NGINX 1.25.5 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.13, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.5 mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.13.

Apache httpd 2.4.59 with brotli support, TLS 1.3, OpenSSL 3.0.13 with http2, mod_http2 2.0.27 and ALPN for Red Hat Enterprise Linux 7/8/9, CentOS 7, Alma Linux 8/9, Rocky Linux 8/9

Apache httpd 2.4.59-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9, Rocky Linux 8/9 added to repository. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.11.

Important fix: CVE-2024-27316

We build OpenSSL+QUIC 3.0.11 separately since v2.4.56-2, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages. On EL8 and EL9 please enable httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in base RPM file. All you need is to add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

nghttp2 1.61.0 released fixing CVE-2024-28182

nghttp2 1.61.0 rpms released and added to all platforms.

UPD. EL7 and EL8 also updated with the added patch reverting migrate-to-ares_getaddrinfo changes.

Fixes CVE-2024-28182 nghttpx: Shutdown h3 stream read with trailer as well by @tatsuhiro-t in #2087 Checkout with submodules by @jonaski in #2093 Respect BUILD_STATIC_LIBS and add option for tests by @jonaski in #2092 build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0 by @dependabot in #2097 Workaround llvm issue on github ubuntu runner by @tatsuhiro-t in #2098 docker: Use copy –link by @tatsuhiro-t in #2099 Nghttpx header idle timeout by @tatsuhiro-t in #2100 nghttpx: Fix frontend-header-timeout does not work in config file by @tatsuhiro-t in #2101 Rewrite hexdump by @tatsuhiro-t in #2102 Switch to distroless/base-nossl by @tatsuhiro-t in #2103 Bump ngtcp2 by @tatsuhiro-t in #2105 nghttpx: Simplify quic connection close handling by @tatsuhiro-t in #2106 build(deps): bump github.com/quic-go/quic-go from 0.41.0 to 0.42.0 by @dependabot in #2107 autotools: Use tar-ustar automake option by @tatsuhiro-t in #2108 Automate release process by @tatsuhiro-t in #2109 autotools: Switch to tar-pax by @tatsuhiro-t in #2110 nghttpx: Drop a UDP datagram from well-known port by @tatsuhiro-t in #2111 nghttpx: Fix port byte order by @tatsuhiro-t in #2112 h2load: Allow host header to be overridden by @tatsuhiro-t in #2113 nghttpx: Rework QUIC stateless reset packet size by @tatsuhiro-t in #2114 nghttpx: More QUIC prohibited ports by @tatsuhiro-t in #2115 Add actions/stale by @tatsuhiro-t in #2116 nghttpx: Discard UDP datagram that is too short to be a valid QUIC packet by @tatsuhiro-t in #2117 nghttp: Support SSLKEYLOGFILE by @tatsuhiro-t in #2119 No rfc7540 priority fix by @tatsuhiro-t in #2120 Further reduce Stateless reset emission by @tatsuhiro-t in #2122 nghttpx: Rework Connection ID construction by @tatsuhiro-t in #2124 Nghttpx faster worker lookup by @tatsuhiro-t in #2125 nghttpx: Split thread into worker_process and thread by @tatsuhiro-t in #2126 bpf: Drop bad QUIC packet by @tatsuhiro-t in #2127 cmake: check SSL_provide_quic_data when ENABLE_HTTP3 is ON by @jimmy-park in #2128 nghttpx: Allocate 3 bits for QUIC configuration in Connection ID by @tatsuhiro-t in #2129 nghttpx: Migrate to ares_getaddrinfo by @tatsuhiro-t in #2132 Bump munit by @tatsuhiro-t in #2131 nghttpx: Fix error message by @tatsuhiro-t in #2133 nghttpd: Fix read stall by @tatsuhiro-t in #2134

