The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.9 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed:
We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.9 is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.9 provides the complete list of changes since 2.2.8. A summary of security vulnerabilities which were addressed in the previous 2.2.8 and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html
Apache HTTP Server 1.3.41 and 2.0.63 legacy releases are also currently available. See the appropriate CHANGES from the url above. See the corresponding CHANGES files linked from the download page. The Apache HTTP Project developers strongly encourage all users to migrate to Apache 2.2, as only limited maintenance is performed on these legacy versions.
This release includes the Apache Portable Runtime (APR) version 1.3.0 bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv) must all be updated to ensure binary compatibility and address many known platform bugs.
This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
----
-- The Apache HTTP Server Project
Apache HTTP Server 2.2.8 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.8 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed:
A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, a cross-site scripting attack against an authorized user is possible.
A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, an authorized user could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module.
A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.
A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.
We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.8 is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.8 provides the complete list of changes since 2.2.6 (2.2.7 was not released). A summary of security vulnerabilities which were addressed in the previous 2.2.6 and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html
Apache HTTP Server 1.3.41 and 2.0.63 legacy releases are also currently available. See the appropriate CHANGES from the url above. See the corresponding CHANGES files linked from the download page. The Apache HTTP Project developers strongly encourage all users to migrate to Apache 2.2, as only limited maintenance is performed on these legacy versions.
This release includes the Apache Portable Runtime (APR) version 1.2.12 bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv) must all be updated to ensure binary compatibility and address many known platform bugs.
This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
----
-- The Apache Software Foundation and the Apache HTTP Server Project
Apache HTTP Server 2.0.63 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the legacy release of version 2.0.63 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.63 as compared to 2.0.61 (2.0.62 was not released). This Announcement 2.0 document may also be available in multiple languages at:
http://www.apache.org/dist/httpd/
This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed:
A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.
A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.
Please see the CHANGES_2.0.63 file in this directory for a full list of changes for this version.
This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache 2.0 available and encourage users of all prior versions to upgrade.
This release includes the Apache Portable Runtime library suite release version 0.9.17, bundled with the tar and zip distributions. These libraries; libapr, libaprutil, and on Win32, libapriconv must all be updated to ensure binary compatibility and address many known platform bugs.
Apache HTTP Server 2.0.63 is available for download from
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes. A condensed list, CHANGES_2.0.63 provides the complete list of changes since 2.0.61.
Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see
http://httpd.apache.org/docs/2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep in mind the following: If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please refer to the documentation of these modules and libraries to obtain this information.
Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced after 2.0 please see
http://httpd.apache.org/docs/2.2/new_features_2_2.html
We consider Apache 2.2 to be the best available version at the time of this release. We offer Apache 2.0.63 as the best legacy version of Apache 2.0 available. Users should first consider upgrading to the current release of Apache 2.2 instead.
----
-- The Apache Software Foundation and The Apache HTTP Server Project
Apache HTTP Server 1.3.41 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 1.3.41 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 1.3.41 as compared to 1.3.39 (1.3.40 was not released).
This version of Apache is is principally a bug and security fix release. The following potential security flaws are addressed:
A flaw was found in the mod_status module. On sites where
mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.
A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.
Please see the CHANGES_1.3.41 file in this directory for a full list of changes for this version.
Apache 1.3.41 is the current stable release of the Apache 1.3 family. We strongly recommend that users of all earlier versions, including 1.3 family release, upgrade to to the current 2.2 version as soon as possible.
We recommend Apache 1.3.41 version for users who require a third party module that is not yet available as an Apache 2.x module. Modules compiled for Apache 2.x are not compatible with Apache 1.3, and modules compiled for Apache 1.3 are not compatible with Apache 2.x.
Apache 1.3.41 is available for download from
http://httpd.apache.org/download.cgi
This service utilizes the network of mirrors listed at:
http://www.apache.org/mirrors/
Binary distributions may be available for your specific platform from
http://www.apache.org/dist/httpd/binaries/
Binaries distributed by the Apache HTTP Server Project are provided as a courtesy by individual project contributors. The project makes no commitment to release the Apache HTTP Server in binary form for any particular platform, nor on any particular schedule.
IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS variants. While the ports to non-Unix platforms (such as Win32, Netware or OS2) will function for some applications, Apache 1.3 is not designed for these platforms. Apache 2 was designed from the ground up for security, stability, or performance issues across all modern operating systems.
Users of any non-Unix ports are strongly cautioned to move to Apache 2.
The Apache project no longer distributes non-Unix platform binaries from the main download pages for Apache 1.3. If absolutely necessary, a binary may be available at http://archive.apache.org/dist/httpd/.
Apache is the most popular web server in the known universe; about 2/3 of the servers on the Internet run Apache HTTP Server, or one of its variants.
----
Bugfixes addressed in 1.3.41 are:
More efficient implementation of the CVE-2007-3304 PID table patch. This fixes issues with excessive memory usage by the parent process if long-running and with a high number of child process forks during that timeframe. Also fixes bogus "Bad pid" errors.
----
-- The Apache Software Foundation and The Apache HTTP Server Project
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the 3.3.1 release of mod_python. Mod_python 3.3.1 is considered a stable release, suitable for production use.
Mod_python is an Apache HTTP Server module that embeds the Python language interpreter within the server. With mod_python you can write web-based applications in Python that will run many times faster than traditional CGI and will have access to advanced features such as ability to maintain objects between requests, access to httpd internals, content filters and connection handlers.
The 3.3.1 release has many new features, feature enhancements, fixed bugs and other improvements over the previous version. See Appendix A of mod_python documentation for more details.
Mod_python 3.3.1 is released under the new Apache License version 2.0.
Mod_python 3.3.1 is available for download from:
http://httpd.apache.org/modules/python-download.cgi
More infromation about mod_python is available at:
http://httpd.apache.org/modules/
Many thanks to everyone who contributed to and helped test this release, without your help it would not be possible.
Regards,
----
-- The Apache Mod_python team
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.2.4 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bugfix release.
We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.4 is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A summary of security vulnerabilities which were addressed in the previous 2.2.3 and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html
Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also currently available. See the appropriate CHANGES from the url above. See the corresponding CHANGES files linked from the download page. The Apache HTTP Project developers strongly encourage all users to migrate to Apache 2.2, as only limited maintenance is performed on these legacy versions.
This release includes the Apache Portable Runtime (APR) version 1.2.8 bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv) must all be updated to ensure binary compatibility and address many known platform bugs.
This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
----
-- The Apache HTTP Server Project
-- The Apache Software Foundation
The Apache mod_python team is pleased to announce the 3.3.0b (Beta) release of mod_python.
Version 3.3.0b of mod_python features several new functions and attributes providing better access to apache internals, as well as many bug fixes and various performance and security improvements. A detailed description of the changes is available in Appendix A of the mod_python manual, also available here
http://www.modpython.org/live/mod_python-3.3.0b/doc-html/app-changes-from-3.2.10.html
Beta releases are NOT considered stable and usually contain bugs.
