Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards

Apache 2.2.23 Changelog
  • SECURITY: CVE-2012-0883 (cve.mitre.org) envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the current working directory to be searched for DSOs. [Stefan Fritsch]
  • SECURITY: CVE-2012-2687 (cve.mitre.org) mod_negotiation: Escape filenames in variant list to prevent a possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled. [Niels Heinen ]
  • htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). [Paul Wouters , Joe Orton]
  • mod_ldap: Treat the "server unavailable" condition as a transient error with all LDAP SDKs. [Filip Valder ]
  • core: Add filesystem paths to access denied / access failed messages. [Eric Covener]
  • core: Fix error handling in ap_scan_script_header_err_brigade() if there is no EOS bucket in the brigade. PR 48272. [Stefan Fritsch]
  • core: Prevent "httpd -k restart" from killing server in presence of config error. [Joe Orton]
  • mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive, adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'. [Kaspar Brand, William Rowe]
  • mod_log_config: Fix %{abc}C truncating cookie values at first "=". PR 53104. [Greg Ames]
  • Unix MPMs: Fix small memory leak in parent process if connect() failed when waking up children. [Joe Orton]
  • mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945. [Peter Pramberger , Jim Jagielski]
  • Added SSLProxyMachineCertificateChainFile directive so the proxy client can select the proper client certificate when using a chain and the remote server only lists the root CA as allowed.
  • mpm_event, mpm_worker: Remain active amidst prevalent child process resource shortages. [Jeff Trawick]
  • mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
  • mod_rewrite: Fix the RewriteEngine directive to work within a location. Previously, once RewriteEngine was switched on globally, it was impossible to switch off. [Graham Leggett]
  • mod_proxy_balancer: Restore balancing after a failed worker has recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick]
  • mod_dumpio: Properly handle errors from subsequent input filters. PR 52914. [Stefan Fritsch]
  • mpm_worker: Fix cases where the spawn rate wasn't reduced after child process resource shortages. [Jeff Trawick]
  • mpm_prefork: Reduce spawn rate after a child process exits due to unexpected poll or accept failure. [Jeff Trawick]
  • core: Adjust ap_scan_script_header_err*() to prevent mod_cgi and mod_cgid from logging bogus data in case of errors. [Stefan Fritsch]
  • mod_disk_cache, mod_mem_cache: Decline the opportunity to cache if the response is a 206 Partial Content. This stops a reverse proxied partial response from becoming cached, and then being served in subsequent responses. PR 49113. [Graham Leggett]
  • configure: Fix usage with external apr and apu in non-default paths and recent gcc versions >= 4.6. [Jean-Frederic Clere]
  • core: Fix building against PCRE 8.30 by switching from the obsolete pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]
  • mod_proxy: Add the forcerecovery balancer parameter that determines if recovery for balancer workers is enforced. [Ruediger Pluem]