Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 2.0.65 Changelog
  • SECURITY: CVE-2013-1862 (cve.mitre.org) mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file. [Eric Covener, Jeff Trawick, Joe Orton]
  • SECURITY: CVE-2012-0053 (cve.mitre.org) Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400. [Eric Covener]
  • SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process to cause the parent to crash at shutdown rather than terminate cleanly. [Joe Orton]
  • SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations. [Joe Orton]
  • SECURITY: CVE-2011-3192 (cve.mitre.org) core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file. PR 51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
  • SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file. [Stefan Fritsch, Greg Ames]
  • NOTE: it remains possible to exhaust all memory using a carefully crafted .htaccess rule, which will not be addressed in 2.0; enabling processing of .htaccess files authored by untrusted users is the root of such security risks. Upgrade to httpd 2.2.25 or later to limit this specific risk.
  • core: Add MaxRanges directive to control the number of ranges permitted before returning the entire resource, with a default limit of 200. [Eric Covener, Rainer Jung]
  • Set 'Accept-Ranges: none' in the case Ranges are being ignored with MaxRanges none. [Eric Covener, Rainer Jung]
  • mod_rewrite: Allow merging RewriteBase down to subdirectories if new option 'RewriteOptions MergeBase' is configured. [Eric Covener]
  • mod_rewrite: Fix the RewriteEngine directive to work within a location. Previously, once RewriteEngine was switched on globally, it was impossible to switch off. [Graham Leggett]
  • mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
  • htdigest: Fix buffer overflow when reading digest password file with very long lines. PR 54893. [Rainer Jung]
  • mod_ssl: Add "SSLHonorCipherOrder" directive to enable the OpenSSL 0.9.7 flag which uses the server's cipher order rather than the client's. PR 28665. [Jim Schneider]
  • mod_include: Prevent a case of SSI timefmt-smashing with filter chains including multiple INCLUDES filters. PR 39369. [Joe Orton]
  • mod_rewrite: When evaluating a proxy rule in directory context, do escape the filename by default. PR 46428. [Joe Orton]
  • Improve platform detection for bundled PCRE by updating config.guess and config.sub. [Rainer Jung]
  • ssl-std.conf: Disable AECDH ciphers in example config. PR 51363. [Rob Stradling]
  • ssl-std.conf: Change the SSLCipherSuite default to a shorter, whitelist oriented definition. [Rainer Jung, Kaspar Brand]
  • ssl-std.conf: Only select old MSIE browsers for the downgrade in http/https behavior. [Greg Stein, Stefan Fritsch]
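The following is a model of the byte-range policy that the CVE-2011-3192 entry and the MaxRanges / Accept-Ranges entries above describe: count the ranges against the MaxRanges limit (default 200), add up their lengths, and fall back to sending the complete resource when either check fails. It is an added example, not httpd's own code. The function names, the "unlimited" and "none" spellings used for the MaxRanges argument, the 416 reply for a request with no satisfiable range, and the 10 000-byte sample resource are assumptions made for the example.

```python
import re

DEFAULT_MAX_RANGES = 200  # default limit named in the MaxRanges changelog entry

_BYTE_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header, size):
    """Parse a 'bytes=...' Range header against a resource of `size` bytes.

    Returns a list of inclusive (first, last) pairs, or None when the header is
    syntactically invalid and must be ignored as a whole (RFC 2616 14.35.1).
    Unsatisfiable specs (start beyond the end of the resource) are dropped.
    """
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        match = _BYTE_RANGE_SPEC.match(spec.strip())
        if not match:
            return None
        first, last = match.groups()
        if first == "" and last == "":
            return None
        if first == "":                        # suffix spec: the last N bytes
            suffix_len = int(last)
            if suffix_len == 0:
                continue
            ranges.append((max(0, size - suffix_len), size - 1))
            continue
        start = int(first)
        if last != "" and int(last) < start:   # last-byte-pos before first-byte-pos
            return None
        if start >= size:                      # unsatisfiable: skip this spec
            continue
        end = size - 1 if last == "" else min(int(last), size - 1)
        ranges.append((start, end))
    return ranges


def decide_range_response(header, size, max_ranges=DEFAULT_MAX_RANGES):
    """Apply the 2.0.65 policy to one request and return (status, ranges, headers).

    max_ranges is an int, "unlimited" or "none" (assumed spellings modelling the
    MaxRanges directive). 206 carries the ranges to serve; 200 means the server
    ignores the Range header and sends the whole resource; 416 means no range in
    the request was satisfiable.
    """
    headers = {"Accept-Ranges": "bytes"}
    if max_ranges == "none":                   # ranges ignored outright; say so
        headers["Accept-Ranges"] = "none"
        return 200, None, headers
    ranges = parse_byte_ranges(header, size)
    if ranges is None:
        return 200, None, headers
    if not ranges:
        return 416, None, headers
    if max_ranges != "unlimited" and len(ranges) > max_ranges:
        return 200, None, headers              # too many ranges: entire resource
    if sum(last - first + 1 for first, last in ranges) > size:
        return 200, None, headers              # ranges add up to more than the file
    return 206, ranges, headers


# Constructed requests against a hypothetical 10 000-byte resource.
RESOURCE_SIZE = 10_000
MANY_OVERLAPPING = "bytes=" + ",".join(["0-"] * 3)                  # 3 x the whole file
MANY_TINY = "bytes=" + ",".join(f"{i}-{i}" for i in range(250))     # 250 one-byte ranges

if __name__ == "__main__":
    for label, hdr in [("single", "bytes=0-499"), ("suffix", "bytes=-500"),
                       ("overlapping", MANY_OVERLAPPING), ("tiny", MANY_TINY)]:
        status, ranges, hdrs = decide_range_response(hdr, RESOURCE_SIZE)
        print(f"{label:12s} -> {status} ranges={len(ranges) if ranges else 0} {hdrs}")
```

The two constructed headers show the two independent triggers: the overlapping request stays under the range count but its total exceeds the file, and the 250 tiny ranges fit in the file but exceed the default limit; both are answered with the complete resource, which is the fallback the changelog entries specify. Passing "unlimited" restores the old behaviour for the count check only, and "none" adds the Accept-Ranges: none header described for that setting.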