This release is intended to solicit widespread testing of the code. We strongly recommend that you try out your existing applications and experiment with new features in a non-production environment using this version and report any problems you may encounter so that they can be addressed before the final release.
Preferred method of reporting problems is the mod_python user list mod_python@modpython.org.
Mod_python 3.3.0b is available for download from:
http://httpd.apache.org/modules/python-download.cgi
For more information about mod_python visit http://www.modpython.org/
----
-- The Apache mod_python team
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the 2.08 release of libapreq2. This Announcement notes significant changes introduced by this release.
libapreq2-2.08 is released under the Apache License version 2.0. It is now available through the ASF mirrors
http://httpd.apache.org/apreq/download.cgi
and has entered the CPAN as
libapreq2 is an APR-based shared library used for parsing HTTP cookies, query-strings and POST data. This package provides
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the 3.2.10 release of mod_python. Mod_python 3.2.10 is considered a stable release, suitable for production use.
Mod_python is an Apache HTTP Server module that embeds the Python language interpreter within the server. With mod_python you can write web-based applications in Python that will run many times faster than traditional CGI and will have access to advanced features such as ability to maintain objects between requests, access to httpd internals, content filters and connection handlers.
The 3.2.10 release has many new features, feature enhancements, fixed bugs and other improvements over the previous version. 3.2.10 now works with Apache HTTP Server 2.2. See Appendix A of mod_python documentation for a complete list.
Mod_python 3.2.10 is released under Apache License version 2.0.
Mod_python 3.2.10 is available for download from:
http://httpd.apache.org/modules/python-download.cgi
More information about mod_python is available at:
http://httpd.apache.org/modules/
Many thanks to Jim Gallacher, Graham Dumpleton, Nicolas Lehuen and everyone else who contributed to and helped test this release, without your help it would not be possible
----
-- The Apache HTTP Server Project
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.2.3 of the Apache HTTP Server ("Apache").
This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed;
Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.
This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:
Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.
The Apache HTTP Server project recommends that all users who have built Apache from source apply the patch or upgrade to the latest level and rebuild. Providers of Apache-based web servers in pre-compiled form will be able to determine if this vulnerability applies to their builds. That determination has no bearing on any other builds of Apache HTTP Server, and Apache HTTP Server users are urged to exercise caution and apply patches or upgrade unless they have specific instructions from the provider of their web server. Statements from vendors can be obtained from the US-CERT vulnerability note for this issue at:
http://www.kb.cert.org/vuls/id/395412
The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability.
We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.3 is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes.
Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available with this security fix. See the appropriate CHANGES from the url above. The Apache HTTP Project developers strongly encourage all users to migrate to Apache 2.2, as only limited maintenance is performed on these legacy versions.
This release includes the Apache Portable Runtime (APR) version 1.2.7 bundled with the tar and zip distributions. The APR libraries libapr, libaprutil, and (on Win32) libapriconv must all be updated to ensure binary compatibility and address many known platform bugs.
This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, but no substantial reworking should be necessary.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs, you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
----
-- The Apache HTTP Server Project
-- The Apache Software Foundation
Apache HTTP Server 2.2.2 Released
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.2.2 of the Apache HTTP Server ("Apache").
We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.2 is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes.
Apache HTTP Server 1.3.35 and 2.0.58 legacy releases are also available with minor bugfixes. See the appropriate CHANGES from the url above. The Apache HTTP Project developers strongly encourages all users to migrate to Apache 2.2, as only limited maintenance is performed on these legacy versions.
This release includes the Apache Portable Runtime (APR) version 1.2.7 bundled with the tar and zip distributions. The APR libraries libapr, libaprutil, and (on Win32) libapriconv must all be updated to ensure binary compatibility and address many known platform bugs.
This release has been through extensive testing, including live at some of the world's busiest sites, and is now considered stable. This means that modules and applications developed for Apache 2.2.2 will be both source- and binary-compatible with future 2.2.x releases. This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, but no substantial reworking should be necessary.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs, you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
----
-- The Apache Software Foundation
-- The Apache HTTP Server Project
Apache HTTP Server 2.2.0 Released
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.2.0 of the Apache HTTP Server ("Apache").
We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.0 is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes.
This release includes the Apache Portable Runtime (APR) version 1.2.2 bundled with the tar and zip distributions. The APR libraries libapr, libaprutil, and (on Win32) libapriconv must all be updated to ensure binary compatibility and address many known platform bugs.
This release has been through extensive testing, including live at some of the world's busiest sites, and is now considered stable. This means that modules and applications developed for Apache 2.2.0 will be both source- and binary-compatible with future 2.2.x releases. This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, but no substantial reworking should be necessary.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
Known Issues
Some non-showstopping issues were found during the 2.2.0 release and testing cycle:
* mod_dbd and mod_authn_dbd are absent from the Windows build
environment. A patch to correct this is available from:
http://www.apache.org/dist/httpd/patches/apply_to_2.2.0/
* If you are installing on a system with apr/apr-util 1.0 or 1.1
installed, you must build apr/apr-util 1.2 manually. See:
http://httpd.apache.org/docs/2.2/install.html#requirements
When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs, you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
----
-- The Apache HTTP Server Project
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the 3.2.5 Beta release mod_python.
Version 3.2.5b of mod_python features several new functions and attributes providing better access to apache internals, file-based sessions and other session improvements, as well as many bug fixes and various performance and security improvements. A detailed description of the changes is available in Appendix A of the mod_python manual, also available here:
http://www.modpython.org/live/mod_python-3.2.5b/doc-html/node97.html
Beta releases are NOT considered stable and usually contain bugs.
This release is intended to solicit widespread testing of the code. We strongly recommend that you try out your existing applications and experiment with new features in a non-production environment using this version and report any problems you may encounter so that they can be addressed before the final release.
Preferred method of reporting problems is the mod_python user list : mod_python@modpython.org.
Mod_python 3.2.5b is available for download from: http://httpd.apache.org/modules/python-download.cgi
For more information about mod_python visit http://www.modpython.org/
----
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.1.9-beta of the Apache HTTP Server ("Apache"). This beta release should not be presumed to be compatible with binaries built against any prior or future version.
Apache HTTP Server 2.1.9-beta is available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.1 file, linked from the above page, for a full list of changes.
Apache 2.1 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced after 2.0 please see:
http://httpd.apache.org/docs/2.1/new_features_2_2.html
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 1.3.34 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 1.3.34 as compared to 1.3.33. This Announcement1.3 document may also be available in multiple languages at:
This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.34 addresses and fixes 2 potential security issues:
We consider Apache 1.3.34 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family.
Apache 1.3.34 is available for download from
Binary distributions are available from
This service utilizes the network of mirrors listed at:
Please see the CHANGES_1.3 file in the same directory for a full list of changes.
As of Apache 1.3.12 binary distributions contain all standard Apache modules as shared objects (if supported by the platform) and include full source code. Installation is easily done by executing the included install script. See the README.bindist and INSTALL.bindist files for a complete explanation. Please note that the binary distributions are only provided for your convenience and current distributions for specific platforms are not always available. Win32 binary distributions are based on the Microsoft Installer (.MSI) technology. While development continues to make this installation method more robust, questions should be directed to the news:comp.infosystems.www.servers.ms-windows newsgroup.
