publishing release httpd-2.4.65

covener · covener · commit 5b83e7d04fbf · 2025-07-23T12:06:16.000Z
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927439 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/CHANGES b/CHANGES
@@ -1,6 +1,15 @@
                                                          -*- coding: utf-8 -*-
+Changes with Apache 2.4.66
+
 Changes with Apache 2.4.65
 
+  *) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr'
+     always evaluates to true in 2.4.64 (cve.mitre.org)
+     A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond
+     expr ..." tests evaluating as "true".
+     Users are recommended to upgrade to version 2.4.65, which fixes
+     the issue.
+
 Changes with Apache 2.4.64
 
   *) SECURITY: CVE-2025-53020: Apache HTTP Server: HTTP/2 DoS by
diff --git a/STATUS b/STATUS
@@ -29,7 +29,8 @@ Release history:
     [NOTE that x.{odd}.z versions are strictly Alpha/Beta releases,
           while x.{even}.z versions are Stable/GA releases.]
 
-    2.4.65  : In development
+    2.4.66  : In development
+    2.4.65  : Released on July 23, 2025
     2.4.64  : Released on July 10, 2025
     2.4.63  : Released on January 23, 2025
     2.4.62  : Released on July 17, 2024
diff --git a/docs/manual/convenience.map b/docs/manual/convenience.map
@@ -29,6 +29,7 @@ addoutputfilterbytype	mod/mod_filter.html#addoutputfilterbytype
 addtype	mod/mod_mime.html#addtype
 alias	mod/mod_alias.html#alias
 aliasmatch	mod/mod_alias.html#aliasmatch
+aliaspreservepath	mod/mod_alias.html#aliaspreservepath
 allow	mod/mod_access_compat.html#allow
 allowconnect	mod/mod_proxy_connect.html#allowconnect
 allowencodedslashes	mod/core.html#allowencodedslashes
@@ -162,6 +163,7 @@ cachestoreprivate	mod/mod_cache.html#cachestoreprivate
 cgidscripttimeout	mod/mod_cgid.html#cgidscripttimeout
 cgimapextension	mod/core.html#cgimapextension
 cgipassauth	mod/core.html#cgipassauth
+cgiscripttimeout	mod/mod_cgi.html#cgiscripttimeout
 cgivar	mod/core.html#cgivar
 charsetdefault	mod/mod_charset_lite.html#charsetdefault
 charsetoptions	mod/mod_charset_lite.html#charsetoptions
@@ -182,9 +184,11 @@ cookietracking	mod/mod_usertrack.html#cookietracking
 coredumpdirectory	mod/mpm_common.html#coredumpdirectory
 customlog	mod/mod_log_config.html#customlog
 dav	mod/mod_dav.html#dav
+davbasepath	mod/mod_dav.html#davbasepath
 davdepthinfinity	mod/mod_dav.html#davdepthinfinity
 davgenericlockdb	mod/mod_dav_lock.html#davgenericlockdb
 davlockdb	mod/mod_dav_fs.html#davlockdb
+davlockdiscovery	mod/mod_dav_fs.html#davlockdiscovery
 davmintimeout	mod/mod_dav.html#davmintimeout
 dbdexptime	mod/mod_dbd.html#dbdexptime
 dbdinitsql	mod/mod_dbd.html#dbdinitsql
@@ -200,6 +204,7 @@ defaultlanguage	mod/mod_mime.html#defaultlanguage
 defaultruntimedir	mod/core.html#defaultruntimedir
 defaulttype	mod/core.html#defaulttype
 define	mod/core.html#define
+deflatealteretag	mod/mod_deflate.html#deflatealteretag
 deflatebuffersize	mod/mod_deflate.html#deflatebuffersize
 deflatecompressionlevel	mod/mod_deflate.html#deflatecompressionlevel
 deflatefilternote	mod/mod_deflate.html#deflatefilternote
@@ -255,23 +260,29 @@ gracefulshutdowntimeout	mod/mpm_common.html#gracefulshutdowntimeout
 group	mod/mod_unixd.html#group
 h2copyfiles	mod/mod_http2.html#h2copyfiles
 h2direct	mod/mod_http2.html#h2direct
+h2earlyhint	mod/mod_http2.html#h2earlyhint
 h2earlyhints	mod/mod_http2.html#h2earlyhints
+h2maxdataframelen	mod/mod_http2.html#h2maxdataframelen
+h2maxheaderblocklen	mod/mod_http2.html#h2maxheaderblocklen
 h2maxsessionstreams	mod/mod_http2.html#h2maxsessionstreams
 h2maxworkeridleseconds	mod/mod_http2.html#h2maxworkeridleseconds
 h2maxworkers	mod/mod_http2.html#h2maxworkers
 h2minworkers	mod/mod_http2.html#h2minworkers
 h2moderntlsonly	mod/mod_http2.html#h2moderntlsonly
 h2outputbuffering	mod/mod_http2.html#h2outputbuffering
 h2padding	mod/mod_http2.html#h2padding
+h2proxyrequests	mod/mod_http2.html#h2proxyrequests
 h2push	mod/mod_http2.html#h2push
 h2pushdiarysize	mod/mod_http2.html#h2pushdiarysize
 h2pushpriority	mod/mod_http2.html#h2pushpriority
 h2pushresource	mod/mod_http2.html#h2pushresource
 h2serializeheaders	mod/mod_http2.html#h2serializeheaders
 h2streammaxmemsize	mod/mod_http2.html#h2streammaxmemsize
+h2streamtimeout	mod/mod_http2.html#h2streamtimeout
 h2tlscooldownsecs	mod/mod_http2.html#h2tlscooldownsecs
