Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 2.3.3 Changelog
  • SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials. [Stefan Fritsch, Joe Orton]
  • SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch, Joe Orton]
  • mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against OpenSSL 1.0.0b3. [Vipul Gupta, Sander Temme]
  • mod_dav: Include uri when logging a PUT error due to connection abort. PR 38149. [Stefan Fritsch]
  • mod_dav: Return 409 instead of 500 for a LOCK request if the parent resource does not exist or is not a collection. PR 43465. [Stefan Fritsch]
  • mod_dav_fs: Return 409 instead of 500 for Litmus test case copy_nodestcoll (a COPY request where the parent of the destination resource does not exist). PR 39299. [Stefan Fritsch]
  • mod_dav_fs: Don't delete the whole file if a PUT with content-range failed. PR 42896. [Stefan Fritsch]
  • mod_dav_fs: Make PUT create files atomically and no longer destroy the old file if the transfer aborted. PR 39815. [Paul Querna, Stefan Fritsch]
  • mod_dav_fs: Remove inode keyed locking as this conflicts with atomically creating files. On systems with inode numbers, this is a format change of the DavLockDB. The old DavLockDB must be deleted on upgrade. [Stefan Fritsch]
  • mod_log_config: Make ${cookie}C correctly match whole cookie names instead of substrings. PR 28037. [Dan Franklin, Stefan Fritsch]
  • vhost: A purely-numeric Host: header should not be treated as a port. PR 44979. [Nick Kew]
  • mod_ldap: Avoid 500 errors with "Unable to set LDAP_OPT_REFHOPLIMIT option to 5" when built against OpenLDAP by using the SDK's LDAP_OPT_REFHOPLIMIT default unless LDAPReferralHopLimit is explicitly configured. [Eric Covener]
  • mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'. [Eric Covener]
  • mod_ssl: Add support for OCSP Stapling. PR 43822. [Dr Stephen Henson]
  • mod_socache_shmcb: Allow parens in file name if cache size is given. Fixes SSLSessionCache directive mis-parsing parens in pathname. PR 47945. [Stefan Fritsch]
  • htpasswd: Improve out of disk space handling. PR 30877. [Stefan Fritsch]
  • htpasswd: Use MD5 hash by default on all platforms. [Stefan Fritsch]
  • mod_sed: Reduce memory consumption when processing very long lines. PR 48024. [Basant Kumar Kukreja]
  • ab: Fix segfault in case the argument for -n is a very large number. PR 47178. [Philipp Hagemeister]
  • Allow ProxyPreserveHost to work in <Proxy> sections. PR 34901. [Stefan Fritsch]
  • configure: Fix THREADED_MPMS so that mod_cgid is enabled again for worker MPM. [Takashi Sato]
  • mod_dav: Provide a mechanism to obtain the request_rec and pathname from the dav_resource. [Jari Urpalainen, Brian France]
  • Build: Use install instead of cp if available on installing modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com]
  • mod_cache: correctly consider s-maxage in cacheability decisions. [Dan Poirier]
  • mod_logio/core: Report more accurate byte counts in mod_status if mod_logio is loaded. PR 25656. [Stefan Fritsch]
  • mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge some cache entries and log a warning. Also increase the default LDAPSharedCacheSize to 500000. This is a more realistic size suitable for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries. PR 46749. [Stefan Fritsch]
  • mod_rewrite: Make sure that a hostname:port isn't fully qualified if the request is a CONNECT request. [Bill Zajac]
  • mod_cache: Teach CacheEnable and CacheDisable to work from within a Location section, in line with how ProxyPass works. [Graham Leggett]
  • mod_reqtimeout: New module to set timeouts and minimum data rates for receiving requests from the client. [Stefan Fritsch]
  • core: Fix potential memory leaks by making sure to not destroy bucket brigades that have been created by earlier filters. [Stefan Fritsch]