For an overview of new features introduced after 1.2 please see
In general, Apache 1.3 offers several substantial improvements over version 1.2, including better performance, reliability and a wider range of supported platforms, including Windows 95/98 and NT (which fall under the "Win32" label), OS2, Netware, and TPE threaded platforms.
IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS variants. While the ports to non-Unix platforms (such as Win32, Netware or OS2) are of an acceptable quality, Apache 1.3 is not optimized for these platforms. Security, stability, or performance issues on these non-Unix ports do not generally apply to the Unix version, due to software's Unix origin.
Apache 2.0 has been structured for multiple operating systems from its inception, by introducing the Apache Portability Library and MPM modules. Users on Unix and non-Unix platforms are strongly encouraged to move up to Apache 2.0 for better performance, stability and security on their platforms. We consider Apache 2.0.55 to be the best available version at the time of this release. We offer Apache 1.3.34 as the best legacy version of Apache 1.3 available, and strongly recommend that users who require compatibility with existing Apache 1.3 installations should upgrade as soon as possible. Users should first consider upgrading to the current release of Apache 2 instead.
Apache is the most popular web server in the known universe; over half of the servers on the Internet are running Apache or one of its variants.
Apache 1.3.34 Major changes
Security vulnerabilities
The main security vulnerabilities addressed in 1.3.34 are:
New features
New features that relate to specific platforms:
New features that relate to specific platforms:
Bugs fixed
The following bugs were found in Apache 1.3.33 (or earlier) and have been fixed in Apache 1.3.34:
hsregex: Fix potential core dumping on 64 bit machines, such as AMD64. PR 31858.mod_digest: Fix another nonce string calculation issue.----
-- The Apache HTTP Server Project
----
Product Info |
|
| TLP (Top Level Project) Name | Apache HTTP Server Project |
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server software product for various modern desktop and server operating systems. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. |
|
| Product Name | Apache HTTP Server 1.x |
The Apache HTTP Server is an open-source HTTP server for modern operating systems including UNIX, MS-Windows, Macintosh and Netware. Apache has been the most popular web server on the Internet since April of 1996 |
|
| Downloads | http://httpd.apache.org/download.cgi |
| Bug Tracking | http://httpd.apache.org/bug_report.html |
| License | Apache License Version 2.0 |
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.0.55 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.55 as compared to 2.0.54. This Announcement2.0 document may also be available in multiple languages at:
This version of Apache is principally a security release. The following potential security flaws are addressed, the first three of which address several classes of HTTP Request and Response Splitting/Spoofing attacks;
The Apache HTTP Project thanks all of the reporters of these issues and vulnerabilities for the responsible reporting and thorough analysis of these vulnerabilities.
This release further addresses a number of cross-platform bugs, as well as specific issues on OS/X 10.4, Win32, AIX, and across all EBCDIC platforms, and adds compatibility with OpenSSL 0.9.8.
This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.
This release includes the Apache Portable Runtime library suite release version 0.9.7, bundled with the tar and zip distributions. These libraries; libapr, libaprutil, and on Win32, libapriconv must all be updated to ensure binary compatibility and address many known platform bugs.
Apache 2.0.55 is available for download from
Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see
When upgrading or installing this version of Apache, please keep in mind the following: If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please refer to the documentation of these modules and libraries to obtain this information.
----
-- The Apache HTTP Server Project
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.1.8-beta of the Apache HTTP Server ("Apache"). This beta release should not be presumed to be compatible with binaries built against any prior or future version.
Apache HTTP Server 2.1.8-beta is available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.1 file, linked from the above page, for a full list of changes.
Apache 2.1 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced after 2.0 please see:
http://httpd.apache.org/docs-2.1/new_features_2_2.html
----
-- The Apache HTTP Server Project
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.1.7-beta of the Apache HTTP Server ("Apache"). This beta release should not be presumed to be compatible with binaries built against any prior or future version.
Apache HTTP Server 2.1.7-beta is available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.1 file, linked from the above page, for a full list of changes.
Known Issues
Several non-show-stopping issues were found during the 2.1.7-beta release cycle:
A patch that fixes these issues ia available at:
http://www.apache.org/dist/httpd/patches/apply_to_2.1.7/non-showstoppers.patch
In addition, mod_ldap in 2.1.7-beta does not compile on older version of Windows.
Apache 2.1 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced after 2.0 please see:
http://httpd.apache.org/docs-2.1/new_features_2_2.html
----
-- The Apache HTTP Server Project
libapreq2-2.05-dev Released
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the 2.05-dev release of libapreq2. This Announcement notes significant changes introduced by this release.
libapreq2-2.05-dev is released under the Apache License version 2.0. It is now available through the ASF mirrors
http://httpd.apache.org/apreq/download.cgi
and has entered the CPAN as
file: $CPAN/authors/id/J/JO/JOESUF/libapreq2-2.05-dev.tar.gz
size: 702625 bytes
md5: 0985e102b6d2bc9c747a56b04a85cba6
libapreq2 is an APR-based shared library used for parsing HTTP cookies, query-strings and POST data. This package provides
Apache HTTP Server 2.0.54 Released
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.0.54 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.54 as compared to 2.0.53. The Announcement is also available in German and Japanese from:
http://www.apache.org/dist/httpd/Announcement2.txt.de
http://www.apache.org/dist/httpd/Announcement2.txt.ja
This version of Apache is principally a bug fix release.
This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.0.54 is available for download from
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see
http://httpd.apache.org/docs-2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these modules to obtain this information.
----
-- The Apache HTTP Server Project
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of versions 3.1.4 and 2.7.11 of mod_python.
This release addresses a vulnerability in mod_python's publisher handler whereby a carefully crafted URL would expose objects that should not be visible, leading to an information leak. The Common Vulnerabilities and Exposures project (http://cve.mitre.org/) has assigned the name CAN-2005-0088 to this issue.
Users of the publisher handler are urged to upgrade as soon as possible.
There are no other changes or improvements from the previous version in this release.
At this point the new version is only available as a source code archive. Users of mod_python on Win32 platform can update their installation by simply replacing the publisher.py file with the latest version from the source code archive.
Mod_python is available for download from:
http://httpd.apache.org/modules/python-download.cgi
For more information about mod_python visit
http://www.modpython.org/
Regards,
----
-- The Apache HTTP Server Project
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.0.53 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.53 as compared to 2.0.52. The Announcement is also available in German and Japanese from:
http://www.apache.org/dist/httpd/Announcement2.html.de
http://www.apache.org/dist/httpd/Announcement2.html.ja
This version of Apache is principally a bug fix release.
This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.
Apache 2.0.53 is available for download from -- http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see -- http://httpd.apache.org/docs-2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these modules to obtain this information.
----
-- The Apache HTTP Server Project
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.0.52 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.52 as compared to 2.0.51. The Announcement is also available in German and Japanese from:
http://www.apache.org/dist/httpd/Announcement2.html.de
http://www.apache.org/dist/httpd/Announcement2.html.ja
This version of Apache is principally a bug fix release. Of particular note is that 2.0.52 addresses one new security related flaw introduced in 2.0.51:
Fix merging of the Satisfy directive, which was applied to the surrounding context and could allow access despite configured authentication. PR 31315.
