                                                         -*- coding: utf-8 -*-
Changes with Apache 2.4.61

Changes with Apache 2.4.60

  *) SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy
     handler substitution (cve.mitre.org)
     Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and
     earlier allows an attacker to cause unsafe RewriteRules to
     unexpectedly setup URL's to be handled by mod_proxy.
     Credits: Orange Tsai (@orange_8361) from DEVCORE

  *) SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in
     Denial of Service in mod_proxy via a malicious request
     (cve.mitre.org)
     null pointer dereference in mod_proxy in Apache HTTP Server
     2.4.59 and earlier allows an attacker to crash the server via a
     malicious request.
     Credits: Orange Tsai (@orange_8361) from DEVCORE

  *) SECURITY: CVE-2024-38476: Apache HTTP Server may use
     exploitable/malicious backend application output to run local
     handlers via internal redirect (cve.mitre.org)
     Vulnerability in core of Apache HTTP Server 2.4.59 and earlier
     are vulnerably to information disclosure, SSRF or local script
     execution via backend applications whose response headers are
     malicious or exploitable.

     Note: Some legacy uses of the 'AddType' directive to connect a
     request to a handler must be ported to 'AddHandler' after this fix.

     Credits: Orange Tsai (@orange_8361) from DEVCORE

  *) SECURITY: CVE-2024-38475: Apache HTTP Server weakness in
     mod_rewrite when first segment of substitution matches
     filesystem path. (cve.mitre.org)
     Improper escaping of output in mod_rewrite in Apache HTTP Server
     2.4.59 and earlier allows an attacker to map URLs to filesystem
     locations that are permitted to be served by the server but are
     not intentionally/directly reachable by any URL, resulting in
     code execution or source code disclosure.
     Substitutions in server context that use a backreferences or
     variables as the first segment of the substitution are affected.
     Some unsafe RewiteRules will be broken by this change and the
     rewrite flag "UnsafePrefixStat" can be used to opt back in once
     ensuring the substitution is appropriately constrained.
     Credits: Orange Tsai (@orange_8361) from DEVCORE

  *) SECURITY: CVE-2024-38474: Apache HTTP Server weakness with
     encoded question marks in backreferences (cve.mitre.org)
     Substitution encoding issue in mod_rewrite in Apache HTTP Server
     2.4.59 and earlier allows attacker to execute scripts in
     directories permitted by the configuration but not directly
     reachable by any URL or source disclosure of scripts meant to
     only to be executed as CGI.

     Note: Some RewriteRules that capture and substitute unsafely will now
     fail unless rewrite flag "UnsafeAllow3F" is specified.

     Credits: Orange Tsai (@orange_8361) from DEVCORE

  *) SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding
     problem (cve.mitre.org)
     Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and
     earlier allows request URLs with incorrect encoding to be sent
     to backend services, potentially bypassing authentication via
     crafted requests.
     Credits: Orange Tsai (@orange_8361) from DEVCORE

  *) SECURITY: CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF
     (cve.mitre.org)
     SSRF in Apache HTTP Server on Windows allows to potentially leak
     NTML hashes to a malicious server via SSRF and malicious
     requests or content

     Note: Existing configurations that access UNC paths
     will have to configure new directive "UNCList" to allow access
     during request processing.

     Credits: Orange Tsai (@orange_8361) from DEVCORE

  *) SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null
     pointer in websocket over HTTP/2 (cve.mitre.org)
     Serving WebSocket protocol upgrades over a HTTP/2 connection
     could result in a Null Pointer dereference, leading to a crash
     of the server process, degrading performance.
     Credits: Marc Stern (<marc.stern AT approach-cyber.com>)

  *) mod_proxy: Fix DNS requests and connections closed before the
     configured addressTTL.  BZ 69126.  [Yann Ylavic]

  *) core: On Linux, log the real thread ID in error logs.  [Joe Orton]

  *) core: Support zone/scope in IPv6 link-local addresses in Listen and
     VirtualHost directives (requires APR 1.7.x or later).  PR 59396
     [Joe Orton]

  *) mod_ssl: Reject client-initiated renegotiation with a TLS alert
     (rather than connection closure).  [Joe Orton, Yann Ylavic]

  *) Updated mime.types.  [Mohamed Akram <mohd.akram outlook.com>,
     Adam Silverstein <adamsilverstein earthboundhosting.com>]

  *) mod_ssl: Fix a regression that causes the default DH parameters for a key
     no longer set and thus effectively disabling DH ciphers when no explicit
     DH parameters are set. PR 68863 [Ruediger Pluem]

  *) mod_cgid: Optional support for file descriptor passing, fixing
     error log handling (configure --enable-cgid-fdpassing) on Unix
     platforms. PR 54221.  [Joe Orton]

  *) mod_cgid/mod_cgi: Distinguish script stderr output clearly in
     error logs.  PR 61980.  [Hank Ibell <hwibell gmail.com>]

  *) mod_tls: update version of rustls-ffi to v0.13.0.
     [Daniel McCarney (@cpu}]

  *) mod_md:
     - Using OCSP stapling information to trigger certificate renewals. Proposed
       by @frasertweedale.
     - Added directive `MDCheckInterval` to control how often the server checks
       for detected revocations. Added proposals for configurations in the
       README.md chapter "Revocations".
     - OCSP stapling: accept OCSP responses without a `nextUpdate` entry which is
       allowed in RFC 6960. Treat those as having an update interval of 12 hours.
       Added by @frasertweedale.
     - Adapt OpenSSL usage to changes in their API. By Yann Ylavic.

