Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 2.0.55 Changelog
  • SECURITY: CVE-2005-2700 (cve.mitre.org) mod_ssl: Fix a security issue where "SSLVerifyClient" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the vhost configuration. [Joe Orton]
  • SECURITY: CVE-2005-2970 (cve.mitre.org) worker MPM: Fix a memory leak which can occur after an aborted connection in some limited circumstances. [Greg Ames]
  • mod_ldap: Fix PR 36563. Keep track of the number of attributes retrieved from LDAP so that all of the values can be properly cached even if the value is NULL. [Brad Nicholes, Ondrej Sury]
  • SECURITY: CVE-2005-2491 (cve.mitre.org): Fix integer overflows in PCRE in quantifier parsing which could be triggered by a local user through use of a carefully-crafted regex in an .htaccess file. [Philip Hazel]
  • SECURITY: CVE-2005-2088 (cve.mitre.org) proxy: Correctly handle the Transfer-Encoding and Content-Length headers. Discard the request Content-Length whenever T-E: chunked is used, always passing one of either C-L or T-E: chunked whenever the request includes a request body. Resolves an entire class of proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]
  • Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method. This addresses a flaw in proxy conformance to RFC 2616 - previously the proxy server would accept a TRACE request body although the RFC prohibited it. The default remains 'TraceEnable on'. [William Rowe]
  • Add ap_log_cerror() for logging messages associated with particular client connections. [Jeff Trawick]
  • Correct mod_cgid's argv[0] so that the full path can be delved by the invoked cgi application, to conform to the behavior of mod_cgi. [Pradeep Kumar S]
  • mod_include: Fix possible environment variable corruption when using nested includes. PR 12655. [Joe Orton]
  • Support the suppress-error-charset setting, as with Apache 1.3.x. PR 31274. [Jeff Trawick]
  • EBCDIC: Handle chunked input from client or, with proxy, origin server. [Jeff Trawick]
  • Fix bad globbing comparison which could result in getting a directory listing when a file was requested. PR 34512. [sean]
  • Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker() was called even if mod_auth_ldap_check_user_id() was not (or if it didn't succeed) for non-authoritative cases. [Jim Jagielski]
  • SECURITY: CVE-2005-2728 (cve.mitre.org) Fix cases where the byterange filter would buffer responses into memory. PR 29962. [Joe Orton]
  • mod_proxy: Fix over-eager handling of '%' for reverse proxies. PR 15207. [Jim Jagielski]
  • mod_ldap: Fix various shared memory cache handling bugs. PR 34209. [Joe Orton]
  • Fix a file descriptor leak when starting piped loggers. PR 33748. [Joe Orton]
  • mod_ldap: Avoid segfaults when opening connections if using a version of OpenLDAP older than 2.2.21. PR 34618. [Brad Nicholes]
  • mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe]
  • SECURITY: CVE-2005-2088 (cve.mitre.org) core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
  • proxy HTTP: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection, mitigating some HTTP Response Splitting attacks. [Jeff Trawick]
  • Prevent hangs of child processes when writing to piped loggers at the time of graceful restart. PR 26467. [Jeff Trawick]
  • SECURITY: CVE-2005-1268 (cve.mitre.org) mod_ssl: Fix off-by-one overflow whilst printing CRL information at "LogLevel debug" which could be triggered if configured to use a "malicious" CRL. PR 35081. [Marc Stern]
  • mod_userdir: Fix possible memory corruption issue. PR 34588. [David Leonard]
  • worker mpm: don't take down the whole server for a transient thread creation failure. PR 34514 [Greg Ames]
  • mod_rewrite: use buffered I/O to improve performance with large RewriteMap txt: files. [Greg Ames]
  • proxy HTTP: Rework the handling of request bodies to handle chunked input and input filters which modify content length, and avoid spooling arbitrary-sized request bodies in memory. PR 15859. [Jeff Trawick]
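
The framing rule from the CVE-2005-2088 entries above (a message carrying both Transfer-Encoding and Content-Length loses its Content-Length, and a proxied response in that state is not reused), sketched as an added example; this is not code from Apache httpd, and the `struct msg` header table, function names and sample host are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical header table for this example; httpd itself uses APR tables. */
struct hdr { const char *name, *value; };
struct msg { struct hdr h[8]; size_t n; int is_response, keepalive; };

/* Case-insensitive comparison: HTTP field names are not case-sensitive. */
static int ieq(const char *a, const char *b) {
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == *b;
}

static int has_hdr(const struct msg *m, const char *name) {
    for (size_t i = 0; i < m->n; i++)
        if (ieq(m->h[i].name, name)) return 1;
    return 0;
}

/* Remove every header called `name` (duplicates too); returns the count. */
static int drop_hdr(struct msg *m, const char *name) {
    size_t out = 0;
    int dropped = 0;
    for (size_t i = 0; i < m->n; i++) {
        if (ieq(m->h[i].name, name)) { dropped++; continue; }
        m->h[out++] = m->h[i];
    }
    m->n = out;
    return dropped;
}

/* Transfer-Encoding wins: Content-Length is removed so that every hop frames
 * the body the same way. A response that needed this fix-up is also marked
 * as not reusable. Returns the number of Content-Length headers removed. */
int normalize_framing(struct msg *m) {
    if (!has_hdr(m, "Transfer-Encoding")) return 0;
    int dropped = drop_hdr(m, "Content-Length");
    if (dropped > 0 && m->is_response) m->keepalive = 0;
    return dropped;
}

int main(void) {
    /* Constructed sample request carrying both framing headers. */
    struct msg m = { { {"Host", "example.test"}, {"Content-Length", "4"},
                       {"Transfer-Encoding", "chunked"} }, 3, 0, 1 };
    int dropped = normalize_framing(&m);
    printf("dropped=%d remaining=%zu keepalive=%d\n", dropped, m.n, m.keepalive);
    return 0;
}
```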