Subject: svn commit: r17458 - /dev/httpd/
Date: Fri, 16 Dec 2016 18:28:04 -0000
To: cvs@httpd.apache.org
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Reply-To: dev@httpd.apache.org
Content-Type: text/plain; charset="utf-8"
From: jim@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20161216182805.20F583A0026@svn01-us-west.apache.org> archived-at: Fri, 16 Dec 2016 18:28:07 -0000 Author: jim Date: Fri Dec 16 18:28:04 2016 New Revision: 17458 Log: Make 2.4.25 avail Added: dev/httpd/CHANGES_2.4.25 dev/httpd/httpd-2.4.25-deps.tar.bz2 (with props) dev/httpd/httpd-2.4.25-deps.tar.bz2.asc (with props) dev/httpd/httpd-2.4.25-deps.tar.bz2.md5 dev/httpd/httpd-2.4.25-deps.tar.bz2.sha1 dev/httpd/httpd-2.4.25-deps.tar.gz (with props) dev/httpd/httpd-2.4.25-deps.tar.gz.asc (with props) dev/httpd/httpd-2.4.25-deps.tar.gz.md5 dev/httpd/httpd-2.4.25-deps.tar.gz.sha1 dev/httpd/httpd-2.4.25.tar.bz2 (with props) dev/httpd/httpd-2.4.25.tar.bz2.asc (with props) dev/httpd/httpd-2.4.25.tar.bz2.md5 dev/httpd/httpd-2.4.25.tar.bz2.sha1 dev/httpd/httpd-2.4.25.tar.gz (with props) dev/httpd/httpd-2.4.25.tar.gz.asc (with props) dev/httpd/httpd-2.4.25.tar.gz.md5 dev/httpd/httpd-2.4.25.tar.gz.sha1 Modified: dev/httpd/CHANGES_2.4 Modified: dev/httpd/CHANGES_2.4 ============================================================================== --- dev/httpd/CHANGES_2.4 (original) +++ dev/httpd/CHANGES_2.4 Fri Dec 16 18:28:04 2016 @@ -1,5 +1,10 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.25 + + *) Fix some build issues related to various modules. + [Rainer Jung] + Changes with Apache 2.4.24 *) SECURITY: CVE-2016-8740 (cve.mitre.org) Added: dev/httpd/CHANGES_2.4.25 ============================================================================== --- dev/httpd/CHANGES_2.4.25 (added) +++ dev/httpd/CHANGES_2.4.25 Fri Dec 16 18:28:04 2016 
@@ -0,0 +1,274 @@ + -*- coding: utf-8 -*- + +Changes with Apache 2.4.25 + + *) Fix some build issues related to various modules. + [Rainer Jung] + +Changes with Apache 2.4.24 + + *) SECURITY: CVE-2016-8740 (cve.mitre.org) + mod_http2: Mitigate DoS memory exhaustion via endless + CONTINUATION frames. + [Naveen Tiwari and CDF/SEFCOM at Arizona State + University, Stefan Eissing] + + *) SECURITY: CVE-2016-5387 (cve.mitre.org) + core: Mitigate [f]cgi "httpoxy" issues. + [Dominic Scheirlinck , Yann Ylavic] + + *) SECURITY: CVE-2016-2161 (cve.mitre.org) + mod_auth_digest: Prevent segfaults during client entry allocation when + the shared memory space is exhausted. + [Maksim Malyutin , Eric Covener, Jacob Champion] + + *) SECURITY: CVE-2016-0736 (cve.mitre.org) + mod_session_crypto: Authenticate the session data/cookie with a + MAC (SipHash) to prevent deciphering or tampering with a padding + oracle attack. [Yann Ylavic, Colm MacCarthaigh] + + *) SECURITY: CVE-2016-8743 (cve.mitre.org) + Enforce HTTP request grammar corresponding to RFC7230 for request lines + and request headers, to prevent response splitting and cache pollution by + malicious clients or downstream proxies. [William Rowe, Stefan Fritsch] + + *) Validate HTTP response header grammar defined by RFC7230, resulting + in a 500 error in the event that invalid response header contents are + detected when serving the response, to avoid response splitting and cache + pollution by malicious clients, upstream servers or faulty modules. + [Stefan Fritsch, Eric Covener, Yann Ylavic] + + *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of + looping RewriteRules when the local path significantly exceeds + LimitRequestLine. PR 60478. [Jeff Wheelhouse ] + + *) mod_ratelimit: Allow for initial "burst" amount at full speed before + throttling: PR 60145 [Andy Valencia , + Jim Jagielski] + + *) mod_socache_memcache: Provide memcache stats to mod_status. 
+ [Jim Jagielski] + + *) http_filters: Fix potential looping in new check_headers() due to new + pattern of ap_die() from http header filter. Explicitly clear the + previous headers and body. + + *) core: Drop Content-Length header and message-body from HTTP 204 responses. + PR 51350 [Luca Toscano] + + *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is + configured in , like in 2.2. PR 60458. + [Eric Covener] + + *) mod_lua: Fix default value of LuaInherit directive. It should be + 'parent-first' instead of 'none', as per documentation. PR 60419 + [Christophe Jaillet] + + *) core: New directive HttpProtocolOptions to control httpd enforcement + of various RFC7230 requirements. [Stefan Fritsch, William Rowe] + + *) core: Permit unencoded ';' characters to appear in proxy requests and + Location: response headers. Corresponds to modern browser behavior. + [William Rowe] + + *) core: ap_rgetline_core now pulls from r->proto_input_filters. + + *) core: Correctly parse an IPv6 literal host specification in an absolute + URL in the request line. [Stefan Fritsch] + + *) core: New directive RegisterHttpMethod for registering non-standard + HTTP methods. [Stefan Fritsch] + + *) mod_socache_memcache: Pass expiration time through to memcached. + [Faidon Liambotis , Joe Orton] + + *) mod_cache: Use the actual URI path and query-string for identifying the + cached entity (key), such that rewrites are taken into account when + running afterwards (CacheQuickHandler off). PR 21935. [Yann Ylavic] + + *) mod_http2: new directive 'H2EarlyHints' to enable sending of HTTP status + 103 interim responses. Disabled by default. [Stefan Eissing] + + *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate + in the client certificate chain. PR 55786. [Yann Ylavic] + + *) event: Allow to use the whole allocated scoreboard (up to ServerLimit + slots) to avoid scoreboard full errors when some processes are finishing + gracefully. 
Also, make gracefully finishing processes close all + keep-alive connections. PR 53555. [Stefan Fritsch] + + *) mpm_event: Don't take over scoreboard slots from gracefully finishing + threads. [Stefan Fritsch] + + *) mpm_event: Free memory earlier when shutting down processes. + [Stefan Fritsch] + + *) mod_status: Display the process slot number in the async connection + overview. [Stefan Fritsch] + + *) mod_dir: Responses that go through "FallbackResource" might appear to + hang due to unterminated chunked encoding. PR58292. [Eric Covener] + + *) mod_dav: Fix a potential cause of unbounded memory usage or incorrect + behavior in a routine that sends 's to the output filters. + [Evgeny Kotkov] + + *) mod_http2: new directive 'H2PushResource' to enable early pushes before + processing of the main request starts. Resources are announced to the + client in Link headers on a 103 early hint response. + All responses with status code <400 are inspected for Link header and + trigger pushes accordingly. 304 still does prevent pushes. + 'H2PushResource' can mark resources as 'critical' which gives them higher + priority than the main resource. This leads to preferred scheduling for + processing and, when content is available, will send it first. 'critical' + is also recognized on Link headers. [Stefan Eissing] + + *) mod_proxy_http2: uris in Link headers are now mapped back to a suitable + local url when available. Relative uris with an absolute path are mapped + as well. This makes reverse proxy mapping available for resources + announced in this header. + With 103 interim responses being forwarded to the main client connection, + this effectively allows early pushing of resources by a reverse proxied + backend server. [Stefan Eissing] + + *) mod_proxy_http2: adding support for newly proposed 103 status code. + [Stefan Eissing] + + *) mpm_unix: Apache fails to start if previously crashed then restarted with + the same PID (e.g. in container). PR 60261. 
+ [Val , Yann Ylavic] + + *) mod_http2: unannounced and multiple interim responses (status code < 200) + are parsed and forwarded to client until a final response arrives. + [Stefan Eissing] + + *) mod_proxy_http2: improved robustness when main connection is closed early + by resetting all ongoing streams against the backend. + [Stefan Eissing] + + *) mod_http2: allocators from slave connections are released earlier, + resulting in less overall memory use on busy, long lived connections. + [Stefan Eissing] + + *) mod_remoteip: Pick up where we left off during a subrequest rather + than running with the modified XFF but original TCP address. + PR 49839/PR 60251 + + *) http: Respond with "408 Request Timeout" when a timeout occurs while + reading the request body. [Yann Ylavic] + + *) mod_http2: connection shutdown revisited: corrected edge cases on + shutting down ongoing streams, changed log warnings to be less noisy + when waiting on long running tasks. [Stefan Eissing] + + *) mod_http2: changed all AP_DEBUG_ASSERT to ap_assert to have them + available also in normal deployments. [Stefan Eissing] + + *) mod_http2/mod_proxy_http2: 100-continue handling now properly implemented + up to the backend. Reused HTTP/2 proxy connections with more than a second + not used will block request bodies until a PING answer is received. + Requests headers are not delayed by this, since they are repeatable in + case of failure. This greatly increases robustness, especially with + busy server and/or low keepalive connections. [Stefan Eissing] + + *) mod_proxy_http2: fixed duplicate symbols with mod_http2. + [Stefan Eissing] + + *) mod_http2: rewrite of how responses and trailers are transferred between + master and slave connection. Reduction of internal states for tasks + and streams, stability. Heuristic id generation for slave connections + to better keep promise of connection ids unique at given point int time. + Fix for mod_cgid interop in high load situtations. 
+ Fix for handling of incoming trailers when no request body is sent. + [Stefan Eissing] + + *) mod_http2: fix suspended handling for streams. Output could become + blocked in rare cases. [Stefan Eissing] + + *) mpm_winnt: Prevent a denial of service when the 'data' AcceptFilter is in + use by replacing it with the 'connect' filter. PR 59970. [Jacob Champion] + + *) mod_cgid: Resolve a case where a short CGI response causes a subsequent + CGI to be killed prematurely, resulting in a truncated subsequent + response. [Eric Covener] + + *) mod_proxy_hcheck: Set health check URI and expression correctly for health + check worker. PR 60038 [zdeno ] + + *) mod_http2: if configured with nghttp2 1.14.0 and onward, invalid request + headers will immediately reset the stream with a PROTOCOL error. Feature + logged by module on startup as 'INVHD' in info message. + [Stefan Eissing] + + *) mod_http2: fixed handling of stream buffers during shutdown. + [Stefan Eissing] + + *) mod_reqtimeout: Fix body timeout disabling for CONNECT requests to avoid + triggering mod_proxy_connect's AH01018 once the tunnel is established. + [Yann Ylavic] + + *) ab: Set the Server Name Indication (SNI) extension on outgoing TLS + connections (unless -I is specified), according to the Host header (if + any) or the requested URL's hostname otherwise. [Yann Ylavic] + + *) mod_proxy_fcgi: avoid loops when ProxyErrorOverride is enabled + and the error documents are proxied. PR 55415. [Luca Toscano] + + *) mod_proxy_fcgi: read the whole FCGI response even when the content + has not been modified (HTTP 304) or in case of a precondition failure + (HTTP 412) to avoid subsequent bogus reads and confusing + error messages logged. [Luca Toscano] + + *) mod_http2: h2 status resource follows latest draft, see + http://www.ietf.org/id/draft-benfield-http2-debug-state-01.txt + [Stefan Eissing] + + *) mod_http2: handling graceful shutdown gracefully, e.g. handling existing + streams to the end. 
[Stefan Eissing] + + *) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data + available before the request is sent. PR 57832. [Yann Ylavic] + + *) mod_proxy_balancer: Prevent redirect loops between workers within a + balancer by limiting the number of redirects to the number balancer + members. PR 59864 [Ruediger Pluem] + + *) mod_proxy: Correctly consider error response codes by the backend when + processing failonstatus. PR 59869 [Ruediger Pluem] + + *) mod_dav: Add dav_get_provider_name() function to obtain the name + of the provider from mod_dav. [Graham Leggett] + + *) mod_dav: Add support for childtags to dav_error. + [Jari Urpalainen ] + + *) mod_proxy_fcgi: Fix 2.4.23 breakage for mod_rewrite per-dir and query + string showing up in SCRIPT_FILENAME. PR59815 + + *) mod_include: Fix a potential memory misuse while evaluating expressions. + PR59844. [Eric Covener] + + *) mod_http2: new H2CopyFiles directive that changes treatment of file + handles in responses. Necessary in order to fix broken lifetime handling + in modules such as mod_wsgi. + + *) mod_http2: removing timeouts on master connection while requests are + being processed. Requests may timeout, but the master only times out when + no more requests are active. [Stefan Eissing] + + *) mod_http2: fixes connection flush when answering SETTINGS without any + stream open. [Moto Ishizawa <@summerwind>, Stefan Eissing] + + + + [Apache 2.3.0-dev includes those bug fixes and changes with the + Apache 2.2.xx tree as documented, and except as noted, below.] + +Changes with Apache 2.2.x and later: + + *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup + +Changes with Apache 2.0.x and later: + + *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup + Added: dev/httpd/httpd-2.4.25-deps.tar.bz2 ============================================================================== Binary file - no diff available. 
Propchange: dev/httpd/httpd-2.4.25-deps.tar.bz2 ------------------------------------------------------------------------------ svn:mime-type = application/x-bzip2 Added: dev/httpd/httpd-2.4.25-deps.tar.bz2.asc ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.25-deps.tar.bz2.asc ------------------------------------------------------------------------------ svn:mime-type = application/pgp-signature Added: dev/httpd/httpd-2.4.25-deps.tar.bz2.md5 ============================================================================== --- dev/httpd/httpd-2.4.25-deps.tar.bz2.md5 (added) +++ dev/httpd/httpd-2.4.25-deps.tar.bz2.md5 Fri Dec 16 18:28:04 2016 @@ -0,0 +1 @@ +db154c0a590947d554bd292b31ed4a6f *httpd-2.4.25-deps.tar.bz2 Added: dev/httpd/httpd-2.4.25-deps.tar.bz2.sha1 ============================================================================== --- dev/httpd/httpd-2.4.25-deps.tar.bz2.sha1 (added) +++ dev/httpd/httpd-2.4.25-deps.tar.bz2.sha1 Fri Dec 16 18:28:04 2016 
@@ -0,0 +1 @@ +df4604d70f590477f318374cd4cf632dbb2b49a1 *httpd-2.4.25-deps.tar.bz2 Added: dev/httpd/httpd-2.4.25-deps.tar.gz ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.25-deps.tar.gz ------------------------------------------------------------------------------ svn:mime-type = application/x-gzip Added: dev/httpd/httpd-2.4.25-deps.tar.gz.asc ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.25-deps.tar.gz.asc ------------------------------------------------------------------------------ svn:mime-type = application/pgp-signature Added: dev/httpd/httpd-2.4.25-deps.tar.gz.md5 ============================================================================== --- dev/httpd/httpd-2.4.25-deps.tar.gz.md5 (added) +++ dev/httpd/httpd-2.4.25-deps.tar.gz.md5 Fri Dec 16 18:28:04 2016 @@ -0,0 +1 @@ +66b33ab896b44b78a031bc8c6c8a6f8a *httpd-2.4.25-deps.tar.gz Added: dev/httpd/httpd-2.4.25-deps.tar.gz.sha1 ============================================================================== --- dev/httpd/httpd-2.4.25-deps.tar.gz.sha1 (added) +++ dev/httpd/httpd-2.4.25-deps.tar.gz.sha1 Fri Dec 16 18:28:04 2016 
@@ -0,0 +1 @@ +48d10881344fc95aec8ff62aedace6dd0ca94d92 *httpd-2.4.25-deps.tar.gz Added: dev/httpd/httpd-2.4.25.tar.bz2 ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.25.tar.bz2 ------------------------------------------------------------------------------ svn:mime-type = application/x-bzip2 Added: dev/httpd/httpd-2.4.25.tar.bz2.asc ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.25.tar.bz2.asc ------------------------------------------------------------------------------ svn:mime-type = application/pgp-signature Added: dev/httpd/httpd-2.4.25.tar.bz2.md5 ============================================================================== --- dev/httpd/httpd-2.4.25.tar.bz2.md5 (added) +++ dev/httpd/httpd-2.4.25.tar.bz2.md5 Fri Dec 16 18:28:04 2016 @@ -0,0 +1 @@ +2826f49619112ad5813c0be5afcc7ddb *httpd-2.4.25.tar.bz2 Added: dev/httpd/httpd-2.4.25.tar.bz2.sha1 ============================================================================== --- dev/httpd/httpd-2.4.25.tar.bz2.sha1 (added) +++ dev/httpd/httpd-2.4.25.tar.bz2.sha1 Fri Dec 16 18:28:04 2016 
@@ -0,0 +1 @@ +bd6d138c31c109297da2346c6e7b93b9283993d2 *httpd-2.4.25.tar.bz2 Added: dev/httpd/httpd-2.4.25.tar.gz ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.25.tar.gz ------------------------------------------------------------------------------ svn:mime-type = application/x-gzip Added: dev/httpd/httpd-2.4.25.tar.gz.asc ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.25.tar.gz.asc ------------------------------------------------------------------------------ svn:mime-type = application/pgp-signature Added: dev/httpd/httpd-2.4.25.tar.gz.md5 ============================================================================== --- dev/httpd/httpd-2.4.25.tar.gz.md5 (added) +++ dev/httpd/httpd-2.4.25.tar.gz.md5 Fri Dec 16 18:28:04 2016 @@ -0,0 +1 @@ +24fb8b9e36cf131d78caae864fea0f6a *httpd-2.4.25.tar.gz Added: dev/httpd/httpd-2.4.25.tar.gz.sha1 ============================================================================== --- dev/httpd/httpd-2.4.25.tar.gz.sha1 (added) +++ dev/httpd/httpd-2.4.25.tar.gz.sha1 Fri Dec 16 18:28:04 2016 @@ -0,0 +1 @@ +377c62dc6b25c9378221111dec87c28f8fe6ac69 *httpd-2.4.25.tar.gz
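Review bot: the single entry added under `+Changes with Apache 2.4.25` in the CHANGES_2.4 hunk, `+ *) Fix some build issues related to various modules.`, names neither the modules nor a PR or revision, unlike every other entry in the file, so a packager deciding whether 2.4.25 changes anything for their build has nothing to act on; suggest listing the affected modules (or at least the PR/revision) in the same `PR nnnnn. [Author]` style the rest of the file uses.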
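Review bot: in the CHANGES_2.4.25 hunk, the five `SECURITY: CVE-...` entries (CVE-2016-8740, CVE-2016-5387, CVE-2016-2161, CVE-2016-0736, CVE-2016-8743) all sit under the `Changes with Apache 2.4.24` heading while the 2.4.25 section above it lists only a build fix, so a reader skimming the top of the file for what this release fixes will miss them; suggest a line under the 2.4.25 heading stating that the 2.4.24 changes are included, and a cross-reference from the CVE-2016-8743 entry to the `core: New directive HttpProtocolOptions` entry, since operators whose clients start receiving errors after the stricter RFC7230 grammar enforcement need to find that directive. Several entries also lack the `[Author]` attribution the file otherwise carries (`http_filters: Fix potential looping in new check_headers()`, `core: ap_rgetline_core now pulls from r->proto_input_filters.`, `mod_remoteip: ... PR 49839/PR 60251`, `mod_proxy_fcgi: ... PR59815`, `mod_http2: new H2CopyFiles directive`), and two typos should be fixed before release: `unique at given point int time` and `high load situtations`.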
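Review bot: the integrity files added for each tarball (the `.md5` and `.sha1` hunks, e.g. `+db154c0a590947d554bd292b31ed4a6f *httpd-2.4.25-deps.tar.bz2`) cover only MD5 and SHA-1, both of which are collision-prone, so they catch a corrupted download but are not a defence against a substituted artifact; suggest also publishing SHA-256 (or SHA-512) files alongside them, and noting in the release announcement that the detached `.asc` PGP signatures added in this commit, checked against the project's KEYS file, are the authoritative verification. The `hash *filename` form used here is the binary-mode format that `md5sum -c` and `sha1sum -c` accept, so the files verify as committed.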