Changes with Apache 2.4.59

  *) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
     memory exhaustion on endless continuation frames (cve.mitre.org)
     HTTP/2 incoming headers exceeding the limit are temporarily
     buffered in nghttp2 in order to generate an informative HTTP 413
     response. If a client does not stop sending headers, this leads
     to memory exhaustion.
     Credits: Bartek Nowotarski (https://nowotarski.info/)

  *) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
     Splitting in multiple modules (cve.mitre.org)
     HTTP Response splitting in multiple modules in Apache HTTP
     Server allows an attacker that can inject malicious response
     headers into backend applications to cause an HTTP
     desynchronization attack.

     After this change, CGI-like scripts cannot set Transfer-Encoding
     or Content-Length headers.  To restore the ability to set Content-Length
     header, set per-request environment variable 'ap_trust_cgilike_cl' to any
     non-empty value.

     Credits: Keran Mu, Tsinghua University and Zhongguancun
     Laboratory.

  *) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
     splitting (cve.mitre.org)
     Faulty input validation in the core of Apache allows malicious
     or exploitable backend/content generators to split HTTP
     responses.
     This issue affects Apache HTTP Server: through 2.4.58.
     Credits: Orange Tsai (@orange_8361) from DEVCORE

  *) mod_deflate: Fixes and better logging for handling various
     error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton,
     Eric Norris <enorris etsy.com>]

  *) Add CGIScriptTimeout to mod_cgi. [Eric Covener]

  *) mod_xml2enc: Tolerate libxml2 2.12.0 and later.  PR 68610
     [ttachi <tachihara AT hotmail.com>]

  *) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable.
     [Jean-Frederic Clere]

  *) mod_ssl: Use OpenSSL-standard functions to assemble CA
     name lists for SSLCACertificatePath/SSLCADNRequestPath.
     Names will now be consistently sorted. PR 61574.
     [Joe Orton]

  *) mod_xml2enc: Update check to accept any text/ media type
     or any XML media type per RFC 7303, avoiding
     corruption of Microsoft OOXML formats.  PR 64339.
     [Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton]

  *) mod_http2: v2.0.26 with the following fixes:
     - Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes
       <https://github.com/icing/mod_h2/issues/272>.
     - Fixed small memory leak in h2 header bucket free. Thanks to
       Michael Kaufmann for finding this and providing the fix.

  *) htcacheclean: In -a/-A mode, list all files per subdirectory
     rather than only one. PR 65091.
     [Artem Egorenkov <aegorenkov.91 gmail.com>]

  *) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files
     which include CA certificates; those CA certs are treated as if
     configured with SSLProxyMachineCertificateChainFile.  [Joe Orton]

  *) htpasswd, htdbm, dbmmanage: Update help&docs to refer to
     "hashing", rather than "encrypting" passwords.
     [Michele Preziuso <mpreziuso kaosdynamics.com>]

  *) mod_ssl: Fix build with LibreSSL 2.0.7+. PR 64047.
     [Giovanni Bechis, Yann Ylavic]

  *) htpasswd: Add support for passwords using SHA-2.  [Joe Orton,
     Yann Ylavic]

  *) core: Allow mod_env to override system environment vars. [Joe Orton]

  *) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an
     operation which removes a directory/file between apr_dir_read() and
     apr_stat(). Current behaviour is to abort the connection which seems
     inferior to tolerating (and logging) the error. [Joe Orton]

  *) mod_ldap: HTML-escape data in the ldap-status handler.
     [Eric Covener, Chamal De Silva]

  *) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
     Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
     notably with OpenSSL >= 3.  PR 68080.  [Yann Ylavic, Joe Orton]

  *) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about
     deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting
     to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice).
     [Yann Ylavic]

  *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]

  *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when
     some dollar substitution (backreference) happens in the hostname or port
     part of the URL.  [Yann Ylavic]

  *) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend
     systems are cached. [Yann Ylavic]

  *) mod_proxy: Add optional third argument for ProxyRemote, which
     configures Basic authentication credentials to pass to the remote
     proxy.  PR 37355.  [Joe Orton]

Changes with Apache 2.4.58

  *) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
     memory not reclaimed right away on RST (cve.mitre.org)
     When a HTTP/2 stream was reset (RST frame) by a client, there
     was a time window were the request's memory resources were not
     reclaimed immediately. Instead, de-allocation was deferred to
     connection close. A client could send new requests and resets,
     keeping the connection busy and open and causing the memory
     footprint to keep on growing. On connection close, all resources
     were reclaimed, but the process might run out of memory before
     that.
     This was found by the reporter during testing of CVE-2023-44487
     (HTTP/2 Rapid Reset Exploit) with their own test client. During
     "normal" HTTP/2 use, the probability to hit this bug is very
     low. The kept memory would not become noticeable before the
     connection closes or times out.
     Users are recommended to upgrade to version 2.4.58, which fixes
     the issue.
     Credits: Will Dormann of Vul Labs

