
CHANGELOG

What's New in version 2.4.46:

  • SECURITY: CVE-2020-11984 (cve.mitre.org) mod_proxy_uwsgi: Malicious request may result in information disclosure or RCE of existing file on the server running under a malicious process environment. [Yann Ylavic]

What's New in version 2.4.38:

  • mod_ssl: Clear retry flag before aborting client-initiated renegotiation. PR 63052 [Joe Orton]
  • mod_negotiation: Treat LanguagePriority as case-insensitive to match AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]
  • mod_md: Incorrect behaviour when synchronizing ongoing ACME challenges has been fixed. [Michael Kaufmann, Stefan Eissing]
  • mod_setenvif: We can have expressions that become true if a regex pattern in the expression does NOT match. In this case val is NULL and we should just set the value for the environment variable like in the pattern case. [Ruediger Pluem]
  • mod_session: Always decode session attributes early. [Hank Ibell]
  • core: Incorrect values for environment variables are substituted when multiple environment variables are specified in a directive. [Hank Ibell]
  • mod_rewrite: Only create the global mutex used by 'RewriteMap prg:' when this type of map is present in the configuration. PR 62311. [Hank Ibell]
  • mod_dav: Fix invalid Location header when a resource is created by passing an absolute URI on the request line. [Jim Jagielski]
  • mod_session_cookie: avoid duplicate Set-Cookie header in the response. [Emmanuel Dreyfus, Luca Toscano]
  • mod_ssl: clear *SSL errors before loading certificates and checking afterwards. Otherwise errors are reported when other SSL using modules are in play. Fixes PR 62880. [Michael Kaufmann]
  • mod_ssl: Fix the error code returned in an error path of 'ssl_io_filter_handshake()'. This messed up the error handling performed in 'ssl_io_filter_error()'. [Yann Ylavic]
  • mod_ssl: Fix $HTTPS definition for 'SSLEngine optional' case, and fix authz provider so 'Require ssl' works correctly in HTTP/2. PR 61519, 62654. [Joe Orton, Stefan Eissing]
  • mod_proxy: If ProxyPassReverse is used for reverse mapping of relative redirects, subsequent ProxyPassReverse statements, whether they are relative or absolute, may fail. PR 60408. [Peter Haworth]
  • mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1]

What's New in version 2.4.35:

  • http: Enforce consistently no response body with both 204 and 304 statuses. [Yann Ylavic]
  • mod_status: Cumulate CPU time of exited child processes in the 'cu' and 'cs' values. Add CPU time of the parent process to the 'c' and 's' values. [Rainer Jung]
  • mod_proxy: Improve the balancer member data shown in mod_status when 'ProxyStatus' is 'On': add 'busy' count and show byte counts in auto mode always in units of kilobytes. [Rainer Jung]
  • mod_status: Add cumulated response duration time in milliseconds. [Rainer Jung]
  • mod_status: Complete the data shown for async MPMs in 'auto' mode. Added number of processes, number of stopping processes and number of busy and idle workers. [Rainer Jung]
  • mod_ratelimit: Don't interfere with 'chunked' encoding, fixing regression introduced in 2.4.34. PR 62568. [Yann Ylavic]
  • mod_proxy: Remove load order and link dependency between mod_lbmethod_* modules and mod_proxy. PR 62557. [Ruediger Pluem, William Rowe]
  • Allow the argument to , , , , and to be quoted. This is primarily for the benefit of . [Eric Covener]
  • mod_watchdog: Correct some log messages. [Rainer Jung]
  • mod_md: When the last domain name from an MD is moved to another one, that now empty MD gets moved to the store archive. PR 62572. [Stefan Eissing]
  • mod_ssl: Fix merging of SSLOCSPOverrideResponder. [Jeff Trawick, Frank Meier]
  • mod_proxy_balancer: Restore compatibility with APR 1.4. [Joe Orton]
  • [Apache 2.3.0-dev includes those bug fixes and changes with the Apache 2.2.xx tree as documented, and except as noted, below.]

What's New in version 2.4.34:

  • Introduce zh-cn and zh-tw (simplified and traditional Chinese) error document translations. [CodeingBoy, popcorner]
  • event: avoid possible race conditions with modules on the child pool. [Stefan Fritsch]
  • mod_proxy: Fix a corner case where the ProxyPassReverseCookieDomain or ProxyPassReverseCookiePath directive could fail to update correctly 'domain=' or 'path=' in the 'Set-Cookie' header. PR 61560. [Christophe Jaillet]
  • mod_ratelimit: fix behavior when proxying content. PR 62362. [Luca Toscano, Yann Ylavic]
  • core: Re-allow '_' (underscore) in hostnames. [Eric Covener]
  • mod_authz_core: If several parameters are used in an AuthzProviderAlias directive and these parameters are not enclosed in quotation marks, only the first one is handled; the other ones are silently ignored. Add a message to warn about such a spurious configuration. PR 62469 [Hank Ibell, Christophe Jaillet]

  • mod_md: improvements and bugfixes:
      • MDNotifyCmd now takes additional parameters that are passed on to the called command.
      • ACME challenges have better checks for interference with other modules.
      • ACME challenges are only handled for domains managed by the module, allowing other ACME clients to operate for other domains in the server.
      • better libressl integration.
  • mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'. PR 62480. [Lubos Uhliarik]
  • logging: Some early logging-related startup messages could be lost when using syslog for the global ErrorLog. [Eric Covener]
  • mod_cache: Handle case of an invalid Expires header value RFC compliant like the case of an Expires time in the past: allow to overwrite the non-caching decision using CacheStoreExpired and respect Cache-Control 'max-age' and 's-maxage'. [Rainer Jung]
  • mod_xml2enc: Fix forwarding of error metadata/responses. PR 62180. [Micha Lenk, Yann Ylavic]
  • mod_proxy_http: Fix response header thrown away after the previous one was considered too large and truncated. PR 62196. [Yann Ylavic]
  • core: Add and handle AP_GETLINE_NOSPC_EOL flag for ap_getline() family of functions to consume the end of line when the buffer is exhausted. PR 62198. [Yann Ylavic]
  • mod_proxy_http: Add new worker parameter 'responsefieldsize' to allow maximum HTTP response header size to be increased past 8192 bytes. PR 62199. [Hank Ibell]
  • mod_ssl: Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a certificate chain. PR 62112. [Ricardo Martin Camarero]
  • http: Fix small memory leak per request when handling persistent connections. [Ruediger Pluem, Joe Orton]
  • mod_proxy_html: Fix variable interpolation and memory allocation failure in ProxyHTMLURLMap. [Ewald Dieterich]
  • mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30. PR 62220. [Christophe Jaillet, Yann Ylavic]
  • mod_remoteip: When overriding the useragent address from X-Forwarded-For, zero out what had been initialized as the connection-level port. PR 59931. [Hank Ibell]
  • core: In ONE_PROCESS/debug mode, cleanup everything when exiting. [Yann Ylavic]
  • mod_proxy_balancer: Add hot spare member type and corresponding flag (R). Hot spare members are used as drop-in replacements for unusable workers in the same load balancer set. This differs from hot standbys which are only used when all workers in a set are unusable. PR 61140. [Jim Riggs]
  • suexec: Add --enable-suexec-capabilites support on Linux, to use setuid/setgid capability bits rather than a setuid root binary. [Joe Orton]
  • suexec: Add support for logging to syslog as an alternative to logging to a file; use --without-suexec-logfile --with-suexec-syslog. [Joe Orton]
  • mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling which broke some rare but previously-working configs. [Joe Orton]
  • core, log: improve sanity checks for the ErrorLog's syslog config, and explicitly allow only lowercase 'syslog' settings. PR 62102 [Luca Toscano, Jim Riggs, Christophe Jaillet]
  • mod_http2: accurate reporting of h2 data input/output per request via mod_logio. Fixes an issue where output sizes were counted n-times on reused slave connections. [Stefan Eissing] See github issue: https://github.com/icing/mod_h2/issues/158
  • mod_http2: Fix unnecessary timeout waits in case streams are aborted. [Stefan Eissing]
  • mod_http2: restoring the v1.10.16 keepalive timeout behaviour of mod_http2. [Stefan Eissing]
  • mod_proxy: Do not restrict the maximum pool size for backend connections any longer by the maximum number of threads per process and use a better default if mod_http2 is loaded. [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Gregg Smith]
  • mod_slotmem_shm: Add generation number to shm filename to fix races with graceful restarts. PRs 62044 and 62308. [Jim Jagielski, Yann Ylavic]
  • core: Preserve the original HTTP request method in the '%]
  • mod_remoteip: make proxy-protocol work on slave connections, e.g. in HTTP/2 requests. [Stefan Eissing] See also https://github.com/roadrunner2/mod-proxy-protocol/issues/6
  • mod_ssl: Fix merging of proxy SSL context outside sections, regression introduced in 2.4.30. PR 62232. [Rainer Jung, Yann Ylavic]
  • mod_md: Fix compilation with OpenSSL before version 1.0.2. [Rainer Jung]
  • mod_dumpio: do nothing below log level TRACE7. [Yann Ylavic]
  • mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard). [Eric Covener]
  • core: On EBCDIC platforms, some errors related to oversized headers may be misreported or be logged as ASCII escapes. PR 62200 [Hank Ibell]
  • mod_ssl: Fix cmake-based build. PR 62266. [Rainer Jung]
  • core: Add , and conditional section containers. [Eric Covener, Joe Orton]

What's New in version 2.4.32:

  • mod_access_compat: Fail if a comment is found in an Allow or Deny directive. [Jan Kaluza]
  • mod_authz_host: Ignore comments after 'Require host', logging a warning, or logging an error if the line is otherwise empty. [Jan Kaluza, Joe Orton]
  • rotatelogs: Fix expansion of Z in localtime (-l) mode, and fix Y2K38 bug. [Joe Orton]
  • mod_ssl: Support SSL DN raw variable extraction without conversion to UTF-8, using _RAW suffix on variable names. [Joe Orton]
  • ab: Fix https:// connection failures (regression in 2.4.30); fix crash generating CSV output for large -n. [Joe Orton, Jan Kaluza]

What's new in version 2.4.18:

  • mod_ssl: for all ssl_engine_vars.c lookups, fall back to master connection if conn_rec itself holds no valid SSLConnRec*. Fixes PR 58666
  • mod_http2: connection level window for flow control is set to protocol maximum of 2GB-1, preventing window exhaustion when sending data on many streams with higher cumulative window size
  • Reducing write frequency unless push promises need to be flushed
  • mod_http2: required minimum version of libnghttp2 is 1.2.1
  • mod_proxy_fdpass: Fix AH01153 error when using the default configuration. In earlier versions of httpd, you can explicitly set the 'flusher' parameter to 'flush' as a workaround (i.e. flusher=flush). Add documentation for the 'flusher' parameter when defining a proxy worker
  • mod_ssl: For the 'SSLStaplingReturnResponderErrors off' case, make sure to only staple responses with certificate status 'good'.
  • mod_http2: new directive 'H2PushPriority' to allow priority specifications on server pushed streams according to their content-type
  • mod_http2: fixes crash on connection abort for a busy connection; fixes crash on a request that did not produce any response
  • mod_http2: trailers are sent after response body if set in request_rec trailers_out before the end-of-request bucket is sent through the output filters.
  • mod_http2: incoming trailers (headers after request body) are properly forwarded to the processing engine.
  • mod_http2: new directive 'H2Push' to en-/disable HTTP/2 server pushes for a server/virtual host. Pushes are initiated by the presence of 'Link:' headers with relation 'preload' on a response.
  • mod_http2: write performance of http2 improved for larger resources, especially static files.
  • core: if the first HTTP/1.1 request on a connection goes to a server that prefers different protocols, these protocols are announced in an Upgrade header on the response, mentioning the preferred protocols
  • mod_http2: new directives 'H2TLSWarmUpSize' and 'H2TLSCoolDownSecs' to control TLS record sizes during connection lifetime
  • mod_http2: new directive 'H2ModernTLSOnly' to enforce security requirements of RFC 7540 on TLS connections
  • core: add ap_get_protocol_upgrades() to retrieve the list of protocols that a client could possibly upgrade to. Use in first request on a connection to announce protocol choices.
  • mod_http2: reworked deallocation on connection shutdown and worker abort. Separate parent pool for all workers. worker threads are joined on planned worker shutdown.
  • mod_ssl: when receiving requests for other virtual hosts than the handshake server, the SSL parameters are checked for equality. With equal configuration, requests are passed for processing. Any change will trigger the old behaviour of '421 Misdirected Request'
  • SSL now remembers the cipher suite that was used for the last handshake. This is compared against for any vhost/directory cipher specification. Detailed examination of renegotiation is only done when these do not match
  • Renegotiation is 403ed when a master connection is present. Exact reason is given additionally in a request note.
  • core: Fix scoreboard crash (SIGBUS) on hardware requiring strict 64bit alignment (SPARC64, PPC64).
  • mod_cache: Accept HT (Horizontal Tab) when parsing cache related header fields as described in RFC7230.
  • core/util_script: making REDIRECT_URL a full URL is now opt-in via new 'QualifyRedirectURL' directive
  • core: Limit to ten the number of tolerated empty lines between requests and consume them before the pipelining check to avoid possible response delay when reading the next request without flushing.
  • mod_ssl: Extend expression parser registration to support ssl variables in any expression using mod_rewrite syntax '{SSL:VARNAME}' or function syntax 'ssl(VARNAME)'.

What's New in version 2.2.22:

  • SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations. [Joe Orton]
  • SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file. [Stefan Fritsch, Greg Ames]
  • SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations. [Joe Orton]
  • SECURITY: CVE-2012-0021 (cve.mitre.org) mod_log_config: Fix segfault (crash) when the '{cookiename}C' log format string is in use and a client sends a nameless, valueless cookie, causing a denial of service. The issue existed since version 2.2.17. PR 52256. [Rainer Canavan]
  • SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process to cause the parent to crash at shutdown rather than terminate cleanly. [Joe Orton]
  • SECURITY: CVE-2012-0053 (cve.mitre.org) Fix an issue in error responses that could expose 'httpOnly' cookies when no custom ErrorDocument is specified for status code 400. [Eric Covener]
  • mod_proxy_ajp: Try to prevent a single long request from marking a worker in error. [Jean-Frederic Clere]
  • config: Update the default mod_ssl configuration: Disable SSLv2, only allow >= 128bit ciphers, add commented example for speed optimized cipher list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]
  • core: Fix segfault in ap_send_interim_response(). PR 52315. [Stefan Fritsch]
  • mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch]
  • mod_win32: Invert logic for env var UTF-8 fixing. Now we exclude a list of vars which we know for sure don't hold UTF-8 chars; all other vars will be fixed. This has the benefit that now also all vars from 3rd-party modules will be fixed. PR 13029 / 34985. [Guenter Knauf]
  • core: Fix hook sorting for Perl modules, a regression introduced in 2.2.21. PR: 45076. [Torsten Förtsch]
  • Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20: A range of '0-' will now return 206 instead of 200. PR 51878. [Jim Jagielski]
  • Example configuration: Fix entry for MaxRanges (use 'unlimited' instead of '0'). [Rainer Jung]
  • mod_substitute: Fix buffer overrun. [Ruediger Pluem, Rainer Jung]

What's New in version 2.2.21:

  • SECURITY: CVE-2011-3348 (cve.mitre.org) mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized. [Jean-Frederic Clere]
  • Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20. PR 51748.
  • mod_filter: Instead of dropping the Accept-Ranges header when a filter registered with AP_FILTER_PROTO_NO_BYTERANGE is present, set the header value to 'none'. [Eric Covener, Ruediger Pluem]
  • mod_proxy_ajp: Ignore flushing if headers have not been sent. PR 51608 [Ruediger Pluem]
  • mod_dav_fs: Fix segfault if apr DBM driver cannot be loaded. PR 51751. [Stefan Fritsch]
  • mod_alias: Adjust log severity of 'incomplete redirection target' message. PR 44020.
  • mod_rewrite: Check validity of each internal (int:) RewriteMap even if the RewriteEngine is disabled in server context, avoiding a crash while referencing the invalid int: map at runtime. PR 50994. [Ben Noordhuis]
  • core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none' in the case Ranges are being ignored with MaxRanges none. [Eric Covener]
  • mod_proxy_ajp: Respect 'reuse' flag in END_REPONSE packets. [Rainer Jung]

What's New in version 2.2.20:

  • SECURITY: CVE-2011-3192 (cve.mitre.org) core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file. PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
  • mod_authnz_ldap: If the LDAP server returns constraint violation, don't treat this as an error but as 'auth denied'. [Stefan Fritsch]
  • mod_filter: Fix FilterProvider conditions of type 'resp=' (response headers) for CGI. [Joe Orton, Rainer Jung]
  • mod_reqtimeout: Fix a timed out connection going into the keep-alive state after a timeout when discarding a request body. PR 51103. [Stefan Fritsch]
  • core: Do the hook sorting earlier so that the hooks are properly sorted for the pre_config hook and during parsing the config. [Stefan Fritsch]
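The following is an added worked example and not Apache's own code: it models the byte-range policy described in the CVE-2011-3192 entry above (ignore the ranges and send the complete file when their cumulative length exceeds the file), together with the 2.2.22 regression fix (a lone '0-' range, whose length equals the file size, must still yield 206) and the 2.2.21 handling of MaxRanges none|unlimited|default (with 'Accept-Ranges: none' when ranges are ignored by MaxRanges none). It assumes a numeric MaxRanges default of 200 (httpd's documented default, which this changelog does not state) and that a malformed Range header is treated as if absent; the function and class names are this example's own.

```python
# Added illustration of the byte-range policy from the CVE-2011-3192 entry,
# the "0-" regression fix (2.2.22) and MaxRanges (2.2.21). Not Apache code.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

ByteRange = Tuple[int, int]          # inclusive (first, last) byte offsets

# Assumption: httpd documents 200 as the MaxRanges default; not stated on this page.
MAX_RANGES_DEFAULT = 200


@dataclass
class RangeDecision:
    status: int                                   # 200 whole file, 206 partial, 416 unsatisfiable
    ranges: List[ByteRange] = field(default_factory=list)   # ranges served with a 206
    accept_ranges: str = "bytes"                  # value to advertise in Accept-Ranges
    reason: str = ""                              # why ranges were or were not honoured


def parse_byte_ranges(header: str, size: int) -> Optional[List[ByteRange]]:
    """Parse 'bytes=a-b,c-,-d' into satisfiable inclusive ranges for a file of `size` bytes.

    Returns None when the header is syntactically invalid.  Specs that are
    merely unsatisfiable (start beyond EOF, '-0') are dropped, so an empty
    list means "nothing satisfiable" rather than "malformed".
    """
    if not header.lower().startswith("bytes="):
        return None
    if size == 0:                                 # nothing can be satisfied on an empty file
        return []
    ranges: List[ByteRange] = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        if not spec:
            continue
        first, sep, last = spec.partition("-")
        if not sep or (not first and not last):
            return None                           # no dash, or a bare '-'
        if (first and not first.isdigit()) or (last and not last.isdigit()):
            return None                           # non-numeric offsets
        if not first:                             # suffix form '-N': the last N bytes
            n = int(last)
            if n == 0:
                continue
            ranges.append((max(0, size - n), size - 1))
            continue
        start = int(first)
        end = int(last) if last else size - 1     # 'a-' runs to end of file
        if last and end < start:
            return None                           # '5-3' is a syntax error per the spec
        if start >= size:
            continue                              # unsatisfiable, skip
        ranges.append((start, min(end, size - 1)))
    return ranges


def decide(range_header: Optional[str], size: int,
           max_ranges: Union[int, str] = "default") -> RangeDecision:
    """Decide how to answer a request for a `size`-byte file under the given MaxRanges setting."""
    if max_ranges == "none":                      # MaxRanges none: ranges ignored, advertise none
        return RangeDecision(200, accept_ranges="none", reason="MaxRanges none")
    if not range_header:
        return RangeDecision(200, reason="no Range header")
    ranges = parse_byte_ranges(range_header, size)
    if ranges is None:
        return RangeDecision(200, reason="malformed Range header ignored")
    if not ranges:
        return RangeDecision(416, reason="no satisfiable range")
    limit = MAX_RANGES_DEFAULT if max_ranges == "default" else max_ranges
    if limit != "unlimited" and len(ranges) > limit:
        return RangeDecision(200, reason=f"{len(ranges)} ranges exceed MaxRanges {limit}")
    # CVE-2011-3192 check: total requested bytes must not exceed the file.
    # Strictly greater, so a lone '0-' (exactly the file size) still gets 206.
    total = sum(end - start + 1 for start, end in ranges)
    if total > size:
        return RangeDecision(200, reason=f"ranges cover {total} bytes of a {size}-byte file")
    return RangeDecision(206, ranges=ranges, reason="ranges honoured")


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical 1000-byte file.
    for hdr in ("bytes=0-", "bytes=0-499,200-999,0-", "bytes=-100", "bytes=2000-3000"):
        d = decide(hdr, 1000)
        print(f"{hdr:28} -> {d.status} {d.reason}")
```

The decisive line is the strict `total > size` comparison: the 2.2.20 fix ignored ranges whose sum was not smaller than the file, which turned a plain `0-` into a 200 response, and 2.2.22 restored 206 for that case.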

What's New in version 2.2.19:

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.19 of the Apache HTTP Server ('Apache'). This version of Apache is principally a bug fix release, correcting regressions in the httpd 2.2.18 package; the use of that previous 2.2.18 package is discouraged due to these flaws:

  • SECURITY: CVE-2011-1928 (cve.mitre.org) A fix in bundled APR 1.4.4 apr_fnmatch() to address CVE-2011-0419 introduced a new vulnerability. httpd workers enter a hung state (100 percent cpu utilization) after updating to APR 1.4.4. Upgrading to APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3 or prior with the 'IgnoreClient' option of the 'IndexOptions' directive will circumvent both issues.
  • httpd 2.2.18: The ap_unescape_url_keep2f() function signature was inadvertently changed. This breaks binary compatibility of a number of third-party modules. This httpd-2.2.19 package restores the function signature provided by 2.2.17 and prior.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

What's New in version 2.2.18:

  • Log an error for failures to read a chunk-size, and return 408 instead of 413 when this is due to a read timeout. This change also fixes some cases of two error documents being sent in the response for the same scenario. [Eric Covener] PR 49167
  • core: Only log a 408 if it is not a keepalive timeout. PR 39785 [Ruediger Pluem, Mark Montague]
  • core: Treat timeout reading request as 408 error, not 400. Log 408 errors in access log as was done in Apache 1.3.x. PR 39785 [Nobutaka Mantani, Stefan Fritsch, Dan Poirier]
  • Core HTTP: disable keepalive when the Client has sent Expect: 100-continue but we respond directly with a non-100 response. Keepalive here led to data from clients continuing being treated as a new request. PR 47087. [Nick Kew]
  • htpasswd: Change the default algorithm for htpasswd to MD5 on all platforms. Crypt with its 8 character limit is not useful anymore; improve out of disk space handling (PR 30877); print a warning if a password is truncated by crypt. [Stefan Fritsch]
  • mod_win32: Added shebang check for '! so that .vbs scripts work as CGI. Win32's cscript interpreter can only use a single quote as comment char. [Guenter Knauf]
  • configure: Fix htpasswd/htdbm libcrypt link errors with some newer linkers. [Stefan Fritsch]
  • MinGW build improvements. PR 49535. [John Vandenberg, Jeff Trawick]
  • mod_ssl, ab: Support OpenSSL compiled without SSLv2 support. [Stefan Fritsch]
  • core: AllowEncodedSlashes new option NoDecode to allow encoded slashes in request URL path info but not decode them. PR 35256, PR 46830. [Dan Poirier]
  • mod_rewrite: Allow to unset environment variables. PR 50746. [Rainer Jung]
  • suEXEC: Add Suexec directive to disable suEXEC without renaming the binary (Suexec Off), or force startup failure if suEXEC is required but not supported (Suexec On). [Jeff Trawick]
  • mod_proxy: Put the worker in error state if the SSL handshake with the backend fails. PR 50332. [Daniel Ruggeri, Ruediger Pluem]
  • prefork: Update MPM state in children during a graceful restart. Allow the HTTP connection handling loop to terminate early during a graceful restart. PR 41743. [Andrew Punch]
  • mod_ssl: Correctly read full lines in input filter when the line is incomplete during first read. PR 50481. [Ruediger Pluem]
  • mod_autoindex: Merge IndexOptions from server to directory context when the directory has no mod_autoindex directives. PR 47766. [Eric Covener]
  • mod_cache: Make sure that we never allow a 304 Not Modified response that we asked for to leak to the client should the 304 response be uncacheable. PR 45341 [Graham Leggett]
  • mod_dav: Send 400 error if malformed Content-Range header is received for a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]
  • mod_userdir: Add merging of enable, disable, and filename arguments to UserDir directive, leaving enable/disable of userlists unmerged. PR 44076 [Eric Covener]
  • core: Honor 'AcceptPathInfo OFF' during internal redirects, such as per-directory mod_rewrite substitutions. PR 50349. [Eric Covener]
  • mod_cache: Check the request to determine whether we are allowed to return cached content at all, and respect a 'Cache-Control: no-cache' header from a client. Previously, 'no-cache' would behave like 'max-age=0'. [Graham Leggett]
  • mod_mem_cache: Add a debug msg when a streaming response exceeds MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary 'memory allocation failed' debug message. PR 49604. [Eric Covener]
  • proxy_connect: Don't give up in the middle of a CONNECT tunnel when the child process is starting to exit. PR 50220. [Eric Covener]

What's New in version 2.2.17:

  • prefork MPM: Run cleanups for final request when process exits gracefully to work around a flaw in apr-util. PR 43857. [Tom Donovan]
  • mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend connections and other protocol handlers (like mod_ftp). Enforce the timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering close time from 30 to 2 seconds. [Stefan Fritsch]
  • Proxy balancer: support setting error status according to HTTP response code from a backend. PR 48939. [Daniel Ruggeri]
  • mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the password to UTF-8. PR 45318. [Johannes Müller, Stefan Fritsch]
  • core: check symlink ownership if both FollowSymlinks and SymlinksIfOwnerMatch are set [Nick Kew]
  • core: fix origin checking in SymlinksIfOwnerMatch PR 36783 [Robert L Mathews]
  • mod_headers: Enable multi-match-and-replace edit option PR 46594 [Nick Kew]
  • mod_log_config: Make ${cookie}C correctly match whole cookie names instead of substrings. PR 28037. [Dan Franklin, Stefan Fritsch]
  • mod_dir, mod_negotiation: Pass the output filter information to newly created sub requests, as these are later on used as true requests with an internal redirect. This allows mod_cache et al. to trap the results of the redirect. PR 17629, 43939 [Dirk-Willem van Gulik, Jim Jagielski, Joe Orton, Ruediger Pluem]
  • rotatelogs: Fix possible buffer overflow if admin configures a mongo log file path. [Jeff Trawick]
  • mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]
  • vhost: A purely-numeric Host: header should not be treated as a port. PR 44979 [Nick Kew]
  • core: (re)-introduce -T commandline option to suppress documentroot check at startup. PR 41887 [Jan van den Berg]

What's New in version 2.2.16:

  • SECURITY: CVE-2010-1452 (cve.mitre.org) mod_dav, mod_cache: Fix Handling of requests without a path segment. PR: 49246 [Mark Drayton, Jeff Trawick]
  • SECURITY: CVE-2010-2068 (cve.mitre.org) mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection for platforms Windows, Netware and OS2. PR: 49417. [Rainer Jung]
  • core: Filter init functions are now run strictly once per request before handler invocation. The init functions are no longer run for connection filters. PR 49328. [Joe Orton]
  • mod_filter: enable it to act on non-200 responses. PR 48377 [Nick Kew]
  • mod_ldap: LDAP caching was suppressed (and ldap-status handler returns title page only) when any mod_ldap directives were used in VirtualHost context. [Eric Covener]
  • mod_ssl: Fix segfault at startup if proxy client certs are shared across multiple vhosts. PR 39915. [Joe Orton]
  • mod_proxy_http: Log the port of the remote server in various messages. PR 48812. [Igor Galic]
  • apxs: Fix -A and -a options to ignore whitespace in httpd.conf [Philip M. Gollucci]
  • mod_dir: add FallbackResource directive, to enable admin to specify an action to happen when a URL maps to no file, without resorting to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew]
  • mod_rewrite: Allow to set environment variables without explicitly giving a value. [Rainer Jung]