1.81.  httpd

Apache's mod_mime_magic module attempts to determine the MIME type of files using heuristic tests. However, the "magic" file used by the mod_mime_magic module was unable to detect PNG images correctly as being of MIME type "image/png", which this update corrects. (BZ#240844)

when using a reverse-proxy configuration with the mod_nss module being used in place of the usual mod_ssl module, the mod_proxy module failed to pass the hostname, which resulted in this error message: "Requested domain name does not match the server's certificate". The hostname is now passed correctly so that secure HTTP (https) connections no longer fail due to this error. (BZ#479410)

the "mod_ssl" module placed a hard-coded 128K limit on the amount of request body data which would be buffered if an SSL renegotiation was required in a Location or Directory context. This could occur if a POST request was made to a Directory or Location which required client certificate authentication. The limit on the amount of data to buffer is now configurable using the "SSLRenegBufferSize" directive. (BZ#479806)

when configuring a reverse proxy using an .htaccess file (instead of httpd.conf) by using a "RewriteRule" to proxy requests using the "[P]" flag, space characters in URIs would not be correctly escaped in remote server requests, resulting in "404 Not Found" response codes. This has been fixed so that .htaccess-configured reverse proxies perform proper character-escaping. (BZ#480604)

if an error occurred when invoking a CGI script, the "500 Internal Server Error" error document was not generated. (BZ#480932)

the mod_speling module attempts to correct misspellings of URLs. When the "AcceptPathInfo" directive was not enabled, then mod_speling did not handle and correct misspelled directory names. This has been fixed so that directory names are always handled, and possibly corrected, by the mod_speling module, regardless of the value that "AcceptPathInfo" is set to. (BZ#485524)

if request body data was buffered when an SSL renegotiation was required in a Location or Directory context, then the buffered data was discarded if an internal redirect occurred. (BZ#488886)

the httpd init script did not reference the process ID stored by a running daemon, and invocations could affect other httpd processes running on the system. (BZ#491135)

during a graceful restart, a spurious "Bad file descriptor" error message was sometimes logged. The error, though harmless, occurred because the socket on which the server called the accept() function was immediately closed in child processes upon receipt of the graceful restart signal. This error message is no longer logged. (BZ#233955)

during a graceful restart, the following spurious error messages were logged by the mod_rewrite module if the "RewriteLog" directive was configured: "apr_global_mutex_lock(rewrite_log_lock) failed". (BZ#493023)

Apache's mod_ext_filter module sometimes logged this spurious error message if an input filter was configured and an error response was sent: "Bad file descriptor: apr_file_close(child input)". (BZ#479463)

the "%p" format option in the "CustomLog" directive, used to log a port number in a request, did not respect the "remote" and "local" specifiers. (BZ#493070)

the httpd package inappropriately obsoleted the "mod_jk" package; it no longer does so. (BZ#493592)

an invalid HTTP status code—such as 70007—was logged to the access log if a timeout or other input error occurred while reading the request body during processing of a CGI script. (BZ#498170)

a security issue fix (CVE-2009-1195) in Server-Side Include (SSI) Options-handling inadvertently broke backwards-compatibility with the mod_perl module. (BZ#502998)