Apache Icon

Apache

Popular website server software.

ApacheOverview

Apache is the most popular Internet webserver application in the world. It's created by a collaborative effect of software developers.

The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. These volunteers are known as the Apache Group. In addition, hundreds of users have contributed ideas, code, and documentation to the project.

NEW

  • http: Fix LimitRequestBody checks when there is no more bytes to read.
  • mod_alias: Revert expression parser support for Alias, ScriptAlias and Redirect due to a regression (introduced in 2.4.13, not released).
  • mod_reqtimeout: Don't let pipelining checks and keep-alive times interfere with the timeouts computed for subsequent requests.
  • core: Avoid a possible truncation of the faulty header included in the HTML response when LimitRequestFieldSize is reached.
  • mod_ldap: In some case, LDAP_NO_SUCH_ATTRIBUTE could be returned instead of an error during a compare operation.
  • mod_ext_filter, mod_charset_lite: Avoid inadvertent filtering of protocol data during read of chunked request bodies.
  • mod_ldap: Stop leaking LDAP connections when 'LDAPConnectionPoolTTL 0' is configured.
  • core: Allow spaces after chunk-size for compatibility with implementations using a pre-filled buffer.
  • mod_ssl: Remove deprecated SSLCertificateChainFile warning.
  • SECURITY: CVE-2015-3183 (cve.mitre.org) core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters.
  • SECURITY: CVE-2015-3185 (cve.mitre.org) Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook.
  • SECURITY: CVE-2015-0253 (cve.mitre.org) core: Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11.
  • SECURITY: CVE-2015-0228 (cve.mitre.org) mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash.
  • mod_proxy: Don't put the worker in error state for 500 or 503 errors returned by the backend unless failonstatus is configured to.
  • core: Don't lowercase the argument to SetHandler if it begins with "proxy:unix".
  • mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing the OCSP response for a different certificate. mod_ssl has an additional global mutex, "ssl-stapling-refresh". PR 57131 (partial fix).
  • mod_authz_dbm: Fix crashes when "dbm-file-group" is used and authz modules were loaded in the "wrong" order.
  • mod_authn_dbd, mod_authz_dbd, mod_session_dbd, mod_rewrite: Fix lifetime of DB lookup entries independently of the selected DB engine..
  • In alignment with RFC 7525, the default recommended SSLCipherSuite and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the default recommended SSLProtocol and SSLProxyProtocol directives now exclude SSLv3. Existing configurations must be adjusted by the administrator.
  • mod_ssl: Add support for extracting subjectAltName entries of type rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n environment variables. Also addresses
  • dav_validate_request: avoid validating locks and ETags when there are no If headers providing them on a resource we aren't modifying.
  • mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate response header to be used by the application, for when the application or framework is unable to return Location in the internal-redirect form.
  • core: Cleanup the request soon/even if some output filter fails to handle the EOR bucket.
  • mpm_event: Allow for timer events duplicates.
  • mod_proxy, mod_ssl, mod_cache_socache, mod_socache_*: Support machine readable server-status produced when using the "?auto" query string.
  • mod_status: Add more data to machine readable server-status produced when using the "?auto" query string.
  • mod_ssl: Check for the Entropy Gathering Daemon (EGD) availability at configure time (RAND_egd), and complain if SSLRandomSeed requires using it otherwise.
  • mod_ssl: make sure to consistently output SSLCertificateChainFile deprecation warnings, when encountered in a VirtualHost block.
  • mod_log_config: Add "%{UNIT}T" format to output request duration in seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
  • Allow FallbackResource to work when a directory is requested and there is no autoindex nor DirectoryIndex.
  • mod_proxy_wstunnel: Bypass the handler while the connection is not upgraded to WebSocket, so that other modules can possibly take over the leading HTTP requests.
  • mod_http: Fix incorrect If-Match handling. PR 57358
  • mod_ssl: Add a warning if protocol given in SSLProtocol or SSLProxyProtocol will override other parameters given in the same directive. This could be a missing + or - prefix. PR 52820
  • core, modules: Avoid error response/document handling by the core if some handler or input filter already did it while reading the request (causing a double response body).
  • mod_proxy_ajp: Fix client connection errors handling and logged status when it occurs.
  • mod_proxy: Use the correct server name for SNI in case the backend SSL connection itself is established via a proxy server. PR 57139
  • mod_ssl: Fix possible crash when loading server certificate constraints.
  • build: Don't load both mod_cgi and mod_cgid in the default configuration if they're both built.
  • mod_logio: Add LogIOTrackTTFB and %^FB logformat to log the time taken to start writing response headers.
  • mod_ssl: Avoid compilation errors with LibreSSL related to the use of ENGINE_CTRL_CHIL_SET_FORKCHECK.
  • mod_proxy_http: Use the "Connection: close" header for requests to backends not recycling connections (disablereuse), including the default reverse and forward proxies.
  • mod_proxy: Add ap_connection_reusable() for checking if a connection is reusable as of this point in processing.
  • mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad Gateway) when no response is ever received from the backend.
  • core_filters: Restore/disable TCP_NOPUSH option after non-blocking sendfile.
  • mod_buffer: Forward flushed input data immediately and avoid (unlikely) access to freed memory.
  • core: Add CGIPassAuth directive to control whether HTTP authorization headers are passed to scripts as CGI variables.
  • core: Initialize scoreboard's used optional functions on graceful restarts to avoid a crash when relocation occurs.
  • mod_dav: Avoid a potential integer underflow in the lock timeout value sent back to a client. The answer to a LOCK request could be an extremly large integer if the time needed to lock the resource was longer that the requested timeout given in the LOCK request. In such a case, we now answer "Second-0". PR55420
  • mod_cgid: Within the first minute of a server start or restart, allow mod_cgid to retry connecting to its daemon process. Previously, 'No such file or directory: unable to connect to cgi daemon...' could be logged without an actual retry.
  • mod_proxy: Use the original (non absolute) form of the request-line's URI for requests embedded in CONNECT payloads used to connect SSL backends via a ProxyRemote forward-proxy.
  • http: Make ap_die() robust against any HTTP error code and not modify response status (finally logged) when nothing is to be done.
  • mod_proxy_connect/wstunnel: If both client and backend sides get readable at the same time, don't lose errors occuring while forwarding on the first side when none occurs next on the other side, and abort.
  • mod_rewrite: Improve relative substitutions in per-directory/htaccess context for directories found by mod_userdir and mod_alias. These no longer require RewriteBase to be specified.
  • mod_proxy_http: Don't expect the backend to ack the "Connection: close" to finally close those not meant to be kept alive by SetEnv proxy-nokeepalive or force-proxy-request-1.0.
  • core: If explicitly configured, use the KeepaliveTimeout value of the virtual host which handled the latest request on the connection, or by default the one of the first virtual host bound to the same IP:port.
  • mod_lua: After a r:wsupgrade(), mod_lua was not properly responding to a websockets PING but instead invoking the specified script.
  • mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides a combination of certificate serialNumber and issuer as defined by CertificateExactMatch in RFC4523.
  • core: Add expression support to ErrorDocument. Switch from a fixed sized 664 byte array per merge to a hash table.
  • ab: Add missing longest request (100%) to CSV export.
  • mod_macro: Clear macros before initialization to avoid use-after-free on startup or restart when the module is linked statically. PR 57525
  • mod_alias: Introduce expression parser support for Alias, ScriptAlias and Redirect.
  • mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
  • mpm_event: Avoid access to the scoreboard from the connection while it is suspended (waiting for events).
  • mod_ssl: Fix renegotiation failures redirected to an ErrorDocument..
  • mod_deflate: A misplaced check prevents limiting small bodies with the new inflate limits.
  • mod_proxy_ajp: Forward SSL protocol name (SSLv3, TLSv1.1 etc.) as a request attribute to the backend. Recent Tomcat versions will extract it and provide it as a servlet request attribute named "org.apache.tomcat.util.net.secure_protocol_version".
  • core: Optimize string concatenation in expression parser when evaluating a string expression.
  • acinclude.m4: Generate #LoadModule directive in default httpd.conf for every --enable-mpms-shared.
  • mod_authn_dbd: Fix the error message logged in case of error while querying the database. This is associated to AH01656 and AH01661.
  • mod_authz_groupfile: Reduce the severity of AH01667 from ERROR to DEBUG, because it may be evaluated inside RequireAny.
  • mod_ssl: Fix small memory leak during initialization when ECDH is used.
  • mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for internationalization.
  • mpm_winnt: Normalize the error and status messages emitted by service.c, the service control interface for Windows.
  • configure: Fix --enable-v4-mapped configuration on *BSD.
  • Reverted DirectoryMatch behavior regression introduced in 2.4.11 (not released).
  • SECURITY: CVE-2014-3583 (cve.mitre.org) mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with response headers' size above 8K.
  • SECURITY: CVE-2014-3581 (cve.mitre.org) mod_cache: Avoid a crash when Content-Type has an empty value.
  • SECURITY: CVE-2014-8109 (cve.mitre.org) mod_lua: Fix handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments. PR57204
  • SECURITY: CVE-2013-5704 (cve.mitre.org) core: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds "MergeTrailers" directive to restore legacy behavior.
  • mod_ssl: New directive SSLSessionTickets (OnOff). The directive controls the use of TLS session tickets (RFC 5077), default value is "On" (unchanged behavior). Session ticket creation uses a random key created during web server startup and recreated during restarts. No other key recreation mechanism is available currently. Therefore using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy.
  • mod_proxy_fcgi: Provide some basic alternate options for specifying how PATH_INFO is passed to FastCGI backends by adding significance to the value of proxy-fcgi-pathinfo.
  • mod_proxy_fcgi: Enable UDS backends configured with SetHandler/RewriteRule to opt-in to connection reuse and other Proxy options via explicitly declared "proxy workers" (Proxy unix:... enablereuse=on max=...)