[CAN-2004-0811]
The Apache HTTP Server Project would like to thank Rici Lake for identification and a proposed fix of this flaw.
This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.
Apache 2.0.52 is available for download from
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see
http://httpd.apache.org/docs-2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these modules to obtain this information.
----
-- Apache HTTP Server Project Team
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.0.51 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.51 as compared to 2.0.50.
This version of Apache is principally a bug fix release. Of particular note is that 2.0.51 addresses five security vulnerabilities:
The Apache HTTP Server Project would like to thank Codenomicon for supplying copies of their "HTTP Test Tool" used to discover CAN-2004-0786, and to SITIC for reporting the discovery of CAN-2004-0747.
This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.0.51 is available for download from
http://httpd.apache.org/download.cgi?update=200409150645
Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see
http://httpd.apache.org/docs-2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these modules to obtain this information.
----
-- The Apache HTTP Server Project Team
Apache HTTP Server Request Library 2.04-dev Released
The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.04-dev release of libapreq2. This
Announcement notes significant changes introduced by this release.
The package libapreq2-2.04_03-dev.tar.gz is released under the Apache License
version 2.0. It is now available through the ASF mirrors
http://httpd.apache.org/apreq/download.cgi
and has entered the CPAN as
file: $CPAN/authors/id/J/JO/JOESUF/libapreq2-2.04_03-dev.tar.gz
size: 592748 bytes
md5: 1f5dd762c877b716f3774d502f575196
libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data. The package libapreq2-2.04_03-dev.tar.gz provides
1) version 2.0.20 of the libapreq2 library,
2) mod_apreq, a filter module necessary for using libapreq2
within the Apache HTTP Server,
3) the Apache::Request, Apache::Cookie, and Apache::Upload
perl modules for using libapreq2 with modperl-2.
========================================================================
Changes with libapreq2-2.04-dev (released August 30, 2004)
- Perl API [joes]
Add TAINT checks, marking all parsed data as tainted.
- C API [joes]
Add body_status attribute to apreq_request_t, to allow the both
environment and the parser to report any errors encountered.
- C API [randyk, joes]
Cookie parser was locking up on non-alphanumeric chars in cookie names.
Also RFC Cookie attributes are always checked for quotes during bake(2),
and the quotes are now stripped from incoming RFC cookies during parsing
(but they are never stripped from the actual cookie value).
- Perl API [joes]
Apache::Cookie::Jar->new accepts a VALUE_CLASS argument, which effectively
blesses all the jar's cookies into that class, which simplifies subclassing
Apache::Cookie. Accordingly Apache::Cookie->freeze($value) no longer accepts
a freeze()-able object in $value.
- C API [Markus Wichitill, randyk, joes]
Drop APR_DELONCLOSE from apreq_file_mktemp implementation and install
apreq_file_cleanup. When passed to apr_file_open on Win32, APR_DELONCLOSE
sets the FILE_SHARED_DELETE flag, which is, unfortunately, a property that
is preserved across NTFS "hard" links. This breaks apps that link()
the temp file to a permanent location, and subsequently expect to open it
without FILE_SHARED_DELETE before the original tempfile is closed+deleted.
In fact, even Apache::Upload does this, so it is a common enough event that
the apreq_file_cleanup workaround is necessary.
- C API [Ken Burcham, joes]
Fix bug in url parser that occurs when a %XX-encoded sequence
is split across multiple buckets. Added apreq_decode_decodev
to make this problem less inconvenient.
- Perl API [joes]
Exception objects inherit from the object which raised it,
which allows $@ to invoke its methods with impunity (exceptions
are disabled for objects which derive from an exception class).
- Perl API [joes]
Implement HOOK_DATA and UPLOAD_HOOK.
- Perl API [joes]
Add safe XS wrappers for $table->add, $table->set, $table->STORE,
and $table_class->new.
- Perl API [joes]
Add exceptions to $upload->link, $upload->tempname, $upload->slurp,
and $cookie->set_attr. Return value of $upload->slurp is now the
upload length. Also document new $upload->io.
- C API [joes]
Restrict all apr_status_t codes to APR_SUCCESS, APR_INCOMPLETE,
APR_EGENERAL, APR_EINIT, APR_ENOTIMPL, since any others will
generate confusing error messages from apr_strerror.
- Perl API [joes]
Added $upload->io with a TIEHANDLE API layered over APR::Brigade. $upload->fh
remains implemented as an APR::PerlIO object, which is seekable but less efficient
and currently suffers some portability issues associated with largefile support
in perl and apr.
- Perl API [joes]
Added apreq_xs_croak for throwing APR::Error exceptions and included
error-checking on $req->param, $req->args, $req->body, $req->upload,
and $jar->get.
- Perl API [joes]
Added $jar->status, $req->args_status and $req->body_status to report
parsing errors. Also add $upload->tempname per user request.
- C API [joes]
Dropped status attribute of apreq_value_t. Added status field to
apreq_jar_t and added args_status field to apreq_request_t. Parsers
also must return their public status code when a NULL brigade is passed.
apreq_hook_disable_uploads() is also added.
.
This is an ABI change affecting all versions of libapreq2 prior to 2.0.12.
- Perl API [joes]
$upload->info returns a proper APR::Table object now. Also implemented
$upload->size, $upload->fh, and $upload->type.
- C API [Jean-Fran輟is Meesse]
mfd parser fails to parse CRLF-terminated files when the terminating
boundary string is at the start of a new bucket. This is reportedly
a common event for PDF files uploaded with Netscape 7.
- Perl API [joes]
Add back-compat support for Apache::Cookie->fetch() via
Apache->request.
- C API [joes]
Add MaxBody, MaxBrigade, and TempDir per-dir directives to mod_apreq
filter.
- C API [joes]
Replace free/tempnam dependency in apreq_file_mktemp() with
apr_temp_dir_get(). Add additional gcc warning flags when
--enable-maintainer-mode is set.
- C API [joes, Scott Hutton]
Replace apreq_brigade_copy with more effective APREQ_BRIGADE_COPY
macro. Also introduce APREQ_BRIGADE_SETASIDE to deal with buckets
that need to be set aside for use in future function calls. mod_ssl
generates transient buckets which tickled this bug.
- Perl API [joes]
Separate Apache::Upload module from Apache::Request for
better organization.
Apache HTTP Server 2.0.50 Released
The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.0.50 of the Apache HTTP
Server ("Apache"). This Announcement notes the significant changes
in 2.0.50 as compared to 2.0.49. The Announcement is also available in
German from:
http://www.apache.org/dist/httpd/Announcement2.txt.de
This version of Apache is principally a bug fix release. A summary of
the bug fixes is given at the end of this document. Of particular
note is that 2.0.50 addresses two security vulnerabilities:
A remotely triggered memory leak in http header parsing can allow a
denial of service attack due to excessive memory consumption.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493]
Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a
(trusted) client certificate subject DN which exceeds 6K in length.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488]
This release is compatible with modules compiled for 2.0.42 and later
versions. We consider this release to be the best version of Apache
available and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.0.50 is available for download from
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for
a full list of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase. For an overview of new features introduced
after 1.3 please see
http://httpd.apache.org/docs-2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep
in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
will be using are thread-safe. Please contact the vendors of these
modules to obtain this information.