  *) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
     initial windows size 0 (cve.mitre.org)
     An attacker, opening a HTTP/2 connection with an initial window
     size of 0, was able to block handling of that connection
     indefinitely in Apache HTTP Server. This could be used to
     exhaust worker resources in the server, similar to the well
     known "slow loris" attack pattern.
     This has been fixed in version 2.4.58, so that such connection
     are terminated properly after the configured connection timeout.
     This issue affects Apache HTTP Server: from 2.4.55 through
     2.4.57.
     Users are recommended to upgrade to version 2.4.58, which fixes
     the issue.
     Credits: Prof. Sven Dietrich (City University of New York)

  *) SECURITY: CVE-2023-31122: mod_macro buffer over-read
     (cve.mitre.org)
     Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
     Server.This issue affects Apache HTTP Server: through 2.4.57.
     Credits: David Shoon (github/davidshoon)

  *) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
     SSL routines::unexpected eof while reading" when using
     OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
     available. [Rainer Jung]

  *) mod_http2: improved early cleanup of streams.
     [Stefan Eissing]

  *) mod_proxy_http2: improved error handling on connection errors while
     response is already underway.
     [Stefan Eissing]

  *) mod_http2: fixed a bug that could lead to a crash in main connection
     output handling. This occured only when the last request on a HTTP/2
     connection had been processed and the session decided to shut down.
     This could lead to an attempt to send a final GOAWAY while the previous
     write was still in progress. See PR 66646.
     [Stefan Eissing]

  *) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value.
     Fixes PR66752.
     [Stefan Eissing]

  *) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as
     described in RFC 8441. A new directive 'H2WebSockets on|off' has been
     added. The feature is by default not enabled.
     As also discussed in the manual, this feature should work for setups
     using "ProxyPass backend-url upgrade=websocket" without further changes.
     Special server modules for WebSockets will have to be adapted,
     most likely, as the handling if IO events is different with HTTP/2.
     HTTP/2 WebSockets are supported on platforms with native pipes. This
     excludes Windows.
     [Stefan Eissing]

  *) mod_rewrite: Fix a regression with both a trailing ? and [QSA].
     in OCSP stapling. PR 66672. [Frank Meier <frank.meier ergon.ch>, covener]

  *) mod_http2: fixed a bug in flushing pending data on an already closed
     connection that could lead to a busy loop, preventing the HTTP/2 session
     to close down successfully. Fixed PR 66624.
     [Stefan Eissing]

  *) mod_http2: v2.0.15 with the following fixes and improvements
     - New directive 'H2EarlyHint name value' to add headers to a response,
       picked up already when a "103 Early Hints" response is sent. 'name' and
       'value' must comply to the HTTP field restrictions.
       This directive can be repeated several times and header fields of the
       same names add. Sending a 'Link' header with 'preload' relation will
       also cause a HTTP/2 PUSH if enabled and supported by the client.
     - Fixed an issue where requests were not logged and accounted in a timely
       fashion when the connection returns to "keepalive" handling, e.g. when
       the request served was the last outstanding one.
       This led to late appearance in access logs with wrong duration times
       reported.
     - Accurately report the bytes sent for a request in the '%O' Log format.
       This addresses #203, a long outstanding issue where mod_h2 has reported
       numbers over-eagerly from internal buffering and not what has actually
       been placed on the connection.
       The numbers are now the same with and without H2CopyFiles enabled.
     [Stefan Eissing]

  *) mod_proxy_http2: fix retry handling to not leak temporary errors.
     On detecting that that an existing connection was shutdown by the other
     side, a 503 response leaked even though the request was retried on a
     fresh connection.
     [Stefan Eissing]

  *) mod_rewrite: Add server directory to include path as mod_rewrite requires
     test_char.h. PR 66571 [Valeria Petrov <valeria.petrov@spinetix.com>]

  *) mod_http2: new directive `H2ProxyRequests on|off` to enable handling
     of HTTP/2 requests in a forward proxy configuration.
     General forward proxying is enabled via `ProxyRequests`. If the
     HTTP/2 protocol is also enabled for such a server/host, this new
     directive is needed in addition.
     [Stefan Eissing]

  *) core: Updated conf/mime.types:
     - .js moved from 'application/javascript' to 'text/javascript'
     - .mjs was added as 'text/javascript'
     - add .opus ('audio/ogg')
     - add 'application/vnd.geogebra.slides'
     - add WebAssembly MIME types and extension
     [Mathias Bynens <@mathiasbynens> via PR 318,
      Richard de Boer <richard tubul.net>, Dave Hodder <dmh dmh.org.uk>,
      Zbynek Konecny <zbynek1729 gmail.com>]