nghttp2 1.60.0 released

nghttp2 1.60.0 rpms released and added to all supported platforms

makerelease.sh: Speed up git submodule by @tatsuhiro-t in #2043 Speed up git clone by @tatsuhiro-t in #2044 build(deps): bump actions/cache from 3 to 4 by @dependabot in #2046 Fixing the build and install trees by @anthonyalayo in #2051 build(deps): bump microsoft/setup-msbuild from 1 to 2 by @dependabot in #2052 nghttpx: Set ocsp response to SSL in case of boringssl by @tatsuhiro-t in #2055 Run with python3 by @tatsuhiro-t in #2054 src: Certificate Compression with boringssl by @tatsuhiro-t in #2056 Fix missing newline by @tatsuhiro-t in #2057 Switch to aws lc by @tatsuhiro-t in #2058 Libbrotli fixup by @tatsuhiro-t in #2059 Deprecate RFC 7540 priorities (aka stream dependencies) by @tatsuhiro-t in #2060 Let dependabot manage go modules by @tatsuhiro-t in #2061 build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0 by @dependabot in #2062 integration-tests: Omit unused parameters by @tatsuhiro-t in #2065 Munit by @tatsuhiro-t in #2064 Introduce nghttp2_ssize API by @tatsuhiro-t in #2066 Move deprecated warning upfront by @tatsuhiro-t in #2067 Describe RFC 7540 priorities deprecation plan by @tatsuhiro-t in #2068 Apps migrate nghttp2 ssize by @tatsuhiro-t in #2069 src: Remove unused functions by @tatsuhiro-t in #2070 Reconsider ssize t usage in src by @tatsuhiro-t in #2071 Use GitHub private vulnerability reporting by @tatsuhiro-t in #2072 Move security policy to GitHub standard location by @tatsuhiro-t in #2073 Bump mruby to 3.3.0 by @tatsuhiro-t in #2074 Bump llhttp to 48588093ca4219b5f689acfc9ebea9e4c8c37663 by @tatsuhiro-t in #2075 h2load: Add –sni option by @tatsuhiro-t in #2076 Bump ngtcp2 dependencies by @tatsuhiro-t in #2077 mruby: Adopt deprecation of mrbc_ prefix by @tatsuhiro-t in #2078 neverbleed: Define _GNU_SOURCE for pthread_setaffinity_np by @tatsuhiro-t in #2079 bpf: Pre-expand aes key by @tatsuhiro-t in #2080 mruby: Exclude mrdb gem which causes nghttpx to crash by @tatsuhiro-t in #2081 nghttpx: Reuse EVP_CIPHER_CTX for QUIC connection ID encryption by @tatsuhiro-t in #2082 Run apt-get update before install by @tatsuhiro-t in #2083 src: Deal with the case that send_quantum < max_udp_payload_size by @tatsuhiro-t in #2084 nghttpx: Remove SHRPX_QUIC_MAX_UDP_PAYLOAD_SIZE by @tatsuhiro-t in #2085 Fix build when AI_NUMERICSERV is undefined by @barracuda156 in #2086

NGINX 1.25.4 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.13, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.4 mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.12.

Major changes:

  • fixes for vulnerabilities in HTTP/3 (CVE-2024-24989, CVE-2024-24990)

RHEL 7 / CentOS 7:

yum upgrade -y codeit-repo-release
yum-config-manager --enable CodeIT-mainline --save
yum install nginx

RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9 repos are modular now. To install nginx with HTTP/3 support, you need to enable the appropriate stream:

dnf module reset -y nginx
dnf module enable -y nginx:codeit-mainline
dnf install nginx

We build OpenSSL+QUIC 3.0 separately since v1.21.6, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries.

Exerimental HTTP/3 support added in NGINX 1.25.0 Mainline. We build it with the corresponding module (–with-http_v3_module).

