changes with Apache 2.4.7
+
+  *) SECURITY: CVE-2013-4352 (cve.mitre.org)
+     mod_cache: Fix a NULL pointer deference which allowed untrusted
+     origin servers to crash mod_cache in a forward proxy
+     configuration.  [Graham Leggett]
+
+  *) APR 1.5.0 or later is now required for the event MPM.
+  
+  *) slotmem_shm: Error detection. [Jim Jagielski]
+
+  *) event: Use skiplist data structure. [Jim Jagielski]
+
+  *) event: Fail at startup with message AP02405 if the APR atomic
+     implementation is not compatible with the MPM.  [Jim Jagielski]
+
+  *) mpm_unix: Add ap_mpm_podx_* implementation to avoid code duplication
+     and align w/ trunk. [Jim Jagielski]
+
+  *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
+     directives.  [Mike Rumph <mike.rumph oracle.com>]
+
+  *) mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars.
+     An individual envvar with an encoded length of more than 16K will be
+     omitted.  [Jeff Trawick]
+  
+  *) mod_proxy_fcgi: Handle reading protocol data that is split between
+     packets.  [Jeff Trawick]
+
+  *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
+     allowing custom parameters to be configured via SSLCertificateFile,
+     and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
+     Unless custom parameters are configured, the standardized parameters
+     are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
+
+  *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]
+
+  *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
+     keys, and unconditionally disable aNULL, eNULL and EXP ciphers
+     (not overridable via SSLCipherSuite). [Kaspar Brand]
+
+  *) mod_proxy: Added support for unix domain sockets as the
+     backend server endpoint [Jim Jagielski, Blaise Tarr
+     <blaise tarr gmail com>]
+
+  *) Add experimental cmake-based build system for Windows.  [Jeff Trawick,
+     Tom Donovan]
+
+  *) event MPM: Fix possible crashes (third party modules accessing c->sbh) 
+     or occasional missed mod_status updates for some keepalive requests 
+     under load. [Eric Covener]
+
+  *) mod_authn_socache: Support optional initialization arguments for
+     socache providers.  [Chris Darroch]
+
+  *) mod_session: Reset the max-age on session save. PR 47476. [Alexey
+     Varlamov <alexey.v.varlamov gmail com>]
+
+  *) mod_session: After parsing the value of the header specified by the
+     SessionHeader directive, remove the value from the response. PR 55279.
+     [Graham Leggett]
+
+  *) mod_headers: Allow for format specifiers in the substitution string
+     when using Header edit. [Daniel Ruggeri]
+
+  *) mod_dav: dav_resource->uri is treated as unencoded. This was an
+     unnecessary ABI changed introduced in 2.4.6. PR 55397.
+
+  *) mod_dav: Don't require lock tokens for COPY source. PR 55306.
+
+  *) core: Don't truncate output when sending is interrupted by a signal,
+     such as from an exiting CGI process. PR 55643. [Jeff Trawick]
+
+  *) WinNT MPM: Exit the child if the parent process crashes or is terminated.
+     [Oracle Corporation]
+
+  *) Windows: Correct failure to discard stderr in some error log
+     configurations.  (Error message AH00093)  [Jeff Trawick]
+
+  *) mod_session_crypto: Allow using exec: calls to obtain session
+     encryption key.  [Daniel Ruggeri]
+
+  *) core: Add missing Reason-Phrase in HTTP response headers.
+     PR 54946. [Rainer Jung]
+
+  *) mod_rewrite: Make rewrite websocket-aware to allow proxying.
+     PR 55598. [Chris Harris <chris.harris kitware com>]
+
+  *) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
+     instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]
+
+  *) ab: Add wait time, fix processing time, and output write errors only if
+     they occured. [Christophe Jaillet]
+
+  *) worker MPM: Don't forcibly kill worker threads if the child process is
+     exiting gracefully.  [Oracle Corporation]
+
+  *) core: apachectl -S prints wildcard name-based virtual hosts twice. 
+     PR54948 [Eric Covener]
+
+  *) mod_auth_basic: Add AuthBasicUseDigestAlgorithm directive to
+     allow migration of passwords from digest to basic authentication.
+     [Chris Darroch]
+
+  *) ab: Add a new -l parameter in order not to check the length of the responses.
+     This can be usefull with dynamic pages.
+     PR9945, PR27888, PR42040 [<ccikrs1 cranbrook edu>]
+     
+  *) Suppress formatting of startup messages written to the console when
+     ErrorLogFormat is used.  [Jeff Trawick]
+
+  *) mod_auth_digest: Be more specific when the realm mismatches because the
+     realm has not been specified. [Graham Leggett]
+
+  *) mod_proxy: Add a note in the balancer manager stating whether changes
+     will or will not be persisted and whether settings are inherited.
+     [Daniel Ruggeri, Jim Jagielski]
+
+  *) core: Add util_fcgi.h and associated definitions and support
+     routines for FastCGI, based largely on mod_proxy_fcgi.
+     [Jeff Trawick]
+
+  *) mod_headers: Add 'Header note header-name note-name' for copying a response
+     headers value into a note. [Eric Covener]
+
+  *) mod_headers: Add 'setifempty' command to Header and RequestHeader.
+     [Eric Covener]
+
+  *) mod_logio: new format-specifier %S (sum) which is the sum of received
+     and sent byte counts.
+     PR54015 [Christophe Jaillet]
+
+  *) mod_deflate: Improve error detection when decompressing request bodies
+     with trailing garbage: handle case where trailing bytes are in
+     the same bucket. [Rainer Jung]
+
+  *) mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663
+     from ERROR to DEBUG, since these modules do not know what mod_authz_core
+     is doing with their AUTHZ_DENIED return value. [Eric Covener]
+
+  *) mod_ldap: add TRACE5 for LDAP retries. [Eric Covener]
+
+  *) mod_ldap: retry on an LDAP timeout during authn. [Eric Covener]
+
+  *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP 
+     SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK 
+     default, sans rebind authentication callback.
+     [Jan Kaluza <kaluze AT redhat.com>]
+
+  *) core: Log a message at TRACE1 when the client aborts a connection.
+     [Eric Covener]
+
+  *) WinNT MPM: Don't crash during child process initialization if the
+     Listen protocol is unrecognized.  [Jeff Trawick]
+
+  *) modules: Fix some compiler warnings. [Guenter Knauf]
+
+  *) Sync 2.4 and trunk
+       - Avoid some memory allocation and work when TRACE1 is not activated
+       - fix typo in include guard
+       - indent
+       - No need to lower the string before removing the path, it is just 
+         a waste of time...
+       - Save a few cycles
+     [Christophe Jaillet <christophe.jaillet wanadoo.fr>]
+
+  *) mod_filter: Add "change=no" as a proto-flag to FilterProtocol
+     to remove a providers initial flags set at registration time.
+     [Eric Covener]
+
+  *) core, mod_ssl: Enable the ability for a module to reverse the sense of
+     a poll event from a read to a write or vice versa. This is a step on
+     the way to allow mod_ssl taking full advantage of the event MPM.
+     [Graham Leggett]
+
+  *) Makefile.win: Install proper pcre DLL file during debug build install.
+     PR 55235.  [Ben Reser <ben reser org>]
+
+  *) mod_ldap: Fix a potential memory leak or corruption.  PR 54936.
+     [Zhenbo Xu <zhenbo1987 gmail com>]
+
+  *) ab: Fix potential buffer overflows when processing the T and X
+     command-line options.  PR 55360.
+     [Mike Rumph <mike.rumph oracle.com>]
+
+  *) fcgistarter: Specify SO_REUSEADDR to allow starting a server
+     with old connections in TIME_WAIT.  [Jeff Trawick]
+
+  *) core: Add open_htaccess hook which, in conjunction with dirwalk_stat
+     and post_perdir_config (introduced in 2.4.5), allows mpm-itk to be 
+     used without patches to httpd core. [Stefan Fritsch]
+
+  *) support/htdbm: fix processing of -t command line switch. Regression
+     introduced in 2.4.4
+     PR 55264 [Jo Rhett <jrhett netconsonance com>]
+
+  *) mod_lua: add websocket support via r:wsupgrade, r:wswrite, r:wsread 
+     and r:wsping. [Daniel Gruno]
+
+  *) mod_lua: add support for writing/reading cookies via r:getcookie and 
+     r:setcookie. [Daniel Gruno]
+
+  *) mod_lua: If the first yield() of a LuaOutputFilter returns a string, it should
+     be prefixed to the response as documented. [Eric Covener] 
+     Note: Not present in 2.4.7 CHANGES
+
+  *) mod_lua: Remove ETAG, Content-Length, and Content-MD5 when a LuaOutputFilter
+     is configured without mod_filter. [Eric Covener]
+     Note: Not present in 2.4.7 CHANGES
+
+  *) mod_lua: Register LuaOutputFilter scripts as changing the content and
+     content-length by default, when run my mod_filter.  Previously,
+     growing or shrinking a response that started with Content-Length set
+     would require mod_filter and FilterProtocol change=yes. [Eric Covener]
+     Note: Not present in 2.4.7 CHANGES
+
+  *) mod_lua: Return a 500 error if a LuaHook* script doesn't return a
+     numeric return code. [Eric Covener]
+     Note: Not present in 2.4.7 CHANGES
+
+Changes with Apache 2.4.6
+
+  *) Revert a broken fix for PR54948 that was applied to 2.4.5 (which was
+     not released) and found post-2.4.5 tagging.
+
+Changes with Apache 2.4.5
+
+  *) SECURITY: CVE-2013-1896 (cve.mitre.org)
+     mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
+     the source href (sent as part of the request body as XML) pointing to a
+     URI that is not configured for DAV will trigger a segfault. [Ben Reser
+     <ben reser.org>]
+
+  *) SECURITY: CVE-2013-2249 (cve.mitre.org)
+     mod_session_dbd: Make sure that dirty flag is respected when saving
+     sessions, and ensure the session ID is changed each time the session
+     changes. This changes the format of the updatesession SQL statement.
+     Existing configurations must be changed.
+     [Takashi Sato, Graham Leggett]
+
+  *) mod_auth_basic: Add a generic mechanism to fake basic authentication
+     using the ap_expr parser. AuthBasicFake allows the administrator to 
+     construct their own username and password for basic authentication based 
+     on their needs. [Graham Leggett]
+
+  *) mpm_event: Check that AsyncRequestWorkerFactor is not negative. PR 54254.
+     [Jackie Zhang <jackie qq zhang gmail com>]
+
+  *) mod_proxy: Ensure we don't attempt to amend a table we are iterating
+     through, ensuring that all headers listed by Connection are removed.
+     [Graham Leggett, Co-Advisor <coad measurement-factory.com>]
+
+  *) mod_proxy_http: Make the proxy-interim-response environment variable
+     effective by formally overriding origin server behaviour. [Graham
+     Leggett, Co-Advisor <coad measurement-factory.com>]
+
+  *) mod_proxy: Fix seg-faults when using the global pool on threaded
+     MPMs [Thomas Eckert <thomas.r.w.eckert gmail.com>, Graham Leggett,
+     Jim Jagielski]
+
+  *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive.
+     Gracefully step aside if the body size is zero. [Graham Leggett]
+
+  *) mod_ssl: Fix possible truncation of OCSP responses when reading from the
+     server.  [Joe Orton]
+
+  *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
+     on Linux kernel versions 3.x and above.  PR 55121.  [Bradley Heilbrun
+     <apache heilbrun.org>]
+
+  *) mod_cache_socache: Make sure the CacheSocacheMaxSize directive is merged
+     correctly. [Jens Låås <jelaas gmail.com>]
+
+  *) rotatelogs: add -n number-of-files option to rotate through a number
+     of fixed-name logfiles. [Eric Covener]
+
+  *) mod_proxy: Support web-socket tunnels via mod_proxy_wstunnel.
+     [Jim Jagielski]
+
+  *) mod_cache_socache: Use the name of the socache implementation when performing
+     a lookup rather than using the raw arguments. [Martin Ksellmann
+     <martin@ksellmann.de>]
+
+  *) core: Add dirwalk_stat hook.  [Jeff Trawick]
+
+  *) core: Add post_perdir_config hook.
+     [Steinar Gunderson <sgunderson bigfoot.com>]
+
+  *) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
+     [Christophe Jaillet]
+
+  *) mod_remoteip: close file in error path. [Christophe Jaillet]
+
+  *) core: make the "default" parameter of the "ErrorDocument" option case
+     insensitive. PR 54419 [Tianyin Xu <tixu cs ucsd edu>]
+
+  *) mod_proxy_html: make the "ProxyHTMLFixups" options case insensitive.
+     PR 54420 [Tianyin Xu <tixu cs ucsd edu>]
+
+  *) mod_cache: Make option "CacheDisable" in mod_cache case insensitive.
+     PR 54462 [Tianyin Xu <tixu cs ucsd edu>]
+
+  *) mod_cache: If a 304 response indicates an entity not currently cached, then
+     the cache MUST disregard the response and repeat the request without the
+     conditional. [Graham Leggett, Co-Advisor <coad measurement-factory.com>]
+
+  *) mod_cache: Ensure that we don't attempt to replace a cached response
+     with an older response as per RFC2616 13.12. [Graham Leggett, Co-Advisor
+     <coad measurement-factory.com>]
+
+  *) core, mod_cache: Ensure RFC2616 compliance in ap_meets_conditions()
+     with weak validation combined with If-Range and Range headers. Break
+     out explicit conditional header checks to be useable elsewhere in the
+     server. Ensure weak validation RFC compliance in the byteranges filter.
+     Ensure RFC validation compliance when serving cached entities. PR 16142
+     [Graham Leggett, Co-Advisor <coad measurement-factory.com>]
+
+  *) core: Add the ability to do explicit matching on weak and strong ETags
+     as per RFC2616 Section 13.3.3. [Graham Leggett, Co-Advisor
+     <coad measurement-factory.com>]
+
+  *) mod_cache: Ensure that updated responses to HEAD requests don't get
+     mistakenly paired with a previously cached body. Ensure that any existing
+     body is removed when a HEAD request is cached. [Graham Leggett,
+     Co-Advisor <coad measurement-factory.com>]
+
+  *) mod_cache: Honour Cache-Control: no-store in a request. [Graham Leggett]
+
+  *) mod_cache: Make sure that contradictory entity headers present in a 304
+     Not Modified response are caught and cause the entity to be removed.
+     [Graham Leggett]
+
+  *) mod_cache: Make sure Vary processing handles multivalued Vary headers and
+     multivalued headers referred to via Vary. [Graham Leggett]
+
+  *) mod_cache: When serving from cache, only the last header of a multivalued
+     header was taken into account. Fixed. Ensure that Warning headers are
+     correctly handled as per RFC2616. [Graham Leggett]
+
+  *) mod_cache: Ignore response headers specified by no-cache=header and
+     private=header as specified by RFC2616 14.9.1 What is Cacheable. Ensure
+     that these headers are still processed when multiple Cache-Control
+     headers are present in the response. PR 54706 [Graham Leggett,
+     Yann Ylavic <ylavic.dev gmail.com>]
+
+  *) mod_cache: Invalidate cached entities in response to RFC2616 Section
+     13.10 Invalidation After Updates or Deletions. PR 15868 [Graham
+     Leggett]
+
+  *) mod_dav: Improve error handling in dav_method_put(), add new
+     dav_join_error() function.  PR 54145.  [Ben Reser <ben reser.org>]
+
+  *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
+     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
+
+  *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
+     property on a resource for which there is no dead property in the same
+     namespace httpd segfaults. PR 52559 [Diego Santa Cruz
+     <diego.santaCruz spinetix.com>]
+
+  *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
+     result in a 412 Precondition Failed for a COPY operation. PR54610
+     [Timothy Wood <tjw omnigroup.com>]
+
+  *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
+     we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]
+
+  *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive.
+     Gracefully step aside if the body size is zero. [Graham Leggett]
+
+  *) 'AuthGroupFile' and 'AuthUserFile' do not accept anymore the optional
+     'standard' keyword . It was unused and not documented.
+     PR54463 [Tianyin Xu <tixu cs.ucsd.edu> and Christophe Jaillet]
+
+  *) core: Do not over allocate memory within 'ap_rgetline_core' for
+     the common case. [Christophe Jaillet]
+
+  *) core: speed up (for common cases) and reduce memory usage of
+     ap_escape_logitem(). This should save 70-100 bytes in the request
+     pool for a default config. [Christophe Jaillet]
+
+  *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
+     [Timothy Wood <tjw omnigroup.com>]
+
+  *) mod_proxy: Reject invalid values for Max-Forwards. [Graham Leggett,
+     Co-Advisor <coad measurement-factory.com>]
+
+  *) mod_cache: RFC2616 14.9.3 The s-maxage directive also implies the
+     semantics of the proxy-revalidate directive. [Graham Leggett]
+
+  *) mod_ssl: add support for subjectAltName-based host name checking
+     in proxy mode (SSLProxyCheckPeerName). PR 54030. [Kaspar Brand]
+
+  *) core: Use the proper macro for HTTP/1.1. [Graham Leggett]
+
+  *) event MPM: Provide error handling for ThreadStackSize. PR 54311
+     [Tianyin Xu <tixu cs.ucsd.edu>, Christophe Jaillet]
+
+  *) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
+     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
+
+  *) core: Improve error message where client's request-line exceeds
+     LimitRequestLine. PR 54384 [Christophe Jaillet]
+
+  *) mod_macro: New module that provides macros within configuration files.
+     [Fabien Coelho]
+
+  *) mod_cache_socache: New cache implementation backed by mod_socache
+     that replaces mod_mem_cache known from httpd 2.2. [Graham
+     Leggett]
+
+  *) htpasswd: Add -v option to verify a password. [Stefan Fritsch]
+
+  *) mod_proxy: Add BalancerInherit and ProxyPassInherit to control
+     whether Proxy Balancers and Workers are inherited by vhosts
+     (default is On). [Jim Jagielski]
+
+  *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
+     password.  [Daniel Ruggeri]
+
+  *) Added balancer parameter failontimeout to allow server admin
+     to configure an IO timeout as an error in the balancer.
+     [Daniel Ruggeri]
+
+  *) mod_auth_digest: Fix crashes if shm initialization failed. [Stefan
+     Fritsch]
+
+  *) htpasswd, htdbm: Fix password generation. PR 54735. [Stefan Fritsch]
+
+  *) core: Add workaround for gcc bug on sparc/64bit. PR 52900.
+     [Stefan Fritsch]
+
+  *) mod_setenvif: Fix crash in case SetEnvif and SetEnvIfExpr are used
+     together. PR 54881. [Ruediger Pluem]
+
+  *) htdigest: Fix buffer overflow when reading digest password file
+     with very long lines. PR 54893. [Rainer Jung]
+
+  *) ap_expr: Add the ability to base64 encode and base64 decode
+     strings and to generate their SHA1 and MD5 hash.
+     [Graham Leggett, Stefan Fritsch]
+
+  *) mod_log_config: Fix crash when logging request end time for a failed
+     request.  PR 54828 [Rainer Jung]
+
+  *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
+     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
+     [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
+
+  *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
+     in the error log to debug level.  [William Rowe]
+
+  *) mod_cache_disk: CacheMinFileSize and CacheMaxFileSize were always
+     using compiled in defaults of 1000000/1 respectively. [Eric Covener]
+
+  *) mod_lbmethod_heartbeat, mod_heartmonitor: Respect DefaultRuntimeDir/
+     DEFAULT_REL_RUNTIMEDIR for the heartbeat storage file.  [Jeff Trawick]
+
+  *) mod_include: Use new ap_expr for 'elif', like 'if', 
+     if legacy parser is not specified.  PR 54548 [Tom Donovan]
+
+  *) mod_lua: Add some new functions: r:htpassword(), r:mkdir(), r:mkrdir(),
+     r:rmdir(), r:touch(), r:get_direntries(), r.date_parse_rfc().
+     [Guenter Knauf]
+
+  *) mod_lua: Add multipart form data handling. [Daniel Gruno]
+
+  *) mod_lua: If a LuaMapHandler doesn't return any value, log a warning
+     and treat it as apache2.OK. [Eric Covener]
+
+  *) mod_lua: Add bindings for apr_dbd/mod_dbd database access
+     [Daniel Gruno]
+
+  *) mod_lua: Add LuaInputFilter/LuaOutputFilter for creating content
+     filters in Lua [Daniel Gruno]
+
+  *) mod_lua: Allow scripts handled by the lua-script handler to return
+     a status code to the client (such as a 302 or a 500) [Daniel Gruno]
+
+  *) mod_lua: Decline handling 'lua-script' if the file doesn't exist,
+     rather than throwing an internal server error. [Daniel Gruno]
+
+  *) mod_lua: Add functions r:flush and r:sendfile as well as additional
+     request information to the request_rec structure. [Daniel Gruno]
+
+  *) mod_lua: Add a server scope for Lua states, which creates a pool of
+     states with managable minimum and maximum size. [Daniel Gruno]
+
+  *) mod_lua: Add new directive, LuaMapHandler, for dynamically mapping
+     URIs to Lua scripts and functions using regular expressions.
+     [Daniel Gruno]
+
+  *) mod_lua: Add new directive LuaCodeCache for controlling in-memory
+     caching of lua scripts. [Daniel Gruno]
+
+Changes with Apache 2.4.4
+
+  *) SECURITY: CVE-2012-3499 (cve.mitre.org)
+     Various XSS flaws due to unescaped hostnames and URIs HTML output in
+     mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
+     [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
+
+  *) SECURITY: CVE-2012-4558 (cve.mitre.org)
+     XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
+     Niels Heinen <heinenn google com>]
+
+  *) mod_dir: Add support for the value 'disabled' in FallbackResource.
+     [Vincent Deffontaines]
+
+  *) mod_proxy_connect: Don't keepalive the connection to the client if the
+     backend closes the connection. PR 54474. [Pavel Mateja <pavel netsafe cz>]
+
+  *) mod_lua: Add bindings for mod_dbd/apr_dbd database access.
+     [Daniel Gruno]
+
+  *) mod_proxy: Allow for persistence of local changes made via the
+     balancer-manager between graceful/normal restarts and power
+     cycles. [Jim Jagielski]
+
+  *) mod_proxy: Fix startup crash with mis-defined balancers.
+     PR 52402. [Jim Jagielski]
+
+  *) --with-module: Fix failure to integrate them into some existing
+     module directories.  PR 40097.  [Jeff Trawick]
+
+  *) htcacheclean: Fix potential segfault if "-p" is omitted.  [Joe Orton]
+
+  *) mod_proxy_http: Honour special value 0 (unlimited) of LimitRequestBody
+     PR 54435.  [Pavel Mateja <pavel netsafe.cz>]
+
+  *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
+     [Rainer Jung]
+
+  *) htcacheclean: Fix list options "-a" and "-A".
+     [Rainer Jung]
+
+  *) mod_slotmem_shm: Fix mistaken reset of num_free for restored shm.
+     [Jim Jagielski]
+
+  *) mod_proxy: non-existance of byrequests is not an immediate error.
+     [Jim Jagielski]
+
+  *) mod_proxy_balancer: Improve output of balancer-manager (re: Drn,
+     Dis, Ign, Stby). PR 52478 [Danijel <dt-ng rbfh de>]
+  
+  *) configure: Fix processing of --disable-FEATURE for various features.
+     [Jeff Trawick]
+
+  *) mod_dialup/mod_http: Prevent a crash in mod_dialup in case of internal
+     redirect. PR 52230.
+
+  *) various modules, rotatelogs: Replace use of apr_file_write() with
+     apr_file_write_full() to prevent incomplete writes. PR 53131.
+     [Nicolas Viennot <apache viennot biz>, Stefan Fritsch]
+
+  *) ab: Support socket timeout (-s timeout).
+     [Guido Serra <zeph fsfe org>]
+
+  *) httxt2dbm: Correct length computation for the 'value' stored in the
+     DBM file. PR 47650 [jon buckybox com]
+
+  *) core: Be more correct about rejecting directives that cannot work in <If>
+     sections. [Stefan Fritsch]
+
+  *) core: Fix directives like LogLevel that need to know if they are invoked
+     at virtual host context or in Directory/Files/Location/If sections to
+     work properly in If sections that are not in a Directory/Files/Location.
+     [Stefan Fritsch]
+
+  *) mod_xml2enc: Fix problems with charset conversion altering the
+     Content-Length. [Micha Lenk <micha lenk info>]
+
+  *) ap_expr: Add req_novary function that allows HTTP header lookups
+     without adding the name to the Vary header. [Stefan Fritsch]
+
+  *) mod_slotmem_*: Add in new fgrab() function which forces a grab and
+     slot allocation on a specified slot. Allow for clearing of inuse
+     array. [Jim Jagielski]
+
+  *) mod_proxy_ftp: Fix segfaults on IPv4 requests to hosts with DNS
+     AAAA records. PR  40841. [Andrew Rucker Jones <arjones simultan
+     dyndns org>, <ast domdv de>, Jim Jagielski]
+
+  *) mod_auth_form: Make sure that get_notes_auth() sets the user as does
+     get_form_auth() and get_session_auth(). Makes sure that REMOTE_USER
+     does not vanish during mod_include driven subrequests. [Graham
+     Leggett]
+
+  *) mod_cache_disk: Resolve errors while revalidating disk-cached files on
+     Windows ("...rename tempfile to datafile failed..."). PR 38827
+     [Eric Covener]
+
+  *) mod_proxy_balancer: Bring XML output up to date. [Jim Jagielski]
+
+  *) htpasswd, htdbm: Optionally read passwords from stdin, as more
+     secure alternative to -b.  PR 40243. [Adomas Paltanavicius <adomas
+     paltanavicius gmail com>, Stefan Fritsch]
+
+  *) htpasswd, htdbm: Add support for bcrypt algorithm (requires
+     apr-util 1.5 or higher). PR 49288. [Stefan Fritsch]
+
+  *) htpasswd, htdbm: Put full 48bit of entropy into salt, improve
+     error handling. Add some of htpasswd's improvements to htdbm,
+     e.g. warn if password is truncated by crypt(). [Stefan Fritsch]
+
+  *) mod_auth_form: Support the expr parser in the
+     AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and
+     AuthFormLogoutLocation directives. [Graham Leggett]
+
+  *) mod_ssl: Add support for TLS-SRP (Secure Remote Password key exchange
+     for TLS, RFC 5054). PR 51075. [Quinn Slack <sqs cs stanford edu>,
+     Christophe Renou, Peter Sylvester]
+
+  *) mod_rewrite: Stop mergeing RewriteBase down to subdirectories
+     unless new option 'RewriteOptions MergeBase' is configured.
+     PR 53963. [Eric Covener]
+
+  *) mod_header: Allow for exposure of loadavg and server load using new 
+     format specifiers %l, %i, %b [Jim Jagielski]
+  
+  *) core: Make ap_regcomp() return AP_REG_ESPACE if out of memory.  Make
+     ap_pregcomp() abort if out of memory. This raises the minimum PCRE
+     requirement to version 6.0. [Stefan Fritsch]
+
+  *) mod_proxy: Add ability to configure the sticky session separator.
+     PR 53893. [<inu inusasha de>, Jim Jagielski]
+
+  *) mod_dumpio: Correctly log large messages
+     PR 54179 [Marek Wianecki <mieszek2 interia pl>]
+
+  *) core: Don't fail at startup with AH00554 when Include points to 
+     a directory without any wildcard character. [Eric Covener]
+
+  *) core: Fail startup if the argument to ServerTokens is unrecognized.
+     [Jackie Zhang  <jackie.qq.zhang gmail.com>]
+
+  *) mod_log_forensic: Don't log a spurious "-" if a request has been rejected
+     before mod_log_forensic could attach its id to it. [Stefan Fritsch]
+
+  *) rotatelogs: Omit the second argument for the first invocation of
+     a post-rotate program when -p is used, per the documentation.
+     [Joe Orton]
+
+  *) mod_session_dbd: fix a segmentation fault in the function dbd_remove.
+     PR 53452. [<rebanerebane gmail com>, Reimo Rebane]
+
+  *) core: Functions to provide server load values: ap_get_sload() and
+     ap_get_loadavg(). [Jim Jagielski, Jan Kaluza <jkaluza redhat.com>,
+     Jeff Trawick]
+
+  *) mod_ldap: Fix regression in handling "server unavailable" errors on 
+     Windows.  PR 54140.  [Eric Covener]
+ 
+  *) syslog logging: Remove stray ", referer" at the end of some messages.
+     [Jeff Trawick]
+
+  *) "Iterate" directives: Report an error if no arguments are provided.
+     [Jeff Trawick]
+
+  *) mod_ssl: Change default for SSLCompression to off, as compression
+     causes security issues in most setups. (The so called "CRIME" attack).
+     [Stefan Fritsch]
+
+  *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
+     to more accurately report the negotiated protocol. PR 53916.
+     [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
+
+  *) core: ErrorDocument now works for requests without a Host header.
+     PR 48357.  [Jeff Trawick]
+
+  *) prefork: Avoid logging harmless errors during graceful stop.
+     [Joe Orton, Jeff Trawick]
+
+  *) mod_proxy: When concatting for PPR, avoid cases where we
+     concat ".../" and "/..." to create "...//..." [Jim Jagielski]
+
+  *) mod_cache: Wrong content type and character set when
+     mod_cache serves stale content because of a proxy error. 
+     PR 53539.  [Rainer Jung, Ruediger Pluem]
+
+  *) mod_proxy_ajp: Fix crash in packet dump code when logging
+     with LogLevel trace7 or trace8.  PR 53730.  [Rainer Jung]
+
+  *) httpd.conf: Removed the configuration directives setting a bad_DNT
+     environment introduced in 2.4.3. The actual directives are commented
+     out in the default conf file.
+
+  *) core: Apply length limit when logging Status header values.
+     [Jeff Trawick, Chris Darroch]
+
+  *) mod_proxy_balancer: The nonce is only derived from the UUID iff
+     not set via the 'nonce' balancer param. [Jim Jagielski]
+
+  *) mod_ssl: Match wildcard SSL certificate names in proxy mode.  
+     PR 53006.  [Joe Orton]
+
+  *) Windows: Fix output of -M, -L, and similar command-line options
+     which display information about the server configuration.
+     [Jeff Trawick]
+
+Changes with Apache 2.4.3
+
+  *) SECURITY: CVE-2012-3502  (cve.mitre.org)
+     mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
+     connection closing which could lead to privacy issues due
+     to a response mixup. PR 53727. [Rainer Jung]
+
+  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
+     mod_negotiation: Escape filenames in variant list to prevent a
+     possible XSS for a site where untrusted users can upload files to
+     a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
+
+  *) mod_authnz_ldap: Don't try a potentially expensive nested groups
+     search before exhausting all AuthLDAPGroupAttribute checks on the
+     current group. PR 52464 [Eric Covener]
+
+  *) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
+     authorization provider in lua. [Stefan Fritsch]
+
+  *) core: Be less strict when checking whether Content-Type is set to 
+     "application/x-www-form-urlencoded" when parsing POST data, 
+     or we risk losing data with an appended charset. PR 53698
+     [Petter Berntsen <petterb gmail.com>]
+
+  *) httpd.conf: Added configuration directives to set a bad_DNT environment
+     variable based on User-Agent and to remove the DNT header field from
+     incoming requests when a match occurs. This currently has the effect of
+     removing DNT from requests by MSIE 10.0 because it deliberately violates
+     the current specification of DNT semantics for HTTP. [Roy T. Fielding]
+
+  *) mod_socache_shmcb: Fix bus error due to a misalignment
+     in some 32 bit builds, especially on Solaris Sparc.
+     PR 53040.  [Rainer Jung]
+
+  *) mod_cache: Set content type in case we return stale content.
+     [Ruediger Pluem]
+
+  *) Windows: Fix SSL failures on windows with AcceptFilter https none.
+     PR 52476.  [Jeff Trawick]
+
+  *) ab: Fix read failure when targeting SSL server.  [Jeff Trawick]
+
+  *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
+     - mod_auth_digest: shared memory file
+     [Jeff Trawick]
+
+  *) htpasswd: Use correct file mode for checking if file is writable.
+     PR 45923. [Stefan Fritsch]
+
+  *) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T.
+     <mi apache aldan algebra com>]
+
+  *) mod_ssl: Add new directive SSLCompression to disable TLS-level
+     compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
+
+  *) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
+     client_ip to match conn_rec. [Stefan Fritsch]
+
+  *) mod_lua: Change prototype of vm_construct, to work around gcc bug which
+     causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>]
+
+  *) mpm_event: Don't count connections in lingering close state when
+     calculating how many additional connections may be accepted.
+     [Stefan Fritsch]
+
+  *) mod_ssl: If exiting during initialization because of a fatal error,
+     log a message to the main error log pointing to the appropriate
+     virtual host error log. [Stefan Fritsch]
+
+  *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
+     one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]
+
+  *) mod_proxy_balancer: Restore balancing after a failed worker has
+     recovered when using lbmethod_bybusyness.  PR 48735.  [Jeff Trawick]
+
+  *) mod_setenvif: Compile some global regex only once during startup.
+     This should save some memory, especially with .htaccess.
+     [Stefan Fritsch]
+
+  *) core: Add the port number to the vhost's name in the scoreboard.
+     [Stefan Fritsch]
+
+  *) mod_proxy: Fix ProxyPassReverse for balancer configurations.
+     PR 45434.  [Joe Orton]
+
+  *) mod_lua: Add the parsebody function for parsing POST data. PR 53064.
+     [Daniel Gruno]
+
+  *) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS.
+     [Stefan Fritsch]
+
+  *) mod_proxy: Fix memory leak or possible corruption in ProxyBlock
+     implementation.  [Ruediger Pluem, Joe Orton]
+
+  *) mod_proxy: Check hostname from request URI against ProxyBlock list,
+     not forward proxy, if ProxyRemote* is configured.  [Joe Orton]
+
+  *) mod_proxy_connect: Avoid DNS lookup on hostname from request URI 
+     if ProxyRemote* is configured.  PR 43697.  [Joe Orton]
+
+  *) mpm_event, mpm_worker: Remain active amidst prevalent child process
+     resource shortages.  [Jeff Trawick]
+
+  *) Add "strict" and "warnings" pragmas to Perl scripts.  [Rich Bowen]
+
+  *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
+     - core: the scoreboard (ScoreBoardFile), pid file (PidFile), and
+       mutexes (Mutex)
+     [Jim Jagielski]
+
+  *) ab: Fix bind() errors.  [Joe Orton]
+
+  *) mpm_event: Don't do a blocking write when starting a lingering close
+     from the listener thread. PR 52229. [Stefan Fritsch]
+
+  *) mod_so: If a filename without slashes is specified for LoadFile or
+     LoadModule and the file cannot be found in the server root directory,
+     try to use the standard dlopen() search path. [Stefan Fritsch]
+
+  *) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced
+     after child process resource shortages.  [Jeff Trawick]
+
+  *) mpm_prefork: Reduce spawn rate after a child process exits due to
+     unexpected poll or accept failure.  [Jeff Trawick]
+
+  *) core: Log value of Status header line in script responses rather
+     than the fixed header name.  [Chris Darroch]
+
+  *) mod_ssl: Fix handling of empty response from OCSP server.
+     [Jim Meyering <meyering redhat.com>, Joe Orton]
+
+  *) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch]
+
+  *) mod_authz_core: If an expression in "Require expr" returns denied and
+     references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
+     [Stefan Fritsch]
+
+  *) core: Always log if LimitRequestFieldSize triggers.  [Stefan Fritsch]
+
+  *) mod_deflate: Skip compression if compression is enabled at SSL level.
+     [Stefan Fritsch]
+
+  *) core: Add missing HTTP status codes registered with IANA.
+     [Julian Reschke <julian.reschke gmx.de>, Rainer Jung]
+
+  *) mod_ldap: Treat the "server unavailable" condition as a transient
+     error with all LDAP SDKs.  [Filip Valder <filip.valder vsb.cz>]
+
+  *) core: Fix spurious "not allowed here" error returned when the Options 
+     directive is used in .htaccess and "AllowOverride Options" (with no 
+     specific options restricted) is configured.  PR 53444. [Eric Covener]
+
+  *) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
+     PR 53048. [Stefan Fritsch]
+
+  *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
+     PR 53104. [Greg Ames]
+
+  *) mod_ext_filter: Fix error_log spam when input filters are configured.  
+     [Joe Orton]
+
+  *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
+
+  *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). 
+     [Paul Wouters <pwouters redhat.com>, Joe Orton]
+
+  *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
+     the chosen listener is configured for https. [Joe Orton]
+
+  *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
+     forwarding to SSL backends. PR 53134.
+     [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
+
+  *) mod_info: Display all registered providers. [Stefan Fritsch]
+
+  *) mod_ssl: Send the error message for speaking http to an https port using
+     HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
+     using SNI. PR 50823. [Stefan Fritsch]
+
+  *) core: Fix segfault in logging if r->useragent_addr or c->client_addr is
+     unset. PR 53265. [Stefan Fritsch]
+
+  *) log_server_status: Bring Perl style forward to the present, use
+     standard modules, update for new format of server-status output.
+     PR 45424. [Richard Bowen, Dave Brondsema, and others]
+
+  *) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups. 
+     [Joe Orton, André Malo]
+
+  *) core: Prevent "httpd -k restart" from killing server in presence of
+     config error. [Joe Orton]
+
+  *) mod_proxy_fcgi: If there is an error reading the headers from the
+     backend, send an error to the client. PR 52879. [Stefan Fritsch]
+
+Changes with Apache 2.4.2
+
+  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
+     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
+     current working directory to be searched for DSOs. [Stefan Fritsch]
+
+  *) mod_slotmem_shm: Honor DefaultRuntimeDir [Jim Jagielski]
+
+  *) mod_ssl: Fix crash with threaded MPMs due to race condition when
+     initializing EC temporary keys. [Stefan Fritsch]
+
+  *) mod_rewrite: Fix RewriteCond integer checks to be parsed correctly.
+     PR 53023. [Axel Reinhold <apache freakout.de>, André Malo]
+
+  *) mod_proxy: Add the forcerecovery balancer parameter that determines if
+     recovery for balancer workers is enforced. [Ruediger Pluem]
+
+  *) Fix MPM DSO load failure on AIX.  [Jeff Trawick]
+
+  *) mod_proxy: Correctly set up reverse proxy worker. PR 52935.
+     [Petter Berntsen <petterb gmail.com>]
+
+  *) mod_sed: Don't define PATH_MAX to a potentially undefined value, causing
+     compile problems on GNU hurd. [Stefan Fritsch]
+
+  *) core: Add ap_runtime_dir_relative() and DefaultRuntimeDir.
+     [Jeff Trawick]
+
+  *) core: Fix breakage of Listen directives with MPMs that use a
+     per-directory config. PR 52904. [Stefan Fritsch]
+
+  *) core: Disallow directives in AllowOverrideList which are only allowed
+     in VirtualHost or server context. These are usually not prepared to be
+     called in .htaccess files. [Stefan Fritsch]
+
+  *) core: In AllowOverrideList, do not allow 'None' together with other
+     directives. PR 52823. [Stefan Fritsch]
+
+  *) mod_slotmem_shm: Support DEFAULT_REL_RUNTIMEDIR for file-based shm.
+     [Jim Jagielski]
+
+  *) core: Fix merging of AllowOverrideList and ContentDigest.
+     [Stefan Fritsch]
+
+  *) mod_request: Fix validation of the KeptBodySize argument so it
+     doesn't always throw a configuration error. PR 52981 [Eric Covener]
+
+  *) core: Add filesystem paths to access denied / access failed messages
+     AH00035 and AH00036. [Eric Covener]
+
+  *) mod_dumpio: Properly handle errors from subsequent input filters.
+     PR 52914. [Stefan Fritsch]
+
+  *) Unix MPMs: Fix small memory leak in parent process if connect()
+     failed when waking up children.  [Joe Orton]
+
+  *) "DirectoryIndex disabled" now undoes DirectoryIndex settings in
+     the current configuration section, not just previous config sections.
+     PR 52845. [Eric Covener]
+
+  *) mod_xml2enc: Fix broken handling of EOS buckets which could lead to
+     response headers not being sent. PR 52766. [Stefan Fritsch]
+
+  *) mod_ssl: Properly free the GENERAL_NAMEs. PR 32652. [Kaspar Brand]
+
+  *) core: Check during config test that directories for the access
+     logs actually exist. PR 29941. [Stefan Fritsch]
+
+  *) mod_xml2enc, mod_proxy_html: Enable per-module loglevels.
+     [Stefan Fritsch]
+
+  *) mod_filter: Fix segfault with AddOutputFilterByType. PR 52755.
+     [Stefan Fritsch]
+
+  *) mod_session: Sessions are encoded as application/x-www-form-urlencoded
+     strings, however we do not handle the encoding of spaces properly.
+     Fixed. [Graham Leggett]
+
+  *) Configuration: Example in comment should use a path consistent
+     with the default configuration. PR 52715.
+     [Rich Bowen, Jens Schleusener, Rainer Jung]
+
+  *) Configuration: Switch documentation links from trunk to 2.4.
+     [Rainer Jung]
+
+  *) configure: Fix out of tree build using apr and apr-util in srclib.
+     [Rainer Jung]
+
+Changes with Apache 2.4.1
+
+  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
+     Fix an issue in error responses that could expose "httpOnly" cookies
+     when no custom ErrorDocument is specified for status code 400.  
+     [Eric Covener]
+
+  *) mod_proxy_balancer: Fix crash on Windows. PR 52402 [Mladen Turk]
+
+  *) core: Check during configtest that the directories for error logs exist.
+     PR 29941 [Stefan Fritsch]
+
+  *) Core configuration: add AllowOverride option to treat syntax
+     errors in .htaccess as non-fatal. PR 52439 [Nick Kew, Jim Jagielski]
+
+  *) core: Fix memory consumption in core output filter with streaming
+     bucket types like CGI or PIPE.  [Joe Orton, Stefan Fritsch]
+
+  *) configure: Disable modules at configure time if a prerequisite module
+     is not enabled. PR 52487. [Stefan Fritsch]
+
+  *) Rewrite and proxy now decline what they don't support rather
+     than fail the request. [Joe Orton]
+
+  *) Fix building against external apr plus apr-util if apr is not installed
+     in a system default path. [Rainer Jung]
+
+  *) Doxygen fixes and improvements. [Joe Orton, Igor Galić]
+
+  *) core: Fix building against PCRE 8.30 by switching from the obsolete
+     pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]
+
+Changes with Apache 2.4.0
+
+  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
+     Fix scoreboard issue which could allow an unprivileged child process
+     to cause the parent to crash at shutdown rather than terminate
+     cleanly.  [Joe Orton]
+
+  *) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch]
+
+  *) SECURITY: CVE-2012-0021 (cve.mitre.org)
+     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
+     string is in use and a client sends a nameless, valueless cookie, causing
+     a denial of service. The issue existed since version 2.2.17 and 2.3.3.
+     PR 52256.  [Rainer Canavan <rainer-apache 7val com>]
+
+  *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
+     control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive.
+     [Kaspar Brand]
+
+  *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
+     or later, to improve binary compatibility with future OpenSSL releases.
+     [Kaspar Brand]
+
+  *) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass,
+     but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime
+     behave identically in both cases. PR52342. [Graham Leggett]
+
+  *) Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with
+     corresponding man pages. [Graham Leggett]
+
+  *) Distinguish properly between the bindir and sbindir directories when
+     installing binaries. Previously all binaries were silently installed to
+     sbindir, whether they were system administration commands or not.
+     [Graham Leggett]
+
+Changes with Apache 2.3.16
+
+  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
+     Resolve additional cases of URL rewriting with ProxyPassMatch or
+     RewriteRule, where particular request-URIs could result in undesired
+     backend network exposure in some configurations.
+     [Joe Orton]
+
+  *) core: Limit line length in .htaccess to 8K like in 2.2.x, to avoid
+     additional DoS potential. [Stefan Fritsch]
+
+  *) core, all modules: Add unique tag to most error log messages. [Stefan
+     Fritsch]
+
+  *) mod_socache_memcache: Change provider name from "mc" to "memcache" to
+     match module name. [Stefan Fritsch]
+
+  *) mod_slotmem_shm: Change provider name from "shared" to "shm" to match
+     module name. [Stefan Fritsch]
+
+  *) mod_ldap: Fix segfault with Solaris LDAP when enabling ldaps. This
+     requires an apr-util fix in which is available in apr-util >= 1.4.0.
+     PR 42682. [Stefan Fritsch]
+
+  *) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible
+     for RewriteRules to be placed in .htaccess files that match the directory
+     with no trailing slash. PR 48304.
+     [Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>]
+
+  *) mod_session_crypto: Add a SessionCryptoPassphraseFile directive so that
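Review bot: The mod_lua entry "Add bindings for apr_dbd/mod_dbd database access" is recorded twice, once in the release section just above the "Changes with Apache 2.4.4" header and again under 2.4.4 as "Add bindings for mod_dbd/apr_dbd database access", so the file does not say unambiguously which release first shipped it; keep the entry in one section only. The 2.4.3 section likewise has two separate "The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR" entries (mod_auth_digest shared memory file, and the core scoreboard, pid file and mutexes) that would read better merged into one list. Two 2.4.4 entries carry no attribution bracket: "mod_dialup/mod_http: Prevent a crash in mod_dialup in case of internal redirect. PR 52230." and the httpd.conf entry removing the bad_DNT directives. Spelling to fix in the same pass: "managable", "non-existance", "mergeing", "Use the the same hostname" and "an apr-util fix in which is available". Several added lines also end in trailing whitespace, for example the "mod_include: Use new ap_expr for 'elif', like 'if', " line and the whitespace-only separator lines after the balancer-manager output entry, the mod_header load entry and the mod_ldap Windows regression entry.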

[... 2352 lines stripped ...]


