Apache HTTP Server 2.4.43 released

Apache HTTP Server 2.4.43 has been released (version 2.4.42 was skipped). The release contains 34 changes and fixes 3 vulnerabilities:

  • CVE-2020-1927: Open redirect in mod_rewrite. Some mod_rewrite configurations that build a redirect target from a request parameter could be made to redirect the user to a different URL when that parameter contained an encoded newline character.
  • CVE-2020-1934: mod_proxy_ftp could use uninitialized values when proxying requests to an attacker-controlled FTP server, exposing uninitialized memory contents.
  • Memory leak in mod_ssl when handling OCSP stapling responses.

The most notable non-security changes:

  • Added the new mod_systemd module, which integrates httpd with the systemd service manager and lets it run in units with "Type=notify" (the server reports its readiness to systemd).
  • apxs now supports cross-compilation.
  • The mod_md module, which automates obtaining and renewing certificates via the ACME (Automatic Certificate Management Environment) protocol as used by Let's Encrypt, has been extended:
    • New MDContactEmail directive for specifying the ACME contact address independently of ServerAdmin.
    • When the "tls-alpn-01" challenge is used, all virtual hosts are now checked for support of the TLS-ALPN protocol the challenge requires.
    • mod_md directives may now also be used inside configuration sections where they were previously rejected.
    • When MDCAChallenges is specified more than once, later occurrences replace the earlier settings.
    • The URL of the Certificate Transparency (CT) log monitor can now be configured.
    • Commands configured with MDMessageCmd are now guaranteed to be invoked with the "installed" reason once a new certificate has been activated after a server restart, so the hook can, for example, copy or convert the new certificate for other applications.
  • mod_proxy_hcheck: the %{Content-Type} variable can now be used in health-check expressions.
  • mod_usertrack: new CookieSameSite, CookieHTTPOnly and CookieSecure directives control the SameSite, HttpOnly and Secure attributes of the tracking cookie.
  • mod_proxy_ajp: a "secret" parameter for proxy workers implements the legacy AJP13 authentication (a shared secret with the backend).
  • Added a build and installation layout for OpenWRT.
  • mod_ssl: private keys and certificates provided by an OpenSSL ENGINE (for example on an HSM or smart card) can be used by specifying a PKCS#11 URI in SSLCertificateFile/SSLCertificateKeyFile.
  • Testing with the Travis CI continuous-integration service has been set up.
  • Stricter parsing of Transfer-Encoding headers (lax handling of this header is a common ingredient of request-smuggling attacks).
  • mod_ssl: the TLS protocol version is now negotiated per virtual host, so SSLProtocol can differ between name-based virtual hosts (requires building with OpenSSL 1.1.1 or later).
  • Command tables are now stored in hash tables, which speeds up "graceful" restarts (restarts that do not interrupt in-flight request handlers).
  • mod_lua: added the read-only tables r:headers_in_table, r:headers_out_table, r:err_headers_out_table, r:notes_table and r:subprocess_env_table; assigning nil to table entries is now allowed.
  • mod_authn_socache: the maximum length of a cached string has been raised from 100 to 256 characters.
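As an added illustration of the new "installed" event (this is example code, not part of httpd or mod_md): a minimal MDMessageCmd hook that copies the newly activated certificate for another application. The httpd.conf line, the store and destination paths, and the environment-variable overrides are assumptions made for the example; the argument order (reason, then managed domain) and the default MDStoreDir layout follow mod_md's documented behaviour.

```shell
#!/bin/sh
# Hypothetical MDMessageCmd hook (added example, not part of httpd or mod_md).
# Assumed wiring in httpd.conf:
#     MDMessageCmd /usr/local/sbin/md-installed.sh
# mod_md appends the event reason and the managed domain to the command line,
# so httpd runs e.g.:  /usr/local/sbin/md-installed.sh installed example.org
#
# Only "installed" means the new certificate is in use by httpd. "renewed" means
# it was obtained and staged and will be activated on the next restart, so a
# hook that copies on "renewed" hands other applications a certificate the
# server itself is not serving yet.
set -eu

# Assumptions: default MDStoreDir layout
# (<store>/domains/<mdomain>/privkey.pem and pubcert.pem) and a destination
# directory for the consuming application. Both come from the environment so
# the script can be exercised against temporary directories.
MD_STORE_DIR="${MD_STORE_DIR:-/etc/httpd/md}"
DEST_DIR="${DEST_DIR:-/etc/myapp/tls}"

# copy_bundle <mdomain> <store_dir> <dest_dir>
# Writes <dest_dir>/<mdomain>/fullchain.pem and combined.pem (key followed by
# chain, the format many TLS terminators consume).
# Returns 0 on success and 2 if the store has no certificate for the domain.
copy_bundle() {
    mdomain=$1; store=$2; dest=$3
    src="$store/domains/$mdomain"
    [ -r "$src/privkey.pem" ] && [ -r "$src/pubcert.pem" ] || return 2
    out="$dest/$mdomain"
    mkdir -p "$out"
    umask 077   # key material: owner-only from the moment the file exists
    # Stage under temporary names and rename into place so a concurrent reader
    # never observes a half-written key file.
    cat "$src/privkey.pem" "$src/pubcert.pem" > "$out/.combined.pem.tmp"
    cp "$src/pubcert.pem" "$out/.fullchain.pem.tmp"
    mv "$out/.combined.pem.tmp" "$out/combined.pem"
    mv "$out/.fullchain.pem.tmp" "$out/fullchain.pem"
}

# handle_event <reason> <mdomain>
# 0: certificate copied; 1: event ignored; 2: "installed" but files missing.
handle_event() {
    reason=$1; mdomain=$2
    case "$reason" in
        installed) copy_bundle "$mdomain" "$MD_STORE_DIR" "$DEST_DIR" ;;
        *) return 1 ;;   # renewed / expiring / errored: nothing to copy
    esac
}

# Dispatch only when invoked with arguments, as mod_md does; sourcing the file
# merely defines the functions.
if [ "$#" -ge 2 ]; then
    handle_event "$1" "$2"
fi
```

The hook deliberately ignores every reason except "installed": copying on "renewed" would distribute a certificate that httpd has not switched to yet, and the two copies would disagree until the next graceful restart. Whatever consumes the files still has to be told to reload them; that step depends on the application and is left out here.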

Source: opennet.ru
