Tag: httpd

httpd mod_http2 v2.0.30 rpms released

mod_http2 v2.0.30 rpms released and added to all supported platforms.

Changes:

  • Fixed bug in handling over long response headers. When the 64 KB limit
    of nghttp2 was exceeded, the request was not reset and the client was
    left hanging, waiting for it. Now the stream is reset.
  • Added new directive H2MaxHeaderBlockLen to set the limit on response
    header sizes.
  • Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
    connection was reset.

Apache httpd 2.4.63 with brotli support, TLS 1.3, OpenSSL 3.0.14 with http2, mod_http2 2.0.29 and ALPN for Red Hat Enterprise Linux, CentOS 7/8/9, Alma Linux, Rocky Linux 8/9

Apache httpd 2.4.63 added to the repository.

Changes:

*) mod_dav: Update redirect-carefully example BrowserMatch config
to match more recent client versions. PR 66148, 67039.
[Michal Maloszewski <michal.maloszewski canonical.com>,
Romain Tartière <romain blogreen.org>]

*) mod_cache_socache: Fix possible crash on error path. PR 69358.
[Ruediger Pluem]

*) mod_ssl: Fail cleanly at startup if OpenSSL initialization fails.
[StephenWall]

*) mod_md: update to version 2.4.31
– Improved error reporting when waiting for ACME server to verify domains
or finalizing the order fails, e.g. times out.
– Increasing the timeouts to wait for ACME server to verify domain names
and issue the certificate from 30 seconds to 5 minutes.
– Change a log level from error to debug when Stapling is enabled but a
certificate carries no OCSP responder URL.

*) mod_proxy_balancer: Fix the handling of the stickysession configuration
parameter by the balancer manager. PR 69510
[Yutaka Tokunou <[email protected]>]

*) Add the ldap-search option to mod_authnz_ldap, allowing authorization
to be based on arbitrary expressions that do not include the username.
Make sure that when ldap searches are too long, we explicitly log the
error. [Graham Leggett]

*) mod_proxy: Honor parameters of ProxyPassMatch workers with substitution
in the host name or port. PR 69233. [Yann Ylavic]

*) mod_log_config: Fix merging for the “LogFormat” directive.
PR 65222. [Michael Kaufmann <mail michael-kaufmann.ch>]

*) mod_lua: Make r.ap_auth_type writable. PR 62497.
[Michael Osipov <michaelo apache.org>]

*) mod_md: update to version 2.4.29
– Fixed HTTP-01 challenges to not carry a final newline, as some ACME
server fail to ignore it. [Michael Kaufmann (@mkauf)]
– Fixed missing label+newline in server-status plain text output when
MDStapling is enabled.

*) mod_ssl: Restore support for loading PKCS#11 keys via ENGINE
without “SSLCryptoDevice” configured. [Joe Orton]

*) mod_authnz_ldap: Fix possible memory corruption if the
AuthLDAPSubGroupAttribute directive is configured. [Joe Orton]

*) mod_proxy_fcgi: Don’t re-encode SCRIPT_FILENAME when set via SetHandler.
PR 69203. [Yann Ylavic]

*) mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs,
including “unix:” ones. PR 69235, PR 69260. [Yann Ylavic, Ruediger Pluem]

*) mod_rewrite: Error out in case a RewriteRule in directory context uses the
proxy, but mod_proxy is not loaded. PR 56264.
[Christophe Jaillet, Michael Streeter <[email protected]>]

*) http: Remove support for Request-Range header sent by Navigator 2-3 and
MSIE 3. [Stefan Fritsch]

*) mod_rewrite: Don’t require [UNC] flag to preserve a leading //
added by applying the perdir prefix to the substitution.
[Ruediger Pluem, Eric Covener]

*) Windows: Restore the ability to “Include” configuration files on UNC
paths. PR 69313 [Eric Covener]

*) mod_proxy: Avoid AH01059 parsing error for SetHandler “unix:” URLs
in <Location> (incomplete fix in 2.4.62). PR 69160. [Yann Ylavic]

*) mod_md: update to version 2.4.28
– When the server starts, it looks for new, staged certificates to
activate. If the staged set of files in ‘md/staging/<domain>’ is messed
up, this could prevent further renewals to happen. Now, when the staging
set is present, but could not be activated due to an error, purge the
whole directory. [icing]
– Fix certificate retrieval on ACME renewal to not require a ‘Location:’
header returned by the ACME CA. This was the way it was done in ACME
before it became an IETF standard. Let’s Encrypt still supports this,
but other CAs do not. [icing]
– Restore compatibility with OpenSSL < 1.1. [ylavic]