  *) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend
     connection when sending data on the frontend one. This caused crashes
     or infinite loops in rare situations.
  *) mod_proxy_http2: fixed a bug in retry/response handling that could lead
     to wrong status codes or HTTP messages send at the end of response bodies
     exceeding the announced content-length.
  *) mod_proxy_http2: fix retry handling to not leak temporary errors.
     On detecting that that an existing connection was shutdown by the other
     side, a 503 response leaked even though the request was retried on a
     fresh connection.
  *) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in
     the wrong order when a bucket_beam was destroyed.
     [Stefan Eissing]

  *) mod_http2: avoid double chunked-encoding on internal redirects.
     PR 66597 [Yann Ylavic, Stefan Eissing]

  *) mod_http2: Fix reporting of `Total Accesses` in server-status to not count
     HTTP/2 requests twice. Fixes PR 66801.
     [Stefan Eissing]

  *) mod_ssl: Fix handling of Certificate Revoked messages
     in OCSP stapling. PR 66626. [<gmoniker gmail.com>]

  *) mod_http2: fixed a bug in handling of stream timeouts.
     [Stefan Eissing]

  *) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
     Checking in configure for proper version installed. Code
     fixes for changed clienthello member name.
     [Stefan Eissing]

  *) mod_md:
     - New directive `MDMatchNames all|servernames` to allow more control over how
       MDomains are matched to VirtualHosts.
     - New directive `MDChallengeDns01Version`. Setting this to `2` will provide
       the command also with the challenge value on `teardown` invocation. In version
       1, the default, only the `setup` invocation gets this parameter.
       Refs #312. Thanks to @domrim for the idea.
     - For Managed Domain in "manual" mode, the checks if all used ServerName and
       ServerAlias are part of the MDomain now reports a warning instead of an error
       (AH10040) when not all names are present.
     - MDChallengeDns01 can now be configured for individual domains.
       Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working
     - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
       teardown not being invoked as it should.

  *) mod_ldap: Avoid performance overhead of APR-util rebind cache for
     OpenLDAP 2.2+.  PR 64414.  [Joe Orton]

  *) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum
     amount of response body bytes put into a single HTTP/2 DATA frame.
     Setting this to 0 places no limit (but the max size allowed by the
     protocol is observed).
     The module, by default, tries to use the maximum size possible, which is
     somewhat around 16KB. This sets the maximum. When less response data is
     available, smaller frames will be sent.

  *) mod_md: fixed passing of the server environment variables to programs
     started via MDMessageCmd and MDChallengeDns01 on *nix system.
     See <https://github.com/icing/mod_md/issues/319>.
     [Stefan Eissing]

  *) mod_dav: Add DavBasePath directive to configure the repository root
     path.  PR 35077.  [Joe Orton]

  *) mod_alias: Add AliasPreservePath directive to map the full
     path after the alias in a location. [Graham Leggett]

  *) mod_alias: Add RedirectRelative to allow relative redirect targets to be
     issued as-is. [Eric Covener, Graham Leggett]

  *) core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and make
     sure that if the format is configured early enough it applies to every log
     line.  PR 62161.  [Yann Ylavic]

  *) mod_deflate: Add DeflateAlterETag to control how the ETag
     is modified. The 'NoChange' parameter mimics 2.2.x behavior.
     PR 45023, PR 39727. [Eric Covener]

  *) core: Optimize send_brigade_nonblocking(). [Yann Ylavic, Christophe Jaillet]

  *) mod_status: Remove duplicate keys "BusyWorkers" and "IdleWorkers".
     Resolve inconsistency between the previous two occurrences by
     counting workers in state SERVER_GRACEFUL no longer as busy,
     but instead in a new counter "GracefulWorkers" (or on HTML
     view as "workers gracefully restarting"). Also add the graceful
     counter as a new column to the existing HTML per process table
     for async MPMs. PR 63300. [Rainer Jung]

Changes with Apache 2.4.57

  *) mod_proxy: Check before forwarding that a nocanon path has not been
     rewritten with spaces during processing.  [Yann Ylavic]

  *) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
     double encode encoded slashes in the URL sent by the reverse proxy to the
     backend. [Ruediger Pluem]

  *) mod_http2: fixed a crash during connection termination. See PR 66539.
     [Stefan Eissing]

  *) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
     in a question mark. PR66547. [Eric Covener]

  *) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
     characters on redirections without the "NE" flag. 
     [Yann Ylavic, Eric Covener]

  *) mod_proxy: Fix double encoding of the uri-path of the request forwarded
     to the origin server, when using mapping=encoded|servlet.  [Yann Ylavic]

  *) mod_mime: Do not match the extention against possible query string
     parameters in case ProxyPass was used with the nocanon option.
     [Ruediger Pluem]

Changes with Apache 2.4.56

  *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
     HTTP response splitting (cve.mitre.org)
     HTTP Response Smuggling vulnerability in Apache HTTP Server via
     mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
     2.4.30 through 2.4.55.
     Special characters in the origin response header can
     truncate/split the response forwarded to the client.
     Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)