  • mod_proxy: Add "enablereuse" option as the inverse of "disablereuse".
  • mod_proxy_fcgi: Enable opt-in to TCP connection reuse by explicitly setting proxy option disablereuse=off.
  • event: Update the internal "connection id" when requests move from thread to thread. Reuse can confuse modules like mod_cgid.
  • mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME passed to fastcgi backends.
  • core: Configuration files with long lines and continuation characters are not read properly.
  • mod_include: the 'env' function was incorrectly handled as 'getenv' if the leading 'e' was written in upper case in !--#if expr="..." -- statements.
  • split-logfile: Fix perl error: 'Can't use string ("example.org:80") as a symbol ref while "strict refs"'.
  • mod_proxy: Prevent ProxyPassReverse from doing a substitution when the URL parameter interpolates to an empty string.
  • core: Fix -D[efined] or Define[d] variables lifetime accross restarts..
  • mod_proxy: Preserve original request headers even if they differ from the ones to be forwarded to the backend.
  • mod_ssl: dump SSL IO/state for the write side of the connection(s), like reads (level TRACE4).
  • mod_proxy_fcgi: Ignore body data from backend for 304 responses.
  • mod_ssl: Do not crash when looking up SSL related variables during expression evaluation on non SSL connections. PR 57070
  • mod_proxy_ajp: Fix handling of the default port (8009) in the ProxyPass and Proxy configurations.
  • mpm_event: Avoid a possible use after free when notifying the end of connection during lingering close.
  • mod_ssl: Fix recognition of OCSP stapling responses that are encoded improperly or too large.
  • core: Add ap_log_data(), ap_log_rdata(), etc. for logging buffers.
  • mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an error when parsing or forwarding the response fails.
  • mod_ssl: Fix a memory leak in case of graceful restarts with OpenSSL >= 0.9.8e PR 53435
  • mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read determine whether it is a normal close or a real error.
  • mod_proxy_wstunnel: abort backend connection on polling error to avoid further processing.
  • core: Support custom ErrorDocuments for HTTP 501 and 414 status codes. PR 57167
  • mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC systems. PR 57092
  • mod_cache: Avoid a 304 response to an unconditional requst when an AH00752 CacheLock error occurs during cache revalidation.
  • mod_ssl: Move OCSP stapling information from a per-certificate store to a per-server hash. PR 54357,
  • mod_cache_socache: Change average object size hint from 32 bytes to 2048 bytes.
  • mod_cache_socache: Add cache status to server-status.
  • event: Fix worker-listener deadlock in graceful restart.
  • Concat strings at compile time when possible.
  • mod_substitute: Restrict configuration in .htaccess to FileInfo as documented.
  • mod_substitute: Make maximum line length configurable.
  • mod_substitute: Fix line length limitation in case of regexp plus flatten.
  • mod_proxy: Truncated character worker names are no longer fatal errors.
  • mod_dav: Set r->status_line in dav_error_response.
  • mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory.
  • http_protocol: fix logic in ap_method_list_(addremove) in order:
    • - to correctly reset bits
    • - not to modify the 'method_mask' bitfield unnecessarily
  • mod_slotmem_shm: Increase log level for some originally debug messages.
  • mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with the wrong credentials when a backend connection is reused.
  • mod_macro: Add missing APLOGNO for some Warning log messages.
  • mod_cache: Avoid sending 304 responses during failed revalidations
  • mod_status: Honor client IP address using mod_remoteip.
  • cmake-based build for Windows: Fix incompatibility with cmake 2.8.12 and later.
  • mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade failed) messages from ERROR to TRACE1. Other filters do not bother re-reporting failures from lower level filters.
  • core: Avoid useless warning message when parsing a section guarded by IfDefine foo if $(foo) is used within the section. PR 56503
  • mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the application.
  • mod_proxy_http: Proxy responses with error status and "ProxyErrorOverride On" hang until proxy timeout. PR53420
  • mod_log_config: Allow three character log formats to be registered. For backwards compatibility, the first character of a three-character format must be the '^' (caret) character.
  • mod_lua: Don't quote Expires and Path values.
  • mod_authz_core: Allow AuthzProviderAlias'es to be seen from auth stanzas under virtual hosts.

ApacheInformation

Version
2.4.16
Date
07.17.15
License
Free
Language
English
File Size
6.9 MB
Operating Systems
Mac OS X
System Requirements
  • OS X 10.1 or later
Apache OpenOffice Icon
Free and open-source office suite.
Free
Tomcat Icon
Implementation of the Java Servlet and JavaServer Pages technologies.
Free
More
MAMP Icon
Create a local server environment.
Free
SHOUTcast Icon
Welcome to SHOUTcast Radio, the home of free Internet Radio.
Free
Apple OS X Server Icon
The OS X Server brings more power to your business, home office or school.
Paid
MAMP PRO Icon
Create a local server environment for Web development and more.
Trial
PureFTPd Manager Icon
PureFTPd Cocoa front end.
Free
Navicat Premium Icon
Combines all Navicat versions in an ultimate version.
Trial
MailServe Icon
MailServe sets up a totally buzzword-compliant mail server on Mac OS X.
Trial
DNS Performance Test Icon
test the performance of your dns server and show the results in a handy chart.
Free
More