Apache HTTP Server / STATUS

APACHE 2.2 STATUS:                                              -*-text-*-
Last modified at [$Date$]

The current version of this file can be found at:


Documentation status is maintained separately and can be found at:

  * docs/STATUS in this source tree, or

The current development branch of this software can be found at:


Patches considered for backport are noted in their branches' STATUS:


Release history:
    [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases,
          while x.{even}.z versions are Stable/GA releases.]
    2.2.20  : Tagged August 29, 2011.
    2.2.19  : Tagged May 20, 2011. ABI restored.
    2.2.18  : Released May 11, 2011. ABI broken.
    2.2.17  : Released October 19, 2010.
    2.2.16  : Released July 25, 2010.
    2.2.15  : Released March 6, 2010.
    2.2.14  : Released October 3, 2009.
    2.2.13  : Released August 8, 2009.
    2.2.12  : Released July 28, 2009.
    2.2.11  : Released December 14, 2008.
    2.2.10  : Released October 14, 2008.
    2.2.9   : Released June 14, 2008.
    2.2.8   : Released January 19, 2008.
    2.2.7   : Tagged January 4, 2008. Not released.
    2.2.6   : Released September 7, 2007.
    2.2.5   : Tagged August 10, 2007, not released.
    2.2.4   : Released on January 9, 2007 as GA.
    2.2.3   : Released on July 28, 2006 as GA.
    2.2.2   : Released on May 1, 2006 as GA.
    2.2.1   : Tagged on April 1, 2006, not released.
    2.2.0   : Released on December 1, 2005 as GA.
    2.1.10  : Tagged on November 19, 2005, not released.
    2.1.9   : Released on November 5, 2005 as beta.
    2.1.8   : Released on October 1, 2005 as beta.
    2.1.7   : Released on September 12, 2005 as beta.
    2.1.6   : Released on June 27, 2005 as alpha.
    2.1.5   : Tagged on June 17, 2005.
    2.1.4   : not released.
    2.1.3   : Released on February 22, 2005 as alpha.
    2.1.2   : Released on December 8, 2004 as alpha.
    2.1.1   : Released on November 19, 2004 as alpha.
    2.1.0   : not released.

Contributors looking for a mission:

  * Just do an egrep on "TODO" or "XXX" in the source.

  * Review the bug database at:

  * Review the "PatchAvailable" bugs in the bug database:

    After testing, you can append a comment saying "Reviewed and tested".

  * Open bugs in the bug database.


  * Forward binary compatibility is expected of Apache 2.2.x releases, such
    that no MMN major number changes will occur.  Such changes can only be
    made in the trunk.  Note 2.2.18 contained an incompatible ABI change,
    subsequently corrected, and should not be referenced.

  * All commits to branches/2.2.x must be reflected in SVN trunk,
    as well, if they apply.  Logical progression is commit to trunk,
    get feedback and votes on list or in STATUS, then merge into
    branches/2.2.x, as applicable.


  [ start all new proposals below, under PATCHES PROPOSED. ]

  * core: Fix CVE-2011-3192
    Trunk patch: All changes to modules/http/byterange_filter.c from r1161534 to
    2.2.x patch:
    +1: sf, jim (with r1162669 and r1162687 added), rpluem

  [ New proposals should be added at the end of the list ]

  * mod_cache: Realign the cache_quick_handler() to behave identically
    to the default_handler() when reacting to errors when writing to the
    filter stack. Stops APR errors appearing in access_log as result codes.
    Trunk patches:
    2.2.x patch:
    +1: minfrin
    trawick: any reason it shouldn't be completely aligned with default_handler's
             choice to return OK vs. 500?