  • core, mod_deflate, mod_sed: Reduce memory usage by reusing bucket brigades in several places. [Stefan Fritsch]
  • mod_cache: Fix uri_meets_conditions() so that CacheEnable will match by scheme, or by a wildcarded hostname. PR 40169. [Peter Grandi, Graham Leggett]
  • suexec: Allow logging an error if exec fails by setting FD_CLOEXEC on the log file instead of closing it. PR 10744. [Nicolas Rachinsky]
  • mod_mime: Make RemoveType override the info from TypesConfig. PR 38330. [Stefan Fritsch]
  • mod_cache: Introduce the option to run the cache from within the normal request handler, and to allow fine grained control over where in the filter chain content is cached. Adds CacheQuickHandler directive. [Graham Leggett]
  • core: Treat timeout reading request as 408 error, not 400. Log 408 errors in access log as was done in Apache 1.3.x. PR 39785. [Nobutaka Mantani, Stefan Fritsch, Dan Poirier]
  • mod_ssl: Reintroduce SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_SERVER_S_DN and SSL_SERVER_I_DN into the environment variables set by mod_ssl. [Peter Sylvester]
  • mod_disk_cache: don't cache incomplete responses, per RFC 2616, 13.8. PR 15866. [Dan Poirier]
  • ab: Fix segfault in verbose mode on https sites. PR 46393. [Ryan Niebur]
  • mod_dav: Allow other modules to become providers and add resource types to the DAV response. [Jari Urpalainen, Brian France]
  • mod_dav: Allow other modules to add things to the DAV or Allow headers of an OPTIONS request. [Jari Urpalainen, Brian France]
  • core: Lower memory usage of core output filter. [Stefan Fritsch]
  • mod_mime: Detect invalid use of MultiviewsMatch inside Location and LocationMatch sections. PR 47754. [Dan Poirier]
  • mod_request: Make sure the KeptBodySize directive rejects values that aren't valid numbers. [Graham Leggett]
  • mod_session_crypto: Sanity check should the potentially encrypted session cookie be too short. [Graham Leggett]
  • mod_session.c: Prevent a segfault when session is added but not configured. [Graham Leggett]
  • htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]
  • mod_auth_digest: Fail server start when nonce count checking is configured without shared memory, or md5-sess algorithm is configured. [Dan Poirier]
  • mod_proxy_connect: The connect method doesn't work if the client is connecting to the apache proxy through an ssl socket. Fixed. PR 29744. [Brad Boyer, Mark Cave-Ayland, Julian Gilbey, Fabrice Durand, David Gence, Tim Dodge, Per Gunnar Hans, Emmanuel Elango, Kevin Croft, Rudolf Cardinal]
  • mod_ssl: The error message when SSLCertificateFile is missing should at least give the name or position of the problematic virtual host definition. [Stefan Fritsch sf sfritsch.de]
  • mod_auth_digest: Fix null pointer when qop=none. [Dan Poirier]
  • Add support for HTTP PUT to ab. [Jeff Barnes]
  • mod_headers: generalise the envclause to support expression evaluation with the ap_expr parser. [Nick Kew]
  • mod_cache: Introduce the thundering herd lock, a mechanism to keep the flood of requests at bay that strike a backend webserver as a cached entity goes stale. [Graham Leggett]
  • mod_auth_digest: Fix usage of shared memory and re-enable it. PR 16057. [Dan Poirier]
  • Preserve Port information over internal redirects. PR 35999. [Jonas Ringh]
  • Proxy: unable to connect to a backend is SERVICE_UNAVAILABLE, rather than BAD_GATEWAY or (especially) NOT_FOUND. PR 46971. [evanc nortel.com]
  • Various modules: Do better checking of pollset operations in order to avoid segmentation faults if they fail. PR 46467. [Stefan Fritsch]
  • mod_autoindex: Correctly create an empty cell if the description for a file is missing. PR 47682. [Peter Poeml]