ngtcp2 1.2.0, nghttp2 1.59.0 released

ngtcp2 1.2.0, nghttp2 1.59.0 rpms released and added to all supported platforms

ngtcp2 1.2.0:
cmake: Require nghttp3 >= v1.0.0 by @tatsuhiro-t in #1026
examples: Clarify stream limits by @tatsuhiro-t in #1032
Bump actions/stale from 8 to 9 by @dependabot in #1033
Avoid detecting OpenSSL 3.2 as quictls by @tatsuhiro-t in #1035
Clarify the behavior when a stream is not found by @tatsuhiro-t in #1036
Do not recognize boringssl as quictls by @tatsuhiro-t in #1038
Bump github/codeql-action from 2 to 3 by @dependabot in #1037
docker: Switch to bsslclient and bsslserver by @tatsuhiro-t in #1039
interop: Switch to wolfssl by @tatsuhiro-t in #1040
Revert “docker: Switch to bsslclient and bsslserver” by @tatsuhiro-t in #1041
docker: Switch to wolfssl by @tatsuhiro-t in #1042
Use wolfSSL in a README example by @tatsuhiro-t in #1043
Add aws-lc as BoringSSL alternative by @tatsuhiro-t in #1044
wolfSSL: Disable deprecated signature algorithms by @tatsuhiro-t in #1046
Remove use of SSL_set_quic_transport_version by @tatsuhiro-t in #1047
examples: Build with libressl by @tatsuhiro-t in #1048
Fix zero len file by @tatsuhiro-t in #1049
Assert that _BitScanReverse64 never fail by @tatsuhiro-t in #1051
Revert “wolfSSL: Disable deprecated signature algorithms” by @tatsuhiro-t in #1052
wolfssl: Enable –enable-keylog-export by @tatsuhiro-t in #1053
h09client: Fix display ecn bits by @tatsuhiro-t in #1054
Bump wolfSSL to v5.6.6-stable by @tatsuhiro-t in #1055
ngtcp2_pkt_adjust_pkt_num: Take bytes rather than bits by @tatsuhiro-t in #1056
Initial and Handshake packets are immediately acknowledged by @tatsuhiro-t in #1057
Refactor by @tatsuhiro-t in #1058
examples: Print remote HTTP/3 settings by @tatsuhiro-t in #1059
Fix assertion failure on immediate migration by @tatsuhiro-t in #1060
Add ngtcp2_window_filter tests by @tatsuhiro-t in #1061
Fix gcc-13 warning by @tatsuhiro-t in #1062
Fix persistent congestion by @tatsuhiro-t in #1064
Port missing changes to h09server by @tatsuhiro-t in #1065
Fix typo by @tatsuhiro-t in #1066
Update docker by @tatsuhiro-t in #1067
Fix docker build-arg by @tatsuhiro-t in #1069
Revert “Send RESET_STREAM if stream is reset by client” by @tatsuhiro-t in #1071
Return early when STOP_SENDING is received more than once by @tatsuhiro-t in #1072
Do not send STOP_SENDING if RESET_STREAM has been received by @tatsuhiro-t in #1073
Update doc by @tatsuhiro-t in #1074
wolfssl: Just use QUIC v1 transport parameter codepoint by @tatsuhiro-t in #1075
wolfssl: Disable ECH by @tatsuhiro-t in #1076
Bump boringssl by @tatsuhiro-t in #1077
Bump picotls by @tatsuhiro-t in #1078
Remove sample_offset field from ngtcp2_ppe by @tatsuhiro-t in #1079
ci: Build and verify aws-lc flavored builds by @tatsuhiro-t in #1080
Update boringssl build procedure by @tatsuhiro-t in #1081
Bump aws-lc to v1.20.0 by @tatsuhiro-t in #1082
Update doc by @tatsuhiro-t in #1083