 h2tlswarmupsize	mod/mod_http2.html#h2tlswarmupsize
 h2upgrade	mod/mod_http2.html#h2upgrade
+h2websockets	mod/mod_http2.html#h2websockets
 h2windowsize	mod/mod_http2.html#h2windowsize
 header	mod/mod_headers.html#header
 headername	mod/mod_autoindex.html#headername
@@ -394,10 +405,13 @@ mdcertificatemonitor	mod/mod_md.html#mdcertificatemonitor
 mdcertificateprotocol	mod/mod_md.html#mdcertificateprotocol
 mdcertificatestatus	mod/mod_md.html#mdcertificatestatus
 mdchallengedns01	mod/mod_md.html#mdchallengedns01
+mdchallengedns01version	mod/mod_md.html#mdchallengedns01version
+mdcheckinterval	mod/mod_md.html#mdcheckinterval
 mdcontactemail	mod/mod_md.html#mdcontactemail
 mddrivemode	mod/mod_md.html#mddrivemode
 mdexternalaccountbinding	mod/mod_md.html#mdexternalaccountbinding
 mdhttpproxy	mod/mod_md.html#mdhttpproxy
+mdmatchnames	mod/mod_md.html#mdmatchnames
 mdmember	mod/mod_md.html#mdmember
 mdmembers	mod/mod_md.html#mdmembers
 mdmessagecmd	mod/mod_md.html#mdmessagecmd
@@ -407,15 +421,20 @@ mdomain	mod/mod_md.html#mdomain
 mdomainset	mod/mod_md.html#mdomainset
 mdportmap	mod/mod_md.html#mdportmap
 mdprivatekeys	mod/mod_md.html#mdprivatekeys
+mdprofile	mod/mod_md.html#mdprofile
+mdprofilemandatory	mod/mod_md.html#mdprofilemandatory
 mdrenewmode	mod/mod_md.html#mdrenewmode
 mdrenewwindow	mod/mod_md.html#mdrenewwindow
 mdrequirehttps	mod/mod_md.html#mdrequirehttps
+mdretrydelay	mod/mod_md.html#mdretrydelay
+mdretryfailover	mod/mod_md.html#mdretryfailover
 mdserverstatus	mod/mod_md.html#mdserverstatus
 mdstapleothers	mod/mod_md.html#mdstapleothers
 mdstapling	mod/mod_md.html#mdstapling
 mdstaplingkeepresponse	mod/mod_md.html#mdstaplingkeepresponse
 mdstaplingrenewwindow	mod/mod_md.html#mdstaplingrenewwindow
 mdstoredir	mod/mod_md.html#mdstoredir
+mdstorelocks	mod/mod_md.html#mdstorelocks
 mdwarnwindow	mod/mod_md.html#mdwarnwindow
 memcacheconnttl	mod/mod_socache_memcache.html#memcacheconnttl
 mergeslashes	mod/core.html#mergeslashes
@@ -505,6 +524,7 @@ receivebuffersize	mod/mpm_common.html#receivebuffersize
 redirect	mod/mod_alias.html#redirect
 redirectmatch	mod/mod_alias.html#redirectmatch
 redirectpermanent	mod/mod_alias.html#redirectpermanent
+redirectrelative	mod/mod_alias.html#redirectrelative
 redirecttemp	mod/mod_alias.html#redirecttemp
 redisconnpoolttl	mod/mod_socache_redis.html#redisconnpoolttl
 redistimeout	mod/mod_socache_redis.html#redistimeout
@@ -682,24 +702,10 @@ threadlimit	mod/mpm_common.html#threadlimit
 threadsperchild	mod/mpm_common.html#threadsperchild
 threadstacksize	mod/mpm_common.html#threadstacksize
 timeout	mod/core.html#timeout
-tlscertificate	mod/mod_tls.html#tlscertificate
-tlsciphersprefer	mod/mod_tls.html#tlsciphersprefer
-tlscipherssuppress	mod/mod_tls.html#tlscipherssuppress
-tlsengine	mod/mod_tls.html#tlsengine
-tlshonorclientorder	mod/mod_tls.html#tlshonorclientorder
-tlsoptions	mod/mod_tls.html#tlsoptions
-tlsprotocol	mod/mod_tls.html#tlsprotocol
-tlsproxyca	mod/mod_tls.html#tlsproxyca
-tlsproxyciphersprefer	mod/mod_tls.html#tlsproxyciphersprefer
-tlsproxycipherssuppress	mod/mod_tls.html#tlsproxycipherssuppress
-tlsproxyengine	mod/mod_tls.html#tlsproxyengine
-tlsproxymachinecertificate	mod/mod_tls.html#tlsproxymachinecertificate
-tlsproxyprotocol	mod/mod_tls.html#tlsproxyprotocol
-tlssessioncache	mod/mod_tls.html#tlssessioncache
-tlsstrictsni	mod/mod_tls.html#tlsstrictsni
 traceenable	mod/core.html#traceenable
 transferlog	mod/mod_log_config.html#transferlog
 typesconfig	mod/mod_mime.html#typesconfig
+unclist	mod/core.html#unclist
 undefine	mod/core.html#undefine
 undefmacro	mod/mod_macro.html#undefmacro
 unsetenv	mod/mod_env.html#unsetenv
diff --git a/docs/manual/mod/quickreference.html.de b/docs/manual/mod/quickreference.html.de
@@ -1087,7 +1087,7 @@ Client Auth</td></tr>
 handshake</td></tr>
 <tr><td><a href="mod_ssl.html#sslcompression">SSLCompression on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable compression on the SSL level</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslcryptodevice">SSLCryptoDevice <em>engine</em></a></td><td> builtin </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Enable use of a cryptographic hardware accelerator</td></tr>
-<tr><td><a href="mod_ssl.html#sslengine">SSLEngine on|off|optional</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">SSL Engine Operation Switch</td></tr>
