logo
Apache Lounge
Webmasters

 

Home Downloads Changelog 2.2 Changelog 2.4





By donating you will help to keep this site alive and well.


If you find this site, and overall help useful, please consider donating to this effort.

Thank You! Steffen

Apache Lounge is not sponsored by anyone.

Your donations will help to keep this site alive and well, and continuing the building of the binaries.






Changelog Apache 2.2 (legacy, End Of Live)


11-July-2017 Changes with Apache 2.2.34 (last of the 2.2 series, No more development or maintenance to come)
Apache Lounge changes:

  *) Upgraded OpenSSL to 1.0.2l from 1.0.1u (Changelog) 

ASF changes:

  *) Allow single-char field names inadvertantly disallowed in 2.2.32.
     PR 61220. [Yann Ylavic]
23-June-2017 Changes with Apache 2.2.33 (not released)
ASF changes:

  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
     bug in token list parsing, which allows ap_find_token() to search past
     the end of its input string. By maliciously crafting a sequence of
     request headers, an attacker may be able to cause a segmentation fault,
     or to force ap_find_token() to return an incorrect value.
     [Jacob Champion]

  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
     mod_ssl may dereference a NULL pointer when third-party modules call
     ap_hook_process_connection() during an HTTP request to an HTTPS port.
     [Yann Ylavic]

  *) SECURITY: CVE-2017-3167 (cve.mitre.org)
     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
     authentication phase may lead to authentication requirements being
     bypassed.
     [Emmanuel Dreyfus < manu netbsd.org>, Jacob Champion, Eric Covener]

  *) SECURITY: CVE-2017-7679 (cve.mitre.org)
     mod_mime can read one byte past the end of a buffer when sending a
     malicious Content-Type response header.  [Yann Ylavic]
  
  *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
     [Joe Orton]
18-Januari-2017 Changes with Apache 2.2.32
ASF changes:

  *) SECURITY: CVE-2016-8743 (cve.mitre.org)
     Enforce HTTP request grammar corresponding to RFC7230 for request lines
     and request headers, to prevent response splitting and cache pollution by
     malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]

  *) Validate HTTP response header grammar defined by RFC7230, resulting
     in a 500 error in the event that invalid response header contents are
     detected when serving the response, to avoid response splitting and cache
     pollution by malicious clients, upstream servers or faulty modules.
     [Stefan Fritsch, Eric Covener, Yann Ylavic]

  *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
     [Dominic Scheirlinck < dominic vendhq.com>, Yann Ylavic]

  *) core: Avoid a possible truncation of the faulty header included in the
     HTML response when LimitRequestFieldSize is reached.  [Yann Ylavic]

  *) core: Enforce LimitRequestFieldSize after multiple headers with the same
     name have been merged. [Stefan Fritsch]

  *) core: Drop Content-Length header and message-body from HTTP 204 responses.
     PR 51350 [Luca Toscano]