nghttp2 1.59.0:
Bump clang to 15 by @tatsuhiro-t in #1986
Bump clang format by @tatsuhiro-t in #1987
Bump quictls to 3.1.4+quic by @tatsuhiro-t in #1988
Update ax_cxx_compile_stdcxx.m4 by @tatsuhiro-t in #1989
nghttpx: Prefer FILE_NAME if defined by @tatsuhiro-t in #1990
Add API to get and parse RFC 9218 priority by @tatsuhiro-t in #1991
nghttpx: Propagate stream priority from backend to frontend by @tatsuhiro-t in #1992
Check whether CLOCK_MONOTONIC is declared by @tatsuhiro-t in #1995
Bump go packages by @tatsuhiro-t in #2001
cmake: Remove itprep target by @tatsuhiro-t in #2002
h2load: Fix IPv6 address in :authority by @tatsuhiro-t in #2000
Bump ngtcp2 and nghttp3 by @tatsuhiro-t in #2006
Bump libbpf to v1.3.0 by @tatsuhiro-t in #2007
Use nghttp3_pri_parse_priority added since nghttp3 v1.1.0 by @tatsuhiro-t in #2008
cmake: Set minimum quic package versions by @tatsuhiro-t in #2009
Use #include <windows.h> instead of #include <sysinfoapi.h> by @hrxi in #1997
build(deps): bump actions/setup-go from 4 to 5 by @dependabot in #2010
cmake: bring back ENABLE_STATIC_CRT by @bwncp in #2011
Avoid detecting OpenSSL 3.2 as quictls by @tatsuhiro-t in #2012
build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 by @dependabot in #2015
build(deps): bump actions/upload-artifact from 3 to 4 by @dependabot in #2014
src: Support building with aws-lc by @tatsuhiro-t in #2013
boringssl has SSL_CTX_set1_groups_list by @tatsuhiro-t in #2016
Drop old OpenSSL support by @tatsuhiro-t in #2017
Drop old OpenSSL support part 2 by @tatsuhiro-t in #2019
Remove NPN by @tatsuhiro-t in #2020
Remove end_to_end.py by @tatsuhiro-t in #2021
cmake: Require OpenSSL >= 1.1.1 by @tatsuhiro-t in #2022
nghttpx: OpenSSL needs SSL_CTX_set_recv_max_early_data by @tatsuhiro-t in #2023
App fix by @tatsuhiro-t in #2024
nghttpx: Remove a trailing whitespace by @tatsuhiro-t in #2025
H2load header ttfb fix by @tatsuhiro-t in #2026
Not finding packages when ENABLE_LIB_ONLY is set by @anthonyalayo in #2027
Have less stuff in config.h by @hrxi in #1996
Update minimum CMake version to 3.5 by @anthonyalayo in #2030
build(deps): bump github.com/quic-go/quic-go from 0.35.1 to 0.37.7 by @dependabot in #2032
Fix typo by @tatsuhiro-t in #2033
Specify DEBIAN_FRONTEND=noninteractive by @tatsuhiro-t in #2034
Revert “nghttpx: Shutdown h3 stream write if reset by a remote endpoint” by @tatsuhiro-t in #2036
ci: Add aws-lc builds by @tatsuhiro-t in #2037
Bump go modules by @tatsuhiro-t in #2038
Bump neverbleed by @tatsuhiro-t in #2039
Bump go-nghttp2 and go mod tidy by @tatsuhiro-t in #2040
Bump ngtcp2 to v1.2.0 by @tatsuhiro-t in #2041
src: Avoid copies by @tatsuhiro-t in #2042

NGINX 1.25.3 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.12, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.3 mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.12.

Major changes:

  • Changes and fixes in HTTP/2
  • Changes and fixes in HTTP/3

RHEL 7 / CentOS 7:

yum upgrade -y codeit-repo-release
yum-config-manager --disable CodeIT-quic --save
yum-config-manager --enable CodeIT-mainline --save

RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9 repos are modular now.  To install nginx with HTTP/3 support, you need to enable the appropriate stream:

dnf module reset -y nginx
dnf module enable -y nginx:codeit-mainline

We build OpenSSL+QUIC 3.0 separately since v1.21.6, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries.

Exerimental HTTP/3 support added in NGINX 1.25.0 Mainline. We build it with the corresponding module (–with-http_v3_module).

Apache httpd 2.4.58 with brotli support, TLS 1.3, OpenSSL 3.0.11 with http2, mod_http2 2.0.24 and ALPN for Red Hat Enterprise Linux 7/8/9, CentOS 7, Alma Linux 8/9, Rocky Linux 8/9

Apache httpd 2.4.58-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9, Rocky Linux 8/9 added to repository. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.11.

We build OpenSSL+QUIC 3.0.11 separately since v2.4.56-2, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages. On EL8 and EL9 please enable httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in base RPM file. All you need is to add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

Changes:

                                                         -*- coding: utf-8 -*-
Changes with Apache 2.4.58

  *) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
     memory not reclaimed right away on RST (cve.mitre.org)
     When a HTTP/2 stream was reset (RST frame) by a client, there
     was a time window were the request's memory resources were not
     reclaimed immediately. Instead, de-allocation was deferred to
     connection close. A client could send new requests and resets,
     keeping the connection busy and open and causing the memory
     footprint to keep on growing. On connection close, all resources
     were reclaimed, but the process might run out of memory before
     that.
     This was found by the reporter during testing of CVE-2023-44487
     (HTTP/2 Rapid Reset Exploit) with their own test client. During
     "normal" HTTP/2 use, the probability to hit this bug is very
     low. The kept memory would not become noticeable before the
     connection closes or times out.
     Users are recommended to upgrade to version 2.4.58, which fixes
     the issue.
     Credits: Will Dormann of Vul Labs

