Software 42498 Published by

The release candidate for Apache HTTP server 2.4.60 is now ready for testing. This update includes several changes, including fixing DNS requests and connections closed before configured addressTTL, logging real thread ID in error logs on Linux, supporting zone/scope in IPv6 link-local addresses in Listen and VirtualHost directives, rejecting client-initiated renegotiation with a TLS alert, updating mime.types, fixing a regression that caused default DH parameters for a key to no longer be set, and updating rustls-ffi to v0.13.0.



apache/httpd 2.4.60-rc1-candidate

Changes with Apache 2.4.60

*) mod_proxy: Fix DNS requests and connections closed before the
configured addressTTL. BZ 69126. [Yann Ylavic]

*) core: On Linux, log the real thread ID in error logs. [Joe Orton]

*) core: Support zone/scope in IPv6 link-local addresses in Listen and
VirtualHost directives (requires APR 1.7.x or later). PR 59396
[Joe Orton]

*) mod_ssl: Reject client-initiated renegotiation with a TLS alert
(rather than connection closure). [Joe Orton, Yann Ylavic]

*) Updated mime.types. [Mohamed Akram <mohd.akram outlook.com>,
Adam Silverstein <adamsilverstein earthboundhosting.com>]

*) mod_ssl: Fix a regression that causes the default DH parameters for a key
no longer set and thus effectively disabling DH ciphers when no explicit
DH parameters are set. PR 68863 [Ruediger Pluem]

*) mod_cgid: Optional support for file descriptor passing, fixing
error log handling (configure --enable-cgid-fdpassing) on Unix
platforms. PR 54221. [Joe Orton]

*) mod_cgid/mod_cgi: Distinguish script stderr output clearly in
error logs. PR 61980. [Hank Ibell <hwibell gmail.com>]

*) mod_tls: update version of rustls-ffi to v0.13.0.
[Daniel McCarney (@cpu}]

*) mod_md:
- Using OCSP stapling information to trigger certificate renewals. Proposed
by @frasertweedale.
- Added directive `MDCheckInterval` to control how often the server checks
for detected revocations. Added proposals for configurations in the
README.md chapter "Revocations".
- OCSP stapling: accept OCSP responses without a `nextUpdate` entry which is
allowed in RFC 6960. Treat those as having an update interval of 12 hours.
Added by @frasertweedale.
- Adapt OpenSSL usage to changes in their API. By Yann Ylavic.

Release 2.4.60-rc1-candidate · apache/httpd