*) core: Permit unencoded ';' characters to appear in proxy requests and Location: response headers. Corresponds to modern browser behavior. [William Rowe] *) core: ap_rgetline_core now pulls from r->proto_input_filters. *) core: Correctly parse an IPv6 literal host specification in an absolute URL in the request line. [Stefan Fritsch] *) core: New directive RegisterHttpMethod for registering non-standard HTTP methods. [Stefan Fritsch] *) core: Limit to ten the number of tolerated empty lines between request. [Yann Ylavic] *) core: reject NULLs in request line or request headers. PR 43039 [Nick Kew] *) mod_proxy: Use the correct server name for SNI in case the backend SSL connection itself is established via a proxy server. PR 57139 [Szabolcs Gyurko < szabolcs gyurko.org>] *) Fix potential rejection of valid MaxMemFree and ThreadStackSize directives. [Mike Rumph < mike.rumph oracle.com>] *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3. [Kaspar Brand] *) mod_proxy: Correctly consider error response codes by the backend when processing failonstatus. PR 59869 [Ruediger Pluem] *) mod_proxy: Play/restore the TLS-SNI on new backend connections which had to be issued because the remote closed the previous/reusable one during idle (keep-alive) time. [Yann Ylavic] *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params. [Jan Kaluza, Yann Ylavic] *) mod_proxy: Fix a regression with 2.2.31 that caused inherited workers to use a different scoreboard slot then the original one. PR 58267. [Ruediger Pluem] *) mod_proxy: Fix a race condition that caused a failed worker to be retried before the retry period is over. [Ruediger Pluem] *) mod_proxy: don't recyle backend announced "Connection: close" connections to avoid reusing it should the close be effective after some new request is ready to be sent. [Yann Ylavic] *) mod_mem_cache: Fix concurrent removal of stale entries which could lead to a crash. PR 43724. [Yann Ylavic] *) mime.types: add common extension "m4a" for MPEG 4 Audio. PR 57895 [Dylan Millikin < dylan.millikin gmail.com>] *) mod_substitute: Allow to configure the patterns merge order with the new SubstituteInheritBefore on|off directive. PR 57641 [Marc.Stern < Marc.Stern approach.be>, Yann Ylavic, William Rowe] *) mod_mem_cache: Don't cache incomplete responses when the client connection is aborted before the body is fully read. PR 45049. [Nick Pace < nick simplylogic.net>, Edward Lu, Yann Ylavic] *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve failures under Visual Studio 2015 and other mismatched MSVCRT flavors. PR59630 [Jan Ehrhardt < phpdev ehrhardt.nl>] *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes. PR 57167 [Edward Lu < Chaosed0 gmail.com>]
2-October-2016 Changes with Apache 2.2.31
Apache Lounge changes:

  *) Upgraded OpenSSL to 1.0.1u from 1.0.1t (Changelog) 
6-May-2016 Changes with Apache 2.2.31
Apache Lounge changes:

  *) Upgraded OpenSSL to 1.0.1t from 1.0.1s (Changelog) 
6-March-2016 Changes with Apache 2.2.31
Apache Lounge changes:

  *) Upgraded OpenSSL to 1.0.1s from 1.0.1p (Changelog) 
16-July-2015 Changes with Apache 2.2.31
Apache Lounge changes:

  *) Upgraded OpenSSL to 1.0.1p from 1.0.1m (Changelog) 

  *) Upgraded APR to 1.5.2 from 1.5.1 (Changelog)

  *) Upgraded APR-UTIL to 1.5.4 from 1.5.3 (Changelog)

ASF changes:

  *) Corrected docs/manual pages for new MergeTrailers directive and other
     out of date documentation. [William Rowe]

10-July-2015 Changes with Apache 2.2.30 (not released)
ASF changes:
  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
     core: Fix chunk header parsing defect.
     Remove apr_brigade_flatten(), buffering and duplicated code from
     the HTTP_IN filter, parse chunks in a single pass with zero copy.
     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
     authorized characters.  [Graham Leggett, Yann Ylavic]

  *) http: Fix LimitRequestBody checks when there is no more bytes to read.
     [Michael Kaufmann < mail michael-kaufmann.ch >]

  *) core: Allow spaces after chunk-size for compatibility with implementations
     using a pre-filled buffer.  [Yann Ylavic, Jeff Trawick]

  *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
     no longer send warning-level unrecognized_name(112) alerts. PR 56241.
     [Kaspar Brand]

  *) http: Make ap_die() robust against any HTTP error code and not modify
     response status (finally logged) when nothing is to be done. PR 56035.
     [Yann Ylavic]

  *) core, modules: Avoid error response/document handling by the core if some
     handler or input filter already did it while reading the request (causing
     a double response body).  [Yann Ylavic]

  *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
     5+ instead of just for FreeBSD 5. PR 53824.  [Jeff Trawick,
     Olli Hauer < ohauer gmx de >]

  *) mod_proxy: use the original (non absolute) form of the request-line's URI
     for requests embedded in CONNECT payloads used to connect SSL backends via
     a ProxyRemote forward-proxy.  PR 55892.  [Hendrik Harms < hendrik.harms
     gmail com >, William Rowe, Yann Ylavic]

