Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards

Apache 2.2.24 Changelog
  • SECURITY: CVE-2012-3499 (cve.mitre.org) Various XSS flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. [Jim Jagielski, Stefan Fritsch, Niels Heinen ]
  • SECURITY: CVE-2012-4558 (cve.mitre.org) XSS in mod_proxy_balancer manager interface. [Jim Jagielski, Niels Heinen ]
  • mod_rewrite: Stop merging RewriteBase down to subdirectories unless new option 'RewriteOptions MergeBase' is configured. Merging RewriteBase was unconditionally turned on in 2.2.23. PR 53963. [Eric Covener]
  • mod_ssl: Send the error message for speaking http to an https port using HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when using SNI. PR 50823. [Stefan Fritsch]
  • mod_ssl: log revoked certificates at level INFO instead of DEBUG. PR 52162. [Stefan Fritsch]
  • mod_proxy_ajp: Support unknown HTTP methods. PR 54416. [Rainer Jung]
  • mod_dir: Add support for the value 'disabled' in FallbackResource. [Vincent Deffontaines]
  • mod_ldap: Fix regression in handling "server unavailable" errors on Windows. PR 54140. [Eric Covener]
  • mod_ssl: fix a regression with the string rendering of the "UID" RDN introduced in 2.2.15. PR 54510. [Kaspar Brand] ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output to more accurately report the negotiated protocol. PR 53916. [Nicolás Pernas Maradei , Kaspar Brand]
  • mod_cache: Explicitly allow cache implementations to cache a 206 Partial Response if they so choose to do so. Previously an attempt to cache a 206 was arbitrarily allowed if the response contained an Expires or Cache-Control header, and arbitrarily denied if both headers were missing. Currently the disk and memory cache providers do not cache 206 Partial Responses. [Graham Leggett]
  • core: Remove unintentional APR 1.3 dependency introduced with Apache 2.2.22. [Eric Covener]
  • core: Use a TLS 1.0 close_notify alert for internal dummy connection if the chosen listener is configured for https. [Joe Orton]
  • mod_ssl: Add new directive SSLCompression to disable TLS-level compression. PR 53219. [Björn Jacke , Stefan Fritsch]