mod_http2 v2.0.31 rpms released and added to all supported platforms.
Changes:
mod_http2 v2.0.30 rpms released and added to all supported platforms.
Changes:
H2MaxHeaderBlockLen to set the limit on responsenghttp2 1.65.0 rpms released and added to all supported platforms
ngtcp2 1.11.0, nghttp3 1.8.0 rpms released and added to all supported platforms
openssl+quic (quictls) 3.0.16 rpms released and added to all supported platforms.
OpenSSL 3.0.16 is a security patch release.
This release incorporates the following bug fixes and mitigations:
Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176) Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)
nginx 1.27.4 Mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.15.
Featuring optimized resource usage for complex SSL configurations, and with a fix for the SSL session reuse vulnerability (CVE-2025-23419).
nginx 1.26.3 Stable with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.15.
Fixed CVE-2025-23419.
Apache httpd 2.4.63 added to the repository.
Changes:
*) mod_dav: Update redirect-carefully example BrowserMatch config
to match more recent client versions. PR 66148, 67039.
[Michal Maloszewski <michal.maloszewski canonical.com>,
Romain Tartière <romain blogreen.org>]
*) mod_cache_socache: Fix possible crash on error path. PR 69358.
[Ruediger Pluem]
*) mod_ssl: Fail cleanly at startup if OpenSSL initialization fails.
[StephenWall]
*) mod_md: update to version 2.4.31
— Improved error reporting when waiting for ACME server to verify domains
or finalizing the order fails, e.g. times out.
— Increasing the timeouts to wait for ACME server to verify domain names
and issue the certificate from 30 seconds to 5 minutes.
— Change a log level from error to debug when Stapling is enabled but a
certificate carries no OCSP responder URL.
*) mod_proxy_balancer: Fix the handling of the stickysession configuration
parameter by the balancer manager. PR 69510
[Yutaka Tokunou <[email protected]>]
*) Add the ldap-search option to mod_authnz_ldap, allowing authorization
to be based on arbitrary expressions that do not include the username.
Make sure that when ldap searches are too long, we explicitly log the
error. [Graham Leggett]
*) mod_proxy: Honor parameters of ProxyPassMatch workers with substitution
in the host name or port. PR 69233. [Yann Ylavic]
*) mod_log_config: Fix merging for the «LogFormat» directive.
PR 65222. [Michael Kaufmann <mail michael-kaufmann.ch>]
*) mod_lua: Make r.ap_auth_type writable. PR 62497.
[Michael Osipov <michaelo apache.org>]
*) mod_md: update to version 2.4.29
— Fixed HTTP-01 challenges to not carry a final newline, as some ACME
server fail to ignore it. [Michael Kaufmann (@mkauf)]
— Fixed missing label+newline in server-status plain text output when
MDStapling is enabled.
*) mod_ssl: Restore support for loading PKCS#11 keys via ENGINE
without «SSLCryptoDevice» configured. [Joe Orton]
*) mod_authnz_ldap: Fix possible memory corruption if the
AuthLDAPSubGroupAttribute directive is configured. [Joe Orton]
*) mod_proxy_fcgi: Don’t re-encode SCRIPT_FILENAME when set via SetHandler.
PR 69203. [Yann Ylavic]
*) mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs,
including «unix:» ones. PR 69235, PR 69260. [Yann Ylavic, Ruediger Pluem]
*) mod_rewrite: Error out in case a RewriteRule in directory context uses the
proxy, but mod_proxy is not loaded. PR 56264.
[Christophe Jaillet, Michael Streeter <[email protected]>]
*) http: Remove support for Request-Range header sent by Navigator 2-3 and
MSIE 3. [Stefan Fritsch]
*) mod_rewrite: Don’t require [UNC] flag to preserve a leading //
added by applying the perdir prefix to the substitution.
[Ruediger Pluem, Eric Covener]
*) Windows: Restore the ability to «Include» configuration files on UNC
paths. PR 69313 [Eric Covener]
*) mod_proxy: Avoid AH01059 parsing error for SetHandler «unix:» URLs
in <Location> (incomplete fix in 2.4.62). PR 69160. [Yann Ylavic]
*) mod_md: update to version 2.4.28
— When the server starts, it looks for new, staged certificates to
activate. If the staged set of files in ‘md/staging/<domain>’ is messed
up, this could prevent further renewals to happen. Now, when the staging
set is present, but could not be activated due to an error, purge the
whole directory. [icing]
— Fix certificate retrieval on ACME renewal to not require a ‘Location:’
header returned by the ACME CA. This was the way it was done in ACME
before it became an IETF standard. Let’s Encrypt still supports this,
but other CAs do not. [icing]
— Restore compatibility with OpenSSL < 1.1. [ylavic]
*) mod_tls: removed the experimental module. It now is availble standalone
from https://github.com/icing/mod_tls. The rustls provided API is not
stable and does not align with the httpd release cycle.
[Stefan Eissing]
*) mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F.
PR 69197. [Yann Ylavic, Eric Covener]
*) mod_http2: Return connection monitoring to the event MPM when blocking
on client updates. [Stefan Eissing, Yann Ylavic]
mc 4.8.33 rpms released and added for all supported platforms
ngtcp2 1.10.0, nghttp3 1.7.0 rpms released and added to all supported platforms