  * Adjust inflated log severity.
    PR: 44020
    Trunk patch: Was never in trunk.
    2.2.x patch:
    +1: sf
    +0: covener did you see Jim's initial concern on introducing the
        ap_construct_url() in maintenance?  This dissuaded me from
        proposing the same.
    sf replies: I think that was mainly referring to the fact that in the
                !ap_is_url(ret) case, the trunk version returns internal
                server error while the 2.2 version just does nothing.
                In that case, there is a log message with level error, but
                that is not the one I want to change.

  * mod_filter: fix parsing of regexps containing slashes
    PR 51434 (and 51435, which includes the fix)
    Trunk patch: N/A
    2.2.x patch:
    +1: niq

  * mod_win32: Invert logic for env var UTF-8 fixing.
    Now we exclude a list of vars which we know for sure they
    don't hold UTF-8 chars; all other vars will be fixed. This
    has the benefit that now also all vars from 3rd-party modules
    will be fixed. This fix is based on PR 13029 / 34985, and
    includes now the SSL_ and GEOIP_ vars; otherwise it's impossible
    to run CGIs when mod_ssl and/or mod_geoip are loaded and those
    mods return UTF-8 chars in any var during a request.
    Trunk patch:
    2.2.x patch:
    +1: fuankg

  * mod_proxy_ajp: Respect "reuse" flag in END_RESPONSE
    Trunk patch:
    2.2.x patch:
    +1: rjung

  * mod_rewrite: validate RewriteMap int:foo even if RewriteEngine is "off" to avoid crash.
    Trunk patch:
    2.2.x patch: trunk works
    +1 covener

  * mod_proxy_ajp: Ignore flushing if headers have not been sent.
    Trunk patch:
    2.2.x patch:
    +1: rpluem, jim

  * mod_ssl: Add SSLProxyMachineCertificateChainFile directive
    Adds a new function in ssl_util_ssl.c SSL_X509_INFO_create_chain that will
    construct a chain of trusted certificates. When a remote server requests
    a client certificate that is NOT the direct issuer of any available client
    certificate, the chain for that certificate will be used to trace it to a
    known CA and that client certificate will be used.
    druggeri note: 2.2 documentation patch needed
    Trunk patch:
    2.2.x patch:

  * core: Add AllowOverrideList directive
    Discussed on mailing list
    druggeri note: 2.2 documentation patch needed from trunk patch
    Trunk patch:
    2.2.x patch:


  * core: Support wildcards in both the directory and file components of
    the path specified by the Include directive.
    Trunk patch:
    2.2.x patch:
    Submitted by: minfrin, poirier
    +1: minfrin, jim, poirier
    -1: wrowe [This introduces new invalid paths which do not resolve to any
               configuration file paths, increasing the probability of unreported
               syntax errors to further confuse the administrator.]

  * srclib/pcre and vendor/pcre

    update to pcre-7.8
    outcome: remove from trunk, leave alone in branches/2.2.x and branches/2.0.x

 * core, authn/z: Avoid calling access control hooks for internal requests
   with configurations which match those of initial request.  Revert to
   original behaviour (call access control hooks for internal requests
   with URIs different from initial request) if any access control hooks or
   providers are not registered as permitting this optimization.
   Introduce wrappers for access control hook and provider registration
   which can accept additional mode and flag data.  Convert common
   provider version strings to macros.
   The core purpose of this pile of patches is to avoid unnecessary
   authn/z hooks when a single request spawns large numbers of internal
   requests to which an identical set of httpd configurations apply.
   This permits modules such as mod_authn_dbd and mod_dav to work together
   Because certain external modules such as mod_authz_svn rely on the old
   behaviour, this optimization can be made only when all authn/z hooks and
   providers are registered with the appropriate flag.
   It would be excellent if Windows and NetWare people could ensure this
   builds correctly.
   In particular, mod_auth.h must be included into request.c and I've left
   mod_auth.h under modules/aaa rather than try to replicate wrowe's work
   in trunk moving all the include files around.
   I'm open to suggestions that this remain in trunk only, but in that case,
   it would be very helpful to know whether most people expect a 2.4 branch
   or just a 3.0 branch to be next.  If 3.0, some of the backwards
   compatibility work could potentially be ditched.
   Trunk version of patches: (trunk MMN bump) (reverted by r659160)
   Backport version for 2.2.x of patch:
   +1: chrisd
   -0: jim (would prefer to see in 2.4, and to push 2.4 out)