+<tr><td><a href="mod_ssl.html#sslengine">SSLEngine on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">SSL Engine Operation Switch</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslfips">SSLFIPS on|off</a></td><td> off </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">SSL FIPS mode Switch</td></tr>
 <tr><td><a href="mod_ssl.html#sslhonorcipherorder">SSLHonorCipherOrder on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Option to prefer the server's cipher preference order</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslinsecurerenegotiation">SSLInsecureRenegotiation on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Option to enable support for insecure renegotiation</td></tr>
diff --git a/docs/manual/mod/quickreference.html.es b/docs/manual/mod/quickreference.html.es
@@ -1078,7 +1078,7 @@ Client Auth</td></tr>
 handshake</td></tr>
 <tr><td><a href="mod_ssl.html#sslcompression">SSLCompression on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable compression on the SSL level</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslcryptodevice">SSLCryptoDevice <em>engine</em></a></td><td> builtin </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Enable use of a cryptographic hardware accelerator</td></tr>
-<tr><td><a href="mod_ssl.html#sslengine">SSLEngine on|off|optional</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">SSL Engine Operation Switch</td></tr>
+<tr><td><a href="mod_ssl.html#sslengine">SSLEngine on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">SSL Engine Operation Switch</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslfips">SSLFIPS on|off</a></td><td> off </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">SSL FIPS mode Switch</td></tr>
 <tr><td><a href="mod_ssl.html#sslhonorcipherorder">SSLHonorCipherOrder on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Option to prefer the server's cipher preference order</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslinsecurerenegotiation">SSLInsecureRenegotiation on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Option to enable support for insecure renegotiation</td></tr>
diff --git a/docs/manual/mod/quickreference.html.ja.utf8 b/docs/manual/mod/quickreference.html.ja.utf8
@@ -1005,7 +1005,7 @@ Client Auth</td></tr>
 handshake</td></tr>
 <tr><td><a href="mod_ssl.html#sslcompression">SSLCompression on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable compression on the SSL level</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslcryptodevice">SSLCryptoDevice <em>engine</em></a></td><td> builtin </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Enable use of a cryptographic hardware accelerator</td></tr>
-<tr><td><a href="mod_ssl.html#sslengine">SSLEngine on|off|optional</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">SSL Engine Operation Switch</td></tr>
+<tr><td><a href="mod_ssl.html#sslengine">SSLEngine on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">SSL Engine Operation Switch</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslfips">SSLFIPS on|off</a></td><td> off </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">SSL FIPS mode Switch</td></tr>
 <tr><td><a href="mod_ssl.html#sslhonorcipherorder">SSLHonorCipherOrder on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Option to prefer the server's cipher preference order</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslinsecurerenegotiation">SSLInsecureRenegotiation on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Option to enable support for insecure renegotiation</td></tr>
diff --git a/docs/manual/mod/quickreference.html.ko.euc-kr b/docs/manual/mod/quickreference.html.ko.euc-kr
@@ -1034,7 +1034,7 @@ Client Auth</td></tr>
 handshake</td></tr>
 <tr><td><a href="mod_ssl.html#sslcompression">SSLCompression on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable compression on the SSL level</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslcryptodevice">SSLCryptoDevice <em>engine</em></a></td><td> builtin </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Enable use of a cryptographic hardware accelerator</td></tr>
-<tr><td><a href="mod_ssl.html#sslengine">SSLEngine on|off|optional</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">SSL Engine Operation Switch</td></tr>