----
- Apache HTTP Server Project Team
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 1.3.31 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 1.3.31 as compared to 1.3.29 (1.3.30 was not released). The Announcement is also available in German, Spanish and Japanese from:
http://www.apache.org/dist/httpd/Announcement.html.de
http://www.apache.org/dist/httpd/Announcement.html.es
http://www.apache.org/dist/httpd/Announcement.html.ja
(Original: http://www.apache.org/dist/httpd/Announcement.html)
This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.31 addresses and fixes 4 potential security issues:
o CAN-2003-0987 (cve.mitre.org)
In mod_digest, verify whether the nonce returned in the client response is one we issued ourselves. This problem does not affect mod_auth_digest.
o CAN-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog.
o CAN-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket.
This only affects some platforms, such as Solaris, AIX and IRIX. Linux is unaffected.
o CAN-2003-0993 (cve.mitre.org)
Fix parsing of Allow/Deny rules using IP addresses without a netmask; issue is only known to affect big-endian 64-bit platforms
We consider Apache 1.3.31 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family.
Apache 1.3.31 is available for download from:
http://httpd.apache.org/download.cgi
This service utilizes the network of mirrors listed at:
http://www.apache.org/mirrors/
Please consult the CHANGES_1.3 file for a full list of changes.
As of Apache 1.3.12 binary distributions contain all standard Apache modules as shared objects (if supported by the platform) and include full source code. Installation is easily done by executing the included install script. See the README.bindist and INSTALL.bindist files for a complete explanation. Please note that the binary distributions are only provided for your convenience and current distributions for specific platforms are not always available. Win32 binary distributions are based on the Microsoft Installer (.MSI) technology. While development continues to make this installation method more robust, questions should be directed to the news:comp.infosystems.www.servers.ms-windows newsgroup.
For an overview of new features introduced after 1.2 please see
http://httpd.apache.org/docs/new_features_1_3.html
In general, Apache 1.3 offers several substantial improvements over version 1.2, including better performance, reliability and a wider range of supported platforms, including Windows NT and 2000 (which fall under the "Win32" label), OS2, Netware, and TPF threaded platforms.
Apache is the most popular web server in the known universe; over half of the servers on the Internet are running Apache or one of its variants.
IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS variants. While the ports to non-Unix platforms (such as Win32, Netware or S2) are of an acceptable quality, Apache 1.3 is not optimized for these platforms. Security, stability, or performance issues on these non-Unix ports do not enerally apply to the Unix version, due to software's Unix origin.
Apache 2.0 has been structured for multiple operating systems from its inception, by introducing the Apache Portability Library and MPM modules.
Users on non-Unix platforms are strongly encouraged to move up to Apache 2.0 for better performance, stability and security on their platforms.
Apache 1.3.31 Major changes
Security vulnerabilities
* CAN-2003-0987 (cve.mitre.org)
In mod_digest, verify whether the nonce returned in the client response is one we issued ourselves. This problem does not affect mod_auth_digest.
* CAN-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog.
* CAN-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket.
* CAN-2003-0993 (cve.mitre.org)
Fix parsing of Allow/Deny rules using IP addresses without a netmask; issue is only known to affect big-endian 64-bit platforms
New features
New features that relate to specific platforms:
* Linux 2.4+: If Apache is started as root and you code CoreDumpDirectory, core dumps are enabled via the prctl() syscall.
New features that relate to all platforms:
* Add mod_whatkilledus and mod_backtrace (experimental) for reporting diagnostic information after a child process crash.
* Add fatal exception hook for running diagnostic code after a crash.
* Forensic logging module added (mod_log_forensic)
* '%X' is now accepted as an alias for '%c' in the LogFormat directive. This allows you to configure logging to still log the connection status even with mod_ssl
Bugs fixed
The following noteworthy bugs were found in Apache 1.3.29 (or earlier) and have been fixed in Apache 1.3.31:
* Fix memory corruption problem with ap_custom_response() function. The core per-dir config would later point to request pool data that would be reused for different purposes on different requests.
* mod_usertrack no longer inspects the Cookie2 header for the cookie name. It also no longer overwrites other cookies.
* Fix bug causing core dump when using CookieTracking without specifying a CookieName directly.
* UseCanonicalName off was ignoring the client provided port information.
----
Apache HTTP Server Project Team
Press Release: Apache HTTP Server Technical Leadership
Congratulations and kudos to the HTTP Server Project team for their hard work and accomplishments.
To commemorate, the ASF issued this press release today:
------
Apache HTTP Server Reaches Record Eight Consecutive Years of Technical Leadership.
San Francisco, CA (May 11, 2004) The Apache Software Foundation today announced that its HTTP Server platform has reached a milestone of eight consecutive years of World Wide Web technology leadership. Since its first release in April of 1995, the Apache HTTP Server has become as pervasive as the Web itself. According to two separate and independent surveys, the Apache HTTP Server, which originally established itself as the leading web server technology in April 1996, continues to acquire even greater market, growing faster than all other competing web server technologies.
We started the Apache project to provide the development community with a secure, efficient and extensible open source Web server platform. Our goal from the very beginning was to establish the Apache HTTP Server as the dialtone of the web a standards-compliant, commercial grade reference platform. Through collaboration with the community, we have continually improved upon and added modules to the core Apache HTTP Server platform, thereby evolving the quality and breadth of the technology, said Jim Jagielski, Executive Vice President and Secretary of the Apache Software Foundation. Our recent achievement is testament to the benefits of the process of open source software development itself. By collaborating with the community, we have been able to consistently deliver freely accessible, robust, feature-rich Web server technology.
Apache HTTP Server Leadership Continues to Grow
In an April 2004 Security Space survey of 14,174,836 Web sites, the Apache HTTP Server was recognized as the most widely implemented Web server platform, with 70.48% share, representing 9,990,804 deployed servers.
In an April 2004 Netcraft survey incorporating roughly 50 million Web sites, Apache again rose to the top for the 96th straight month, with 69.01% market share and 15,747,757 active servers. According to Netcraft, the number of sites deploying Apache has grown by over 30 percent in the last twelve months, from 25 million to 33 million. Apaches growth has outpaced that of competing products, as the overall number of deployed Web sites increased by 25 percent over the same twelve month period.
"The Apache project seized the momentum in http server development within weeks of its first release and has held it ever since, growing its user community from a few hundred sites in August 1995, to several tens of millions today," added Mike Prettejohn, Director of Netcraft.
Commitment to Continued Technical Leadership
Achieving eight straight years of technology leadership confirms that the open source model works. Apache is now successfully deployed in a diverse set of environments, from large commercial entities to small nonprofit organizations. We are grateful to the community for their continued support and participation in the development process, said Sander Striker, Vice President of the Apache HTTP Server Project. We are firmly committed to continuing to provide the most accessible and standards-compliant Web server platform in existence.