   * beos MPM: Create pmain pool and run modules' child_init hooks when
     entering ap_mpm_run(), then destroy pmain when exiting ap_mpm_run().
     Otherwise modules' child_init hooks appear to never be executed.
     Also, destroying pmain ensures that cleanups registered in modules'
     child_init hooks are performed (e.g., mod_log_config and mod_dbd).
     Trunk version of patch:
     2.2.x version of patch:
     +0: chrisd (abstaining; unable to test)

    * PKCS#7: backport PKCS#7 patches from trunk.
      +1 ben
      jerenkrantz: What's the revision number to backport?
      wrowe asks: ditto jerenkrantz
      sctemme: svn blame suggests r424707
      rpluem: Digging through the history suggests that
              need to be added to this. See also
              and follow ups for more details.
      needs r930063 to avoid a memory leak, +1 with r930063.

 * prefork MPM: simple patch to enable mod_privileges.
   trunk: N/A (this patch substitutes for the availability of
               drop_privileges hook).
   2.2.x patch:
   +1: niq, igalic

 * unixd: set suexec_enabled correctly when httpd is run by non-root
   PR 42175
   Trunk Patch:
   2.2.x Patch:
   +1: niq
   -0: wrowe; Please refer to man 'access' BUGS section about linux 2.4
              vs 2.6 kernels, potentially a suspect test for root.
   sf:        Couldn't the linux 2.4 bug be worked around by calling access
              twice? Once with R_OK and once with X_OK.
   wrowe:     It would seem we only need to test for X_OK?

 * mod_disk_cache: Decline the opportunity to cache if the response is
    a 206 Partial Content. This stops a reverse proxied partial response
    from becoming cached, and then being served in subsequent responses.
    Trunk patch:
    2.2.x patch:
    +1: minfrin
    niq asks: I can see the logic of not caching partial responses,
    but why should mod_disk_cache worry about them if mod_cache allows
    them, as in the following proposal?
    rpluem says: As poirier correctly mentions, the same must be done for mod_mem_cache
    as well.

  *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
     Response if they so choose to do so. Previously an attempt to cache a 206
     was arbitrarily allowed if the response contained an Expires or
     Cache-Control header, and arbitrarily denied if both headers were missing.
     Trunk patch:
     2.2.x Patch:
     +1: minfrin
     -1: rpluem: Until the patch proposal above for mod_disk_cache is backported
                 and a similar patch for mod_mem_cache is proposed (no backport
                 possible since mod_mem_cache is no longer in trunk) and

   * config: fix/optimize SSL connections for IE6 browsers
     PR 49484
     Trunk patch:
     2.2 patch: should apply cleanly
     +1: gstein
     -0: sf: If we change it, then change it to something that will be OK for
         MSIE 10, too. Also, some people recommend keeping ssl-unclean-shutdown
         for newer versions of MSIE.
         See and
         the links therein.

   * mod_proxy: Release the backend connection as soon as EOS is detected,
     so the backend isn't forced to wait for the client to eventually
     acknowledge the data.
     Trunk patch:
     2.2.x patch:
     +1: minfrin
     +1: jim (requires mmn bump due to proxy_conn_rec)
     rpluem says: r1052224 r1052314 need to be added as well as the patch above
                  has a thread safety issue.
     minfrin: r1055246 needs to be added to r1052314 to ensure the cleanup
              isn't attempted twice.
     rpluem says: Mind to update the 2.2.x version of the patch with r1052224,
                  r1052314, r1055246 and r1055570 (Comment fix by Jim)?