Software 42837 Published by

Apache HTTP Server 2.4.54 has been released.



Apache/HTTPD 2.4.54

Changes with Apache 2.4.54

*) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063.
[Petr Sumbera petr.sumbera oracle.com, Yann Ylavic]

*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
PR 65666. [Yann Ylavic]

*) mod_md: a bug was fixed that caused very large MDomains
with the combined DNS names exceeding ~7k to fail, as
request bodies would contain partially wrong data from
uninitialized memory. This would have appeared as failure
in signing-up/renewing such configurations.
[Stefan Eissing, Ronald Crane (Zippenhop LLC)]

*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
PR 65666. [Yann Ylavic]

*) MPM event: Restart chilren processes killed before idle maintenance.
PR 65769. [Yann Ylavic, Ruediger Pluem]

*) ab: Allow for TLSv1.3 when the SSL library supports it.
[abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic]

*) core: Disable TCP_NOPUSH optimization on OSX since it might introduce
transmission delays. PR 66019. [Yann Ylavic]

*) MPM event: Fix accounting of active/total processes on ungraceful restart,
PR 66004 (follow up to PR 65626 from 2.4.52). [Yann Ylavic]

*) core: make ap_escape_quotes() work correctly on strings
with more than MAX_INT/2 characters, counting quotes double.
Credit to generalbugs@zippenhop.com for finding this.
[Stefan Eissing]

*) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
an ACME CA. This gives a failover for renewals when several consecutive attempts
to get a certificate failed.
A new directive was added: `MDRetryDelay` sets the delay of retries.
A new directive was added: `MDRetryFailover` sets the number of errored
attempts before an alternate CA is selected for certificate renewals.
[Stefan Eissing]

*) mod_http2: remove unused and insecure code. Fixes PR66037.
Thanks to Ronald Crane (Zippenhop LLC) for reporting this.
[Stefan Eissing]

*) mod_proxy: Add backend port to log messages to
ease identification of involved service. [Rainer Jung]

*) mod_http2: removing unscheduling of ongoing tasks when
connection shows potential abuse by a client. This proved
counter-productive and the abuse detection can false flag
requests using server-side-events.
Fixes https://github.com/icing/mod_h2/issues/231.
[Stefan Eissing]

*) mod_md: Implement full auto status ("key: value" type status output).
Especially not only status summary counts for certificates and
OCSP stapling but also lists. Auto status format is similar to
what was used for mod_proxy_balancer.
[Rainer Jung]

*) mod_md: fixed a bug leading to failed transfers for OCSP
stapling information when more than 6 certificates needed
updates in the same run. [Stefan Eissing]

*) mod_proxy: Set a status code of 502 in case the backend just closed the
connection in reply to our forwarded request. [Ruediger Pluem]

*) mod_md: a possible NULL pointer deref was fixed in
the JSON code for persisting time periods (start+end).
Fixes #282 on mod_md's github.
Thanks to @marcstern for finding this. [Stefan Eissing]

*) mod_heartmonitor: Set the documented default value
"10" for HeartbeatMaxServers instead of "0". With "0"
no shared memory slotmem was initialized. [Rainer Jung]

*) mod_md: added support for managing certificates via a
local tailscale daemon for users of that secure networking.
This gives trusted certificates for tailscale assigned
domain names in the *.ts.net space.
[Stefan Eissing]



Release 2.4.54 · apache/httpd