CVE-2020-1927: An open redirect in mod_rewrite. With some mod_rewrite configurations, a newline encoded inside a parameter that is used in an existing redirect can cause the user to be redirected to a different URL than intended.
CVE-2020-1934: A vulnerability in mod_proxy_ftp. The use of uninitialized values can lead to memory leaks when requests are proxied to an attacker-controlled FTP server.
A memory leak in mod_ssl when handling OCSP stapling responses.
The most notable non-security changes are:
Added a new module, mod_systemd, providing integration with the systemd service manager. The module allows httpd to run as a service unit with "Type=notify".
Support for cross-compilation has been added to apxs.
The capabilities of the mod_md module, which automates obtaining and renewing certificates from Let's Encrypt and other CAs using the ACME (Automatic Certificate Management Environment) protocol, have been extended:
The MDContactEmail directive has been added, through which a contact email can be specified independently of the value in the ServerAdmin directive.
For every virtual host, support for the "tls-alpn-01" challenge (the protocol negotiated when the secure channel is set up) is now checked.
The use of mod_md directives is now allowed in additional configuration blocks.
Repeated use of the MDCAChallenges directive now replaces the earlier settings.
Added the ability to configure the URL of the CT log monitor.
The commands defined by the MDMessageCmd directive are guaranteed to be called with the "installed" argument when a new certificate is activated after a server restart (this can be used, for example, to copy or convert the new certificate for other applications).
mod_proxy_hcheck added support for the %{Content-Type} variable in health-check expressions.
CookieSameSite, CookieHTTPOnly and CookieSecure modes have been added to mod_usertrack to customize how usertrack cookies are handled.
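The following configuration is an added example, not part of the release notes or of the httpd project's documentation, showing how the three new mod_usertrack directives harden the tracking cookie; the cookie name, hostname and expiry are assumptions.

```apache
# Added example (not from the release notes). Assumes mod_usertrack is
# built and available at the path below; the host and cookie name are
# placeholders.
LoadModule usertrack_module modules/mod_usertrack.so

<VirtualHost *:443>
    ServerName www.example.com
    # TLS directives omitted for brevity.

    # Baseline mod_usertrack setup. Before 2.4.42 the cookie carried only
    # a name, value and expiry, so browsers would also send it over plain
    # HTTP, expose it to document.cookie, and attach it to cross-site
    # requests.
    CookieTracking on
    CookieName apache_track
    CookieExpires "1 month"

    # New in 2.4.42: only transmit the cookie over TLS.
    CookieSecure on
    # New in 2.4.42: hide the cookie from client-side script.
    CookieHTTPOnly on
    # New in 2.4.42: do not send the cookie with cross-site requests;
    # Lax or None are the alternatives if the site needs them.
    CookieSameSite Strict
</VirtualHost>
```

Apache configuration does not allow comments on the same line as a directive, so each explanation sits on its own line above the directive it describes.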
mod_proxy_ajp implemented a "secret" parameter for proxy handlers to support the legacy AJP13 authentication mechanism.
Added configuration set for OpenWRT.
Added support for using private keys and certificates from OpenSSL ENGINE in mod_ssl by specifying PKCS#11 URI in SSLCertificateFile/KeyFile.
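As an added example, not taken from the release notes or from the httpd project's own documentation, the fragment below shows a virtual host whose certificate and private key are referenced by PKCS#11 URI instead of by filesystem path. It assumes the OpenSSL "pkcs11" ENGINE (libp11/engine_pkcs11) is installed and that a token with the given labels exists; the token and object names are placeholders.

```apache
# Added example (not from the release notes). Assumes the OpenSSL
# "pkcs11" ENGINE is installed; the token and object labels are
# placeholders to be replaced with those of the real token or HSM.
LoadModule ssl_module modules/mod_ssl.so

# Select the OpenSSL ENGINE that mod_ssl should initialise.
SSLCryptoDevice pkcs11

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # Before 2.4.42 only a file path was accepted here. A key file on
    # disk is readable by anyone who gains the httpd user's privileges.
    # SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # With 2.4.42 the key stays on the token: httpd asks the ENGINE to
    # perform the TLS signature and never holds the key material itself.
    SSLCertificateFile    "pkcs11:token=example-token;object=www-cert;type=cert"
    SSLCertificateKeyFile "pkcs11:token=example-token;object=www-key;type=private"
</VirtualHost>
```

The token PIN is not part of the example; how it is supplied depends on the ENGINE and token configuration in use.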
Added testing via the Travis CI continuous integration service.
Stricter parsing of Transfer-Encoding headers.
mod_ssl supports per-virtual-host TLS protocol version negotiation (available when built against OpenSSL 1.1.1 or later).
Due to the use of hashing for command tables, restarting in "graceful" mode (without interrupting running request handlers) is faster.
Added read-only tables r:headers_in_table, r:headers_out_table, r:err_headers_out_table, r:notes_table and r:subprocess_env_table to mod_lua. Assigning the value nil to table entries is allowed.
In mod_authn_socache, the limit on the size of a cached string has been raised from 100 to 256.