+<tr><td><a href="mod_ssl.html#sslengine">SSLEngine on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">SSL Engine Operation Switch</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslfips">SSLFIPS on|off</a></td><td> off </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">SSL FIPS mode Switch</td></tr>
 <tr><td><a href="mod_ssl.html#sslhonorcipherorder">SSLHonorCipherOrder on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Option to prefer the server's cipher preference order</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslinsecurerenegotiation">SSLInsecureRenegotiation on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Option to enable support for insecure renegotiation</td></tr>
diff --git a/docs/manual/mod/quickreference.html.tr.utf8 b/docs/manual/mod/quickreference.html.tr.utf8
@@ -1068,7 +1068,7 @@ Client Auth</td></tr>
 handshake</td></tr>
 <tr><td><a href="mod_ssl.html#sslcompression">SSLCompression on|off</a></td><td> off </td><td>sk</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable compression on the SSL level</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslcryptodevice">SSLCryptoDevice <em>engine</em></a></td><td> builtin </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Enable use of a cryptographic hardware accelerator</td></tr>
-<tr><td><a href="mod_ssl.html#sslengine">SSLEngine on|off|optional</a></td><td> off </td><td>sk</td><td>E</td></tr><tr><td class="descr" colspan="4">SSL Engine Operation Switch</td></tr>
+<tr><td><a href="mod_ssl.html#sslengine">SSLEngine on|off</a></td><td> off </td><td>sk</td><td>E</td></tr><tr><td class="descr" colspan="4">SSL Engine Operation Switch</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslfips">SSLFIPS on|off</a></td><td> off </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">SSL FIPS mode Switch</td></tr>
 <tr><td><a href="mod_ssl.html#sslhonorcipherorder">SSLHonorCipherOrder on|off</a></td><td> off </td><td>sk</td><td>E</td></tr><tr><td class="descr" colspan="4">Option to prefer the server's cipher preference order</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslinsecurerenegotiation">SSLInsecureRenegotiation on|off</a></td><td> off </td><td>sk</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Option to enable support for insecure renegotiation</td></tr>
diff --git a/docs/manual/mod/quickreference.html.zh-cn.utf8 b/docs/manual/mod/quickreference.html.zh-cn.utf8
@@ -1070,7 +1070,7 @@ Client Auth</td></tr>
 handshake</td></tr>
 <tr><td><a href="mod_ssl.html#sslcompression">SSLCompression on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable compression on the SSL level</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslcryptodevice">SSLCryptoDevice <em>engine</em></a></td><td> builtin </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Enable use of a cryptographic hardware accelerator</td></tr>
-<tr><td><a href="mod_ssl.html#sslengine">SSLEngine on|off|optional</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">SSL Engine Operation Switch</td></tr>
+<tr><td><a href="mod_ssl.html#sslengine">SSLEngine on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">SSL Engine Operation Switch</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslfips">SSLFIPS on|off</a></td><td> off </td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">SSL FIPS mode Switch</td></tr>
 <tr><td><a href="mod_ssl.html#sslhonorcipherorder">SSLHonorCipherOrder on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Option to prefer the server's cipher preference order</td></tr>
 <tr class="odd"><td><a href="mod_ssl.html#sslinsecurerenegotiation">SSLInsecureRenegotiation on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Option to enable support for insecure renegotiation</td></tr>
diff --git a/docs/manual/style/version.ent b/docs/manual/style/version.ent
@@ -19,6 +19,6 @@
 
 <!ENTITY httpd.major "2">
 <!ENTITY httpd.minor "4">
-<!ENTITY httpd.patch "65">
+<!ENTITY httpd.patch "66">
 
 <!ENTITY httpd.docs "2.4">
diff --git a/include/ap_release.h b/include/ap_release.h
@@ -43,7 +43,7 @@
 
 #define AP_SERVER_MAJORVERSION_NUMBER 2
 #define AP_SERVER_MINORVERSION_NUMBER 4
-#define AP_SERVER_PATCHLEVEL_NUMBER   65
+#define AP_SERVER_PATCHLEVEL_NUMBER   66
 #define AP_SERVER_DEVBUILD_BOOLEAN    1
 
 /* Synchronize the above with docs/manual/style/version.ent */
