10.288.2008 - Apache Group: Apache HTTP Server 2.2.10

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. Changes with Apache 2.2.10: SECURITY: CVE-2008-2939 (cve.mitre.org) mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem] Allow for smax to be 0 for balancer members so that all idle connections are able to be dropped should they exceed ttl. PR 43371 [Phil Endecott , Jim Jagielski] mod_proxy_http: Don't trigger a retry by the client if a failure to read the response line was the result of a timeout. [Adam Woodworth ] Support chroot on Unix-family platforms PR 43596 [Dimitar Pashev ] mod_ssl: implement dynamic mutex callbacks for the benefit of OpenSSL. [Sander Temme] mod_proxy_balancer: Add 'bybusyness' load balance method. [Joel Gluth , Jim Jagielski] mod_authn_alias: Detect during startup when AuthDigestProvider is configured to use an incompatible provider via AuthnProviderAlias. PR 45196 [Eric Covener] mod_proxy: Add 'scolonpathdelim' parameter to allow for ';' to also be used as a session path separator/delim PR 45158. [Jim Jagielski] mod_charset_lite: Avoid dropping error responses by handling meta buckets correctly. PR 45687 [Dan Poirier ] mod_proxy_http: Introduce environment variable proxy-initial-not-pooled to avoid reusing pooled connections if the client connection is an initial connection. PR 37770. [Ruediger Pluem] mod_rewrite: Allow Cookie option to set secure and HttpOnly flags. PR 44799 [Christian Wenz ] mod_ssl: Rewrite shmcb to avoid memory alignment issues. PR 42101. [Geoff Thorpe] mod_proxy: Add connectiontimeout parameter for proxy workers in order to be able to set the timeout for connecting to the backend separately. PR 45445. [Ruediger Pluem, rahul ] mod_dav_fs: Retrieve minimal system information about directory entries when walking a DAV fs, resolving a performance degradation on Windows. PR 45464. [Joe Orton, Jeff Trawick] mod_cgid: Pass along empty command line arguments from an ISINDEX query that has consecutive '+' characters in the QUERY_STRING, matching the behavior of mod_cgi. [Eric Covener] mod_headers: Prevent Header edit from processing only the first header of possibly multiple headers with the same name and deleting the remaining ones. PR 45333. [Ruediger Pluem] mod_proxy_balancer: Move nonce field in the balancer manager page inside the html form where it belongs. PR 45578. [Ruediger Pluem] mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to known HTTP/1.0 servers. Return 'Expectation failed' (417) instead. [Ruediger Pluem] mod_rewrite: Preserve the query string when [proxy,noescape]. PR 45247. [Tom Donovan] - Download Apache HTTP Server - View Release Notes - View Additional Information - Visit Apache Group