Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 2.4.11 Changelog
  • SECURITY: CVE-2014-3583 (cve.mitre.org) mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with response headers' size above 8K. [Yann Ylavic, Jeff Trawick]
  • SECURITY: CVE-2014-3581 (cve.mitre.org) mod_cache: Avoid a crash when Content-Type has an empty value. PR 56924. [Mark Montague, Jan Kaluza]
  • SECURITY: CVE-2014-8109 (cve.mitre.org) mod_lua: Fix handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments. PR57204 [Edward Lu]
  • SECURITY: CVE-2013-5704 (cve.mitre.org) core: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds "MergeTrailers" directive to restore legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
  • mod_ssl: New directive SSLSessionTickets (On|Off). The directive controls the use of TLS session tickets (RFC 5077), default value is "On" (unchanged behavior). Session ticket creation uses a random key created during web server startup and recreated during restarts. No other key recreation mechanism is available currently. Therefore using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
  • mod_proxy_fcgi: Provide some basic alternate options for specifying how PATH_INFO is passed to FastCGI backends by adding significance to the value of proxy-fcgi-pathinfo. PR 55329. [Eric Covener]
  • mod_proxy_fcgi: Enable UDS backends configured with SetHandler/RewriteRule to opt-in to connection reuse and other Proxy options via explicitly declared "proxy workers" (
  • mod_proxy: Add "enablereuse" option as the inverse of "disablereuse". [Eric Covener]
  • mod_proxy_fcgi: Enable opt-in to TCP connection reuse by explicitly setting proxy option disablereuse=off. [Eric Covener] PR 57378.
  • event: Update the internal "connection id" when requests move from thread to thread. Reuse can confuse modules like mod_cgid. PR 57435. [Michael Thorpe]
  • mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME passed to fastcgi backends. [Eric Covener]
  • core: Configuration files with long lines and continuation characters are not read properly. PR 55910. [Manuel Mausz]
  • mod_include: the 'env' function was incorrectly handled as 'getenv' if the leading 'e' was written in upper case in statements. [Christophe Jaillet]
  • split-logfile: Fix perl error: 'Can't use string ("example.org:80") as a symbol ref while "strict refs"'. PR 56329. [Holger Mauermann]
  • mod_proxy: Prevent ProxyPassReverse from doing a substitution when the URL parameter interpolates to an empty string. PR 56603. []
  • core: Fix -D[efined] or [d] variables lifetime across restarts. PR 57328. [Armin Abfalterer, Yann Ylavic].
  • mod_proxy: Preserve original request headers even if they differ from the ones to be forwarded to the backend. PR 45387. [Yann Ylavic]
  • mod_ssl: dump SSL IO/state for the write side of the connection(s), like reads (level TRACE4). [Yann Ylavic]
  • mod_proxy_fcgi: Ignore body data from backend for 304 responses. PR 57198. [Jan Kaluza]
  • mod_ssl: Do not crash when looking up SSL related variables during expression evaluation on non SSL connections. PR 57070 [Ruediger Pluem]
  • mod_proxy_ajp: Fix handling of the default port (8009) in the ProxyPass and configurations. PR 57259. [Yann Ylavic]
  • mpm_event: Avoid a possible use after free when notifying the end of connection during lingering close. PR 57268. [Eric Covener, Yann Ylavic]
  • mod_ssl: Fix recognition of OCSP stapling responses that are encoded improperly or too large. [Jeff Trawick]
  • core: Add ap_log_data(), ap_log_rdata(), etc. for logging buffers. [Jeff Trawick]
  • mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an error when parsing or forwarding the response fails. [Yann Ylavic]
  • mod_ssl: Fix a memory leak in case of graceful restarts with OpenSSL >= 0.9.8e PR 53435 [tadanori, Sebastian Wiedenroth]
  • mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read determine whether it is a normal close or a real error. PR 57168. [Yann Ylavic]
  • mod_proxy_wstunnel: abort backend connection on polling error to avoid further processing. [Yann Ylavic]
  • core: Support custom ErrorDocuments for HTTP 501 and 414 status codes. PR 57167 [Edward Lu]
  • mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC systems. PR 57092 [Edward Lu]
  • mod_cache: Avoid a 304 response to an unconditional request when an AH00752 CacheLock error occurs during cache revalidation. [Eric Covener]
  • mod_ssl: Move OCSP stapling information from a per-certificate store to a per-server hash. PR 54357, PR 56919. [Alex Bligh, Yann Ylavic, Kaspar Brand]
  • mod_cache_socache: Change average object size hint from 32 bytes to 2048 bytes. [Rainer Jung]
  • mod_cache_socache: Add cache status to server-status. [Rainer Jung]
  • event: Fix worker-listener deadlock in graceful restart. PR 56960.
  • Concat strings at compile time when possible. PR 53741.
  • mod_substitute: Restrict configuration in .htaccess to FileInfo as documented. [Rainer Jung]
  • mod_substitute: Make maximum line length configurable. [Rainer Jung]
  • mod_substitute: Fix line length limitation in case of regexp plus flatten. [Rainer Jung]
  • mod_proxy: Truncated character worker names are no longer fatal errors. PR53218. [Jim Jagielski]
  • mod_dav: Set r->status_line in dav_error_response. PR 55426.
  • mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory. [Yann Ylavic, Christophe Jaillet]
  • http_protocol: fix logic in ap_method_list_(add|remove) in order: - to correctly reset bits - not to modify the 'method_mask' bitfield unnecessarily [Christophe Jaillet]
  • mod_slotmem_shm: Increase log level for some originally debug messages. [Jim Jagielski]
  • mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with the wrong credentials when a backend connection is reused. [Eric Covener]
  • mod_macro: Add missing APLOGNO for some Warning log messages. [Christophe Jaillet]
  • mod_cache: Avoid sending 304 responses during failed revalidations PR56881. [Eric Covener]
  • mod_status: Honor client IP address using mod_remoteip. PR 55886. [Jim Jagielski]
  • cmake-based build for Windows: Fix incompatibility with cmake 2.8.12 and later. PR 56615. [Chuck Liu, Jeff Trawick]
  • mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade failed) messages from ERROR to TRACE1. Other filters do not bother re-reporting failures from lower level filters. PR56832. [Eric Covener]
  • core: Avoid useless warning message when parsing a section guarded by if $(foo) is used within the section. PR 56503 [Christophe Jaillet]
  • mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the application. PR 56858. [Manuel Mausz]
  • mod_proxy_http: Proxy responses with error status and "ProxyErrorOverride On" hang until proxy timeout. PR53420 [Rainer Jung]
  • mod_log_config: Allow three character log formats to be registered. For backwards compatibility, the first character of a three-character format must be the '^' (caret) character. [Eric Covener]
  • mod_lua: Don't quote Expires and Path values. PR 56734. [Keith Mashinter, ]
  • mod_authz_core: Allow 'es to be seen from auth stanzas under virtual hosts. PR 56870. [Eric Covener]
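
The SSLSessionTickets and CVE-2013-5704 entries above map onto the virtual host settings below. This is an added example, not part of the Apache changelog; the server name and the certificate paths are placeholders.

```apache
# Added example. www.example.org and the /path/to/... files are placeholders.
<VirtualHost *:443>
    ServerName www.example.org

    SSLEngine on
    SSLCertificateFile    /path/to/server-cert.pem
    SSLCertificateKeyFile /path/to/server-key.pem

    # Default is "On" (unchanged behaviour). The ticket key is created at
    # startup and only recreated on restart, so a server that runs for a long
    # time with tickets enabled keeps one ticket key for that whole period,
    # which undermines forward secrecy.
    #
    # Option 1: turn session tickets off for this host.
    SSLSessionTickets Off

    # Option 2 (instead of option 1): keep tickets and restart the server
    # at a regular interval, e.g. daily, so the ticket key is recreated.
    # SSLSessionTickets On

    # CVE-2013-5704: 2.4.11 no longer lets HTTP trailers replace request
    # headers late in request processing. "On" restores the legacy merging;
    # keep it Off unless an application depends on the old behaviour.
    MergeTrailers Off
</VirtualHost>
```

Both directives require 2.4.11 or later; on older versions the server will refuse to start with an unknown-directive error, which `apachectl configtest` reports before a restart.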