  *) SECURITY: CVE-2023-25690: HTTP request splitting with
     mod_rewrite and mod_proxy (cve.mitre.org)
     Some mod_proxy configurations on Apache HTTP Server versions
     2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
     Configurations are affected when mod_proxy is enabled along with
     some form of RewriteRule or ProxyPassMatch in which a non-specific
     pattern matches some portion of the user-supplied request-target (URL)
     data and is then re-inserted into the proxied request-target
     using variable substitution. For example, something like:
        RewriteEngine on
        RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
        ProxyPassReverse /here/  http://example.com:8080/
     Request splitting/smuggling could result in bypass of access
     controls in the proxy server, proxying unintended URLs to
     existing origin servers, and cache poisoning.
     Credits: Lars Krapf of Adobe

  *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
     truncated without the initial logfile being truncated.  [Eric Covener]

  *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
     allow connections of any age to be reused. Up to now, a negative value
     was handled as an error when parsing the configuration file.  PR 66421.
     [nailyk <bzapache nailyk.fr>, Christophe Jaillet]

  *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
     of headers. [Ruediger Pluem]

  *) mod_md:
     - Enabling ED25519 support and certificate transparency information when
       building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
     - MDChallengeDns01 can now be configured for individual domains.
       Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
     - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
       teardown not being invoked as it should.
     [Stefan Eissing]

  *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
     reported in access logs and error documents. The processing of the
     reset was correct, only unneccesary reporting was caused.
     [Stefan Eissing]

  *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
     [Yann Ylavic]

Changes with Apache 2.4.55

  *) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
     2.4.55 allows a backend to trigger HTTP response splitting
     (cve.mitre.org)
     Prior to Apache HTTP Server 2.4.55, a malicious backend can
     cause the response headers to be truncated early, resulting in
     some headers being incorporated into the response body. If the
     later headers have any security purpose, they will not be
     interpreted by the client.
     Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)

  *) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
     Possible request smuggling (cve.mitre.org)
     Inconsistent Interpretation of HTTP Requests ('HTTP Request
     Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
     allows an attacker to smuggle requests to the AJP server it
     forwards requests to.  This issue affects Apache HTTP Server
     Apache HTTP Server 2.4 version 2.4.54 and prior versions.
     Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
     at Qi'anxin Group

  *) SECURITY: CVE-2006-20001: mod_dav out of  bounds read, or write
     of zero byte (cve.mitre.org)
     A carefully crafted If: request header can cause a memory read,
     or write of a single zero byte, in a pool (heap) memory location
     beyond the header value sent. This could cause the process to
     crash.
     This issue affects Apache HTTP Server 2.4.54 and earlier.

  *) mod_dav: Open the lock database read-only when possible.
     PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]

  *) mod_proxy_http2: apply the standard httpd content type handling
     to responses from the backend, as other proxy modules do. Fixes PR 66391.
     Thanks to Jérôme Billiras for providing the patch.
     [Stefan Eissing]

  *) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
     [Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
     <alejandro.alvarez.ayllon cern.ch>]

  *) mod_proxy_hcheck: Honor worker timeout settings.  [Yann Ylavic]

  *) mod_http2: version 2.0.11 of the module, synchronizing changes
     with the gitgub version. This is a partial rewrite of how connections
     and streams are handled.
     - an APR pollset and pipes (where supported) are used to monitor
       the main connection and react to IO for request/response handling.
       This replaces the stuttered timed waits of earlier versions.
     - H2SerializeHeaders directive still exists, but has no longer an effect.
     - Clients that seemingly misbehave still get less resources allocated,
       but ongoing requests are no longer disrupted.
     - Fixed an issue since 1.15.24 that "Server" headers in proxied requests
       were overwritten instead of preserved. [PR by @daum3ns]
     - A regression in v1.15.24 was fixed that could lead to httpd child
       processes not being terminated on a graceful reload or when reaching
       MaxConnectionsPerChild. When unprocessed h2 requests were queued at
       the time, these could stall. See #212.
     - Improved information displayed in 'server-status' for H2 connections when
       Extended Status is enabled. Now one can see the last request that IO
       operations happened on and transferred IO stats are updated as well.
     - When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
       send a GOAWAY frame much too early on new connections, leading to invalid
       protocol state and a client failing the request. See PR65731 at
       <https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
       The module now initializes the HTTP/2 protocol correctly and allows the
       client to submit one request before the shutdown via a GOAWAY frame
       is being announced.
     - :scheme pseudo-header values, not matching the
       connection scheme, are forwarded via absolute uris to the
       http protocol processing to preserve semantics of the request.
       Checks on combinations of pseudo-headers values/absence
       have been added as described in RFC 7540. Fixes #230.
     - A bug that prevented trailers (e.g. HEADER frame at the end) to be
       generated in certain cases was fixed. See #233 where it prevented
       gRPC responses to be properly generated.
     - Request and response header values are automatically stripped of leading
       and trialing space/tab characters. This is equivalent behaviour to what
       Apache httpd's http/1.1 parser does.
       The checks for this in nghttp2 v1.50.0+ are disabled.
     - Extensive testing in production done by Alessandro Bianchi (@alexskynet)
       on the v2.0.x versions for stability. Many thanks!

