Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards

Apache 2.0.43 Changelog
  • SECURITY: CVE-2002-0840 (cve.mitre.org) HTML-escape the address produced by ap_server_signature() against this cross-site scripting vulnerability exposed by the directive 'UseCanonicalName Off'. Also HTML-escape the SERVER_NAME environment variable for CGI and SSI requests. It's safe to escape as only the '<', '>', and '&' characters are affected, which won't appear in a valid hostname. Reported by Matthew Murphy . [Brian Pane]
  • Fix a core dump in mod_cache when it attemtped to store uncopyable buckets. This happened, for instance, when a file to be cached contained SSI tags to execute a CGI script (passed as a pipe bucket). [Paul J. Reder]
  • Ensure that output already available is flushed to the network when the content-length filter realizes that no new output will be available for a while. This helps some streaming CGIs as well as some other dynamically-generated content. [Jeff Trawick]
  • Fix a mutex problem in mod_ssl session cache support which could lead to an infinite loop. PR 12705 [Amund Elstad , Jeff Trawick]
  • SECURITY: CVE-2002-1156 (cve.mitre.org) Fix the exposure of CGI source when a POST request is sent to a location where both DAV and CGI are enabled. [Ryan Bloom]
  • Allow the UserDir directive to accept a list of directories. This matches what Apache 1.3 does. Also add documentation for this feature. [Jay Ball ]
  • New Module: mod_logio. adds the ability to log bytes sent and received. [Bojan Smojver ]
  • SuExec needs to use the same default directory as the rest of server, namely /usr/local/apache2. [SangBeom han ]
  • Get mod_auth_ldap to retry connections on LDAP_SERVER_DOWN. [Thomas Bennett , Graham Leggett]
  • Make sure the contents of the WWW-Authenticate header is passed on a 4xx error by proxy. Previously all headers were dropped, resulting in the browser being unable to authenticate. [Dr Richard Reiner , Richard Danielli , Graham Wiseman , David Henderson ]
  • Make mod_cache's CacheMaxStreamingBuffer directive work properly for virtual hosts that override server-wide mod_cache setttings. [Matthieu Estrade ]
  • Add -p option to apxs to allow programs to be compiled with apxs. [Justin Erenkrantz]