  *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
     internationalization.  [William Rowe]

  *) mod_log_config: Implement logging for sub second timestamps and
     request end time.  [Rainer Jung]

  *) mod_log_config: Ensure that time data is consistent if multiple
     duration patterns are used in combination, e.g. %D and %{ms}T.
     [Rainer Jung]

  *) mod_log_config: Add "%{UNIT}T" format to output request duration in
     seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
     [Ben Reser, Rainer Jung]

  *) In alignment with RFC 7525, the default recommended SSLCipherSuite
     and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
     default recommended SSLProtocol and SSLProxyProtocol directives now
     exclude SSLv3. Existing configurations must be adjusted by the
     administrator. [William Rowe]

  *) core: Avoid potential use of uninitialized (NULL) request data in
     request line error path. [Yann Ylavic]
 
  *) mod_proxy_http: Use the "Connection: close" header for requests to
     backends not recycling connections (disablereuse), including the default
     reverse and forward proxies.  [Yann Ylavic]

  *) mod_proxy: Add ap_connection_reusable() for checking if a connection
     is reusable as of this point in processing.  [Jeff Trawick]

  *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across
     graceful restarts, even if new workers are added, old ones removed, or
     the order changes.  [Jan Kaluza, Yann Ylavic]

  *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context. 
     PR 57100.  [Michael Kaufmann < apache-bugzilla michael-kaufmann.ch >,
     Yann Ylavic]

  *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
     allowing custom parameters to be configured via SSLCertificateFile,
     and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
     Unless custom parameters are configured, the standardized parameters
     are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
 
  *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
     keys, and unconditionally disable aNULL, eNULL and EXP ciphers
     (not overridable via SSLCipherSuite). [Kaspar Brand]

  *) mod_ssl: Add support for configuring persistent TLS session ticket
     encryption/decryption keys (useful for clustered environments).
     [Paul Querna, Kaspar Brand]

  *) SSLProtocol and SSLCipherSuite recommendations in the example/default
     conf/extra/httpd-ssl.conf file are now global in scope, affecting all
     VirtualHosts (matching 2.4 default configuration). [William Rowe]

  *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
     selected DB engine.  PR 46421.  [Jan Kaluza].

  *) Turn static function get_server_name_for_url() into public
     ap_get_server_name_for_url() and use it where appropriate. This
     fixes mod_rewrite generating invalid URLs for redirects to IPv6
     literal addresses. PR 52831 [Stefan Fritsch]

  *) dav_validate_request: avoid validating locks and ETags when there are
     no If headers providing them on a resource we aren't modifying.
     [Ben Reser]

  *) mod_ssl: New directive SSLSessionTickets (On|Off).
     The directive controls the use of TLS session tickets (RFC 5077),
     default value is "On" (unchanged behavior).
     Session ticket creation uses a random key created during web
     server startup and recreated during restarts. No other key
     recreation mechanism is available currently. Therefore using session
     tickets without restarting the web server with an appropriate frequency
     (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]

  *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
     compile against APR-1.2.x (minimum required version). [Yann Ylavic]

  *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts
     computed for subsequent requests.  PR 56729.  [Eric Covener]

22-March-2015 Changes with Apache 2.2.29
Apache Lounge changes:

  *) Upgraded OpenSSL to 1.0.1m from 1.0.1l (Changelog)

  *) Upgraded OpenSSL to 0.9.8zf from 1.9.8ze (Changelog)

2-February-2015 Changes with Apache 2.2.29
Apache Lounge changes:

  *) Upgraded OpenSSL to 1.0.1l from 1.0.1j (Changelog) 

  *) Upgraded OpenSSL to 0.9.8ze from 1.9.8zc (Changelog)

20-October-2014 Changes with Apache 2.2.29
Apache Lounge changes:

  *) Upgraded OpenSSL to 1.0.1j from 1.0.1i (Changelog) 

  *) Upgraded OpenSSL to 0.9.8zc from 1.9.8zb (Changelog)

