Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards

Apache 2.0.48 Changelog
  • SECURITY: CVE-2003-0789 (cve.mitre.org) mod_cgid: Resolve some mishandling of the AF_UNIX socket used to communicate with the cgid daemon and the CGI script. [Jeff Trawick]
  • SECURITY: CVE-2003-0542 (cve.mitre.org) Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. [André Malo]
  • mod_include: fix segfault which occured if the filename was not set, for example, when processing some error conditions. PR 23836. [Brian Akins , André Malo]
  • fix the config parser to support .. containers (no arguments in the opening tag) supported by httpd 1.3. Without this change mod_perl 2.0's sections are broken. ["Philippe M. Chiasson" ]
  • mod_cgid: fix a hash table corruption problem which could result in the wrong script being cleaned up at the end of a request. [Jeff Trawick]
  • Update httpd-*.conf to be clearer in describing the connection between AddType and AddEncoding for defining the meaning of compressed file extensions. [Roy Fielding]
  • mod_rewrite: Don't die silently when failing to open RewriteLogs. PR 23416. [André Malo]
  • mod_rewrite: Fix mod_rewrite's support of the [P] option to send rewritten request using "proxy:". The code was adding multiple "proxy:" fields in the rewritten URI. PR: 13946. [Eider Oliveira ]
  • cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and expires as directed in RFC 2616. [Thomas Castelle ]
  • Ensure that ssl-std.conf is generated at configure time, and switch to using the expanded config variables to work the same as httpd-std.conf PR: 19611 [Thom May]
  • mod_ssl: Fix segfaults after renegotiation failure. PR 21370 [Hartmut Keil ]
  • mod_autoindex: If a directory contains a file listed in the DirectoryIndex directive, the folder icon is no longer replaced by the icon of that file. PR 9587. [David Shane Holden ]
  • Fixed mod_usertrack to not get false positive matches on the user-tracking cookie's name. PR 16661. [Manni Wood ]
  • mod_cache: Fix the cache code so that responses can be cached if they have an Expires header but no Etag or Last-Modified headers. PR 23130. []
  • mod_log_config: Fix %b log format to write really "-" when 0 bytes were sent (e.g. with 304 or 204 response codes). [Astrid Keßler]
  • Modify ap_get_client_block() to note if it has seen EOS. [Justin Erenkrantz]
  • Fix a bug, where mod_deflate sometimes unconditionally compressed the content if the Accept-Encoding header contained only other tokens than "gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
  • Avoid an infinite recursion, which occured if the name of an included config file or directory contained a wildcard character. PR 22194. [André Malo]
  • mod_ssl: Fix a problem setting variables that represent the client certificate chain. PR 21371 [Jeff Trawick]
  • Unix: Handle permissions settings for flock-based mutexes in unixd_set_global|proc_mutex_perms(). Allow the functions to be called for any type of mutex. PR 20312 [Jeff Trawick]
  • ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
  • Fix a misleading message from the some of the threaded MPMs when MaxClients has to be lowered due to the setting of ServerLimit. [Jeff Trawick]
  • Lower the severity of the "listener thread didn't exit" message to debug, as it is of interest only to developers. PR 9011 [Jeff Trawick]
  • MPMs: The bucket brigades subsystem now honors the MaxMemFree setting. [Cliff Woolley, Jean-Jacques Clar]
  • Install config.nice into the build/ directory to make minor version upgrades easier. [Joshua Slive]
  • Fix mod_deflate so that it does not call deflate() without checking first whether it has something to deflate. (Currently this causes deflate to generate a fatal error according to the zlib spec.) PR 22259. [Stas Bekman]
  • mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an identity spoof is encountered. [Sander Striker]
  • mod_rewrite: Ignore RewriteRules in .htaccess files if the directory containing the .htaccess file is requested without a trailing slash. PR 20195. [André Malo]
  • ab: Overlong credentials given via command line no longer clobber the buffer. [André Malo]
  • mod_deflate: Don't attempt to hold all of the response until we're done. [Justin Erenkrantz]
  • Assure that we block properly when reading input bodies with SSL. PR 19242. [David Deaves , William Rowe]
  • Update mime.types to include latest IANA and W3C types. [Roy Fielding]
  • mod_ext_filter: Set additional environment variables for use by the external filter. PR 20944. [Andrew Ho, Jeff Trawick]
  • Fix buildconf errors when libtool version changes. [Jeff Trawick]
  • Remember an authenticated user during internal redirects if the redirection target is not access protected and pass it to scripts using the REDIRECT_REMOTE_USER environment variable. PR 10678, 11602. [André Malo]
  • mod_include: Fix a trio of bugs that would cause various unusual sequences of parsed bytes to omit portions of the output stream. PR 21095. [Ron Park , André Malo, Cliff Woolley]
  • Update the header token parsing code to allow LWS between the token word and the ':' seperator. [PR 16520] [Kris Verbeeck , Nicel KM ]
  • Eliminate creation of a temporary table in ap_get_mime_headers_core() [Joe Schaefer ]
  • Added FreeBSD directory layout. PR 21100. [Sander Holthaus , André Malo]
  • Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP response. PR 21085. [Glenn Nielsen , André Malo]
  • mod_rewrite: Perform child initialization on the rewrite log lock. This fixes a log corruption issue when flock-based serialization is used (e.g., FreeBSD). [Jeff Trawick]
  • Don't respect the Server header field as set by modules and CGIs. As with 1.3, for proxy requests any such field is from the origin server; otherwise it will have our server info as controlled by the ServerTokens directive. [Jeff Trawick]