  *) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
     request ':authority' is known. Improved test case that did not catch that
     the previous 'fix' was incorrect.

  *) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
     using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]

  *) mod_proxy: The AH03408 warning for a forcibly closed backend
     connection is now logged at INFO level.  [Yann Ylavic]

  *) mod_ssl: When dumping the configuration, the existence of
     certificate/key files is no longer tested.  [Joe Orton]

  *) mod_authn_core: Add expression support to AuthName and AuthType.
     [Graham Leggett]

  *) mod_ssl: when a proxy connection had handled a request using SSL, an
     error was logged when "SSLProxyEngine" was only configured in the
     location/proxy section and not the overall server. The connection
     continued to work, the error log was in error. Fixed PR66190.
     [Stefan Eissing]

  *) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
     [Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]

  *) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
     [Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]

  *) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]

  *) mod_md: a new directive `MDStoreLocks` can be used on cluster
     setups with a shared file system for `MDStoreDir` to order
     activation of renewed certificates when several cluster nodes are
     restarted at the same time. Store locks are not enabled by default.
     Restored curl_easy cleanup behaviour from v2.4.14 and refactored
     the use of curl_multi for OCSP requests to work with that.
     Fixes <https://github.com/icing/mod_md/issues/293>.

  *) core: Avoid an overflow on large inputs in ap_is_matchexp.  PR 66033
     [Ruediger Pluem]

  *) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
     storage instead of slotmem. Needed after setting
     HeartbeatMaxServers default to the documented value 10 in 2.4.54.
     PR 66131.  [Jérôme Billiras]

  *) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
     This is a game changer for performances if client use PROPFIND a lot,
     PR 66313. [Emmanuel Dreyfus]

Changes with Apache 2.4.54

  *) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
     hop-by-hop mechanism (cve.mitre.org)
     Apache HTTP Server 2.4.53 and earlier may not send the
     X-Forwarded-* headers to the origin server based on client side
     Connection header hop-by-hop mechanism.
     This may be used to bypass IP based authentication on the origin
     server/application.
     Credits: The Apache HTTP Server project would like to thank
     Gaetan Ferry (Synacktiv) for reporting this issue

  *) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
     websockets (cve.mitre.org)
     Apache HTTP Server 2.4.53 and earlier may return lengths to
     applications calling r:wsread() that point past the end of the
     storage allocated for the buffer.
     Credits: The Apache HTTP Server project would like to thank
     Ronald Crane (Zippenhop LLC) for reporting this issue

  *) SECURITY: CVE-2022-30522: mod_sed denial of service
     (cve.mitre.org)
     If Apache HTTP Server 2.4.53 is configured to do transformations
     with mod_sed in contexts where the input to mod_sed may be very
     large, mod_sed may make excessively large memory allocations and
     trigger an abort.
     Credits: This issue was found by Brian Moussalli from the JFrog
     Security Research team

  *) SECURITY: CVE-2022-29404: Denial of service in mod_lua
     r:parsebody (cve.mitre.org)
     In Apache HTTP Server 2.4.53 and earlier, a malicious request to
     a lua script that calls r:parsebody(0) may cause a denial of
     service due to no default limit on possible input size.
     Credits: The Apache HTTP Server project would like to thank
     Ronald Crane (Zippenhop LLC) for reporting this issue

  *) SECURITY: CVE-2022-28615: Read beyond bounds in
     ap_strcmp_match() (cve.mitre.org)
     Apache HTTP Server 2.4.53 and earlier may crash or disclose
     information due to a read beyond bounds in ap_strcmp_match()
     when provided with an extremely large input buffer.  While no
     code distributed with the server can be coerced into such a
     call, third-party modules or lua scripts that use
     ap_strcmp_match() may hypothetically be affected.
     Credits: The Apache HTTP Server project would like to thank
     Ronald Crane (Zippenhop LLC) for reporting this issue

  *) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite()
     (cve.mitre.org)
     The ap_rwrite() function in Apache HTTP Server 2.4.53 and
     earlier may read unintended memory if an attacker can cause the
     server to reflect very large input using ap_rwrite() or
     ap_rputs(), such as with mod_luas r:puts() function.
     Credits: The Apache HTTP Server project would like to thank
     Ronald Crane (Zippenhop LLC) for reporting this issue

  *) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi
     (cve.mitre.org)
     Apache HTTP Server 2.4.53 and earlier on Windows may read beyond
     bounds when configured to process requests with the mod_isapi
     module.
     Credits: The Apache HTTP Server project would like to thank
     Ronald Crane (Zippenhop LLC) for reporting this issue

  *) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request
     smuggling (cve.mitre.org)
     Inconsistent Interpretation of HTTP Requests ('HTTP Request
     Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
     allows an attacker to smuggle requests to the AJP server it
     forwards requests to.  This issue affects Apache HTTP Server
     Apache HTTP Server 2.4 version 2.4.53 and prior versions.
     Credits: Ricter Z @ 360 Noah Lab

  *) mod_ssl: SSLFIPS compatible with OpenSSL 3.0.  PR 66063.
     [Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic]

