Download Apache 2.3.15 Beta

The Apache HTTP Server Project development team has released a new version of the Apache web server with 2.3.15 beta as the version number. This server is using modules provide all kinds of additional functionality. For an overview of the changes between the current 2.2x branch and the upcoming 2.4x branch, please refer to this page. The announcement and list of changes for version 2.3.15 beta are as follows:

Apache HTTP Server 2.3.15 beta

The Apache HTTP Server Project is pleased to announce the third Beta release of Apache HTTP Server 2.4: version 2.3.15-beta. This version of httpd is principally an beta release to test new technology and features that are incompatible or too large for the stable 2.2.x branch. This Beta release should not be presumed to be compatible with binaries built against any prior or future version although, as a Beta, the API is in a semi-frozen state.

All subsequent releases will be beta releases as we move towards 2.4.0-GA.

Changes with Apache 2.3.15

• SECURITY: CVE-2011-3348 (cve.mitre.org)
  mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized.
• SECURITY: CVE-2011-3192 (cve.mitre.org)
  core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file. PR 51714.
• SECURITY: CVE-2011-3607 (cve.mitre.org)
  core: Fix integer overflow in ap_pregsub. This can be triggered eg with mod_setenvif via a malicious .htaccess.
• configure: Load all modules in the generated default configuration when using –enable-load-all-modules.
• mod_reqtimeout: Change the default to set some reasonable timeout values.
• core, mod_dav_fs: Change default ETag to be “size mtime”, ie remove the inode. PR 49623.
• mod_lua: Expose SSL variables via r:ssl_var_lookup().
• mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName} can now additionally be run as “early” or “late” relative to other modules.
• configure: By default, only load those modules that are either required or explicitly selected by a configure –enable-foo argument. The LoadModule statements for modules enabled by –enable-mods-shared=most and friends will be commented out.
• mod_lua: Prevent early Lua hooks (LuaHookTranslateName and LuaHookQuickHandler) from being configured in , , and htaccess where the configuration would have been ignored.
• mod_lua: Resolve “attempt to index local ‘r’ (a userdata value)” errors in LuaMapHandler scripts
• mod_log_debug: Rename optional argument from if= to expr=, to be more in line with other config directives.
• mod_headers: Require an expression to be specified with expr=, to be more in line with other config directives.
• mod_substitute: To prevent overboarding memory usage, limit line length to 1MB.
• mod_lua: Make the query string (r.args) writable.
• mod_include: Add support for application/x-www-form-urlencoded encoding and decoding.
• rotatelogs: Add -c option to force logfile creation in every rotation interval, even if empty.
• core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings.
• mod_session_crypto: Refactor to support the new apr_crypto API.
• http: Add missing Location header if local URL-path is used as ErrorDocument for 30x.
• mod_buffer: Make sure we step down for subrequests, but not for internal redirects triggered by mod_rewrite.
• mod_lua: add r:construct_url as a wrapper for ap_construct_url.
• mod_remote_ip: Fix configuration of internal proxies. PR 49272.
• mpm_winnt: Handle AcceptFilter ‘none’ mode correctly; resolve specific server IP endpoint and remote client IP upon connection.
• mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with PeerExtList().
• mpm_prefork, mpm_worker, mpm_event: If a child is created just before graceful restart and then exits because of a missing lock file, don’t shutdown the whole server. PR 39311.
• mpm_event: Check the return value from ap_run_create_connection. PR: 41194.
• mod_mime_magic: Add signatures for PNG and SWF to the example config. PR: 48352.
• core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items from the parsed (or default) config. This is useful for init scripts that need to setup temporary directories and permissions.
• core, mod_actions, mod_asis: Downgrade error log messages which accompany a 404 request status from loglevel error to info. PR: 35768.
• core: Fix hook sorting with Perl modules. PR: 45076.