8-September-2014 Changes with Apache 2.2.29
Apache Lounge changes:

  *) Upgraded OpenSSL to 1.0.1i from 1.0.1h (Changelog) 

  *) Upgraded OpenSSL to 0.9.8zb from 1.9.8za (Changelog)

  *) Upgraded APR to 1.5.1 from 1.5.0 (Changelog)

ASF changes:

  *) Corrected docs/manual pages for new MergeTrailers directive and other
     out of date documentation. [William Rowe]
22-August-2014 Changes with Apache 2.2.28 (not Released)

ASF changes:

  *) SECURITY: CVE-2014-0118 (cve.mitre.org)
     mod_deflate: The DEFLATE input filter (inflates request bodies) now
     limits the length and compression ratio of inflated request bodies to avoid
     denial of service via highly compressed bodies.  See directives
     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
     and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]

  *) SECURITY: CVE-2014-0231 (cve.mitre.org)
     mod_cgid: Fix a denial of service against CGI scripts that do
     not consume stdin that could lead to lingering HTTPD child processes
     filling up the scoreboard and eventually hanging the server.  By
     default, the client I/O timeout (Timeout directive) now applies to
     communication with scripts.  The CGIDScriptTimeout directive can be
     used to set a different timeout for communication with scripts.
     [Rainer Jung, Eric Covener, Yann Ylavic]

  *) SECURITY: CVE-2014-0226 (cve.mitre.org)
     Fix a race condition in scoreboard handling, which could lead to
     a heap buffer overflow.  [Joe Orton, Eric Covener, Jeff Trawick]
 
  *) SECURITY: CVE-2013-5704 (cve.mitre.org)
     core: HTTP trailers could be used to replace HTTP headers
     late during request processing, potentially undoing or
     otherwise confusing modules that examined or modified
     request headers earlier.  Adds "MergeTrailers" directive to restore
     legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]

  *) core: Detect incomplete request and response bodies, log an error and
     forward it to the underlying filters. PR 55475.  [Yann Ylavic]

  *) mod_deflate: Handle Zlib header and validation bytes received in multiple
     chunks. PR 46146. [Yann Ylavic]

  *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
     differs. PR 55782.  [Yann Ylavic]
 
  *) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
     [Lukas Bezdicka < social v3.sk>]

  *) mod_dav: Fix improper encoding in PROPFIND responses.  PR 56480.
     [Ben Reser]

  *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
     resumed by TLS session resumption (RFC 5077). [Rainer Jung]

  *) mod_proxy_ajp: Forward local IP address as a custom request attribute
     like we already do for the remote port. [Rainer Jung]

  *) mod_deflate: Don't fail when flushing inflated data to the user-agent
     and that coincides with the end of stream ("Zlib error flushing inflate
     buffer"). PR 56196. [Christoph Fausak < christoph fausak glueckkanja.com>]

  *) mod_cache, mod_disk_cache: With CacheLock enabled, responses with a Vary 
     header might not get the benefit of the thundering herd protection due to 
     an incorrect internal cache key.  PR 50317. 
     [Ruediger Pluem, Jan Kaluza, Yann Ylavic]

  *) mod_rewrite: Support session cookies with the CO= flag when later
     parameters are used.  The doc for this implied the feature had been
     backported for quite some time.  PR56014 [Eric Covener]

  *) mod_cache: Don't remove stale cache entries that cannot be conditionally
     revalidated. This prevents the thundering herd protection from serving
     stale responses during a revalidation. PR 50317.
     [Eric Covener, Jan Kaluza,  Ruediger Pluem]

  *) core: Increase TCP_DEFER_ACCEPT socket option to from 1 to 30 seconds. 
     PR 41270. [Dean Gaudet < dean arctic org>]
 
5-June-2014 Changes with Apache 2.2.27
Apache Lounge change:

  *) Upgraded OpenSSL to 1.0.1h from 1.0.1g (Changelog) 

  *) Upgraded OpenSSL to 0.9.8za from 1.9.8y (Changelog)
 
