-*- coding: utf-8 -*- Changes with Apache 2.4.58 *) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (cve.mitre.org) When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Will Dormann of Vul Labs *) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0 (cve.mitre.org) An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Prof. Sven Dietrich (City University of New York) *) SECURITY: CVE-2023-31122: mod_macro buffer over-read (cve.mitre.org) Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57. Credits: David Shoon (github/davidshoon) *) mod_ssl: Silence info log message "SSL Library Error: error:0A000126: SSL routines::unexpected eof while reading" when using OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if available. [Rainer Jung] *) mod_http2: improved early cleanup of streams. [Stefan Eissing] *) mod_proxy_http2: improved error handling on connection errors while response is already underway. [Stefan Eissing] *) mod_http2: fixed a bug that could lead to a crash in main connection output handling. This occured only when the last request on a HTTP/2 connection had been processed and the session decided to shut down. This could lead to an attempt to send a final GOAWAY while the previous write was still in progress. See PR 66646. [Stefan Eissing] *) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value. Fixes PR66752. [Stefan Eissing] *) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as described in RFC 8441. A new directive 'H2WebSockets on|off' has been added. The feature is by default not enabled. As also discussed in the manual, this feature should work for setups using "ProxyPass backend-url upgrade=websocket" without further changes. Special server modules for WebSockets will have to be adapted, most likely, as the handling if IO events is different with HTTP/2. HTTP/2 WebSockets are supported on platforms with native pipes. This excludes Windows. [Stefan Eissing] *) mod_rewrite: Fix a regression with both a trailing ? and [QSA]. in OCSP stapling. PR 66672. [Frank Meier , covener] *) mod_http2: fixed a bug in flushing pending data on an already closed connection that could lead to a busy loop, preventing the HTTP/2 session to close down successfully. Fixed PR 66624. [Stefan Eissing] *) mod_http2: v2.0.15 with the following fixes and improvements - New directive 'H2EarlyHint name value' to add headers to a response, picked up already when a "103 Early Hints" response is sent. 'name' and 'value' must comply to the HTTP field restrictions. This directive can be repeated several times and header fields of the same names add. Sending a 'Link' header with 'preload' relation will also cause a HTTP/2 PUSH if enabled and supported by the client. - Fixed an issue where requests were not logged and accounted in a timely fashion when the connection returns to "keepalive" handling, e.g. when the request served was the last outstanding one. This led to late appearance in access logs with wrong duration times reported. - Accurately report the bytes sent for a request in the '%O' Log format. This addresses #203, a long outstanding issue where mod_h2 has reported numbers over-eagerly from internal buffering and not what has actually been placed on the connection. The numbers are now the same with and without H2CopyFiles enabled. [Stefan Eissing] *) mod_proxy_http2: fix retry handling to not leak temporary errors. On detecting that that an existing connection was shutdown by the other side, a 503 response leaked even though the request was retried on a fresh connection. [Stefan Eissing] *) mod_rewrite: Add server directory to include path as mod_rewrite requires test_char.h. PR 66571 [Valeria Petrov ] *) mod_http2: new directive `H2ProxyRequests on|off` to enable handling of HTTP/2 requests in a forward proxy configuration. General forward proxying is enabled via `ProxyRequests`. If the HTTP/2 protocol is also enabled for such a server/host, this new directive is needed in addition. [Stefan Eissing] *) core: Updated conf/mime.types: - .js moved from 'application/javascript' to 'text/javascript' - .mjs was added as 'text/javascript' - add .opus ('audio/ogg') - add 'application/vnd.geogebra.slides' - add WebAssembly MIME types and extension [Mathias Bynens <@mathiasbynens> via PR 318, Richard de Boer , Dave Hodder , Zbynek Konecny ] *) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend connection when sending data on the frontend one. This caused crashes or infinite loops in rare situations. *) mod_proxy_http2: fixed a bug in retry/response handling that could lead to wrong status codes or HTTP messages send at the end of response bodies exceeding the announced content-length. *) mod_proxy_http2: fix retry handling to not leak temporary errors. On detecting that that an existing connection was shutdown by the other side, a 503 response leaked even though the request was retried on a fresh connection. *) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in the wrong order when a bucket_beam was destroyed. [Stefan Eissing] *) mod_http2: avoid double chunked-encoding on internal redirects. PR 66597 [Yann Ylavic, Stefan Eissing] *) mod_http2: Fix reporting of `Total Accesses` in server-status to not count HTTP/2 requests twice. Fixes PR 66801. [Stefan Eissing] *) mod_ssl: Fix handling of Certificate Revoked messages in OCSP stapling. PR 66626. [] *) mod_http2: fixed a bug in handling of stream timeouts. [Stefan Eissing] *) mod_tls: updating to rustls-ffi version 0.9.2 or higher. Checking in configure for proper version installed. Code fixes for changed clienthello member name. [Stefan Eissing] *) mod_md: - New directive `MDMatchNames all|servernames` to allow more control over how MDomains are matched to VirtualHosts. - New directive `MDChallengeDns01Version`. Setting this to `2` will provide the command also with the challenge value on `teardown` invocation. In version 1, the default, only the `setup` invocation gets this parameter. Refs #312. Thanks to @domrim for the idea. - For Managed Domain in "manual" mode, the checks if all used ServerName and ServerAlias are part of the MDomain now reports a warning instead of an error (AH10040) when not all names are present. - MDChallengeDns01 can now be configured for individual domains. Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge teardown not being invoked as it should. *) mod_ldap: Avoid performance overhead of APR-util rebind cache for OpenLDAP 2.2+. PR 64414. [Joe Orton] *) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum amount of response body bytes put into a single HTTP/2 DATA frame. Setting this to 0 places no limit (but the max size allowed by the protocol is observed). The module, by default, tries to use the maximum size possible, which is somewhat around 16KB. This sets the maximum. When less response data is available, smaller frames will be sent. *) mod_md: fixed passing of the server environment variables to programs started via MDMessageCmd and MDChallengeDns01 on *nix system. See . [Stefan Eissing] *) mod_dav: Add DavBasePath directive to configure the repository root path. PR 35077. [Joe Orton] *) mod_alias: Add AliasPreservePath directive to map the full path after the alias in a location. [Graham Leggett] *) mod_alias: Add RedirectRelative to allow relative redirect targets to be issued as-is. [Eric Covener, Graham Leggett] *) core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and make sure that if the format is configured early enough it applies to every log line. PR 62161. [Yann Ylavic] *) mod_deflate: Add DeflateAlterETag to control how the ETag is modified. The 'NoChange' parameter mimics 2.2.x behavior. PR 45023, PR 39727. [Eric Covener] *) core: Optimize send_brigade_nonblocking(). [Yann Ylavic, Christophe Jaillet] *) mod_status: Remove duplicate keys "BusyWorkers" and "IdleWorkers". Resolve inconsistency between the previous two occurrences by counting workers in state SERVER_GRACEFUL no longer as busy, but instead in a new counter "GracefulWorkers" (or on HTML view as "workers gracefully restarting"). Also add the graceful counter as a new column to the existing HTML per process table for async MPMs. PR 63300. [Rainer Jung]