• core: Enforce LimitRequestFieldSize after multiple headers with the same name have been merged.
• mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory usage. PR 51618.
• mod_ssl: At startup, when checking a server certificate whether it matches the configured ServerName, also take dNSName entries in the subjectAltName extension into account. PR 32652, PR 47051.
• mod_substitute: Reduce memory usage and copying of data. PR 50559.
• mod_ssl/proxy: enable the SNI extension for backend TLS connections
• Add wrappers for malloc, calloc, realloc that check for out of memory situations and use them in many places. PR 51568, PR 51569, PR 51571.
• Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is false but RLIMIT_* are defined. PR51371.
• core: Correctly obey ServerName / ServerAlias ​​if the Host header from the request matches the VirtualHost address. PR 51709.
• mod_unique_id: Use random number generator to initialize counter. PR 45110.
• core: Add convenience API for apr_random.
• core: Add MaxRangeOverlaps and MaxRangeReversals directives to control the number of overlapping and reversing ranges (respectively) permitted before returning the entire resource, with a default limit of 20.
• mod_ldap: Optional function uldap_ssl_supported(r) always returned false if called from a virtual host with mod_ldap directives in it. Did not affect mod_authnz_ldap’s usage of mod_ldap.
• mod_filter: Instead of dropping the Accept-Ranges header when a filter registered with AP_FILTER_PROTO_NO_BYTERANGE is present, set the header value to “none”.
• core: Allow MaxRanges none|unlimited|default and set ‘Accept-Ranges: none’ in the case Ranges are being ignored with MaxRanges none.
• mod_ssl: revamp CRL-based revocation checking when validating certificates of clients or proxied servers. Completely delegate CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck directive for controlling the revocation checking mode.
• core: Add MaxRanges directive to control the number of ranges permitted before returning the entire resource, with a default limit of 200.
• mod_cache: Ensure that CacheDisable can correctly appear within a LocationMatch.
• mod_cache: Fix the moving of the CACHE filter, which erroneously stood down if the original filter was not added by configuration.
• mod_ssl: improve certificate error logging. PR 47408.
• mod_authz_groupfile: Increase length limit of lines in the group file to 16MB. PR 43084.
• core: Increase length limit of lines in the configuration file to 16MB. PR 45888. PR 50824.
• core: Add API for resizable buffers.
• mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such as Tivoli Directory Server 6.3 and later.
• mod_ldap: Change default number of retries from 10 to 3, and add an LDAPRetries and LDAPRetryDelay directives.
• mod_authnz_ldap: Don’t retry during authentication, because this just multiplies the ample retries already being done by mod_ldap.
• configure: Allow to explicitly disable modules even with module selection ‘reallyall’.
• mod_rewrite: Check validity of each internal (int:) RewriteMap even if the RewriteEngine is disabled in server context, avoiding a crash while referencing the invalid int: map at runtime. PR 50994.
• mod_ssl, configure: require OpenSSL 0.9.7 or later.
• mod_ssl: remove ssl_toolkit_compat layer.
• mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
• mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the cookie is set when modules such as mod_rewrite trigger a redirect. Also use r->err_headers_out for the cookie, for the same reason. PR29755.
• mod_proxy_http, mod_proxy_connect: Add ‘proxy-status’ and ‘proxy-source-port’ request notes for logging. PR 30195.
• configure: Enable ldap modules in ‘all’ and ‘most’ selections if ldap is compiled into apr-util.
• core: Add ap_check_cmd_context()-check if a command is executed in .htaccess file.
• mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.
• mod_authn_socache: Fix to work in .htaccess if not configured anywhere in httpd.conf, and introduce an AuthnCacheEnable directive. PR 51991
• mod_xml2enc: new (formerly third-party) module supporting internationalization for filters via smart charset sniffing and conversion.
• mod_proxy_html: new (formerly third-party) module to fix up HTML links in a reverse proxy situation, where a backend generates URLs that are not resolvable by Clients.