8-April-2014 Changes with Apache 2.2.27
Apache Lounge change:

  *) Upgraded OpenSSL to 1.0.1g from 1.0.1f (Changelog) 
 
20-March-2014 Changes with Apache 2.2.27 (legacy)
Apache Lounge change:

  *) Upgraded OpenSSL to 1.0.1f from 1.0.1e (Changelog) 

ASF changes:

  *) SECURITY: CVE-2014-0098 (cve.mitre.org)
     Clean up cookie logging with fewer redundant string parsing passes.
     Log only cookies with a value assignment. Prevents segfaults when
     logging truncated cookies.
     [William Rowe, Ruediger Pluem, Jim Jagielski]

  *) SECURITY: CVE-2013-6438 (cve.mitre.org)
     mod_dav: Keep track of length of cdata properly when removing
     leading spaces. Eliminates a potential denial of service from
     specifically crafted DAV WRITE requests
     [Amin Tora < Amin.Tora neustar.biz>]

  *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
     TE/CL conflicts. [Yann Ylavic < ylavic.dev gmail com>, Jim Jagielski]

  *) mod_proxy_http: Core dumped under high load. PR 50335.
     [Jan Kaluza < jkaluza redhat.com>]

  *) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
     [Christophe Jaillet]

  *) mod_proxy: Remove (never documented)  syntax which
     is equivalent to . [Christophe Jaillet]

  *) mod_ldap: Fix a potential memory leak or corruption.  PR 54936.
     [Zhenbo Xu ]

  *) mod_ssl: Do not perform SNI / Host header comparison in case of a
     forward proxy request. [Ruediger Pluem]

  *) mod_rewrite: Add mod_rewrite.h to the headers installed on Windows. 
     PR46679 [Bob Ionescu]
16-November-2013 Changes with Apache 2.2.26 (legacy)
Apache Lounge changes:

  *) Upgraded APR to 1.5.0 from 1.4.8 (Changelog)

  *) Upgraded APR-UTIL to 1.5.3 from 1.5.2 (Changelog)

ASF changes:

  *) mod_dav: dav_resource->uri treated as unencoded. This was an
     unnecessary ABI changed introduced in 2.2.25  PR 55397.  [Ben Reser]

  *) mod_dav: Do not validate locks against parent collection of COPY
     source URI.  PR 55304.  [Ben Reser]

  *) mod_ssl: Check SNI hostname against Host header case-insensitively.
     PR 49491.  [Mayank Agrawal ]

  *) mod_ssl: enable support for ECC keys and ECDH ciphers.  Tested against
     OpenSSL 1.0.0b3.  [Vipul Gupta, Sander Temme, Stefan Fritsch]

  *) mod_ssl: Change default for SSLCompression to off, as compression
     causes security issues in most setups. (The so called "CRIME" attack).
     [Stefan Fritsch]

  *) mod_ssl: Fix compilation error when OpenSSL does not contain
     support for SSLv2. Problem was introduced in 2.2.25. PR 55194.
     [Rainer Jung, Kaspar Brand]

  *) mod_dav: Fix double encoding of URIs in XML and Location header (caused
     by unintential ABI change in 2.2.25).  PR 55397.  [Ben Reser] 
29-June-2013 Changes with Apache 2.2.25 (legacy)
Apache Lounge changes:

  *) Upgraded zlib to 1.2.8 from 1.2.7 (Changelog)

  *) Upgraded APR to 1.4.8 from 1.4.6 (Changelog)

  *) Upgraded APR-UTIL to 1.5.2 from 1.4.1 (Changelog)

ASF changes:

  *) SECURITY: CVE-2013-1862 (cve.mitre.org)
     mod_rewrite: Ensure that client data written to the RewriteLog is
     escaped to prevent terminal escape sequences from entering the
     log file.  [Eric Covener, Jeff Trawick, Joe Orton]

  *) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
     strings.  The default limit for ap_pregsub() can be adjusted at compile
      time by defining AP_PREGSUB_MAXLEN.  [Stefan Fritsch, Jeff Trawick]

