From: Stefan Eissing Date: Wed, 24 Nov 2021 11:08:47 +0000 (+0000) Subject: integration of CHANGES [skip ci] X-Git-Tag: candidate-2.4.52-rc1~100 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d01041ef18e8f9d30c09aa05594eee14eb028bc;p=thirdparty%2Fapache%2Fhttpd.git integration of CHANGES [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1895290 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 8017b35a343..96cb925b779 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,46 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.52 + *) mod_md: Fix memory leak in case of failures to load the private key. + PR 65620 [ Filipe Casal ] + + *) mod_md: adding v2.4.8 with the following changes + - Added support for ACME External Account Binding (EAB). + Use the new directive `MDExternalAccountBinding` to provide the + server with the value for key identifier and hmac as provided by + your CA. + While working on some servers, EAB handling is not uniform + across CAs. First tests with a Sectigo Certificate Manager in + demo mode are successful. But ZeroSSL, for example, seems to + regard EAB values as a one-time-use-only thing, which makes them + fail if you create a seconde account or retry the creation of the + first account with the same EAB. + - The directive 'MDCertificateAuthority' now checks if its parameter + is a http/https url or one of a set of known names. Those are + 'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test' + for now and they are not case-sensitive. + The default of LetsEncrypt is unchanged. + - `MDContactEmail` can now be specified inside a `` + section. + - Treating 401 HTTP status codes for orders like 403, since some ACME + servers seem to prefer that for accessing oders from other accounts. + - When retrieving certificate chains, try to read the repsonse even + if the HTTP Content-Type is unrecognized. + - Fixed a bug that reset the error counter of a certificate renewal + and prevented the increasing delays in further attempts. + - Fixed the renewal process giving up every time on an already existing + order with some invalid domains. Now, if such are seen in a previous + order, a new order is created for a clean start over again. + See + - Fixed a mixup in md-status handler when static certificate files + and renewal was configured at the same time. + + *) mod_md: values for External Account Binding (EAB) can + now also be configured to be read from a separate JSON + file. This allows to keep server configuration permissions + world readable without exposing secrets. + [Stefan Eissing] + *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO. PR 65616. [Ruediger Pluem] diff --git a/changes-entries/md_2.4.8.txt b/changes-entries/md_2.4.8.txt deleted file mode 100644 index e9d099f0bf1..00000000000 --- a/changes-entries/md_2.4.8.txt +++ /dev/null @@ -1,31 +0,0 @@ - *) mod_md: adding v2.4.8 with the following changes - - Added support for ACME External Account Binding (EAB). - Use the new directive `MDExternalAccountBinding` to provide the - server with the value for key identifier and hmac as provided by - your CA. - While working on some servers, EAB handling is not uniform - across CAs. First tests with a Sectigo Certificate Manager in - demo mode are successful. But ZeroSSL, for example, seems to - regard EAB values as a one-time-use-only thing, which makes them - fail if you create a seconde account or retry the creation of the - first account with the same EAB. - - The directive 'MDCertificateAuthority' now checks if its parameter - is a http/https url or one of a set of known names. Those are - 'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test' - for now and they are not case-sensitive. - The default of LetsEncrypt is unchanged. - - `MDContactEmail` can now be specified inside a `` - section. - - Treating 401 HTTP status codes for orders like 403, since some ACME - servers seem to prefer that for accessing oders from other accounts. - - When retrieving certificate chains, try to read the repsonse even - if the HTTP Content-Type is unrecognized. - - Fixed a bug that reset the error counter of a certificate renewal - and prevented the increasing delays in further attempts. - - Fixed the renewal process giving up every time on an already existing - order with some invalid domains. Now, if such are seen in a previous - order, a new order is created for a clean start over again. - See - - Fixed a mixup in md-status handler when static certificate files - and renewal was configured at the same time. - diff --git a/changes-entries/md_2.4.9.txt b/changes-entries/md_2.4.9.txt deleted file mode 100644 index 27cc5c9c28e..00000000000 --- a/changes-entries/md_2.4.9.txt +++ /dev/null @@ -1,6 +0,0 @@ - *) mod_md: values for External Account Binding (EAB) can - now also be configured to be read from a separate JSON - file. This allows to keep server configuration permissions - world readable without exposing secrets. - [Stefan Eissing] - diff --git a/changes-entries/pr65620.txt b/changes-entries/pr65620.txt deleted file mode 100644 index c14f2756889..00000000000 --- a/changes-entries/pr65620.txt +++ /dev/null @@ -1,2 +0,0 @@ - *) mod_md: Fix memory leak in case of failures to load the private key. - PR 65620 [ Filipe Casal ]