  *) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
     PR 65666.  [Yann Ylavic]

  *) mod_md:  a bug was fixed that caused very large MDomains
     with the combined DNS names exceeding ~7k to fail, as
     request bodies would contain partially wrong data from
     uninitialized memory. This would have appeared as failure
     in signing-up/renewing such configurations.
     [Stefan Eissing, Ronald Crane (Zippenhop LLC)]

  *) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
     PR 65666.  [Yann Ylavic]

  *) MPM event: Restart children processes killed before idle maintenance.
     PR 65769.  [Yann Ylavic, Ruediger Pluem]

  *) ab: Allow for TLSv1.3 when the SSL library supports it.
     [abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic]

  *) core: Disable TCP_NOPUSH optimization on OSX since it might introduce
     transmission delays.  PR 66019.  [Yann Ylavic]

  *) MPM event: Fix accounting of active/total processes on ungraceful restart,
     PR 66004 (follow up to PR 65626 from 2.4.52).  [Yann Ylavic]

  *) core: make ap_escape_quotes() work correctly on strings
     with more than MAX_INT/2 characters, counting quotes double.
     Credit to <generalbugs@zippenhop.com> for finding this.
     [Stefan Eissing]

  *) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
     an ACME CA. This gives a failover for renewals when several consecutive attempts
     to get a certificate failed.
     A new directive was added: `MDRetryDelay` sets the delay of retries.
     A new directive was added: `MDRetryFailover` sets the number of errored
     attempts before an alternate CA is selected for certificate renewals.
     [Stefan Eissing]

  *) mod_http2: remove unused and insecure code. Fixes PR66037.
     Thanks to Ronald Crane (Zippenhop LLC) for reporting this.
     [Stefan Eissing]

  *) mod_proxy: Add backend port to log messages to
     ease identification of involved service.  [Rainer Jung]

  *) mod_http2: removing unscheduling of ongoing tasks when
     connection shows potential abuse by a client. This proved
     counter-productive and the abuse detection can false flag
     requests using server-side-events.
     Fixes <https://github.com/icing/mod_h2/issues/231>.
     [Stefan Eissing]

  *) mod_md: Implement full auto status ("key: value" type status output).
     Especially not only status summary counts for certificates and
     OCSP stapling but also lists. Auto status format is similar to
     what was used for mod_proxy_balancer.
     [Rainer Jung]

  *) mod_md: fixed a bug leading to failed transfers for OCSP
     stapling information when more than 6 certificates needed
     updates in the same run.  [Stefan Eissing]

  *) mod_proxy: Set a status code of 502 in case the backend just closed the
     connection in reply to our forwarded request.  [Ruediger Pluem]

  *) mod_md: a possible NULL pointer deref was fixed in
     the JSON code for persisting time periods (start+end).
     Fixes #282 on mod_md's github.
     Thanks to @marcstern for finding this.  [Stefan Eissing]

  *) mod_heartmonitor: Set the documented default value
     "10" for HeartbeatMaxServers instead of "0". With "0"
     no shared memory slotmem was initialized.  [Rainer Jung]

  *) mod_md: added support for managing certificates via a
     local tailscale daemon for users of that secure networking.
     This gives trusted certificates for tailscale assigned
     domain names in the *.ts.net space.
     [Stefan Eissing]

  *) core: Change default value of LimitRequestBody from 0 (unlimited)
     to 1GB. [Eric Covener]

Changes with Apache 2.4.53

  *) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
     (cve.mitre.org)
     Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
     Server allows an attacker to overwrite heap memory with possibly
     attacker provided data.
     This issue affects Apache HTTP Server 2.4 version 2.4.52 and
     prior versions.
     Credits: Ronald Crane (Zippenhop LLC)

  *) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
     very large or unlimited LimitXMLRequestBody (cve.mitre.org)
     If LimitXMLRequestBody is set to allow request bodies larger
     than 350MB (defaults to 1M) on 32 bit systems an integer
     overflow happens which later causes out of bounds writes.
     This issue affects Apache HTTP Server 2.4.52 and earlier.
     Credits: Anonymous working with Trend Micro Zero Day Initiative

  *) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
     in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
     Apache HTTP Server 2.4.52 and earlier fails to close inbound
     connection when errors are encountered discarding the request
     body, exposing the server to HTTP Request Smuggling
     Credits: James Kettle <james.kettle portswigger.net>

  *) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
     in r:parsebody (cve.mitre.org)
     A carefully crafted request body can cause a read to a random
     memory area which could cause the process to crash.
     This issue affects Apache HTTP Server 2.4.52 and earlier.
     Credits: Chamal De Silva

  *) core: Make sure and check that LimitXMLRequestBody fits in system memory.
     [Ruediger Pluem, Yann Ylavic]

  *) core: Simpler connection close logic if discarding the request body fails.
     [Yann Ylavic, Ruediger Pluem]

  *) mod_http2: preserve the port number given in a HTTP/1.1
     request that was Upgraded to HTTP/2. Fixes PR65881.
     [Stefan Eissing]