  *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
     on Linux kernel versions 3.x and above.  PR 55121.  [Bradley Heilbrun]

  *) mod_setenvif: Log error on substitution overflow.
     [Stefan Fritsch]

  *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
     [Kaspar Brand]

  *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
     forwarding to SSL backends. PR 53134.
     [Michael Weiser, Ruediger Pluem]

  *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
     in the error log to debug level.  [William Rowe]

  *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
     [Keith Burdis, Joe Orton, Kaspar Brand]

  *) mod_proxy_balancer: Added balancer parameter failontimeout to allow server
     admin to configure an IO timeout as an error in the balancer.
     [Daniel Ruggeri]

  *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
     password.  [Daniel Ruggeri]

  *) htdigest: Fix buffer overflow when reading digest password file
     with very long lines. PR 54893. [Rainer Jung]

  *) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
     the source href (sent as part of the request body as XML) pointing to a
     URI that is not configured for DAV will trigger a segfault. [Ben Reser]

  *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
     [Timothy Wood ]

  *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
     we compare unencoded paths. PR 53910 [Timothy Wood]

  *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
     result in a 412 Precondition Failed for a COPY operation. PR54610
     [Timothy Wood]

  *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
     property on a resource for which there is no dead property in the same
     namespace httpd segfaults. PR 52559 [Diego Santa Cruz]

  *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
     PR 52559 [Diego Santa Cruz]

  *) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
     PR 52559 [Diego Santa Cruz]

22-February-2013 Changes with Apache 2.2.24
Apache Lounge changes:

  *) Upgraded OpenSSL from 1.0.1c, 0.9.8x to 1.0.1e, 0.9.8y (Changelog) 

  *) Win64 Binary apr-1.4.6 patched (ASF PR: 49155) 
     WIN64 wasn't defined correctly in APR, resulting in crashes

  *) Upped the windows headers version to 502

ASF changes:

  *) SECURITY: CVE-2012-3499 (cve.mitre.org)
     Various XSS flaws due to unescaped hostnames and URIs HTML output in
     mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
     [Jim Jagielski, Stefan Fritsch, Niels Heinen ]

  *) SECURITY: CVE-2012-4558 (cve.mitre.org)
     XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
     Niels Heinen ]

  *) mod_rewrite: Stop merging RewriteBase down to subdirectories
     unless new option 'RewriteOptions MergeBase' is configured.
     Merging RewriteBase was unconditionally turned on in 2.2.23.
     PR 53963. [Eric Covener]

  *) mod_ssl: Send the error message for speaking http to an https port using
     HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
     using SNI. PR 50823. [Stefan Fritsch]

  *) mod_ssl: log revoked certificates at level INFO
     instead of DEBUG. PR 52162. [Stefan Fritsch]

  *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
     [Rainer Jung]

  *) mod_dir: Add support for the value 'disabled' in FallbackResource.
     [Vincent Deffontaines]

  *) mod_ldap: Fix regression in handling "server unavailable" errors on
     Windows.  PR 54140.  [Eric Covener]

  *) mod_ssl: fix a regression with the string rendering of the "UID" RDN
     introduced in 2.2.15. PR 54510. [Kaspar Brand]
     
  *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
     to more accurately report the negotiated protocol. PR 53916.
     [Nicolás Pernas Maradei , Kaspar Brand]

  *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
     Response if they so choose to do so. Previously an attempt to cache a 206
     was arbitrarily allowed if the response contained an Expires or
     Cache-Control header, and arbitrarily denied if both headers were missing.
     Currently the disk and memory cache providers do not cache 206 Partial
     Responses. [Graham Leggett]

  *) core: Remove unintentional APR 1.3 dependency introduced with
     Apache 2.2.22. [Eric Covener]

  *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
     the chosen listener is configured for https. [Joe Orton]

  *) mod_ssl: Add new directive SSLCompression to disable TLS-level
     compression. PR 53219. [Björn Jacke , Stefan Fritsch]
22-August-2012 Changes with Apache 2.2.23
Apache Lounge change:

