Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 2.3.15 Changelog
  • SECURITY: CVE-2011-3348 (cve.mitre.org) mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized. [Jean-Frederic Clere]
  • SECURITY: CVE-2011-3192 (cve.mitre.org) core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file. PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
  • SECURITY: CVE-2011-3607 (cve.mitre.org) core: Fix integer overflow in ap_pregsub. This can be triggered e.g. with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]
  • SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations. [Joe Orton]
  • configure: Load all modules in the generated default configuration when using --enable-load-all-modules. [Rainer Jung]
  • mod_reqtimeout: Change the default to set some reasonable timeout values. [Stefan Fritsch]
  • core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove the inode. PR 49623. [Stefan Fritsch]
  • mod_lua: Expose SSL variables via r:ssl_var_lookup(). [Eric Covener]
  • mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName} can now additionally be run as "early" or "late" relative to other modules. [Eric Covener]
  • configure: By default, only load those modules that are either required or explicitly selected by a configure --enable-foo argument. The LoadModule statements for modules enabled by --enable-mods-shared=most and friends will be commented out. [Stefan Fritsch]
  • mod_lua: Prevent early Lua hooks (LuaHookTranslateName and LuaHookQuickHandler) from being configured in per-directory contexts (directory and location containers and .htaccess), where the configuration would have been silently ignored because these hooks run before per-directory configuration is merged. [Eric Covener]
  • mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors in LuaMapHandler scripts [Eric Covener]
  • mod_log_debug: Rename optional argument from if= to expr=, to be more in line with other config directives. [Stefan Fritsch]
  • mod_headers: Require an expression to be specified with expr=, to be more in line with other config directives. [Stefan Fritsch]
  • mod_substitute: To prevent excessive memory usage, limit line length to 1MB. [Stefan Fritsch]
  • mod_lua: Make the query string (r.args) writable. [Eric Covener]
  • mod_include: Add support for application/x-www-form-urlencoded encoding and decoding. [Graham Leggett]
  • rotatelogs: Add -c option to force logfile creation in every rotation interval, even if empty. [Jan Kaluža]
  • core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings. [Stefan Fritsch]
  • mod_session_crypto: Refactor to support the new apr_crypto API. [Graham Leggett]
  • http: Add missing Location header if local URL-path is used as ErrorDocument for 30x. [Stefan Fritsch]
  • mod_buffer: Make sure we step down for subrequests, but not for internal redirects triggered by mod_rewrite. [Graham Leggett]
  • mod_lua: Add r:construct_url as a wrapper for ap_construct_url. [Eric Covener]
  • mod_remote_ip: Fix configuration of internal proxies. PR 49272. [Jim Riggs]
  • mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific server IP endpoint and remote client IP upon connection. [William Rowe]
  • mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with PeerExtList(). [Stefan Fritsch]
  • mpm_prefork, mpm_worker, mpm_event: If a child is created just before graceful restart and then exits because of a missing lock file, don't shutdown the whole server. PR 39311. [Shawn Michael]
  • mpm_event: Check the return value from ap_run_create_connection. PR 41194. [Davi Arnaut]
  • mod_mime_magic: Add signatures for PNG and SWF to the example config. PR 48352. [Jeremy Wagner-Kaiser]
  • core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items from the parsed (or default) config. This is useful for init scripts that need to setup temporary directories and permissions. [Stefan Fritsch]
  • core, mod_actions, mod_asis: Downgrade error log messages which accompany a 404 request status from loglevel error to info. PR 35768. [Stefan Fritsch]
  • core: Fix hook sorting with Perl modules. PR 45076. [Torsten Foertsch]
  • core: Enforce LimitRequestFieldSize after multiple headers with the same name have been merged. [Stefan Fritsch]
  • mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory usage. PR 51618. [Cristian Rodríguez, Stefan Fritsch]
  • mod_ssl: At startup, when checking a server certificate whether it matches the configured ServerName, also take dNSName entries in the subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand]
  • mod_substitute: Reduce memory usage and copying of data. PR 50559. [Stefan Fritsch]
  • mod_ssl/proxy: enable the SNI extension for backend TLS connections [Kaspar Brand]
  • Add wrappers for malloc, calloc, realloc that check for out of memory situations and use them in many places. PR 51568, PR 51569, PR 51571. [Stefan Fritsch]
  • Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is false but RLIMIT_* are defined. PR 51371. [Eric Covener]
  • core: Correctly obey ServerName / ServerAlias if the Host header from the request matches the VirtualHost address. PR 51709. [Micha Lenk]
  • mod_unique_id: Use random number generator to initialize counter. PR 45110. [Stefan Fritsch]
  • core: Add convenience API for apr_random. [Stefan Fritsch]
  • core: Add MaxRangeOverlaps and MaxRangeReversals directives to control the number of overlapping and reversing ranges (respectively) permitted before returning the entire resource, with a default limit of 20. [Jim Jagielski]
  • mod_ldap: Optional function uldap_ssl_supported(r) always returned false if called from a virtual host with mod_ldap directives in it. Did not affect mod_authnz_ldap's usage of mod_ldap. [Eric Covener]
  • mod_filter: Instead of dropping the Accept-Ranges header when a filter registered with AP_FILTER_PROTO_NO_BYTERANGE is present, set the header value to "none". [Eric Covener, Ruediger Pluem]
  • core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none' in the case Ranges are being ignored with MaxRanges none. [Eric Covener]
  • mod_ssl: revamp CRL-based revocation checking when validating certificates of clients or proxied servers. Completely delegate CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck directive for controlling the revocation checking mode. [Kaspar Brand]
  • core: Add MaxRanges directive to control the number of ranges permitted before returning the entire resource, with a default limit of 200. [Eric Covener]
  • mod_cache: Ensure that CacheDisable can correctly appear within a LocationMatch. [Graham Leggett]
  • mod_cache: Fix the moving of the CACHE filter, which erroneously stood down if the original filter was not added by configuration. [Graham Leggett]
  • mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]
  • mod_authz_groupfile: Increase length limit of lines in the group file to 16MB. PR 43084. [Stefan Fritsch]
  • core: Increase length limit of lines in the configuration file to 16MB. PR 45888. PR 50824. [Stefan Fritsch]
  • core: Add API for resizable buffers. [Stefan Fritsch]
  • mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such as Tivoli Directory Server 6.3 and later. [Eric Covener]
  • mod_ldap: Change the default number of retries from 10 to 3, and add LDAPRetries and LDAPRetryDelay directives. [Eric Covener]
  • mod_authnz_ldap: Don't retry during authentication, because this just multiplies the ample retries already being done by mod_ldap. [Eric Covener]
  • configure: Allow to explicitly disable modules even with module selection 'reallyall'. [Stefan Fritsch]
  • mod_rewrite: Check validity of each internal (int:) RewriteMap even if the RewriteEngine is disabled in server context, avoiding a crash while referencing the invalid int: map at runtime. PR 50994. [Ben Noordhuis]
  • mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]
  • mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
  • mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit. [Kaspar Brand]
  • mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the cookie is set when modules such as mod_rewrite trigger a redirect. Also use r->err_headers_out for the cookie, for the same reason. PR 29755. [Sami J. Mäkinen, Eric Covener]
  • mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and 'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch]
  • configure: Enable ldap modules in 'all' and 'most' selections if ldap is compiled into apr-util. [Stefan Fritsch]
  • core: Add an ap_check_cmd_context() check for whether a command is being executed from a .htaccess file. [Stefan Fritsch]
  • mod_deflate: Fix endless loop if first bucket is metadata. PR 51590. [Torsten Foertsch]
  • mod_authn_socache: Fix to work in .htaccess if not configured anywhere in httpd.conf, and introduce an AuthnCacheEnable directive. PR 51991. [Nick Kew]
  • mod_xml2enc: new (formerly third-party) module supporting internationalisation for filters via smart charset sniffing and conversion. [Nick Kew]
  • mod_proxy_html: new (formerly third-party) module to fix up HTML links in a reverse proxy situation, where a backend generates URLs that are not resolvable by Clients. [Nick Kew]
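Several of the entries above (the CVE-2011-3192 byte-range fix, and the MaxRanges, MaxRangeOverlaps and MaxRangeReversals directives with their defaults of 200, 20 and 20) describe one policy: a Range header is honoured only when the ranges are few, mostly ordered, mostly non-overlapping and together no larger than the resource; otherwise the whole file is served, and a header with nothing satisfiable gets 416. The following is an added example that models that policy in Python so it can be exercised against sample headers; it is not httpd's own code, and the function names (parse_range_specs, resolve, decide, apache_killer_header) and the "Apache Killer"-shaped header it constructs are this example's own. Malformed individual range-specs are skipped rather than rejecting the whole header, which is the lenient parsing that made the 2011 request shape cheap to send.

```python
"""Model of the httpd 2.3.15 byte-range policy (added example, not httpd code)."""
import re
from typing import List, Optional, Tuple

# Defaults named in the changelog. The directive names are real; the
# Python names below are this example's own.
MAX_RANGES = 200            # MaxRanges
MAX_RANGE_OVERLAPS = 20     # MaxRangeOverlaps
MAX_RANGE_REVERSALS = 20    # MaxRangeReversals

_SPEC = re.compile(r"^(\d*)-(\d*)$")
Spec = Tuple[Optional[int], Optional[int]]   # as written in the header
Range = Tuple[int, int]                      # inclusive, clamped to the file


def parse_range_specs(header: str) -> Optional[List[Spec]]:
    """Parse 'bytes=a-b,c-,-n'. None if this is not a bytes range at all."""
    if not header.lower().startswith("bytes="):
        return None
    specs: List[Spec] = []
    for raw in header[len("bytes="):].split(","):
        m = _SPEC.match(raw.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            continue  # malformed spec: skipped, the rest of the header still counts
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        specs.append((first, last))
    return specs


def resolve(spec: Spec, clen: int) -> Optional[Range]:
    """Clamp one spec to a resource of clen bytes; None if unsatisfiable."""
    first, last = spec
    if first is None:                 # suffix form "-n": the last n bytes
        if last == 0:
            return None
        return (max(clen - last, 0), clen - 1)
    if first >= clen:
        return None
    if last is None or last >= clen:  # "a-" or an end past EOF
        last = clen - 1
    if first > last:                  # e.g. "5-0": unsatisfiable
        return None
    return (first, last)


def decide(header: str, clen: int, max_ranges: int = MAX_RANGES,
           max_overlaps: int = MAX_RANGE_OVERLAPS,
           max_reversals: int = MAX_RANGE_REVERSALS):
    """Return ('full', []), ('partial', ranges) or ('416', [])."""
    specs = parse_range_specs(header)
    if not specs:
        return ("full", [])
    if len(specs) > max_ranges:                  # MaxRanges: serve the whole file
        return ("full", [])
    ranges = [r for r in (resolve(s, clen) for s in specs) if r is not None]
    if not ranges:
        return ("416", [])                       # nothing satisfiable
    if sum(e - s + 1 for s, e in ranges) > clen: # CVE-2011-3192: sum > file size
        return ("full", [])
    # Reversals are counted in request order, overlaps on the sorted ranges.
    reversals = sum(1 for a, b in zip(ranges, ranges[1:]) if b[0] < a[0])
    ordered = sorted(ranges)
    overlaps = sum(1 for a, b in zip(ordered, ordered[1:]) if b[0] <= a[1])
    if overlaps > max_overlaps or reversals > max_reversals:
        return ("full", [])
    return ("partial", ranges)


def apache_killer_header(n: int = 1300) -> str:
    """Constructed sample in the shape of the 2011 'Apache Killer' request."""
    return "bytes=0-," + ",".join(f"5-{k}" for k in range(n))


if __name__ == "__main__":
    for h in ("bytes=0-99", "bytes=0-,5-6,5-7", apache_killer_header()):
        print(h[:40], "->", decide(h, 1000)[0])
```

Two of the checks are independent: the constructed killer header is already refused by the MaxRanges count, but raising that limit does not help an attacker because the sum of its clamped ranges still exceeds the file size. Overlap and reversal limits catch the cheaper variants that stay under both the count and the size.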
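The CVE-2011-3368 entry is terse about why a non-conforming request-URI mattered: a reverse-proxy rule that appends the request-URI to a backend URL turns a request line such as "GET @other-host/ HTTP/1.0" into "http://backend@other-host/", whose authority component now names a different host. The added example below, which is not httpd's code, models the request-line shape check (asterisk, abs_path, absoluteURI, or authority form for CONNECT only) next to a model of the pre-fix URL expansion, so the two behaviours can be compared on the same input. The backend name, the rewrite it models and the helper names (request_uri_form, proxied_host, route) are this example's assumptions, and the absoluteURI test is simplified to "scheme://".

```python
"""Request-URI shape check behind the CVE-2011-3368 fix (added example)."""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Simplified absoluteURI: a scheme followed by "://" (enough for http/https).
_ABSOLUTE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
_AUTHORITY = re.compile(r"^[^/@\s]+:\d+$")   # host:port, CONNECT only
BACKEND = "http://backend.internal"          # assumed reverse-proxy target


def request_uri_form(method: str, uri: str) -> Optional[str]:
    """Classify a request-URI per RFC 2616 5.1.2; None means reject with 400."""
    if uri == "*":
        return "asterisk"
    if uri.startswith("/"):
        return "abs_path"
    if _ABSOLUTE.match(uri):
        return "absoluteURI"
    if method.upper() == "CONNECT" and _AUTHORITY.match(uri):
        return "authority"
    return None


def proxied_host(uri: str) -> Optional[str]:
    """Host that 'RewriteRule ^(.*) http://backend.internal$1 [P]' (modelled
    here as plain concatenation) would connect to with no request-line check."""
    return urlsplit(BACKEND + uri).hostname


def route(method: str, uri: str) -> Tuple[int, Optional[str]]:
    """Post-fix behaviour: 400 for a malformed request-URI, else proxy it."""
    if request_uri_form(method, uri) is None:
        return (400, None)
    return (200, proxied_host(uri))


if __name__ == "__main__":
    for uri in ("/index.html", "@evil.example/"):
        print(f"{uri:16} pre-fix host={proxied_host(uri)!s:16} post-fix={route('GET', uri)}")
```

The expansion model shows the mechanism: "backend.internal" becomes the userinfo of the rewritten URL and "evil.example" becomes its host. The fix does not change the rewrite rule; it refuses the request line before any rule runs, which is why the changelog entry describes it as a core change rather than a mod_proxy or mod_rewrite one.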