Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards

Apache 2.4.8 Changelog
  • SECURITY: CVE-2014-0098 (cve.mitre.org) Clean up cookie logging with fewer redundant string parsing passes. Log only cookies with a value assignment. Prevents segfaults when logging truncated cookies. [William Rowe, Ruediger Pluem, Jim Jagielski]
  • SECURITY: CVE-2013-6438 (cve.mitre.org) mod_dav: Keep track of length of cdata properly when removing leading spaces. Eliminates a potential denial of service from specifically crafted DAV WRITE requests [Amin Tora ]
  • core: Support named groups and backreferences within the LocationMatch, DirectoryMatch, FilesMatch and ProxyMatch directives. (Requires non-ancient PCRE library) [Graham Leggett]
  • core: draft-ietf-httpbis-p1-messaging-23 corrections regarding TE/CL conflicts. [Yann Ylavic, Jim Jagielski]
  • core: Detect incomplete request and response bodies, log an error and forward it to the underlying filters. PR 55475 [Yann Ylavic]
  • mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping execution when a handler is already set. PR53929. [Eric Covener]
  • mod_ssl: Do not perform SNI / Host header comparison in case of a forward proxy request. [Ruediger Pluem]
  • mod_ssl: Remove the hardcoded algorithm-type dependency for the SSLCertificateFile and SSLCertificateKeyFile directives, to enable future algorithm agility, and deprecate the SSLCertificateChainFile directive (obsoleted by SSLCertificateFile). [Kaspar Brand]
  • mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore, and IgnoreInherit to allow RewriteRules to be pushed from parent scopes to child scopes without explicitly configuring each child scope. PR56153. [Edward Lu ]
  • prefork: Fix long delays when doing a graceful restart. PR 54852 [Jim Jagielski, Arkadiusz Miskiewicz ]
  • FreeBSD: Disable IPv4-mapped listening sockets by default for versions 5+ instead of just for FreeBSD 5. PR 53824. [Jeff Trawick]
  • mod_proxy_wstunnel: Avoid busy loop on client errors, drop message IDs 02445, 02446, and 02448 to TRACE1 from DEBUG. PR 56145. [Joffroy Christen , Eric Covener]
  • mod_remoteip: Correct the trusted proxy match test. PR 54651. [Yoshinori Ehara , Eugene L ]
  • mod_proxy_fcgi: Fix error message when an unexpected protocol version number is received from the application. PR 56110. [Jeff Trawick]
  • mod_remoteip: Use the correct IP addresses to populate the proxy_ips field. PR 55972. [Mike Rumph]
  • mod_lua: Update r:setcookie() to accept a table of options and add domain, path and httponly to the list of options available to set. PR 56128 [Edward Lu , Daniel Gruno] mod_lua: Fix r:setcookie() to add, rather than replace, the Set-Cookie header. PR56105 [Kevin J Walters , Edward Lu ]
  • mod_lua: Allow for database results to be returned as a hash with row-name/value pairs instead of just row-number/value. [Daniel Gruno]
  • mod_rewrite: Add %{CONN_REMOTE_ADDR} as the non-useragent counterpart to %{REMOTE_ADDR}. PR 56094. [Edward Lu ]
  • WinNT MPM: If ap_run_pre_connection() fails or sets c->aborted, don't save the socket for reuse by the next worker as if it were an APR_SO_DISCONNECTED socket. Restores 2.2 behavior. [Eric Covener]
  • mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a URL that was just rewritten by mod_rewrite. PR53929. [Eric Covener]
  • mod_session: When we have a session we were unable to decode, behave as if there was no session at all. [Thomas Eckert ]
  • mod_session: Fix problems interpreting the SessionInclude and SessionExclude configuration. PR 56038. [Erik Pearson ]
  • mod_authn_core: Allow 'es to be seen from auth stanzas under virtual hosts. PR 55622. [Eric Covener]
  • mod_proxy_fcgi: Use apr_socket_timeout_get instead of hard-coded 30 seconds timeout. [Jan Kaluza]
  • build: only search for modules (config*.m4) in known subdirectories, see build/config-stubs. [Stefan Fritsch]
  • mod_cache_disk: Fix potential hangs on Windows when using mod_cache_disk. PR 55833. [Eric Covener]
  • mod_ssl: Add support for OpenSSL configuration commands by introducing the SSLOpenSSLConfCmd directive. [Stephen Henson, Kaspar Brand]
  • mod_proxy: Remove (never documented) syntax which is equivalent to . [Christophe Jaillet]
  • mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm, mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the require directives. [Graham Leggett]
  • mod_proxy_http: Core dumped under high load. PR 50335. [Jan Kaluza ]
  • mod_socache_shmcb.c: Remove arbitrary restriction on shared memory size previously limited to 64MB. [Jens Laas ]
  • mod_lua: Use binary copy when dealing with uploads through r:parsebody() to prevent truncating files. [Daniel Gruno]