  *) Win64 Binary apr-1.4.6 patched (ASF PR: 49155) 
     WIN64 wasn't defined correctly in APR, resulting in crashes

ASF changes:

  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
     current working directory to be searched for DSOs. [Stefan Fritsch]

  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
     mod_negotiation: Escape filenames in variant list to prevent a
     possible XSS for a site where untrusted users can upload files to
     a location with MultiViews enabled. [Niels Heinen ]

  *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). 
     [Paul Wouters , Joe Orton]

  *) mod_ldap: Treat the "server unavailable" condition as a transient
     error with all LDAP SDKs. [Filip Valder ]

  *) core: Add filesystem paths to access denied / access failed messages.
     [Eric Covener]

  *) core: Fix error handling in ap_scan_script_header_err_brigade() if there
     is no EOS bucket in the brigade. PR 48272. [Stefan Fritsch]

  *) core: Prevent "httpd -k restart" from killing server in presence of
     config error. [Joe Orton]

  *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
     control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive,
     adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'.
     [Kaspar Brand, William Rowe]

  *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
     PR 53104. [Greg Ames]

  *) Unix MPMs: Fix small memory leak in parent process if connect()
     failed when waking up children.  [Joe Orton]

  *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
     [Peter Pramberger , Jim Jagielski]

  *) Added SSLProxyMachineCertificateChainFile directive so the proxy client
     can select the proper client certificate when using a chain and the
     remote server only lists the root CA as allowed.

  *) mpm_event, mpm_worker: Remain active amidst prevalent child process
     resource shortages.  [Jeff Trawick]

  *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]

  *) mod_rewrite: Fix the RewriteEngine directive to work within a
     location. Previously, once RewriteEngine was switched on globally,
     it was impossible to switch off. [Graham Leggett]

  *) mod_proxy_balancer: Restore balancing after a failed worker has
     recovered when using lbmethod_bybusyness.  PR 48735.  [Jeff Trawick]

  *) mod_dumpio: Properly handle errors from subsequent input filters.
     PR 52914. [Stefan Fritsch]

  *) mpm_worker: Fix cases where the spawn rate wasn't reduced after child
     process resource shortages.  [Jeff Trawick]

  *) mpm_prefork: Reduce spawn rate after a child process exits due to
     unexpected poll or accept failure.  [Jeff Trawick]

  *) core: Adjust ap_scan_script_header_err*() to prevent mod_cgi and mod_cgid
     from logging bogus data in case of errors. [Stefan Fritsch]

  *) mod_disk_cache, mod_mem_cache: Decline the opportunity to cache if the
     response is a 206 Partial Content. This stops a reverse proxied partial
     response from becoming cached, and then being served in subsequent
     responses. PR 49113. [Graham Leggett]

  *) configure: Fix usage with external apr and apu in non-default paths
     and recent gcc versions >= 4.6. [Jean-Frederic Clere]

  *) core: Fix building against PCRE 8.30 by switching from the obsolete
     pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]

  *) mod_proxy: Add the forcerecovery balancer parameter that determines if
     recovery for balancer workers is enforced. [Ruediger Pluem]
13-May-2012 Changes with Apache 2.2.22
Apache Lounge change:

  *) Upgraded zlib to 1.2.7 (Changelog)

  *) Upgraded OpenSSL to 1.0.1c and 0.9.8x (Changelog) 
20-April-2012 Changes with Apache 2.2.22
Apache Lounge change:

  *) Upgraded OpenSSL from 1.0.1 to 1.0.1a (Changelog) 
19-March-2012 Changes with Apache 2.2.22
Apache Lounge change:

  *) Upgraded OpenSSL from 1.0.0g to 1.0.1 (Changelog) 

  *) Include manual files from now on
6-March-2012 Changes with Apache 2.2.22
Apache Lounge change:

  *) Build with VC10 ( Win32 VC9 still available at the Additional Download page)