ABOUT THE APACHE SOFTWARE FOUNDATION
The Apache Software Foundation provides organizational, legal, and financial support for the Apache open-source software projects. Formerly known as the Apache Group, the Foundation incorporated as a membership-based, not-for-profit corporation to ensure that the Apache projects continue to exist beyond the participation of individual volunteers, to enable contributions of intellectual property and financial support, and to provide a vehicle for limiting legal exposure while participating in open-source projects. For more information on the Apache Software Foundation, please see http://www.apache.org.
Media Contact:
Susan Wu
Marketing and Public Relations, Apache Software Foundation
susie@apache.org
Greg Stein
Chairman, Apache Software Foundation
gstein@apache.org
Apache HTTP Server 2.0.49 Released
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.0.49 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.49 as compared to 2.0.48.
This version of Apache is principally a bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.49 addresses three security vulnerabilities:
When using multiple listening sockets, a denial of service attack is possible on some platforms due to a race condition in the handling of short-lived connections. This issue is known to affect some versions of AIX, Solaris, and Tru64; it is known to not affect FreeBSD or Linux.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174]
Arbitrary client-supplied strings can be written to the error log which can allow exploits of certain terminal emulators.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020]
A remotely triggered memory leak in mod_ssl can allow a denial of service attack due to excessive memory consumption.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113]
This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.0.49 is available for download from
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see
http://httpd.apache.org/docs-2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these modules to obtain this information.
Apache 2.0.49 Major changes
Security vulnerabilities closed since Apache 2.0.48
*) SECURITY: CAN-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived
connection on a rarely-accessed listening socket will cause a
child to hold the accept mutex and block out new connections until
another connection arrives on that rarely-accessed listening socket.
With Apache 2.x there is no performance concern about enabling the
logic for platforms which don't need it, so it is enabled everywhere
except for Win32. [Jeff Trawick]
*) SECURITY: CAN-2004-0113 (cve.mitre.org)
mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
PR 27106. [Joe Orton]
*) SECURITY: CAN-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog. Unescaped
errorlogs are still possible using the compile time switch
"-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]
Bugs fixed and features added since Apache 2.0.47
*) mod_cgid: Fix storage corruption caused by use of incorrect pool.
[Jeff Trawick]
*) Win32: find_read_listeners was not correctly handling multiple
listeners on the Win32DisableAcceptEx path. [Bill Stoddard]
*) Fix bug in mod_usertrack when no CookieName is set. PR 24483.
[Manni Wood
*) Fix some piped log problems: bogus "piped log program '(null)'
failed" messages during restart and problem with the logger
respawning again after Apache is stopped. PR 21648, PR 24805.
[Jeff Trawick]
*) Fixed file extensions for real media files and removed rpm extension
from mime.types. PR 26079. [Allan Sandfeld
*) Remove compile-time length limit on request strings. Length is
now enforced solely with the LimitRequestLine config directive.
[Paul J. Reder]
*) mod_ssl: Send the Close Alert message to the peer before closing
the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]
*) mod_ssl: Fix bug in passphrase handling which could cause spurious
failures in SSL functions later. PR 21160. [Joe Orton]
*) mod_log_config: Fix corruption of buffered logs with threaded
MPMs. PR 25520. [Jeff Trawick]
*) Fix mod_include's expression parser to recognize strings correctly
even if they start with an escaped token. [André Malo]
*) Add fatal exception hook for use by diagnostic modules. The hook
is only available if the --enable-exception-hook configure parm
is used and the EnableExceptionHook directive has been set to
"on". [Jeff Trawick]
*) Allow mod_auth_digest to work with sub-requests with different
methods than the original request. PR 25040.
[Josh Dady
*) fix "Expected > but saw " errors in nested,
argumentless containers.
["Philippe M. Chiasson"
*) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
[Matthieu Estrade
*) mod_cgid: Restart the cgid daemon if it crashes. PR 19849
[Glenn Nielsen
*) The whole codebase was relicensed and is now available under
the Apache License, Version 2.0 (http://www.apache.org/licenses).
[Apache Software Foundation]
*) Fixed cache-removal order in mod_mem_cache.
[Jean-Jacques Clar, Cliff Woolley]
*) mod_setenvif: Fix the regex optimizer, which under circumstances
treated the supplied regex as literal string. PR 24219.
[André Malo]
*) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
instead of mmn. [André Malo]
*) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
could lead to a 400 (Bad Request) response. [André Malo]
*) Keep focus of ITERATE and ITERATE2 on the current module when
the module chooses to return DECLINE_CMD for the directive.
PR 22299. [Geoffrey Young
*) Add support for IMT minor-type wildcards (e.g., text/*) to
ExpiresByType. PR#7991 [Ken Coar]
*) Fix segfault in mod_mem_cache cache_insert() due to cache size
becoming negative. PR: 21285, 21287
[Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]
*) core.c: If large file support is enabled, allow any file that is
greater than AP_MAX_SENDFILE to be split into multiple buckets.
This allows Apache to send files that are greater than 2gig.
Otherwise we run into 32/64 bit type mismatches in the file size.
[Brad Nicholes]
*) proxy_http fix: mod_proxy hangs when both KeepAlive and
ProxyErrorOverride are enabled, and a non-200 response without a
body is generated by the backend server. (e.g.: a client makes a
request containing the "If-Modified-Since" and "If-None-Match"
headers, to which the backend server respond with status 304.)
[Graham Wiseman
*) mod_dav: Reject requests which include an unescaped fragment in the
Request-URI. PR 21779. [Amit Athavale
*) Build array of allowed methods with proper dimensions, fixing
possible memory corruption. [Jeff Trawick]
*) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
PR 15057. [Otmar Lendl
*) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
[Joe Orton]
*) mod_usertrack no longer inspects the Cookie2 header for
the cookie name. PR 11475. [Chris Darrochi
*) mod_usertrack no longer overwrites other cookies.
PR 26002. [Scott Moore
*) worker MPM: fix stack overlay bug that could cause the parent
process to crash. [Jeff Trawick]
*) Win32: Add Win32DisableAcceptEx directive. This Windows
NT/2000/XP directive is useful to work around bugs in some
third party layered service providers like virus scanners,
VPN and firewall products, that do not properly handle
WinSock 2 APIs. Use this directive if your server is issuing
AcceptEx failed messages.
[Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]
*) Make REMOTE_PORT variable available in mod_rewrite.
PR 25772. [André Malo]
*) Fix a long delay with CGI requests and keepalive connections on
AIX. [Jeff Trawick]
*) mod_autoindex: Add 'XHTML' option in order to allow switching between
HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]
*) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
[André Malo]
*) mod_ssl: Advertise SSL library version as determined at run-time rather
than at compile-time. PR 23956. [Eric Seidel
*) mod_ssl: Fix segfault on a non-SSL request if the 'c' log
format code is used. PR 22741. [Gary E. Miller
*) Fix build with parallel make. PR 24643. [Joe Orton]
*) mod_rewrite: In external rewrite maps lookup keys containing
a newline now cause a lookup failure. PR 14453.