*) mod_tls: removed the experimental module. It now is availble standalone
from https://github.com/icing/mod_tls. The rustls provided API is not
stable and does not align with the httpd release cycle.
[Stefan Eissing]

*) mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F.
PR 69197. [Yann Ylavic, Eric Covener]

*) mod_http2: Return connection monitoring to the event MPM when blocking
on client updates. [Stefan Eissing, Yann Ylavic]

Apache httpd 2.4.62-2 with brotli support, TLS 1.3, OpenSSL 3.0.14 with http2, mod_http2 2.0.29 and ALPN for Red Hat Enterprise Linux, CentOS 7/8/9, Alma Linux, Rocky Linux 8/9

Apache httpd 2.4.62-2 added to the repository.

Changes:

  • spec file updated to be close to match next EL10
  • mod_lua moved to the separate package (now it is required to avoid problems with current setup)
  • mod_lua requirement will be removed in 2.4.63, thus it will be available for deletion

Apache httpd 2.4.62 with brotli support, TLS 1.3, OpenSSL 3.0.14 with http2, mod_http2 2.0.29 and ALPN for Red Hat Enterprise Linux, CentOS 7/8/9, Alma Linux, Rocky Linux 8/9

Apache httpd 2.4.62-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS (including CentOS 7), Alma Linux, Rocky Linux 8/9 added to repository. mod_http2 2.0.29 and mod_ssl are built dynamically against OpenSSL 3.0.14.

Important security fixes: CVE-2024-40725: Apache HTTP Server: source code disclosure with handlers configured via AddType; CVE-2024-40898: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows.

Brotli conf loading file is now separated to align with new fedora builds.

We build OpenSSL+QUIC separately since v2.4.56-2, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages. On EL8 and EL9 please enable httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in base RPM file. All you need is to add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

mod_http2 v2.0.29 rpms released

mod_http2 v2.0.29 rpms released and added to all supported platforms.

Changes:

  • When HTTP/2 flow controls blocks further writes, return processing to an
  • async mpm to free a worker thread. The connection needs window updates from
  • the client in such a case and can leave monitoring the socket to the mpm.
  • So far, only effective on Apache httpd 2.5.0 (trunk).
  • [ylavic, icing]
  • Backport fix of CVE-2024-36387 from Apache 2.4.60
  • fixed a compiler warning about an unused static var when AP_MPMQ_CAN_WAITIO is not defined.

Apache httpd 2.4.61 with brotli support, TLS 1.3, OpenSSL 3.0.14 with http2, mod_http2 2.0.27 and ALPN for Red Hat Enterprise Linux, CentOS 7/8/9, Alma Linux, Rocky Linux 8/9

Apache httpd 2.4.61-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS (including CentOS 7), Alma Linux, Rocky Linux 8/9 added to repository. mod_http2 2.0.27 and mod_ssl are built dynamically against OpenSSL 3.0.14.

Important security fixes: CVE-2024-39884: Apache HTTP Server: source code disclosure with handlers configured via AddType.

We build OpenSSL+QUIC separately since v2.4.56-2, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages. On EL8 and EL9 please enable httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in base RPM file. All you need is to add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

Apache httpd 2.4.60 with brotli support, TLS 1.3, OpenSSL 3.0.14 with http2, mod_http2 2.0.27 and ALPN for Red Hat Enterprise Linux, CentOS, Alma Linux, Rocky Linux 8/9

Apache httpd 2.4.60-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS, Alma Linux, Rocky Linux 8/9 added to repository. mod_http2 2.0.27 and mod_ssl are built dynamically against OpenSSL 3.0.14.

Important security fixes: CVE-2024-39573, CVE-2024-38477, CVE-2024-38476, CVE-2024-38475, CVE-2024-38474, CVE-2024-38473, CVE-2024-38472, CVE-2024-36387.

We build OpenSSL+QUIC separately since v2.4.56-2, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages. On EL8 and EL9 please enable httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in base RPM file. All you need is to add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

Apache httpd 2.4.59 with brotli support, TLS 1.3, OpenSSL 3.0.13 with http2, mod_http2 2.0.27 and ALPN for Red Hat Enterprise Linux 7/8/9, CentOS 7, Alma Linux 8/9, Rocky Linux 8/9

Apache httpd 2.4.59-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9, Rocky Linux 8/9 added to repository. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.11.

Important fix: CVE-2024-27316

We build OpenSSL+QUIC 3.0.11 separately since v2.4.56-2, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages. On EL8 and EL9 please enable httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in base RPM file. All you need is to add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript