Apache Changelog

New in version 2.2.26 (February 5th, 2014)

  • mod_dav: dav_resource->uri is treated as unencoded. This was an unnecessary ABI change introduced in 2.2.25. PR 55397.
  • mod_dav: Do not validate locks against parent collection of COPY source URI. PR 55304.
  • mod_ssl: Check SNI hostname against Host header case-insensitively. PR 49491.
  • mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against OpenSSL 1.0.0b3.
  • mod_ssl: Change default for SSLCompression to off, as compression causes security issues in most setups. (The so called "CRIME" attack).
  • mod_ssl: Fix compilation error when OpenSSL does not contain support for SSLv2. Problem was introduced in 2.2.25. PR 55194.
  • mod_dav: Fix double encoding of URIs in XML and Location header (caused by unintentional ABI change in 2.2.25). PR 55397.

New in version 2.4.7 (November 22nd, 2013)

  • APR 1.5.0 or later is now required for the event MPM.
  • slotmem_shm: Error detection. [Jim Jagielski]
  • event: Use skiplist data structure. [Jim Jagielski]
  • mpm_unix: Add ap_mpm_podx_* implementation to avoid code duplication and align w/ trunk. [Jim Jagielski]
  • Fix potential rejection of valid MaxMemFree and ThreadStackSize directives. [Mike Rumph ]
  • mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars. An individual envvar with an encoded length of more than 16K will be omitted. [Jeff Trawick]
  • mod_proxy_fcgi: Handle reading protocol data that is split between packets. [Jeff Trawick]
  • mod_ssl: Improve handling of ephemeral DH and ECDH keys by allowing custom parameters to be configured via SSLCertificateFile, and by adding standardized DH parameters for 1024/2048/3072/4096 bits. Unless custom parameters are configured, the standardized parameters are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
  • mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]
  • mod_ssl: drop support for export-grade ciphers with ephemeral RSA keys, and unconditionally disable aNULL, eNULL and EXP ciphers (not overridable via SSLCipherSuite). [Kaspar Brand]
  • Add experimental cmake-based build system for Windows. [Jeff Trawick, Tom Donovan]
  • event MPM: Fix possible crashes (third party modules accessing c->sbh) or occasional missed mod_status updates for some keepalive requests under load. [Eric Covener]
  • mod_authn_socache: Support optional initialization arguments for socache providers. [Chris Darroch]
  • mod_session: Reset the max-age on session save. PR 47476. [Alexey Varlamov ]
  • mod_session: After parsing the value of the header specified by the SessionHeader directive, remove the value from the response. PR 55279. [Graham Leggett]
  • mod_headers: Allow for format specifiers in the substitution string when using Header edit. [Daniel Ruggeri]
  • mod_dav: dav_resource->uri is treated as unencoded. This was an unnecessary ABI change introduced in 2.4.6. PR 55397.
  • mod_dav: Don't require lock tokens for COPY source. PR 55306.
  • core: Don't truncate output when sending is interrupted by a signal, such as from an exiting CGI process. PR 55643. [Jeff Trawick]
  • WinNT MPM: Exit the child if the parent process crashes or is terminated. [Oracle Corporation]
  • Windows: Correct failure to discard stderr in some error log configurations. (Error message AH00093) [Jeff Trawick]
  • mod_session_crypto: Allow using exec: calls to obtain session encryption key. [Daniel Ruggeri]
  • core: Add missing Reason-Phrase in HTTP response headers. PR 54946. [Rainer Jung]
  • mod_rewrite: Make rewrite websocket-aware to allow proxying. PR 55598. [Chris Harris ]
  • mod_ldap: When looking up sub-groups, use an implicit objectClass=* instead of an explicit cn=* filter. [David Hawes ]
  • ab: Add wait time, fix processing time, and output write errors only if they occurred. [Christophe Jaillet]
  • worker MPM: Don't forcibly kill worker threads if the child process is exiting gracefully. [Oracle Corporation]
  • core: apachectl -S prints wildcard name-based virtual hosts twice. PR 54948 [Eric Covener]
  • mod_auth_basic: Add AuthBasicUseDigestAlgorithm directive to allow migration of passwords from digest to basic authentication. [Chris Darroch]
  • ab: Add a new -l parameter in order not to check the length of the responses. This can be useful with dynamic pages. PR 9945, PR 27888, PR 42040
  • Suppress formatting of startup messages written to the console when ErrorLogFormat is used. [Jeff Trawick]
  • mod_auth_digest: Be more specific when the realm mismatches because the realm has not been specified. [Graham Leggett]
  • mod_proxy: Add a note in the balancer manager stating whether changes will or will not be persisted and whether settings are inherited. [Daniel Ruggeri, Jim Jagielski]
  • mod_cache: Avoid a crash with strcmp() when the hostname is not provided. [Graham Leggett]
  • core: Add util_fcgi.h and associated definitions and support routines for FastCGI, based largely on mod_proxy_fcgi. [Jeff Trawick]
  • mod_headers: Add 'Header note header-name note-name' for copying a response headers value into a note. [Eric Covener]
  • mod_headers: Add 'setifempty' command to Header and RequestHeader. [Eric Covener]
  • mod_logio: new format-specifier %S (sum) which is the sum of received and sent byte counts. PR54015 [Christophe Jaillet]
  • mod_deflate: Improve error detection when decompressing request bodies with trailing garbage: handle case where trailing bytes are in the same bucket. [Rainer Jung]
  • mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663 from ERROR to DEBUG, since these modules do not know what mod_authz_core is doing with their AUTHZ_DENIED return value. [Eric Covener]
  • mod_ldap: add TRACE5 for LDAP retries. [Eric Covener]
  • mod_ldap: retry on an LDAP timeout during authn. [Eric Covener]
  • mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK default, sans rebind authentication callback. [Jan Kaluza ]
  • core: Log a message at TRACE1 when the client aborts a connection. [Eric Covener]
  • WinNT MPM: Don't crash during child process initialization if the Listen protocol is unrecognized. [Jeff Trawick]
  • modules: Fix some compiler warnings. [Guenter Knauf]
  • Sync 2.4 and trunk: avoid some memory allocation and work when TRACE1 is not activated; fix typo in include guard; indent; no need to lower the string before removing the path, it is just a waste of time; save a few cycles. [Christophe Jaillet ]
  • mod_filter: Add "change=no" as a proto-flag to FilterProtocol to remove a providers initial flags set at registration time. [Eric Covener]
  • core, mod_ssl: Enable the ability for a module to reverse the sense of a poll event from a read to a write or vice versa. This is a step on the way to allow mod_ssl taking full advantage of the event MPM. [Graham Leggett]
  • Makefile.win: Install proper pcre DLL file during debug build install. PR 55235. [Ben Reser ]
  • mod_ldap: Fix a potential memory leak or corruption. PR 54936. [Zhenbo Xu ]
  • ab: Fix potential buffer overflows when processing the T and X command-line options. PR 55360. [Mike Rumph ]
  • fcgistarter: Specify SO_REUSEADDR to allow starting a server with old connections in TIME_WAIT. [Jeff Trawick]
  • core: Add open_htaccess hook which, in conjunction with dirwalk_stat and post_perdir_config (introduced in 2.4.5), allows mpm-itk to be used without patches to httpd core. [Stefan Fritsch]
  • support/htdbm: fix processing of -t command line switch. Regression introduced in 2.4.4

New in version 2.4.1 (February 21st, 2012)

  • Core Enhancements:
  • Run-time Loadable MPMs
  • Multiple MPMs can now be built as loadable modules at compile time. The MPM of choice can be configured at run time.
  • Event MPM
  • The Event MPM is no longer experimental but is now fully supported.
  • Asynchronous support
  • Better support for asynchronous read/write for supporting MPMs and platforms.
  • Per-module and per-directory LogLevel configuration
  • The LogLevel can now be configured per module and per directory. New levels trace1 to trace8 have been added above the debug log level.
  • Per-request configuration sections
  • , , and sections can be used to set the configuration based on per-request criteria.
  • General-purpose expression parser
  • A new expression parser allows specifying complex conditions using a common syntax in directives like SetEnvIfExpr, RewriteCond, Header, , and others.
  • KeepAliveTimeout in milliseconds
  • It is now possible to specify KeepAliveTimeout in milliseconds.
  • NameVirtualHost directive
  • No longer needed and is now deprecated.
  • Override Configuration
  • The new AllowOverrideList directive allows finer-grained control over which directives are allowed in .htaccess files.
  • Config file variables
  • It is now possible to Define variables in the configuration, allowing a clearer representation if the same value is used in many places in the configuration.
  • Reduced memory usage
  • Despite many new features, 2.4.x tends to use less memory than 2.2.x.
  • New Modules:
  • mod_proxy_fcgi
  • FastCGI Protocol backend for mod_proxy
  • mod_proxy_scgi
  • SCGI Protocol backend for mod_proxy
  • mod_proxy_express
  • Provides dynamically configured mass reverse proxies for mod_proxy
  • mod_remoteip
  • Replaces the apparent client remote IP address and hostname for the request with the IP address list presented by a proxy or a load balancer via the request headers.
  • mod_heartmonitor, mod_lbmethod_heartbeat
  • Allow mod_proxy_balancer to base loadbalancing decisions on the number of active connections on the backend servers.
  • mod_proxy_html
  • Formerly a third-party module, this supports fixing of HTML links in a reverse proxy situation, where the backend generates URLs that are not valid for the proxy's clients.
  • mod_sed
  • An advanced replacement for mod_substitute; allows editing the response body with the full power of sed.
  • mod_auth_form
  • Allows form-based authentication.
  • mod_session
  • Allows keeping session state for clients, using cookie or database storage.
  • mod_allowmethods
  • New module to restrict certain HTTP methods without interfering with authentication or authorization.
  • mod_lua
  • Embeds the Lua language into httpd, for configuration and small business logic functions. (Experimental)
  • mod_log_debug
  • Allows adding customizable debug logging at different phases of the request processing.
  • mod_buffer
  • Provides for buffering the input and output filter stacks
  • mod_data
  • Convert response body into an RFC2397 data URL
  • mod_ratelimit
  • Provides Bandwidth Rate Limiting for Clients
  • mod_request
  • Provides Filters to handle and make available HTTP request bodies
  • mod_reflector
  • Provides Reflection of a request body as a response via the output filter stack.
  • mod_slotmem_shm
  • Provides a Slot-based shared memory provider (ala the scoreboard).
  • mod_xml2enc
  • Formerly a third-party module, this supports internationalisation in libxml2-based (markup-aware) filter modules.
  • Module Enhancements:
  • mod_ssl
  • mod_ssl can now be configured to use an OCSP server to check the validation status of a client certificate. The default responder is configurable, along with the decision on whether to prefer the responder designated in the client certificate itself.
  • mod_ssl now also supports OCSP stapling, where the server pro-actively obtains an OCSP verification of its certificate and transmits that to the client during the handshake.
  • mod_ssl can now be configured to share SSL Session data between servers through memcached
  • EC keys are now supported in addition to RSA and DSA.
  • mod_proxy
  • The ProxyPass directive is now most optimally configured within a Location or LocationMatch block, and offers a significant performance advantage over the traditional two-parameter syntax when present in large numbers.
  • The source address used for proxy requests is now configurable.
  • mod_proxy_balancer
  • More runtime configuration changes for BalancerMembers via balancer-manager
  • Additional BalancerMembers can be added at runtime via balancer-manager
  • Runtime configuration of a subset of Balancer parameters
  • BalancerMembers can be set to 'Drain' so that they only respond to existing sticky sessions, allowing them to be taken gracefully offline.
  • Balancer settings can be persistent after restarts.
  • mod_cache
  • mod_cache can now cache HEAD requests.
  • Where possible, mod_cache directives can now be set per directory, instead of per server.
  • The base URL of cached URLs can be customised, so that a cluster of caches can share the same endpoint URL prefix.
  • mod_cache is now capable of serving stale cached data when a backend is unavailable (error 5xx).
  • mod_cache can now insert HIT/MISS/REVALIDATE into an X-Cache header.
  • mod_include
  • Support for the 'onerror' attribute within an 'include' element, allowing an error document to be served on error instead of the default error string.
  • mod_cgi, mod_include, mod_isapi, ...
  • Translation of headers to environment variables is more strict than before to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped. Environment Variables in Apache has some pointers on how to work around broken legacy clients which require such headers. (This affects all modules which use these environment variables.)
  • mod_authz_core Authorization Logic Containers
  • Advanced authorization logic may now be specified using the Require directive and the related container directives, such as .
  • mod_rewrite
  • mod_rewrite adds the [QSD] (Query String Discard) and [END] flags for RewriteRule to simplify common rewriting scenarios.
  • Adds the possibility to use complex boolean expressions in RewriteCond.
  • Allows SQL queries to be used as RewriteMap functions.
  • mod_ldap, mod_authnz_ldap
  • mod_authnz_ldap adds support for nested groups.
  • mod_ldap adds LDAPConnectionPoolTTL, LDAPTimeout, and other improvements in the handling of timeouts. This is especially useful for setups where a stateful firewall drops idle connections to the LDAP server.
  • mod_ldap adds LDAPLibraryDebug to log debug information provided by the used LDAP toolkit.
  • mod_info
  • mod_info can now dump the pre-parsed configuration to stdout during server startup.
  • Program Enhancements:
  • fcgistarter
  • New FastCGI daemon starter utility
  • htcacheclean
  • Current cached URLs can now be listed, with optional metadata included.
  • Allow explicit deletion of individual cached URLs from the cache.
  • File sizes can now be rounded up to the given block size, making the size limits map more closely to the real size on disk.
  • Cache size can now be limited by the number of inodes, instead of or in addition to being limited by the size of the files on disk.
  • rotatelogs
  • May now create a link to the current log file.
  • May now invoke a custom post-rotate script.
  • Documentation:
  • mod_rewrite
  • The mod_rewrite documentation has been rearranged and almost completely rewritten, with a focus on examples and common usage, as well as on showing you when other solutions are more appropriate. The Rewrite Guide is now a top-level section with much more detail and better organization.
  • mod_ssl
  • The mod_ssl documentation has been greatly enhanced, with more examples at the getting started level, in addition to the previous focus on technical details.
  • Module Developer Changes:
  • Check Configuration Hook Added
  • A new hook, check_config, has been added which runs between the pre_config and open_logs hooks. It also runs before the test_config hook when the -t option is passed to httpd. The check_config hook allows modules to review interdependent configuration directive values and adjust them while messages can still be logged to the console. The user can thus be alerted to misconfiguration problems before the core open_logs hook function redirects console output to the error log.
  • Expression Parser Added
  • We now have a general-purpose expression parser, whose API is exposed in ap_expr.h. This is adapted from the expression parser previously implemented in mod_ssl.
  • Authorization Logic Containers
  • Authorization modules now register as a provider, via ap_register_auth_provider(), to support advanced authorization logic, such as .
  • Small-Object Caching Interface
  • The ap_socache.h header exposes a provider-based interface for caching small data objects, based on the previous implementation of the mod_ssl session cache. Providers using a shared-memory cyclic buffer, disk-based dbm files, and a memcache distributed cache are currently supported.
  • Cache Status Hook Added
  • The mod_cache module now includes a new cache_status hook, which is called when the caching decision becomes known. A default implementation is provided which adds an optional X-Cache and X-Cache-Detail header to the response.
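The header-to-environment translation described under "mod_cgi, mod_include, mod_isapi, ..." above, as an added example that is not httpd's own code. It models why a header name with an underscore is a problem: the classic CGI mapping turns both `X-Forwarded-For` and `X_Forwarded_For` into the same `HTTP_X_FORWARDED_FOR` variable, so the second can overwrite the first. The accepted character set (letters, digits and `-`) and the "later header overwrites" behaviour of the lenient mode are assumptions of this model, not a statement of httpd's exact rules.

```python
"""Model of CGI header-to-environment translation (added illustration).

Not httpd source. strict=True models the 2.4 behaviour described in the
changelog (drop header names with characters outside letters, digits and
'-'); strict=False models the older lenient translation so the collision
can be observed.
"""
import re
from typing import Dict, List, Tuple

# Assumed safe header-name alphabet for this model.
SAFE_HEADER_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def header_to_env_name(name: str) -> str:
    """Classic CGI mapping: upper-case, '-' becomes '_', HTTP_ prefix."""
    return "HTTP_" + name.upper().replace("-", "_")


def headers_to_env(headers: List[Tuple[str, str]],
                   strict: bool = True) -> Tuple[Dict[str, str], List[str]]:
    """Build the HTTP_* environment from (name, value) pairs.

    Returns (env, dropped). In strict mode, names containing characters
    other than letters, digits and '-' are dropped and reported; in lenient
    mode every header is translated and a later header overwrites an earlier
    one that maps to the same variable name.
    """
    env: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers:
        if strict and not SAFE_HEADER_NAME.match(name):
            dropped.append(name)
            continue
        env[header_to_env_name(name)] = value
    return env, dropped


if __name__ == "__main__":
    # Constructed sample request headers: the second X_Forwarded_For name
    # carries underscores and collides with X-Forwarded-For after mapping.
    sample = [
        ("Host", "example.test"),
        ("X-Forwarded-For", "10.0.0.5"),
        ("X_Forwarded_For", "injected-value"),
    ]
    print("lenient:", headers_to_env(sample, strict=False))
    print("strict: ", headers_to_env(sample, strict=True))
```

In lenient mode the sample yields `HTTP_X_FORWARDED_FOR=injected-value`, because the underscore header maps to the same variable and wins; in strict mode that header is dropped and the variable keeps `10.0.0.5`. Any downstream consumer of the environment (CGI scripts, SSI, mod_rewrite conditions on `%{ENV:...}`) is what the stricter translation protects.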

New in version 2.3.15 Beta (November 21st, 2011)

  • SECURITY: CVE-2011-3348 (cve.mitre.org)
  • mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized.
  • SECURITY: CVE-2011-3192 (cve.mitre.org)
  • core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file. PR 51714.
  • SECURITY: CVE-2011-3607 (cve.mitre.org)
  • core: Fix integer overflow in ap_pregsub. This can be triggered e.g. with mod_setenvif via a malicious .htaccess.
  • configure: Load all modules in the generated default configuration when using --enable-load-all-modules.
  • mod_reqtimeout: Change the default to set some reasonable timeout values.
  • core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove the inode. PR 49623.
  • mod_lua: Expose SSL variables via r:ssl_var_lookup().
  • mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName} can now additionally be run as "early" or "late" relative to other modules.
  • configure: By default, only load those modules that are either required or explicitly selected by a configure --enable-foo argument. The LoadModule statements for modules enabled by --enable-mods-shared=most and friends will be commented out.
  • mod_lua: Prevent early Lua hooks (LuaHookTranslateName and LuaHookQuickHandler) from being configured in , , and htaccess where the configuration would have been ignored.
  • mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors in LuaMapHandler scripts
  • mod_log_debug: Rename optional argument from if= to expr=, to be more in line with other config directives.
  • mod_headers: Require an expression to be specified with expr=, to be more in line with other config directives.
  • mod_substitute: To prevent excessive memory usage, limit line length to 1MB.
  • mod_lua: Make the query string (r.args) writable.
  • mod_include: Add support for application/x-www-form-urlencoded encoding and decoding.
  • rotatelogs: Add -c option to force logfile creation in every rotation interval, even if empty.
  • core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings.
  • mod_session_crypto: Refactor to support the new apr_crypto API.
  • http: Add missing Location header if local URL-path is used as ErrorDocument for 30x.
  • mod_buffer: Make sure we step down for subrequests, but not for internal redirects triggered by mod_rewrite.
  • mod_lua: add r:construct_url as a wrapper for ap_construct_url.
  • mod_remote_ip: Fix configuration of internal proxies. PR 49272.
  • mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific server IP endpoint and remote client IP upon connection.
  • mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with PeerExtList().
  • mpm_prefork, mpm_worker, mpm_event: If a child is created just before graceful restart and then exits because of a missing lock file, don't shutdown the whole server. PR 39311.
  • mpm_event: Check the return value from ap_run_create_connection. PR: 41194.
  • mod_mime_magic: Add signatures for PNG and SWF to the example config. PR: 48352.
  • core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items from the parsed (or default) config. This is useful for init scripts that need to set up temporary directories and permissions.
  • core, mod_actions, mod_asis: Downgrade error log messages which accompany a 404 request status from loglevel error to info. PR: 35768.
  • core: Fix hook sorting with Perl modules. PR: 45076.
  • core: Enforce LimitRequestFieldSize after multiple headers with the same name have been merged.
  • mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory usage. PR 51618.
  • mod_ssl: At startup, when checking a server certificate whether it matches the configured ServerName, also take dNSName entries in the subjectAltName extension into account. PR 32652, PR 47051.
  • mod_substitute: Reduce memory usage and copying of data. PR 50559.
  • mod_ssl/proxy: enable the SNI extension for backend TLS connections
  • Add wrappers for malloc, calloc, realloc that check for out of memory situations and use them in many places. PR 51568, PR 51569, PR 51571.
  • Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is false but RLIMIT_* are defined. PR51371.
  • core: Correctly obey ServerName / ServerAlias if the Host header from the request matches the VirtualHost address. PR 51709.
  • mod_unique_id: Use random number generator to initialize counter. PR 45110.
  • core: Add convenience API for apr_random.
  • core: Add MaxRangeOverlaps and MaxRangeReversals directives to control the number of overlapping and reversing ranges (respectively) permitted before returning the entire resource, with a default limit of 20.
  • mod_ldap: Optional function uldap_ssl_supported(r) always returned false if called from a virtual host with mod_ldap directives in it. Did not affect mod_authnz_ldap's usage of mod_ldap.
  • mod_filter: Instead of dropping the Accept-Ranges header when a filter registered with AP_FILTER_PROTO_NO_BYTERANGE is present, set the header value to "none".
  • core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none' in the case Ranges are being ignored with MaxRanges none.
  • mod_ssl: revamp CRL-based revocation checking when validating certificates of clients or proxied servers. Completely delegate CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck directive for controlling the revocation checking mode.
  • core: Add MaxRanges directive to control the number of ranges permitted before returning the entire resource, with a default limit of 200.
  • mod_cache: Ensure that CacheDisable can correctly appear within a LocationMatch.
  • mod_cache: Fix the moving of the CACHE filter, which erroneously stood down if the original filter was not added by configuration.
  • mod_ssl: improve certificate error logging. PR 47408.
  • mod_authz_groupfile: Increase length limit of lines in the group file to 16MB. PR 43084.
  • core: Increase length limit of lines in the configuration file to 16MB. PR 45888. PR 50824.
  • core: Add API for resizable buffers.
  • mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such as Tivoli Directory Server 6.3 and later.
  • mod_ldap: Change default number of retries from 10 to 3, and add an LDAPRetries and LDAPRetryDelay directives.
  • mod_authnz_ldap: Don't retry during authentication, because this just multiplies the ample retries already being done by mod_ldap.
  • configure: Allow explicitly disabling modules even with module selection 'reallyall'.
  • mod_rewrite: Check validity of each internal (int:) RewriteMap even if the RewriteEngine is disabled in server context, avoiding a crash while referencing the invalid int: map at runtime. PR 50994.
  • mod_ssl, configure: require OpenSSL 0.9.7 or later.
  • mod_ssl: remove ssl_toolkit_compat layer.
  • mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
  • mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the cookie is set when modules such as mod_rewrite trigger a redirect. Also use r->err_headers_out for the cookie, for the same reason. PR29755.
  • mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and 'proxy-source-port' request notes for logging. PR 30195.
  • configure: Enable ldap modules in 'all' and 'most' selections if ldap is compiled into apr-util.
  • core: Add an ap_check_cmd_context() check for whether a command is executed in a .htaccess file.
  • mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.
  • mod_authn_socache: Fix to work in .htaccess if not configured anywhere in httpd.conf, and introduce an AuthnCacheEnable directive. PR 51991
  • mod_xml2enc: new (formerly third-party) module supporting internationalisation for filters via smart charset sniffing and conversion.
  • mod_proxy_html: new (formerly third-party) module to fix up HTML links in a reverse proxy situation, where a backend generates URLs that are not resolvable by clients.
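The byte-range handling from the CVE-2011-3192 entry (ignore the ranges when their sum exceeds the resource) together with the MaxRanges, MaxRangeOverlaps and MaxRangeReversals limits from the later entries in this list, as one added example. This is not httpd's code: the Range header parsing is a simplified reading of the `bytes=` syntax, the way overlaps and reversals are counted between consecutive ranges is an assumption of this model, and the defaults (200, 20, 20) are taken from the entries above.

```python
"""Model of byte-range request limiting (added illustration, not httpd code).

Implements the decision the changelog describes: fall back to sending the
whole resource when the Range header is unusable, when there are too many
ranges, when the requested bytes add up to more than the resource
(CVE-2011-3192), or when too many ranges overlap or run backwards.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Range = Tuple[int, int]  # inclusive (start, end) byte offsets


@dataclass
class RangeLimits:
    max_ranges: int = 200    # MaxRanges default named in the changelog
    max_overlaps: int = 20   # MaxRangeOverlaps default named in the changelog
    max_reversals: int = 20  # MaxRangeReversals default named in the changelog


def parse_byte_ranges(header: str, size: int) -> Optional[List[Range]]:
    """Parse 'bytes=a-b,c-,-d' into inclusive (start, end) pairs.

    Returns None when the header is syntactically unusable. Ranges that
    cannot be satisfied (start beyond the end of the resource) are skipped;
    ends past the resource are clipped. Simplified model, not RFC-complete.
    """
    if not header.startswith("bytes="):
        return None
    out: List[Range] = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        if "-" not in spec:
            return None
        first, last = spec.split("-", 1)
        try:
            if first == "" and last != "":
                n = int(last)                 # suffix range: last n bytes
                if n <= 0:
                    continue
                start, end = max(0, size - n), size - 1
            elif first != "":
                start = int(first)
                end = int(last) if last != "" else size - 1
                if start >= size:
                    continue                  # unsatisfiable, skip it
                end = min(end, size - 1)
                if end < start:
                    return None
            else:
                return None                   # bare "-" is not a range
        except ValueError:
            return None
        out.append((start, end))
    return out


def decide_ranges(header: str, size: int,
                  limits: Optional[RangeLimits] = None):
    """Return ('full', None) to send the entire resource, else ('partial', ranges)."""
    if limits is None:
        limits = RangeLimits()
    ranges = parse_byte_ranges(header, size)
    if not ranges:
        return ("full", None)
    if len(ranges) > limits.max_ranges:
        return ("full", None)
    # CVE-2011-3192 mitigation: requested bytes must not exceed the resource.
    if sum(end - start + 1 for start, end in ranges) > size:
        return ("full", None)
    overlaps = reversals = 0
    for i in range(1, len(ranges)):
        prev_start, prev_end = ranges[i - 1]
        cur_start, _ = ranges[i]
        if cur_start < prev_start:
            reversals += 1                    # range runs backwards
        elif cur_start <= prev_end:
            overlaps += 1                     # range overlaps its predecessor
    if overlaps > limits.max_overlaps or reversals > limits.max_reversals:
        return ("full", None)
    return ("partial", ranges)


if __name__ == "__main__":
    # Constructed sample headers against a 1000-byte resource.
    for hdr in ("bytes=0-99,200-299", "bytes=-100", "bytes=0-,0-,0-"):
        print(hdr, "->", decide_ranges(hdr, 1000))
```

The third sample in the block (`bytes=0-,0-,0-`) is the shape of request the CVE entry is about: each range is satisfiable on its own, but together they ask for three times the resource, so the header is ignored and the file is sent once. The overlap and reversal counters catch the variant where many small ranges stay under the size total; tightening `RangeLimits` is the equivalent of lowering the corresponding directives.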

New in version 2.3.12 Beta (May 24th, 2011)

  • This release includes the Apache Portable Runtime (APR) version 1.4.5 and APR-Util version 1.3.12 in a separate -deps tarball. The APR libraries must be upgraded for all features of httpd to operate correctly.