Opened 15 months ago

Closed 15 months ago

Last modified 15 months ago

#17525 closed enhancement (fixed)

httpd-2.4.55

Reported by: Douglas R. Reno
Owned by: Bruce Dubbs
Priority: elevated
Milestone: 11.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version

Three security vulnerabilities are fixed in this update, one of which dates from... 2006

Change History (4)

comment:1 by Bruce Dubbs, 15 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 15 months ago

Changes with Apache 2.4.55

  • mod_dav: Open the lock database read-only when possible. PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
  • mod_proxy_http2: apply the standard httpd content type handling to responses from the backend, as other proxy modules do. Fixes PR 66391.

  • mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
  • mod_proxy_hcheck: Honor worker timeout settings.
  • mod_http2: version 2.0.10 of the module, synchronizing changes with the github version. This is a partial rewrite of how connections and streams are handled.
    • an APR pollset and pipes (where supported) are used to monitor the main connection and react to IO for request/response handling. This replaces the stuttered timed waits of earlier versions.
    • H2SerializeHeaders directive still exists, but no longer has an effect.
    • Clients that seemingly misbehave still get less resources allocated, but ongoing requests are no longer disrupted.
    • Fixed an issue since 1.15.24 that "Server" headers in proxied requests were overwritten instead of preserved. [PR by @daum3ns]
    • A regression in v1.15.24 was fixed that could lead to httpd child processes not being terminated on a graceful reload or when reaching MaxConnectionsPerChild. When unprocessed h2 requests were queued at the time, these could stall. See 212.
    • Improved information displayed in 'server-status' for H2 connections when Extended Status is enabled. Now one can see the last request that IO operations happened on and transferred IO stats are updated as well.
    • When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection sent a GOAWAY frame much too early on new connections, leading to invalid protocol state and a client failing the request. See PR65731 at <https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>. The module now initializes the HTTP/2 protocol correctly and allows the client to submit one request before the shutdown via a GOAWAY frame is announced.
    • :scheme pseudo-header values, not matching the connection scheme, are forwarded via absolute uris to the http protocol processing to preserve semantics of the request. Checks on combinations of pseudo-headers values/absence have been added as described in RFC 7540. Fixes 230.
    • A bug that prevented trailers (e.g. HEADER frame at the end) from being generated in certain cases was fixed. See 233 where it prevented gRPC responses from being properly generated.
    • Request and response header values are automatically stripped of leading and trailing space/tab characters. This is equivalent behaviour to what Apache httpd's http/1.1 parser does. The checks for this in nghttp2 v1.50.0+ are disabled.
  • mod_proxy_http2: fixed 235 by no longer forwarding 'Host:' header when request ':authority' is known. Improved test case that did not catch that the previous 'fix' was incorrect.
  • mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests using GET11, HEAD11 and/or OPTIONS11.
  • mod_proxy: The AH03408 warning for a forcibly closed backend connection is now logged at INFO level.
  • mod_ssl: When dumping the configuration, the existence of certificate/key files is no longer tested.
  • mod_authn_core: Add expression support to AuthName and AuthType.

  • mod_ssl: when a proxy connection had handled a request using SSL, an error was logged when "SSLProxyEngine" was only configured in the location/proxy section and not the overall server. The connection continued to work, the error log was in error. Fixed PR66190.
  • mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
  • mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
  • mod_http2: Export mod_http2.h as public header.
  • mod_md: a new directive MDStoreLocks can be used on cluster setups with a shared file system for MDStoreDir to order activation of renewed certificates when several cluster nodes are restarted at the same time. Store locks are not enabled by default. Restored curl_easy cleanup behaviour from v2.4.14 and refactored the use of curl_multi for OCSP requests to work with that.
  • core: Avoid an overflow on large inputs in ap_is_matchexp. PR 66033
  • mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based storage instead of slotmem. Needed after setting HeartbeatMaxServers default to the documented value 10 in 2.4.54. PR 66131.
  • mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery. This is a game changer for performance if clients use PROPFIND a lot. PR 66313.

comment:3 by Bruce Dubbs, 15 months ago

Resolution: fixed
Status: assigned → closed

Fixed at commits

4fe5cec23e Update to git-2.39.1.
5ad1120ad6 Update to httpd-2.4.55.

comment:4 by Douglas R. Reno, 15 months ago

SA-11.2-072 issued
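As an added example (not part of the ticket, of BLFS, or of httpd itself): a POSIX shell check that a host's `httpd -v` output reports at least 2.4.55, the release this ticket moves the book to and the one the advisory above refers to. The two `httpd -v` samples and the `MIN_VERSION` constant are constructed for the example; on a real host, replace the samples with `$(httpd -v)`. The comparison is numeric per component, since a plain string comparison would rank 2.4.9 above 2.4.55.

```shell
#!/bin/sh
# Added example: not part of the BLFS ticket or of httpd. Checks whether an
# httpd binary's "-v" output reports a version of at least MIN_VERSION.

# Constructed samples of what `httpd -v` prints; on a real host use "$(httpd -v)".
SAMPLE_OLD='Server version: Apache/2.4.54 (Unix)
Server built:   Jun  8 2022 12:00:00'
SAMPLE_NEW='Server version: Apache/2.4.55 (Unix)
Server built:   Jan 17 2023 12:00:00'

# Minimum release carrying the fixes this ticket updates to (assumed threshold).
MIN_VERSION=2.4.55

# Print the dotted version from the "Server version:" line, or nothing
# if the input does not look like `httpd -v` output.
extract_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# version_ge A B: exit status 0 if dotted version A >= B.
# Each component is compared as a number, so 2.4.9 < 2.4.55; a missing
# component (2.4 versus 2.4.55) counts as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, ".")
        nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# httpd_patched OUTPUT: exit status 0 if OUTPUT (from `httpd -v`) reports a
# version of at least MIN_VERSION; fails if no version can be parsed at all.
httpd_patched() {
    v=$(extract_version "$1")
    [ -n "$v" ] && version_ge "$v" "$MIN_VERSION"
}

# Stand-alone run over the constructed samples.
for out in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    v=$(extract_version "$out")
    if httpd_patched "$out"; then
        echo "ok: Apache/$v is at least $MIN_VERSION"
    else
        echo "update needed: Apache/${v:-unknown} is below $MIN_VERSION"
    fi
done
```

An unparseable input is treated as "not patched" rather than silently passing, so a host where `httpd -v` fails or prints something unexpected shows up for manual review.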
