From: Joe Orton Date: Tue, 31 Jan 2017 09:52:02 +0000 (+0000) Subject: Merge to current 2.4.x, r1781041. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=feeb25ffc1b26f9295e0ac1ebfd8799750a7afa2;p=thirdparty%2Fapache%2Fhttpd.git Merge to current 2.4.x, r1781041. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1781045 13f79535-47bb-0310-9956-ffa450edef68 --- feeb25ffc1b26f9295e0ac1ebfd8799750a7afa2 diff --cc CHANGES index 9e502d0c1a4,64acbbf85ea..6b4382b3330 --- a/CHANGES +++ b/CHANGES @@@ -1,9 -1,155 +1,157 @@@ -*- coding: utf-8 -*- - Changes with Apache 2.4.24 + Changes with Apache 2.4.26 + *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung] + + *) mod_http2: regression fix on PR 59348, on graceful restart, ongoing + streams are finished normally before the final GOAWAY is sent. + [Stefan Eissing, ] + + *) mod_http2: fixes PR60599, sending proper response for conditional requests + answered by mod_cache. [Jeff Wheelhouse, Stefan Eissing] + + *) mod_http2: rework of stream resource cleanup to avoid a crash in a close + of a lingering connection. Prohibit special file bucket beaming for + shared buckets. Files sent in stream output now use the stream pool + as read buffer, reducing memory footprint of connections. + [Yann Ylavic, Stefan Eissing] + + *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when + modules add empty environment variables to the request. PR60275. + [] + + *) mod_http2: fix for possible page fault when stream is resumed during + session shutdown. [sidney-j-r-m (github)] + + *) mod_http2: fix for h2 session ignoring new responses while already + open streams continue to have data available. [Stefan Eissing] + + *) mod_http2: adding support for MergeTrailers directive. [Stefan Eissing] + + *) mod_http2: limiting DATA frame sizes by TLS record sizes in use on the + connection. Flushing outgoing frames earlier. 
[Stefan Eissing] + + *) mod_http2: cleanup beamer registry on server reload, Fixes PR60510. + [Pavel Mateja , Stefan Eissing] + + *) mod_proxy_{ajp,fcgi}: Fix a possible crash when reusing an established + backend connection, happening with LogLevel trace2 or higher configured, + or at any log level with compilers not detected as C99 compliant (e.g. + MSVC on Windows). [Yann Ylavic] + + *) mod_ext_filter: Don't interfere with "error buckets" issued by other + modules. PR60375. [Eric Covener, Lubos Uhliarik] + + *) mod_http2: fixes https://github.com/icing/mod_h2/issues/126 e.g. beam + bucket lifetime handling when data is sent over temporary pools. + [Stefan Eissing] + + Changes with Apache 2.4.25 + + *) Fix some build issues related to various modules. + [Rainer Jung] + + Changes with Apache 2.4.24 (not released) + + *) SECURITY: CVE-2016-8740 (cve.mitre.org) + mod_http2: Mitigate DoS memory exhaustion via endless + CONTINUATION frames. + [Naveen Tiwari and CDF/SEFCOM at Arizona State + University, Stefan Eissing] + + *) SECURITY: CVE-2016-2161 (cve.mitre.org) + mod_auth_digest: Prevent segfaults during client entry allocation when + the shared memory space is exhausted. + [Maksim Malyutin , Eric Covener, Jacob Champion] + + *) SECURITY: CVE-2016-0736 (cve.mitre.org) + mod_session_crypto: Authenticate the session data/cookie with a + MAC (SipHash) to prevent deciphering or tampering with a padding + oracle attack. [Yann Ylavic, Colm MacCarthaigh] + + *) SECURITY: CVE-2016-8743 (cve.mitre.org) + Enforce HTTP request grammar corresponding to RFC7230 for request lines + and request headers, to prevent response splitting and cache pollution by + malicious clients or downstream proxies. 
[William Rowe, Stefan Fritsch] + + *) Validate HTTP response header grammar defined by RFC7230, resulting + in a 500 error in the event that invalid response header contents are + detected when serving the response, to avoid response splitting and cache + pollution by malicious clients, upstream servers or faulty modules. + [Stefan Fritsch, Eric Covener, Yann Ylavic] + + *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues. + [Dominic Scheirlinck , Yann Ylavic] + + *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of + looping RewriteRules when the local path significantly exceeds + LimitRequestLine. PR 60478. [Jeff Wheelhouse ] + + *) mod_ratelimit: Allow for initial "burst" amount at full speed before + throttling: PR 60145 [Andy Valencia , + Jim Jagielski] + + *) mod_socache_memcache: Provide memcache stats to mod_status. + [Jim Jagielski] + + *) http_filters: Fix potential looping in new check_headers() due to new + pattern of ap_die() from http header filter. Explicitly clear the + previous headers and body. + + *) core: Drop Content-Length header and message-body from HTTP 204 responses. + PR 51350 [Luca Toscano] + + *) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is + configured in , like in 2.2. PR 60458. + [Eric Covener] + + *) mod_lua: Fix default value of LuaInherit directive. It should be + 'parent-first' instead of 'none', as per documentation. PR 60419 + [Christophe Jaillet] + + *) core: New directive HttpProtocolOptions to control httpd enforcement + of various RFC7230 requirements. [Stefan Fritsch, William Rowe] + + *) core: Permit unencoded ';' characters to appear in proxy requests and + Location: response headers. Corresponds to modern browser behavior. + [William Rowe] + + *) core: ap_rgetline_core now pulls from r->proto_input_filters. + + *) core: Correctly parse an IPv6 literal host specification in an absolute + URL in the request line. 
[Stefan Fritsch] + + *) core: New directive RegisterHttpMethod for registering non-standard + HTTP methods. [Stefan Fritsch] + + *) mod_socache_memcache: Pass expiration time through to memcached. + [Faidon Liambotis , Joe Orton] + + *) mod_cache: Use the actual URI path and query-string for identifying the + cached entity (key), such that rewrites are taken into account when + running afterwards (CacheQuickHandler off). PR 21935. [Yann Ylavic] + + *) mod_http2: new directive 'H2EarlyHints' to enable sending of HTTP status + 103 interim responses. Disabled by default. [Stefan Eissing] + + *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate + in the client certificate chain. PR 55786. [Yann Ylavic] + + *) event: Allow to use the whole allocated scoreboard (up to ServerLimit + slots) to avoid scoreboard full errors when some processes are finishing + gracefully. Also, make gracefully finishing processes close all + keep-alive connections. PR 53555. [Stefan Fritsch] + + *) mpm_event: Don't take over scoreboard slots from gracefully finishing + threads. [Stefan Fritsch] + + *) mpm_event: Free memory earlier when shutting down processes. + [Stefan Fritsch] + + *) mod_status: Display the process slot number in the async connection + overview. [Stefan Fritsch] + *) mod_dir: Responses that go through "FallbackResource" might appear to hang due to unterminated chunked encoding. PR58292. [Eric Covener]
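Review bot: several attribution brackets in the merged CHANGES entries are incomplete and look like text lost in the merge: "[Stefan Eissing, ]" on the PR 59348 entry, "[]" on the mod_proxy_fcgi/mod_fcgid PR60275 entry, and "[Pavel Mateja , Stefan Eissing]" and "[Maksim Malyutin , Eric Covener, Jacob Champion]" with a dangling comma where a second name or contact stood; the http_filters check_headers() entry carries no attribution at all. The mod_proxy entry "configured in , like in 2.2. PR 60458." is likewise missing the container name it refers to. Please restore these from r1781041 before this goes onto the branch. Two smaller points in the same hunk: "OptRenegotiaton" in the mod_ssl entry is misspelled (the SSLOptions flag is OptRenegotiate), and the PR references mix "PR60599"/"PR60275"/"PR60510" with the "PR 60478"/"PR 60145" form used elsewhere in the file. Finally, since this hunk only touches CHANGES, confirm that the source changes for the security entries being pulled in (CVE-2016-8740, CVE-2016-2161, CVE-2016-0736, CVE-2016-8743 and the CVE-2016-5387 httpoxy mitigation) came across in the same merge, so the branch's changelog does not claim fixes the branch does not carry.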