  • ab: Fix broken error messages after resolver or connect() failures. [Jeff Trawick]
  • SECURITY: CVE-2009-1890 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_proxy in a reverse proxy configuration, where a remote attacker can force a proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
  • SECURITY: CVE-2009-1191 (cve.mitre.org) mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body. PR 46949 [Ruediger Pluem]
  • htdbm: Fix possible buffer overflow if dbm database has very long values. PR 30586. [Dan Poirier]
  • core: Return APR_EOF if request body is shorter than the length announced by the client. PR 33098. [Stefan Fritsch]
  • mod_suexec: correctly set suexec_enabled when httpd is run by a non-root user and may have insufficient permissions. PR 42175. [Jim Radford]
  • mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute type. PR 45107. [Michael Ströder, Peter Sylvester]
  • mod_proxy_http: fix case-sensitivity when checking the Transfer-Encoding header. PR 47383. [Ryuzo Yamamoto]
  • mod_alias: ensure Redirect issues a valid URL. PR 44020. [Hakon Stordahl]
  • mod_dir: add FallbackResource directive, to enable admin to specify an action to happen when a URL maps to no file, without resorting to ErrorDocument or mod_rewrite. PR 47184. [Nick Kew]
  • mod_cgid: Do not leak the listening Unix socket file descriptor to the CGI process. PR 47335. [Kornél Pál]
  • mod_rewrite: Remove locking for writing to the rewritelog. PR 46942. [Dan Poirier]
  • mod_alias: check sanity in Redirect arguments. PR 44729. [Sönke Tesch, Jim Jagielski]
  • mod_proxy_http: fix Host: header for literal IPv6 addresses. PR 47177. [Carlos Garcia Braschi]
  • mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore defined session identifiers encoded in the URL when caching. [Ruediger Pluem]
  • mod_rewrite: Fix the error string returned by RewriteRule. RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd argument of RewriteRule did not start with "[" or did not end with "]". PR 45082. [Vitaly Polonetsky]
  • Windows: Fix usage message. [Rainer Jung]
  • apachectl: When passing through arguments to httpd in non-SysV mode, use the "$@" syntax to preserve arguments. [Eric Covener]
  • mod_dbd: add DBDInitSQL directive to enable SQL statements to be run when a connection is opened. PR 46827. [Marko Kevac]
  • mod_cgid: Improve handling of long AF_UNIX socket names (ScriptSock). PR 47037. [Jeff Trawick]
  • mod_proxy_ajp: Check more strictly that the backend follows the AJP protocol. [Mladen Turk]
  • mod_proxy_ajp: Forward remote port information by default. [Rainer Jung]
  • Allow MPMs to be loaded dynamically, as with most other modules. Use --enable-mpms-shared={list|"all"} to enable. This required changes to the MPM interfaces. Removed: mpm.h, mpm_default.h (as an installed header), APACHE_MPM_DIR, MPM_NAME, ap_threads_per_child, ap_max_daemons_limit, ap_my_generation, etc. ap_mpm_query() can't be called until after the register-hooks phase. [Jeff Trawick]
  • mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable stricter checking of remote server certificates. [Ruediger Pluem]
  • ab: Fix a 100% CPU loop on platforms where a failed non-blocking connect returns EINPROGRESS and a subsequent poll() returns only POLLERR. Observed on HP-UX. [Eric Covener]
  • Remove broken support for BeOS, TPF, and even older platforms such as A/UX, Next, and Tandem. [Jeff Trawick]
  • mod_proxy_ftp: Add ProxyFtpListOnWildcard directive to allow files with globbing characters to be retrieved instead of converted into a directory listing. PR 46789. [Dan Poirier]
  • Provide ap_retained_data_create()/ap_retained_data_get() for preservation of module state across unload/load. [Jeff Trawick]
  • mod_substitute: Fix a memory leak. PR 44948. [Dan Poirier]