Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 2.0.45 Changelog
  • Fix possible segfaults under obscure error conditions within the cgid daemon. [Jeff Trawick, William Rowe]
  • SECURITY: CVE-2003-0132 (cve.mitre.org) Close a Denial of Service vulnerability identified by David Endler on all platforms. An unlimited stream of newlines was accepted between requests, and each newline would allocate an 80-byte buffer, leading very quickly to memory exhaustion. [Brian Pane]
  • Added an rpm build script. [Graham Leggett, Joe Orton]
  • Simpler, faster code path for request header scanning [Brian Pane]
  • SECURITY: Eliminated leaks of several file descriptors to child processes, such as CGI scripts. This fix depends on the APR library release 0.9.2 or later (0.9.3 was distributed with the httpd source tarball for Apache 2.0.45). PR 17206. [Christian Kratzer, Bjoern A. Zeeb]
  • Fix path handling of mod_rewrite, especially on non-unix systems. There was some confusion between local paths and URL paths. PR 12902. [André Malo]
  • Prevent endless loops of internal redirects in mod_rewrite by aborting after exceeding a limit of internal redirects. The limit defaults to 10 and can be changed using the RewriteOptions directive. PR 17462. [André Malo]
  • Win32: Avoid busy wait (consuming all the CPU idle cycles) when all worker threads are busy. [Igor Nazarenko]
  • Keep the subrequest filter in place when a subrequest is redirected. PR 15423. [Jeff Trawick]
  • You can now specify the compression level for mod_deflate. [Ian Holsman, Stephen Pierzchala, Michael Schroepl]
  • mod_deflate: Extend the DeflateFilterNote directive to allow accurate logging of the filter's in- and outstream. [André Malo]
  • Allow SSLMutex to select/use the full range of APR locking mechanisms available to it. Also, fix the bug that SSLMutex uses APR_LOCK_DEFAULT no matter what. PR 8122. [Jim Jagielski, Martin Kutschker]
  • Restore the ability of htdigest.exe to create files that contain more than one user. PR 12910. [André Malo]
  • Improve binary compatibility of the core between debug (aka maintainer-mode) and a non-debug compile. [Sander Striker]
  • mod_usertrack: don't set the cookie in subrequests. This works around the problem that cookies were set twice during fast internal redirects. PR 13211. [André Malo]
  • mod_autoindex no longer forgets output format and enabled version sort in linked column headers. [André Malo]
  • Use .sv instead of .se as extension for Swedish documents in the default configuration. PR 12877. [André Malo]
  • Updated mod_ldap and mod_auth_ldap to support the Novell LDAP SDK SSL and standardized the LDAP SSL support across the various LDAP SDKs. Isolated the SSL functionality to mod_ldap rather than spreading it across mod_auth_ldap and mod_ldap. Also added LDAPTrustedCA and LDAPTrustedCAType directives to mod_ldap to allow for a more common method of specifying the SSL certificate. [Dave Ward, Brad Nicholes]
  • Fixed mod_ssl's SSLCertificateChain initialization to no longer skip the first cert of the chain by default. This misbehavior was introduced in 2.0.34. PR 14560 [Madhusudan Mathihalli]
  • mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot be started on Unix because of such problems as bad permissions, bad shebang line, etc. [Jeff Trawick]
  • Fix 64-bit problem in mod_ssl input logic. [Madhusudan Mathihalli]
  • Fix potential memory leaks in mod_deflate on malformed data. PR 16046. [Justin Erenkrantz]
  • Rewrite ap_xml_parse_input to use bucket brigades. PR 16134. [Justin Erenkrantz]
  • Fix segfault which occurred when a section in an included configuration file was not closed. PR 17093. [André Malo]
  • Enhance the behavior of mod_isapi's WriteClient() callback to provide better emulation for isapi modules that presume that the first WriteClient() call may send status and headers. An example of WriteClient() abuse is the foxisapi module, which relies on that assumption and now works. [William Rowe, Milan Kosina]
  • Check the return value of ap_run_pre_connection(). So if the pre_connection phase fails (without setting c->aborted) ap_run_process_connection is not executed. [Stas Bekman]
  • Fixed a problem with mod_ldap which caused it to fault when caching was disabled. Needed to make sure that the code did not attempt to use the cache if it didn't exist. Also fixed some memory leaks which were due to not releasing LDAP resources on error conditions. [Brad Nicholes]
  • Hook mod_proxy's fixup before mod_rewrite's fixup, so that URLs proxied by mod_rewrite will not be escaped accidentally by mod_proxy's fixup. PR 16368. [André Malo]
  • While processing filters on internal redirects, remember seen EOS buckets also in the request structure of the redirect issuer(s). This prevents filters (such as mod_deflate) from adding garbage to the response. PR 14451. [André Malo]
  • suexec: Be more pedantic when cleaning environment. Clean it immediately after startup. PR 2790, 10449. [Jeff Stewart, André Malo]
  • Fix apxs to insert LoadModule directives only outside of sections. PR 8712, 9012. [André Malo]
  • Fix suexec compile error under SUNOS4, where strerror() doesn't exist. PR 5913, 9977. [Jonathan W Miner]
  • Fix If header parsing when a non-mod_dav lock token is passed to it. PR 16452. [Justin Erenkrantz]
  • mod_auth_digest no longer tries to guess AuthDigestDomain, if it's not specified. Now it assumes "/" as already documented. PR 16937. [André Malo]
  • Try to log an error if a piped log program fails. Try to restart a piped log program in more failure situations. Fix an existing problem with error handling in piped_log_spawn(). Use new APR apr_proc_create() features to prevent Apache from starting on Unix* in most cases where a piped log program cannot be started, and add log messages for the other situations. *Other platforms already failed Apache initialization if a piped log program couldn't be started. PR 15761. [Jeff Trawick]
  • Fix mod_cern_meta to not create empty metafiles when the metafile searched for does not exist. PR 12353. [Owen Rees]
  • Introduce debugging symbols for Win32 release builds, both .pdb and .dbg files (older debuggers and Dr. Watson-type utilities on WinNT or Win9x don't support the newer .pdb flavor.) [Allen Edwards, William Rowe]
  • Fix bug where 'Satisfy Any' without an AuthType lost all MIME information (and more). Related to PR 9076. [André Malo]
  • mod_file_cache: fix segfault serving mmaped cached files. [Bill Stoddard]
  • mod_file_cache: fixed a segfault when multiple MMapFile directives were used. PR 16313. [Cliff Woolley]
  • Fix a nasty segfault in mmap_bucket_setaside() caused by passing an incompatible pointer type to mmap_bucket_destroy(void *). [Gerard Eviston]
  • Enable the -n name parameter on NetWare to allow the administrator to rename the Apache console screen [Brad Nicholes]
  • Fixed piped access logs on Win32 by disabling OTHER_CHILD support by default in APR. More development is required to deploy OTHER_CHILD on Win32. [William Rowe]
  • Use saner default config values for suexec. PR 15713. [Thom May]
  • mod_rewrite: Allow "RewriteEngine Off" even if no "Options FollowSymlinks" (or SymlinksIfOwnermatch) is set. PR 12395. [André Malo]
  • apxs: Include any special APR ld flags when linking the DSO. This resolves problems on AIX when building a DSO with apxs+gcc. [Jeff Trawick]
  • Added character set support to mod_auth_LDAP to allow it to convert extended characters used in the user ID to UTF-8 before authenticating against the LDAP directory. The new directive AuthLDAPCharsetConfig is used to specify the config file that contains the character set conversion table. [Brad Nicholes]
  • Don't remove the Content-Length from responses in mod_proxy. PR 8677. [Brian Pane]
  • Ensure LDAP version is set to v3 on every bind. PR 14235. [Sergey A. Lipnevich]
  • Fix mod_ldap to open an existing shared memory file should one already exist. PR 12757. [Scooter Morris, Graham Leggett]
  • Fix the ulimit command used by apachectl on Tru64. PR 13609. [Joseph Senulis, Jeff Trawick]
  • Change the ulimit command used by apachectl on AIX so that it works in all locales. [Jeff Trawick]
  • mod_ext_filter: Fix a problem building argument lists which occasionally caused exec to fail. PR 15491. [Jeff Trawick]
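
The CVE-2003-0132 entry above describes blank lines between requests that were accepted without limit, each costing an allocation. The following C function is an added example, not httpd's own code: it skips blank lines in place with no per-line allocation and counts them against a cap across reads. The names `skip_blank_lines` and `MAX_BLANK_LINES` and the cap of 100 are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed cap for this example; the changelog entry does not state one. */
#define MAX_BLANK_LINES 100

typedef enum { REQ_FOUND, REQ_NEED_MORE, REQ_TOO_MANY } scan_status;

/*
 * Skip blank lines (CRLF or bare LF) that precede the next request line.
 * *blank_seen persists across reads on one connection and is reset by the
 * caller once a request has been parsed. *off receives the number of bytes
 * consumed, which is the request line's offset when REQ_FOUND is returned.
 * On REQ_TOO_MANY the caller should close the connection.
 */
scan_status skip_blank_lines(const char *buf, size_t len,
                             unsigned *blank_seen, size_t *off)
{
    size_t i = 0;
    *off = 0;
    while (i < len) {
        size_t eol;
        if (buf[i] == '\n')
            eol = 1;
        else if (buf[i] == '\r' && i + 1 == len)
            break;                  /* CR at end of data: LF may follow */
        else if (buf[i] == '\r' && buf[i + 1] == '\n')
            eol = 2;
        else {
            *off = i;               /* first byte of the request line */
            return REQ_FOUND;
        }
        if (++*blank_seen > MAX_BLANK_LINES)
            return REQ_TOO_MANY;    /* bound reached: stop reading */
        i += eol;
        *off = i;
    }
    return REQ_NEED_MORE;
}

int main(void)
{
    char flood[MAX_BLANK_LINES + 1];    /* constructed newline flood */
    unsigned seen = 0;
    size_t off;
    memset(flood, '\n', sizeof flood);
    scan_status st = skip_blank_lines(flood, sizeof flood, &seen, &off);
    printf("flood: status=%d consumed=%zu\n", (int)st, off);
    return 0;
}
```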