Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards

Apache 2.0.50 Changelog
  • SECURITY: CVE-2004-0493 (cve.mitre.org) Close a denial of service vulnerability identified by Georgi Guninski which could lead to memory exhaustion with certain input data. [Jeff Trawick]
  • mod_cgi: Handle output on stderr during script execution on Unix platforms; preventing deadlock when stderr output fills pipe buffer. Also fixes case where stderr from nph- scripts could be lost. PR 22030, 18348. [Joe Orton, Jeff Trawick]
  • mod_alias now emits a warning if it detects overlapping *Alias* directives. [André Malo]
  • mod_rewrite no longer turns forward proxy requests into reverse proxy requests. PR 28125 [ast domdv.de, André Malo]
  • ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now exported on Win32 and Netware as well (minor MMN bump). PR 28523. [Edward Rudd , André Malo]
  • Restore the ability to disable the use of AcceptEx on Win9x systems automatically (broken in 2.0.49). PR 28529. [André Malo]
  • now applies to all IP addresses for myhost instead of just the first one reported by the resolver. This corrects a regression since 1.3. [Jeff Trawick]
  • util_ldap: allow relative paths for LDAPTrustedCA to be resolved against ServerRoot PR#26602 [Brad Nicholes]
  • SECURITY: CVE-2004-0488 (cve.mitre.org) mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a (trusted) client certificate subject DN which exceeds 6K in length. [Joe Orton]
  • mod_dav_fs: Fix MKCOL response for missing parent collections, which caused issues for the Eclipse WebDAV extension. PR 29034. [Joe Orton]
  • mod_deflate: Fix memory consumption (which was proportional to the response size). PR 29318. [Joe Orton]
  • mod_ssl: Log the errors returned on failure to load or initialize a crypto accelerator engine. [Joe Orton]
  • Allow RequestHeader directives to be conditional. PR 27951. [Vincent Deffontaines , André Malo]
  • Allow LimitRequestBody to be reset to unlimited. PR 29106 [André Malo]
  • Fix a bunch of cases where the return code of the regex compiler was not checked properly. This affects: mod_setenvif, mod_usertrack, mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo]
  • mod_ssl: Fix a potential segfault in the 'shmcb' session cache for small cache sizes. PR 27751. [Geoff Thorpe ]
  • Remove 2Gb log file size restriction on some 32-bit platforms. PR 13511. [Joe Orton]
  • mod_logio no longer removes the EOS bucket. PR 27928. [Bojan Smojver ]
  • htpasswd no longer refuses to process files that contain empty lines. [André Malo]
  • Regression from 1.3: At startup, suexec now will be checked for availability, the setuid bit and user root. The works only if httpd is compiled with the shipped APR version (0.9.5). PR 28287. [André Malo]
  • Unix MPMs: Stop dropping connections when the file descriptor is at least FD_SETSIZE. [Jeff Trawick]
  • Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick]
  • mod_isapi: send_response_header() failed to copy status string's last character. PR 20619. [Jesse Pelton ]
  • Fix a segfault when requests for shared memory fails and returns NULL. Fix a segfault caused by a lack of bounds checking on the cache. PR 24801. [Graham Leggett]
  • Throw an error message if an attempt is made to use the LDAPTrustedCA or LDAPTrustedCAType directives in a VirtualHost. PR 26390 [Brad Nicholes]
  • Fix a potential segfault if the bind password in the LDAP cache is NULL. PR 28250. [Jari Ahonen ]
  • Quotes cannot be used around require group and require dn directives, update the documentation to reflect this. Also add quotes around the dn and group within debug messages, to make it more obvious why authentication is failing if quotes are used in error. PR 19304. [Graham Leggett]
  • The Microsoft LDAP SDK escapes filters for us, stop util_ldap from escaping filters twice when the backslash character is used. PR 24437. [Jess Holle ]
  • Overhaul handling of LDAP error conditions, so that the util_ldap_* functions leave the connections in a sane state after errors have occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134, 27271 [Graham Leggett]
  • mod_ldap calls ldap_simple_bind_s() to validate the user credentials. If the bind fails, the connection is left in an unbound state. Make sure that the ldap connection record is updated to show that the connection is no longer bound. [Brad Nicholes]
  • Ensure that lines in the request which are too long are properly terminated before logging. [Tsurutani Naoki ]
  • Update the bind credentials for the cached LDAP connection to reflect the last bind. This prevents util_ldap from creating unnecessary connections rather than reusing cached connections. [Brad Nicholes]
  • mod_isapi: GetServerVariable returned improperly terminated header fields given "ALL_HTTP" or "ALL_RAW". PR 20656. [Jesse Pelton ]
  • mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer size. PR 20617. [Jesse Pelton ]
  • mod_dav: Fix a problem that could cause crashes when manipulating locks on some platforms. [Jeff Trawick]
  • mod_headers no longer crashes if an empty header value should be added. [André Malo]
  • Fix segfault in mod_expires, which occured under certain circumstances. PR 28047. [André Malo]
  • htpasswd: use apr_temp_dir_get() and general cleanup [Guenter Knauf , Thom May]
  • mod_ssl: Fix memory leak in session cache handling. PR 26562 [Madhusudan Mathihalli]
  • mod_ssl: Fix potential segfaults when performing SSL shutdown from a pool cleanup. PR 27945. [Joe Orton]
  • Add forensic logging module (mod_log_forensic). [Ben Laurie]
  • logresolve: Allow size of log line buffer to be overridden at build time (MAXLINE). PR 27793. [Jeff Trawick]
  • Fix the comment delimiter in htdbm so that it correctly parses the username comment. Also add a terminate function to allow NetWare to pause the output before the screen is destroyed. [Guenter Knauf , Brad Nicholes]
  • Fix crash when Apache was started with no Listen directives. [Michael Corcoran ]
  • core_output_filter: Fix bug that could result in sending garbage over the network when module handlers construct bucket brigades containing multiple file buckets all referencing the same open file descriptor. [Bojan Smojver]
  • Fix memory corruption problem with ap_custom_response() function. The core per-dir config would later point to request pool data that would be reused for different purposes on different requests. [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]
  • Win32: Tweak worker thread accounting routines to eliminate server hang when number of Listen directives in httpd.conf is greater than or equal to the setting of ThreadsPerChild. [Bill Stoddard]