Software Update: Apache 2.2.12

The Apache HTTP Server Project development team has released a new version of the Apache web server. This server runs on many platforms and can be extended with all kinds of extra functionality through modules. The new version carries the version number 2.2.12 and comes with the following announcement and list of changes:

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.12 of the Apache HTTP Server (“Apache”). This version of Apache is principally a security and bug fix release. We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Changes with Apache 2.2.12:

  • SECURITY: CVE-2009-1891 – Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. PR 39605.
  • SECURITY: CVE-2009-1195 – Prevent the “Includes” Option from being enabled in an .htaccess file if the AllowOverride restrictions do not permit it.
  • SECURITY: CVE-2009-1890 – Fix a potential Denial-of-Service attack against mod_proxy in a reverse proxy configuration, where a remote attacker can force a proxy process to consume CPU time indefinitely.
  • SECURITY: CVE-2009-1191 – mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body. PR 46949
  • SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 – The bundled copy of the APR-util library has been updated, fixing three different security issues which may affect particular configurations and third-party modules.
  • mod_include: fix potential segfault when handling back references on an empty SSI variable.
  • mod_alias: check sanity in Redirect arguments. PR 44729
  • mod_proxy_http: fix Host: header for literal IPv6 addresses. PR 47177
  • mod_rewrite: Remove locking for writing to the rewritelog. PR 46942
  • mod_alias: Ensure Redirect emits HTTP-compliant URLs. PR 44020
  • mod_proxy_http: fix case-sensitive checking of the Transfer-Encoding header. PR 47383
  • mod_rewrite: Fix the error string returned by RewriteRule. RewriteRule returned “RewriteCond: bad flag delimiters” when the 3rd argument of RewriteRule did not start with “[” or did not end with “]”. PR 45082
  • mod_proxy: Complete ProxyPassReverse to handle balancer URLs. Given “BalancerMember balancer://alias <backend URL>” and “ProxyPassReverse /bash balancer://alias/bar”, the backend URL (omitted in the text above) for /that is now translated to /bash/that.
  • New piped log syntax: Use “||process args” to launch the given process without invoking the shell/command interpreter. Use “|$command line” (the default behavior of “|command line” in 2.2) to invoke using shell, consuming an additional shell process for the lifetime of the logging pipe program but granting additional process invocation flexibility.
  • mod_ssl: Add server name indication support (RFC 4366) and better support for name based virtual hosts with SSL. PR 34607
  • mod_negotiation: Escape paths of filenames in 406 responses to avoid HTML injections and HTTP response splitting. PR 46837.
  • mod_include: Prevent a case of SSI timefmt-smashing with filter chains including multiple INCLUDES filters. PR 39369
  • mod_rewrite: When evaluating a proxy rule in directory context, do escape the filename by default. PR 46428
  • mod_proxy_ajp: Check more strictly that the backend follows the AJP protocol.
  • mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable stricter checking of remote server certificates.
  • mod_substitute: Fix a memory leak. PR 44948
  • mod_proxy_ajp: Forward remote port information by default.
  • mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders directive to correctly remove headers before storing them.
  • mod_deflate: revert changes in 2.2.8 that caused an invalid etag to be emitted for on-the-fly gzip content-encoding. PR 39727 will require larger fixes and this fix was far more harmful than the original code. PR 45023.
  • mod_disk_cache: The module now turns off sendfile support if ‘EnableSendfile off’ is defined globally. PR 41218.
  • prefork: Fix child process hang during graceful restart/stop in configurations with multiple listening sockets. PR 42829.
  • mod_ssl: Add SSLRenegBufferSize directive to allow changing the size of the buffer used for the request-body where necessary during a per-dir renegotiation. PR 39243.
  • mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome way that per-directory rewrites append the previous notion of PATH_INFO to each substitution before evaluating subsequent rules. PR 38642
  • mod_authnz_ldap: Reduce number of initialization debug messages and make information more clear. PR 46342
  • mod_cache: Introduce ‘no-cache’ per-request environment variable to prevent the saving of an otherwise cacheable response.
  • core: Translate the status line to ASCII on EBCDIC platforms in ap_send_interim_response() and for locally generated “100 Continue” responses.
  • CGI: return 504 (Gateway timeout) rather than 500 when a script times out before returning status line/headers. PR 42190
  • prefork: Log an error instead of segfaulting when child startup fails due to pollset creation failures. PR 46467.
  • mod_ext_filter: fix error handling when the filter prog fails to start, and introduce an onfail configuration option to abort the request or to remove the broken filter and continue. PR 41120
  • mod_include: support generating non-ASCII characters as entities in SSI. PR 25202
  • core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
  • mod_rewrite: fix “B” flag breakage by reverting r589343. PR 45529
  • mod_cgid: fix segfault problem on solaris. PR 39332
  • mod_ldap: Avoid a segfault when result->rc is checked in uldap_connection_init when result is NULL. This could happen if LDAP initialization failed. PR 45994.
  • Set Listen protocol to “https” if port is set to 443 and no proto is specified (as documented but not implemented). PR 46066
  • mod_cache: Correctly save Content-Encoding of cacheable entity. PR 46401
  • Output -M and -S dumps (modules and vhosts) to stdout instead of stderr. PR 42571 and PR 44266 (dup).
  • mod_cache: When an explicit Expires or Cache-Control header is set, cache normally non-cacheable response statuses. PR 46346.
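The following httpd.conf excerpt is an added example, not part of the Apache announcement or of the project's own documentation. It shows how four of the 2.2.12 items above are used together on a hardened 2.2 host: the new shell-free “||” piped-log syntax, an AllowOverride restriction that the CVE-2009-1195 fix makes effective against .htaccess files, SNI-based name-based SSL virtual hosts, and the new SSLProxyCheckPeerCN/SSLProxyCheckPeerExpire directives for a reverse proxy talking to an HTTPS backend. All host names, paths and certificate files are placeholders.

```apache
# Added example (not from the Apache 2.2.12 announcement or the httpd project).
# Host names, document roots and certificate paths are placeholders.

# 1. Piped logging without a shell. "||" starts rotatelogs directly, so no
#    /bin/sh process stays alive for the lifetime of the pipe and the
#    arguments are never interpreted by a shell. "|$" (the old "|" behaviour)
#    is only needed when shell features such as redirection are required.
ErrorLog  "||/usr/sbin/rotatelogs /var/log/httpd/error_log.%Y%m%d 86400"
CustomLog "||/usr/sbin/rotatelogs /var/log/httpd/access_log.%Y%m%d 86400" combined

# 2. Limit what a .htaccess file may turn on. Before the CVE-2009-1195 fix a
#    .htaccess could still enable "Includes" (SSI with exec) even though only
#    IncludesNoExec was permitted here; with 2.2.12 this restriction holds.
<Directory "/var/www/html">
    Options IncludesNoExec Indexes
    AllowOverride Options=IncludesNoExec,Indexes AuthConfig
    Order allow,deny
    Allow from all
</Directory>

# 3. Name-based SSL virtual hosts on one address, selected via SNI (RFC 4366).
#    SSLStrictSNIVHostCheck (also new in 2.2.12) decides whether clients that
#    send no SNI extension are refused access to the non-default vhosts.
NameVirtualHost *:443
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/www
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName api.example.com
    DocumentRoot /var/www/api
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/api.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/api.example.com.key

    # 4. Reverse proxy to an HTTPS backend with strict peer checking: the
    #    backend certificate must chain to the internal CA, its CN must match
    #    the host in the ProxyPass URL, and it must not be expired.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/httpd/ssl/internal-ca.crt
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on
    ProxyPass        /backend/ https://app01.internal.example.com/
    ProxyPassReverse /backend/ https://app01.internal.example.com/
</VirtualHost>
```

After reloading, check the result with `httpd -S` (which 2.2.12 now prints to stdout) to confirm both *:443 vhosts are listed, and verify that a request with an exec SSI element in a .shtml file under /var/www/html is refused even when a .htaccess there says “Options +Includes”.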

Version number: 2.2.12
Release status: Final
Operating systems: Windows 9x, Windows 2000, Linux, BSD, Windows XP, macOS, OS/2, Solaris, UNIX, Windows Server 2003, Windows Vista, Windows Server 2008
Website: Apache Software Foundation
License type: Conditions (GNU/BSD/etc.)