Bug 4284 - SITE UTIME not working with group permissions.
Bug 4289 - LDAPSearchScope does not alter search scope as expected. When
the LDAPServer directive is used with LDAP URLs, the LDAPSearchScope should
not be used; the handler was failing to handle this case properly.
Bug 4285 - In AIX, log failed logins so that user accounts can be locked by
the OS after multiple failed login attempts.
Added mod_wrap2_redis to the contrib/ modules directory.
Bug 4295 - AllowChrootSymlinks off does not check entire DefaultRoot path
for symlinks (CVE-2017-7418).
Bug 4299 - TimeoutLogin not working for SFTP connections.
1.3.6rc4 - Released 15-Jan-2017
Bug 4283 - All FTP logins treated as anonymous logins again. This is a
regression of Bug#3307.
1.3.6rc3 - Released 14-Jan-2017
Bug 4222 - Add support for curve25519-sha256@… key exchange.
Bug 4186 - ProFTPD creates name-based vhost when it should not.
Bug 4233 - Support enforcing minimum key lengths for SFTP/SCP.
Bug 4235 - Recursive SCP uploads of directories fail with "No such file or
directory".
Bug 4154 - Support for scrypt in mod_sql_passwd. This also includes
support for Argon2, assuming use of libsodium-1.0.9 or later.
Bug 4237 - Corrupted ASCII uploads. The refactoring work for Bug#4151 had
introduced a bug in the handling of ASCII uploads, now fixed.
Bug 4220 - Support reading geoip filters from SQL databases.
Bug 4242 - Using mod_memcache results in segfault (signal 11). Caused by
a bug in libmemcached-1.0.18 and earlier.
1.3.6 - Released 09-Apr-2017
1.3.6rc4 - Released 15-Jan-2017
1.3.6rc3 - Released 14-Jan-2017
Many more in NEWS file.