  *) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
     initial windows size 0 (cve.mitre.org)
     An attacker, opening a HTTP/2 connection with an initial window
     size of 0, was able to block handling of that connection
     indefinitely in Apache HTTP Server. This could be used to
     exhaust worker resources in the server, similar to the well
     known "slow loris" attack pattern.
     This has been fixed in version 2.4.58, so that such connection
     are terminated properly after the configured connection timeout.
     This issue affects Apache HTTP Server: from 2.4.55 through
     2.4.57.
     Users are recommended to upgrade to version 2.4.58, which fixes
     the issue.
     Credits: Prof. Sven Dietrich (City University of New York)

  *) SECURITY: CVE-2023-31122: mod_macro buffer over-read
     (cve.mitre.org)
     Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
     Server.This issue affects Apache HTTP Server: through 2.4.57.
     Credits: David Shoon (github/davidshoon)

  *) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
     SSL routines::unexpected eof while reading" when using
     OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
     available. [Rainer Jung]

  *) mod_http2: improved early cleanup of streams.
     [Stefan Eissing]

  *) mod_proxy_http2: improved error handling on connection errors while
     response is already underway.
     [Stefan Eissing]

  *) mod_http2: fixed a bug that could lead to a crash in main connection
     output handling. This occured only when the last request on a HTTP/2
     connection had been processed and the session decided to shut down.
     This could lead to an attempt to send a final GOAWAY while the previous
     write was still in progress. See PR 66646.
     [Stefan Eissing]

  *) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value.
     Fixes PR66752.
     [Stefan Eissing]

  *) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as
     described in RFC 8441. A new directive 'H2WebSockets on|off' has been
     added. The feature is by default not enabled.
     As also discussed in the manual, this feature should work for setups
     using "ProxyPass backend-url upgrade=websocket" without further changes.
     Special server modules for WebSockets will have to be adapted,
     most likely, as the handling if IO events is different with HTTP/2.
     HTTP/2 WebSockets are supported on platforms with native pipes. This
     excludes Windows.
     [Stefan Eissing]

  *) mod_rewrite: Fix a regression with both a trailing ? and [QSA].
     in OCSP stapling. PR 66672. [Frank Meier , covener]

  *) mod_http2: fixed a bug in flushing pending data on an already closed
     connection that could lead to a busy loop, preventing the HTTP/2 session
     to close down successfully. Fixed PR 66624.
     [Stefan Eissing]

  *) mod_http2: v2.0.15 with the following fixes and improvements
     - New directive 'H2EarlyHint name value' to add headers to a response,
       picked up already when a "103 Early Hints" response is sent. 'name' and
       'value' must comply to the HTTP field restrictions.
       This directive can be repeated several times and header fields of the
       same names add. Sending a 'Link' header with 'preload' relation will
       also cause a HTTP/2 PUSH if enabled and supported by the client.
     - Fixed an issue where requests were not logged and accounted in a timely
       fashion when the connection returns to "keepalive" handling, e.g. when
       the request served was the last outstanding one.
       This led to late appearance in access logs with wrong duration times
       reported.
     - Accurately report the bytes sent for a request in the '%O' Log format.
       This addresses #203, a long outstanding issue where mod_h2 has reported
       numbers over-eagerly from internal buffering and not what has actually
       been placed on the connection.
       The numbers are now the same with and without H2CopyFiles enabled.
     [Stefan Eissing]

  *) mod_proxy_http2: fix retry handling to not leak temporary errors.
     On detecting that that an existing connection was shutdown by the other
     side, a 503 response leaked even though the request was retried on a
     fresh connection.
     [Stefan Eissing]

  *) mod_rewrite: Add server directory to include path as mod_rewrite requires
     test_char.h. PR 66571 [Valeria Petrov ]

  *) mod_http2: new directive `H2ProxyRequests on|off` to enable handling
     of HTTP/2 requests in a forward proxy configuration.
     General forward proxying is enabled via `ProxyRequests`. If the
     HTTP/2 protocol is also enabled for such a server/host, this new
     directive is needed in addition.
     [Stefan Eissing]