[Cedric Gavage
*) Backport major overhaul of mod_include's filter parser from 2.1.
The new parser code is expected to be more robust and should
catch all of the edge cases that were not handled by the previous one.
The 2.1 external API changes were hidden by a wrapper which is
expected to keep the API backwards compatible. [André Malo]
*) Add a hook (insert_error_filter) to allow filters to re-insert
themselves during processing of error responses. Enable mod_expires
to use the new hook to include Expires headers in valid error
responses. This addresses an RFC violation. It fixes PRs 19794,
24884, and 25123. [Paul J. Reder]
*) Add Polish translation of error messages. PR 25101.
[Tomasz Kepczynski
*) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes,
Bill Stoddard]
*) Add mod_status hook to allow modules to add to the mod_status
report. [Joe Orton]
*) Fix htdbm to generate comment fields in DBM files correctly.
[Justin Erenkrantz]
*) mod_dav: Use bucket brigades when reading PUT data. This avoids
problems if the data stream is modified by an input filter. PR 22104.
[Tim Robbins
*) Fix RewriteBase directive to not add double slashes. [André Malo]
*) Improve 'configure --help' output for some modules. [Astrid Keßler]
*) Correct UseCanonicalName Off to properly check incoming port number.
[Jim Jagielski]
*) Fix slow graceful restarts with prefork MPM. [Joe Orton]
*) Fix a problem with namespace mappings being dropped in mod_dav_fs;
if any property values were set which defined namespaces these
came out mangled in the PROPFIND response. PR 11637.
[Amit Athavale
*) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
the destination resource gives a 401. PR 15571. [Joe Orton]
*) mod_autoindex / core: Don't fail to show filenames containing
special characters like '%'. PR 13598. [André Malo]
*) mod_status: Report total CPU time accurately when using a threaded
MPM. PR 23795. [Jeff Trawick]
*) Fix memory leak in handling of request bodies during reverse
proxy operations. PR 24991. [Larry Toppi
*) Win32 MPM: Implement MaxMemFree to enable setting an upper
limit on the amount of storage used by the bucket brigades
in each server thread. [Bill Stoddard]
*) Modified the cache code to be header-location agnostic. Also
fixed a number of other cache code bugs related to PR 15852.
Includes a patch submitted by Sushma Rai
This fixes mod_mem_cache but not mod_disk_cache yet so I'm not
closing the PR since that is what they are using. [Paul J. Reder]
*) complain via error_log when mod_include's INCLUDES filter is
enabled, but the relevant Options flag allowing the filter to run
for the specific resource wasn't set, so that the filter won't
silently get skipped. next remove itself, so the warning will be
logged only once [Stas Bekman, Jeff Trawick, Bill Rowe]
*) mod_info: HTML escape configuration information so it displays
correctly. PR 24232. [Thom May]
*) Restore the ability to add a description for directories that
don't contain an index file. (Broken in 2.0.48) [André Malo]
*) Fix a problem with the display of empty variables ("SetEnv foo") in
mod_include. PR 24734 [Markus Julen
*) mod_log_config: Log the minutes component of the timezone correctly.
PR 23642. [Hong-Gunn Chew
*) mod_proxy: Fix cases where an invalid status-line could be sent
to the client. PR 23998. [Joe Orton]
*) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL
are also loaded. [Joe Orton]
*) mod_ssl: Use human-readable OpenSSL error strings in logs; use
thread-safe interface for retrieving error strings. [Joe Orton]
*) mod_expires: Initialize ExpiresDefault to NULL instead of "" to
avoid reporting an Internal Server error if it is used without
having been set in the httpd.conf file. PR: 23748, 24459
[André Malo, Liam Quinn
*) mod_autoindex: Don't omit the
*) mod_include no longer allows an ETag header on 304 responses.
PR 19355. [Geoffrey Young
*) EBCDIC: Convert header fields to ASCII before sending (broken
since 2.0.44). [Martin Kraemer]
*) Fix the inability to log errors like exec failure in
mod_ext_filter/mod_cgi script children. This was broken after
such children stopped inheriting the error log handle.
[Jeff Trawick]
*) Fix mod_info to use the real config file name, not the default
config file name. [Aryeh Katz
*) Set the scoreboard state to indicate logging prior to running
logging hooks so that server-status will show 'L' for hung loggers
instead of 'W'. [Jeff Trawick]
The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the 3.1.3 release of mod_python. Mod_python 3.1.3 is
considered a stable release, suitable for production use.
Mod_python is an Apache HTTP Server module that embeds the Python language
interpreter within the server. With mod_python you can write web-based
applications in Python that will run many times faster than traditional
CGI and will have access to advanced features such as ability to maintain
objects between requests, access to httpd internals, content filters and
connection handlers.
This release includes several features not available in the previous
stable release (3.0.x). Some feature highlights:
* Native cookie support, including support for automatic cryptographic
cookie signing and marshalling.
* Server-side sessions with memory or dbm-based storage and session
locking support.
* PSP - a fast flex-based scanner which allows embedding Python code
within HTML.
Mod_python 3.1.3 is released under the new Apache License version 2.0.
Mod_python 3.1.3 is available for download from:
http://httpd.apache.org/modules/python-download.cgi
More infromation about mod_python is available at:
http://httpd.apache.org/modules/
The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.7.10 of mod_python.
This release addresses a vulnerability in mod_python 2.7.9 whereby a
specific query string processed by mod_python would cause the httpd
process to crash.
The previously released version 2.7.9 was supposed to correct this issue,
but is still vulnerable.
There are no other changes or improvements from the previous version in
this release.
If you are currently using mod_python 2.7.9 or earlier, it is highly
recommended that you upgrade to 2.7.10 as soon as possible.
If you are using mod_python 3.0.4, no action is necessary.
Mod_python is available for download from:
http://httpd.apache.org/modules/python-download.cgi
For more information about mod_python visit
http://www.modpython.org/
The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of versions 3.0.4 and 2.7.9 of mod_python.
These two releases (for HTTP Server 2.0 and 1.3 respectively) address an
issue whereby a specific query string processed by mod_python would cause
the httpd process to crash.
These two releases have also been patched to compile against Python 2.3
cleanly.
There are no other changes or improvements from the previous version in
these releases.
Both of these releases are considered stable. If you are currently using
mod_python 3.0.3 or 2.7.8, it is highly recommended that you upgrade to
3.0.4 or 2.7.9.
Mod_python is available for download from:
http://httpd.apache.org/modules/python-download.cgi
For more information about mod_python visit
http://www.modpython.org/
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 1.3.29 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 1.3.29 as compared to 1.3.28. The Announcement is also available in German from http://www.apache.org/dist/httpd/Announcement.html.de.
This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document.
A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.29 addresses and fixes 1 potential security issue:
o CAN-2003-0542 (cve.mitre.org) Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures.
We consider Apache 1.3.29 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family.
Apache 1.3.29 is available for download from:
http://httpd.apache.org/download.cgi
This service utilizes the network of mirrors listed at:
http://www.apache.org/mirrors/
Please consult the CHANGES_1.3 file for a full list of changes.
As of Apache 1.3.12 binary distributions contain all standard Apache modules as shared objects (if supported by the platform) and include full source code. Installation is easily done by executing the included install script. See the README.bindist and INSTALL.bindist files for a complete explanation. Please note that the binary distributions are only provided for your convenience and current distributions for specific platforms are not always available. Win32 binary distributions are based on the Microsoft Installer (.MSI) technology. While development continues to make this installation method more robust, questions should be directed to the news:comp.infosystems.www.servers.ms-windows newsgroup.
For an overview of new features introduced after 1.2 please see
http://httpd.apache.org/docs/new_features_1_3.html
In general, Apache 1.3 offers several substantial improvements over version 1.2, including better performance, reliability and a wider range of supported platforms, including Windows NT and 2000 (which fall under the "Win32" label), OS2, Netware, and TPF threaded platforms.
Apache is the most popular web server in the known universe; over half of the servers on the Internet are running Apache or one of its variants.
IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS variants. While the ports to non-Unix platforms (such as Win32, Netware or OS2) are of an acceptable quality, Apache 1.3 is not optimized for these platforms. Security, stability, or performance issues on these non-Unix ports do not generally apply to the Unix version, due to software's Unix origin.
Apache 2.0 has been structured for multiple operating systems from its inception, by introducing the Apache Portability Library and MPM modules. Users on non-Unix platforms are strongly encouraged to move up to Apache 2.0 for better performance, stability and security on their platforms.
For more information, see the Apache HTTP Server Project WebSite.
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the eleventh public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes in 2.0.48 as compared to 2.0.47.
This version of Apache is principally a bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.48 addresses two security vulnerabilities:
mod_cgid mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789]
A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression with more than 9 captures is configured.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542]
This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.
Apache 2.0.48 is available for download from
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see
http://httpd.apache.org/docs-2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these modules to obtain this information.
For more information, see the Apache HTTP Server Project WebSite.
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the 3.1.2 Beta release mod_python.
Some feature highlights:
* Server-side sessions with memory or dbm-based storage and session
locking support.
* PSP - a fast flex-based scanner which allows embedding Python code
within HTML.
* Native cookie support, including support for automatic cryptographic
cookie signing and marshalling.
* Compatibility with Python 2.3, as well as many other enhancements.
Beta releases are NOT considered stable and may contain bugs.
This release is intended to solicit widespread testing of the code. We
strongly recommend that you try out your existing applications and
experiment with new features in a non-production environment using this
version and report any problems you may encounter so that they can be
addressed before the final release.
Preferred method of reporting problems is the mod_python user list
mod_python@modpython.org.
Mod_python 3.1.2b is available for download from:
http://httpd.apache.org/modules/python-download.cgi
For more information about mod_python visit
http://www.modpython.org/
The Apache Software Foundation and The Apache Server Project are pleased to announce the release of version 1.3.28 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 1.3.28 as compared to 1.3.27. The Announcement is also available in German from http://www.apache.org/dyn/closer.cgi/httpd/Announcement.txt.de.
This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of the release note document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.28 addresses and fixes 3 potential security issues:
Apache HTTP Server 2.0.47 is available for download from http://httpd.apache.org/download.cgi - or - http://www.apache.org/dyn/closer.cgi/httpd/
Apache is the most popular web server in the known universe; over half of the servers on the Internet are running Apache or one of its variants.
IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS variants. While the ports to non-Unix platforms (such as Win32, Netware or OS2) are of an acceptable quality, Apache 1.3 is not optimized for these platforms. Security, stability, or performance issues on these non-Unix ports do not generally apply to the Unix version, due to software's Unix origin.
Apache 2.0 has been structured for multiple operating systems from its inception, by introducing the Apache Portability Library and MPM modules. Users on non-Unix platforms are strongly encouraged to move up to Apache 2.0 for better performance, stability and security on their platforms.
See The Apache HTTP Server Home Page for more details.
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the tenth public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes in 2.0.47 as compared to 2.0.46.
Apache Httpd WebServer 2.0.47 is available for download from http://httpd.apache.org/download.cgi.
This version of Apache is principally a security and bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.47 addresses four security vulnerabilities.
See The Apache HTTP Server Home Page for more details.
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the ninth public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes in 2.0.46 as compared to 2.0.45.
This version of Apache is principally a security and bug fix release. This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.
See The Apache HTTP Server Home Page for more details.
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the eighth public release of the Apache 2.0 HTTP Server.
This version of Apache is principally a security and bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.45 addresses two security vulnerabilities, both affecting all platforms.
We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.
Apache 2.0.45 source code is available for download from here.
Apache 2.0.45 binary releases will become available for download from here
Please remember to check the signature when downloading from a mirror.
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of mod_python 3.0.3.
Mod_python is an Apache HTTP Server module that embeds the Python
interpreter within the server. With mod_python you can write web-based
applications in Python that will run many times faster than traditional
CGI and will have access to advanced features such as ability to retain
database connections between requests, access to httpd internals and
provide content filter as well as connection handlers.
This release fixes numerous bugs identified after last release (3.0.1). It
is highly recommended that you upgrade to version 3.0.3 for improved
stability and performance.
Mod_python is available for download from:
http://httpd.apache.org/modules/python-download.cgi
For more information about mod_python visit:
The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of mod_python 3.0.1.
Mod_python is an Apache HTTP Server module that embeds the Python
interpreter within the server. With mod_python you can write web-based
applications in Python that will run many times faster than traditional
CGI and will have access to advanced features such as ability to retain
database connections between requests, access to httpd internals and
provide content filter as well as connection handlers.
This is the first release of mod_python as a subproject of the Apache HTTP
Server Project, as well as a major milestone accomplishment finally
bringing compatibility with Apache 2.0.
This release increments the major version to 3. The major version
increment is to denote that this release is only compatible with Apache
httpd server 2.0 and Python 2.2 or later and is not fully backwards
compatible with previous versions of mod_python. For details on migrating
code from previous versions of mod_python, as well as a list of new
featurs, see the README file in the distribution.
Mod_python is available for download from:
http://www.apache.org/dist/httpd/modpython/
For more information about mod_python visit
http://www.modpython.org/
Enjoy, and Happy Thanksgiving to those in the US!
It is my pleasure to announce that Mod_Python has been donated to the Apache Software Foundation, and is now a subproject of the httpd server project (see http://httpd.apache.org/).
I am grateful to ASF for accepting this donation and committing resources to further the support of Mod_Python. I believe that this action will advance the development of Mod_Python, resulting in an ultimately better and more popular tool for Python developers. I also believe it will serve to better position Python as a language of choice for web development, a need that has been expressed by many.
There are no implications to the current Mod_Python users - the license is the same with the sole difference in that the copyright belongs to ASF now.
As a consequense of the donation, the CVS repository is now hosted on cvs.apache.org. Do not use the SourceForge repository anymore, it will soon be removed.
There will also be website and mailing changes, but the details are still being finalized and will be announced when ready.