Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 2.0.46 Changelog
  • SECURITY: CVE-2003-0245 (cve.mitre.org) Fixed a bug that caused apr_pvsprintf() to crash when sent an overly long string. This can be triggered remotely through mod_dav, mod_ssl, and other mechanisms. Reported by David Endler. [Joe Orton]
  • SECURITY: CVE-2003-0189 (cve.mitre.org) Fixed a denial-of-service vulnerability affecting basic authentication on Unix platforms related to thread-safety in apr_password_validate(). Reported by John Hughes.
  • Fix for mod_dav. Call the 'can_be_activity' callback, if provided, when a MKACTIVITY request comes in. [Ben Collins-Sussman]
  • Perform run-time query in apxs for apr and apr-util's includes. [Justin Erenkrantz]
  • run libtool from the apr install directory (in case that is different from the apache install directory) [Jeff Trawick]
  • configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]
  • If mod_mime_magic does not know the content-type, do not attempt to guess. PR 16908. [Andrew Gapon]
  • ssl session caching (shmht): Fix a SEGV problem with SHMHT session caching. PR 17864. [Andreas Leimbacher, Madhusudan Mathihalli]
  • Add a delete flag to htpasswd. [Thom May]
  • Fix mod_rewrite's handling of absolute URIs. The escaping routines now work scheme dependent and the query string will only be appended if supported by the particular scheme. [André Malo]
  • Add another check for already compressed content in mod_deflate. PR 19913. [Tsuyoshi SASAMOTO]
  • Fixes for VPATH builds; copying special.mk and any future .mk files from the source tree as well as the build tree (now creates a usable configuration for apxs), and eliminated redundant -I'nclude paths. [William Rowe]
  • Code fixes, constness corrections and ssl_toolkit_compat.h updates for SSLC and OpenSSL toolkit compatibility. Still work remains to be done to cripple features based on the limitations of RSA's binary distribution of their SSL-C toolkit. [William Rowe, Madhusudan Mathihalli, Jeff Trawick]
  • Linux 2.4+: If Apache is started as root and you code CoreDumpDirectory, coredumps are enabled via the prctl() syscall. [Greg Ames]
  • ap_get_mime_headers_core: allocate space for the trailing null when folding is in effect. PR 18170. [Peter Mayne]
  • Fix --enable-mods-shared=most and other variants. [Aaron Bannert]
  • mod_log_config: Add the ability to log the id of the thread processing the request via new %P formats. [Jeff Trawick]
  • Use appropriate language codes for Czech (cs) and Traditional Chinese (zh-tw) in default config files. PR 9427. [André Malo]
  • mod_auth_ldap: Use generic whitespace character class when parsing "require" directives, instead of literal spaces only. PR 17135. [André Malo]
  • Hook mod_rewrite's type checker before mod_mime's one. That way the RewriteRule [T=...] Flag should work as expected now. PR 19626. [André Malo]
  • htpasswd: Check the processed file on validity. If a line is not empty and not a comment, it must contain at least one colon. Otherwise exit with error code 7. [Kris Verbeeck, Thom May]
  • Fix a problem that caused httpd to be linked with incorrect flags on some platforms when mod_so was enabled by default, breaking DSOs on AIX. PR 19012 [Jeff Trawick]
  • By default, use the same CC and CPP with which APR was built. The user can override with CC and CPP environment variables. [Jeff Trawick]
  • Fix ap_construct_url() so that it surrounds IPv6 literal address strings with []. This fixes certain types of redirection. PR 19207. [Jeff Trawick]
  • forward port of buffer overflow fixes for htdigest. [Thom May]
  • Added AllowEncodedSlashes directive to permit control of whether the server will accept encoded slashes ('%2f') in the URI path. Default condition is off (the historical behaviour). This permits environments in which the path-info needs to contain encoded slashes. PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639. [Ken Coar]
  • When using Redirect in directory context, append requested query string if there's no one supplied by configuration. PR 10961. [André Malo]
  • Unescape the supplied wildcard pattern in mod_autoindex. Otherwise the pattern will not always match as desired. PR 12596. [André Malo]
  • mod_autoindex now emits and accepts modern query string parameter delimiters (;). Thus column headers no longer contain unescaped ampersands. PR 10880 [André Malo]
  • Enable ap_sock_disable_nagle for Windows. This along with the addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle to be disabled for Windows. [Allan Edwards]
  • Correct a mis-correlation between mpm_common.c and mpm_common.h; This patch reverts us to pre-2.0.46 behavior, using the ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle was never compiled on Win32. [Allan Edwards, William Rowe]
  • Fix a build problem with passing unsupported --enable-layout args to apr and apr-util. This broke binbuild.sh as well as user-specified layout parameters. PR 18649 [Justin Erenkrantz, Jeff Trawick]
  • If a Date response header was already set in the headers array, this value was ignored in favour of the current time. This meant that Date headers on proxied requests were rewritten when they should not have been. PR: 14376 [Graham Leggett]
  • Add code to buildconf that produces an httpd.spec file from httpd.spec.in, using build/get-version.sh from APR. [Graham Leggett]
  • Fixed a segfault when multiple ProxyBlock directives were used. PR: 19023 [Sami Tikka]
  • SECURITY: CVE-2003-0134 (cve.mitre.org) OS2: Fix a Denial of Service vulnerability, identified and reported by Robert Howard, where device names faulted the running OS2 worker process. The fix is actually in APR 0.9.4. [Brian Havard]
  • SECURITY: CVE-2003-0083 (cve.mitre.org) Forward port: Escape special characters (especially control characters) in mod_log_config to make a clear distinction between client-supplied strings (with special characters) and server-side strings. This was already introduced in version 1.3.25. [André Malo]
  • mod_deflate: Check also err_headers_out for an already set Content-Encoding: gzip header. This prevents gzip compressed content from a CGI script from being compressed once more. PR 17797. [André Malo]
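
The CVE-2003-0083 entry above describes escaping client-supplied strings before they reach the log. The following is an added example, not code from the Apache source: `escape_log_item()` and its escaping scheme (`\n`, `\r`, `\t`, `\"`, `\\`, and `\xhh` for other non-printable bytes) are assumptions chosen to illustrate the idea, and the sample header value is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Escape a client-supplied string before it is written to a log line.
 * Illustrative scheme (an assumption, not Apache's own routine).
 * Returns the escaped length, or -1 if dst is too small. */
int escape_log_item(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char esc[4] = { '\\', 0, 0, 0 };
        size_t n = 2;
        switch (*p) {
        case '\n': esc[1] = 'n';  break;
        case '\r': esc[1] = 'r';  break;
        case '\t': esc[1] = 't';  break;
        case '"':  esc[1] = '"';  break;   /* cannot close a quoted field */
        case '\\': esc[1] = '\\'; break;   /* keeps the escaping unambiguous */
        default:
            if (isprint(*p)) {             /* printable byte: copy unchanged */
                esc[0] = (char)*p;
                n = 1;
            } else {                       /* other control/high byte: \xhh */
                esc[1] = 'x';
                esc[2] = hex[*p >> 4];
                esc[3] = hex[*p & 0x0f];
                n = 4;
            }
        }
        if (o + n + 1 > dstlen)            /* leave room for the terminator */
            return -1;
        memcpy(dst + o, esc, n);
        o += n;
    }
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: a header value carrying CR/LF and an ESC byte. */
    const char *ua = "agent\r\nsecond line \"x\"\033[2J";
    char out[128];
    if (escape_log_item(ua, out, sizeof out) >= 0)
        printf("\"%s\"\n", out);           /* stays on one log line */
    return 0;
}
```

Because the backslash itself is escaped, a reader of the log can tell an escaped control byte from literal text the client sent.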