  *) mod_proxy: Allow for larger worker name.  PR 53218.  [Yann Ylavic]

  *) dbm: Split the loading of a dbm driver from the opening of a dbm file. When
     an attempt to load a dbm driver fails, log clearly which driver triggered
     the error (not "default"), and what the error was. [Graham Leggett]

  *) mod_proxy: Use the maxium of front end and backend timeouts instead of the
     minimum when tunneling requests (websockets, CONNECT requests).
     Backend timeouts can be configured more selectively (per worker if needed)
     as front end timeouts and typically the backend timeouts reflect the
     application requirements better.  PR 65886 [Ruediger Pluem]

  *) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers
     when an efficient TLS implementation is available. [Yann Ylavic]

  *) core, mod_info: Add compiled and loaded PCRE versions to version
     number display.  [Rainer Jung]

  *) mod_md: do not interfere with requests to /.well-known/acme-challenge/
     resources if challenge type 'http-01' is not configured for a domain.
     Fixes <https://github.com/icing/mod_md/issues/279>.
     [Stefan Eissing]

  *) mod_dav: Fix regression when gathering properties which could lead to huge
     memory consumption proportional to the number of resources.
     [Evgeny Kotkov, Ruediger Pluem]

  *) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
     for regular expression evaluation. This depends on locating pcre2-config.
     [William Rowe, Petr Pisar <ppisar redhat.com>, Rainer Jung]

  *) Add the ldap function to the expression API, allowing LDAP filters and
     distinguished names based on expressions to be escaped correctly to
     guard against LDAP injection. [Graham Leggett]

  *) mod_md: the status description in MDomain's JSON, exposed in the
     md-status handler (if configured) did sometimes not carry the correct
     message when certificates needed renew.
     [Stefan Eissing]

  *) mpm_event: Fix a possible listener deadlock on heavy load when restarting
     and/or reaching MaxConnectionsPerChild.  PR 65769.  [Yann Ylavic]

Changes with Apache 2.4.52

  *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
     multipart content in mod_lua of Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A carefully crafted request body can cause a buffer overflow in
     the mod_lua multipart parser (r:parsebody() called from Lua
     scripts).
     The Apache httpd team is not aware of an exploit for the
     vulnerability though it might be possible to craft one.
     This issue affects Apache HTTP Server 2.4.51 and earlier.
     Credits: Chamal

  *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
     forward proxy configurations in Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A crafted URI sent to httpd configured as a forward proxy
     (ProxyRequests on) can cause a crash (NULL pointer dereference)
     or, for configurations mixing forward and reverse proxy
     declarations, can allow for requests to be directed to a
     declared Unix Domain Socket endpoint (Server Side Request
     Forgery).
     This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
     (included).
     Credits: 漂亮鼠
     TengMA(@Te3t123)

  *) http: Enforce that fully qualified uri-paths not to be forward-proxied
     have an http(s) scheme, and that the ones to be forward proxied have a
     hostname, per HTTP specifications.  [Ruediger Pluem, Yann Ylavic]

  *) configure: OpenSSL detection will now use pkg-config data from
     .../lib64/ within the --with-ssl path. [Jean-Frederic Clere]

  *) mod_proxy_connect, mod_proxy: Do not change the status code after we
     already sent it to the client. [Ruediger Pluem]

  *) mod_http: Correctly sent a 100 Continue status code when sending an interim
     response as result of an Expect: 100-Continue in the request and not the
     current status code of the request. PR 65725 [Ruediger Pluem]

  *) mod_dav: Some DAV extensions, like CalDAV, specify both document
     elements and property elements that need to be taken into account
     when generating a property. The document element and property element
     are made available in the dav_liveprop_elem structure by calling
     dav_get_liveprop_element(). [Graham Leggett]

  *) mod_dav: Add utility functions dav_validate_root_ns(),
     dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
     dav_find_attr() so that other modules get to play too.
     [Graham Leggett]

  *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.
     [Yann Ylavic, Ruediger Pluem]

  *) mod_http2: fixes 2 regressions in server limit handling.
     1. When reaching server limits, such as MaxRequestsPerChild, the
        HTTP/2 connection send a GOAWAY frame much too early on new
        connections, leading to invalid protocol state and a client
        failing the request. See PR65731.
        The module now initializes the HTTP/2 protocol correctly and
        allows the client to submit one request before the shutdown
        via a GOAWAY frame is being announced.
     2. A regression in v1.15.24 was fixed that could lead to httpd
        child processes not being terminated on a graceful reload or
        when reaching MaxConnectionsPerChild. When unprocessed h2
        requests were queued at the time, these could stall.
        See <https://github.com/icing/mod_h2/issues/212>.
     [Stefan Eissing]

  *) mod_ssl: Add build support for OpenSSL v3. [Rainer Jung,
     Stefan Fritsch, Yann Ylavic, Stefan Eissing, Joe Orton,
     Giovanni Bechis]

  *) mod_proxy_connect: Honor the smallest of the backend or client timeout
     while tunneling.  [Yann Ylavic]

  *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
     half-close forwarding when tunneling protocols.  [Yann Ylavic]