  *) Win64 apr-1.4.6 patched (ASF PR: 49155) 
     WIN64 wasn't defined correct, resulting in crashes.
     Now using _WIN64 instead of WIN64 (compiler define vs. SDK define) in .c/.h.
13-February-2012 Changes with Apache 2.2.22
Apache Lounge change:

  *) Upgraded OpenSSL from 1.0.0e to 1.0.0g (Changelog) 

  *) Build OpenSSL with nasm 2.09.10 (was 2.05.01), see nasm home

  *) Upgraded zlib from 1.2.5 to 1.2.6 (Changelog)

  *) Upgraded APR from 1.4.5 to 1.4.6 (Changelog)

  *) Upgraded APR-Util from 1.3.12 to 1.4.1 (Changelog)

ASF changes:

  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
     Reject requests where the request-URI does not match the HTTP
     specification, preventing unexpected expansion of target URLs in
     some reverse proxy configurations.  [Joe Orton]

  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
     is enabled, could allow local users to gain privileges via a .htaccess
     file. [Stefan Fritsch, Greg Ames]

  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
     Resolve additional cases of URL rewriting with ProxyPassMatch or
     RewriteRule, where particular request-URIs could result in undesired
     backend network exposure in some configurations.
     [Joe Orton]

  *) SECURITY: CVE-2012-0021 (cve.mitre.org)
     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
     string is in use and a client sends a nameless, valueless cookie, causing
     a denial of service. The issue existed since version 2.2.17. PR 52256.
     [Rainer Canavan ]

  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
     Fix scoreboard issue which could allow an unprivileged child process 
     could cause the parent to crash at shutdown rather than terminate 
     cleanly.  [Joe Orton]

  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
     Fix an issue in error responses that could expose "httpOnly" cookies
     when no custom ErrorDocument is specified for status code 400.
     [Eric Covener]

  *) mod_proxy_ajp: Try to prevent a single long request from marking a worker
     in error. [Jean-Frederic Clere]

  *) config: Update the default mod_ssl configuration: Disable SSLv2, only
     allow >= 128bit ciphers, add commented example for speed optimized cipher
     list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]

  *) core: Fix segfault in ap_send_interim_response(). PR 52315.
     [Stefan Fritsch]

  *) mod_log_config: Prevent segfault. PR 50861. [Torsten Foertsch
     ]

  *) mod_win32: Invert logic for env var UTF-8 fixing.
     Now we exclude a list of vars which we know for sure they dont hold UTF-8
     chars; all other vars will be fixed. This has the benefit that now also
     all vars from 3rd-party modules will be fixed. PR 13029 / 34985.
     [Guenter Knauf]

  *) core: Fix hook sorting for Perl modules, a regression introduced in
     2.2.21. PR: 45076. [Torsten Foertsch ]

  *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
     A range of '0-' will now return 206 instead of 200. PR 51878.
     [Jim Jagielski]

  *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
     of "0").  [Rainer Jung]

  *) mod_substitute: Fix buffer overrun.  [Ruediger Pluem, Rainer Jung]
10-September-2011 Changes with Apache 2.2.21
  *) Upgraded OpenSSL to 1.0.0e (Changelog)

  *) SECURITY: CVE-2011-3348 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
     recognized.  [Jean-Frederic Clere]

  *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20.
     PR 51748. []

  *) mod_filter: Instead of dropping the Accept-Ranges header when a filter
     registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
     set the header value to "none". [Eric Covener, Ruediger Pluem]

  *) mod_proxy_ajp: Ignore flushing if headers have not been sent.
     PR 51608 [Ruediger Pluem]

  *) mod_dav_fs: Fix segfault if apr DBM driver cannot be loaded. PR 51751.
     [Stefan Fritsch]

  *) mod_alias: Adjust log severity of "incomplete redirection target"
     message. PR 44020.

  *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
     RewriteEngine is disabled in server context, avoiding a crash while
     referencing the invalid int: map at runtime. PR 50994.
     [Ben Noordhuis ]

  *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
     in the case Ranges are being ignored with MaxRanges none.
     [Eric Covener]

  *) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets.
     [Rainer Jung]