  *) core: Updated conf/mime.types:
     - .js moved from 'application/javascript' to 'text/javascript'
     - .mjs was added as 'text/javascript'
     - add .opus ('audio/ogg')
     - add 'application/vnd.geogebra.slides'
     - add WebAssembly MIME types and extension
     [Mathias Bynens <@mathiasbynens> via PR 318,
      Richard de Boer , Dave Hodder ,
      Zbynek Konecny ]

  *) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend
     connection when sending data on the frontend one. This caused crashes
     or infinite loops in rare situations.
  *) mod_proxy_http2: fixed a bug in retry/response handling that could lead
     to wrong status codes or HTTP messages send at the end of response bodies
     exceeding the announced content-length.
  *) mod_proxy_http2: fix retry handling to not leak temporary errors.
     On detecting that that an existing connection was shutdown by the other
     side, a 503 response leaked even though the request was retried on a
     fresh connection.
  *) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in
     the wrong order when a bucket_beam was destroyed.
     [Stefan Eissing]

  *) mod_http2: avoid double chunked-encoding on internal redirects.
     PR 66597 [Yann Ylavic, Stefan Eissing]

  *) mod_http2: Fix reporting of `Total Accesses` in server-status to not count
     HTTP/2 requests twice. Fixes PR 66801.
     [Stefan Eissing]

  *) mod_ssl: Fix handling of Certificate Revoked messages
     in OCSP stapling. PR 66626. []

  *) mod_http2: fixed a bug in handling of stream timeouts.
     [Stefan Eissing]

  *) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
     Checking in configure for proper version installed. Code
     fixes for changed clienthello member name.
     [Stefan Eissing]

  *) mod_md:
     - New directive `MDMatchNames all|servernames` to allow more control over how
       MDomains are matched to VirtualHosts.
     - New directive `MDChallengeDns01Version`. Setting this to `2` will provide
       the command also with the challenge value on `teardown` invocation. In version
       1, the default, only the `setup` invocation gets this parameter.
       Refs #312. Thanks to @domrim for the idea.
     - For Managed Domain in "manual" mode, the checks if all used ServerName and
       ServerAlias are part of the MDomain now reports a warning instead of an error
       (AH10040) when not all names are present.
     - MDChallengeDns01 can now be configured for individual domains.
       Using PR from JГ©rГґme Billiras (@bilhackmac) and adding test case and fixing proper working
     - Fixed a bug found by JГ©rГґme Billiras (@bilhackmac) that caused the challenge
       teardown not being invoked as it should.

  *) mod_ldap: Avoid performance overhead of APR-util rebind cache for
     OpenLDAP 2.2+.  PR 64414.  [Joe Orton]

  *) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum
     amount of response body bytes put into a single HTTP/2 DATA frame.
     Setting this to 0 places no limit (but the max size allowed by the
     protocol is observed).
     The module, by default, tries to use the maximum size possible, which is
     somewhat around 16KB. This sets the maximum. When less response data is
     available, smaller frames will be sent.

  *) mod_md: fixed passing of the server environment variables to programs
     started via MDMessageCmd and MDChallengeDns01 on *nix system.
     See .
     [Stefan Eissing]

  *) mod_dav: Add DavBasePath directive to configure the repository root
     path.  PR 35077.  [Joe Orton]

  *) mod_alias: Add AliasPreservePath directive to map the full
     path after the alias in a location. [Graham Leggett]

  *) mod_alias: Add RedirectRelative to allow relative redirect targets to be
     issued as-is. [Eric Covener, Graham Leggett]

  *) core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and make
     sure that if the format is configured early enough it applies to every log
     line.  PR 62161.  [Yann Ylavic]

  *) mod_deflate: Add DeflateAlterETag to control how the ETag
     is modified. The 'NoChange' parameter mimics 2.2.x behavior.
     PR 45023, PR 39727. [Eric Covener]

  *) core: Optimize send_brigade_nonblocking(). [Yann Ylavic, Christophe Jaillet]

  *) mod_status: Remove duplicate keys "BusyWorkers" and "IdleWorkers".
     Resolve inconsistency between the previous two occurrences by
     counting workers in state SERVER_GRACEFUL no longer as busy,
     but instead in a new counter "GracefulWorkers" (or on HTML
     view as "workers gracefully restarting"). Also add the graceful
     counter as a new column to the existing HTML per process table
     for async MPMs. PR 63300. [Rainer Jung]