Apache httpd 2.4.33 GA available

 
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2638
Location: Hilversum, NL, EU

Posted: Wed 21 Mar '18 18:11    Post subject: Apache httpd 2.4.33 GA available

Apache httpd 2.4.33 is released as GA.

28 March 2018: Update OpenSSL, see changelog

ASF and Apachelounge changes:

www.apachelounge.com/Changelog-2.4.html

See post below for the fixed CVE security vulnerabilities.

Highlights Changelog:

*) Includes fix for mod_proxy_balancer

*) 2.4.32 was released but not announced by the ASF, because of a mod_proxy_balancer issue

*) Includes fix for crashing with modules like mod_security

*) mod_md was added in 2.4.30 as an experimental module; it is not advised to use it in production yet, see www.apachelounge.com/viewtopic.php?t=7786

*) 2.4.30 and 2.4.31 not released.

Build with dependencies:

- VC15 openssl 1.1.0h, VC11/14 openssl 1.0.2o
- nghttp2 1.31.0
- jansson 2.11
- curl 7.59.0
- apr 1.6.3
- apr-util 1.6.1 with Crypto OpenSSL enabled
- apr-iconv 1.2.2
- zlib 1.2.11
- brotli lib 1.0.3
- pcre 8.42 with JIT, SUPPORT_UTF, SUPPORT_UNICODE_PROPERTIES, REBUILD_CHARTABLES
- httpd.exe with OPENSSL_Applink and VC14/15 SupportedOS Manifest
- libxml2 2.9.8
- lua 5.2.4
- expat 2.2.5

VC15 notes:
VC15 is backward compatible with VC14. That means a VC14 module can be used inside a VC15 binary (for example PHP VC14 as a module). Because of this compatibility, the version number of the Redistributable is 14.1x.xx, and after you install it, the Redistributable VS2015 is updated from 14.0x.xx to VS2017 14.1x.xx (you can still use VC14).

Documentation: http://httpd.apache.org/docs/2.4/

When you have hangs, slow traffic and/or entries in your log like "Asynchronous AcceptEx failed", you can try the following settings:

AcceptFilter http none
AcceptFilter https none
EnableSendfile off
EnableMMAP off

Enjoy,

Steffen


Last edited by Steffen on Wed 28 Mar '18 14:23; edited 2 times in total

Steffen

Posted: Sat 24 Mar '18 12:07

The ASF forgot to mention security vulnerabilities fixed in 2.4.30.

Added now to www.apachelounge.com/Changelog-2.4.html

In 2.4.30:

*) SECURITY: CVE-2017-15710 (cve.mitre.org)
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
*) CVE-2018-1283 (cve.mitre.org)
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
*) SECURITY: CVE-2018-1303 (cve.mitre.org)
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data.
*) CVE-2018-1301 (cve.mitre.org)
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
*) CVE-2017-15715 (cve.mitre.org)
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
*) SECURITY: CVE-2018-1312 (cve.mitre.org)
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
*) CVE-2018-1302 (cve.mitre.org)
mod_http2: Potential crash w/ mod_http2.
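
The '$' behaviour described in the CVE-2017-15715 entry above, as an added example that is not part of the original post or of Apache httpd's own code. It assumes Python's re module, whose plain '$' also matches just before a final newline; dollar_endonly, newline_only_matches and the sample strings are hypothetical names and constructed values.

```python
import re


def dollar_endonly(pattern):
    """Rewrite each unescaped '$' outside a character class to the end-only anchor.

    Emulates "match '$' to the end of the input string only" in Python's re
    module, whose plain '$' also matches just before a final newline.
    """
    out, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])  # escaped pair such as \$ stays literal
            i += 2
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
            j = i + 2 if pattern[i + 1:i + 2] == "^" else i + 1
            if pattern[j:j + 1] == "]":  # ']' right after '[' or '[^' is a literal
                out.append(pattern[i:j + 1])
                i = j + 1
                continue
        elif ch == "$":
            out.append(r"\Z")  # \Z matches only at the very end of the input
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def newline_only_matches(pattern, samples):
    """Samples the legacy '$' accepts only because of a trailing newline."""
    legacy = re.compile(pattern)
    strict = re.compile(dollar_endonly(pattern))
    return [s for s in samples if legacy.search(s) and not strict.search(s)]


# Constructed sample inputs (not from the page).
SAMPLES = ["report.txt", "report.txt\n", "report.txt\nx", "cost$", "cost$\n"]

if __name__ == "__main__":
    for pat in (r"\.txt$", r"cost\$$", r"^[a-z.]+$"):
        print(repr(pat), "->", newline_only_matches(pat, SAMPLES))
```

Any value the function returns is an input that a '$'-anchored pattern accepted under the old semantics and rejects once '$' is end-only, which makes it a quick regression check for patterns used in access rules.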

Steffen

Posted: Sun 01 Apr '18 15:59

Update to latest OpenSSL, see changelog entry 28 March 2018 www.apachelounge.com/Changelog-2.4.html

Steffen

Posted: Wed 09 May '18 11:56

Update available for Microsoft Visual C++ Redistributable for Visual Studio 2017.

See VC15 download page.


Now the version is 14.14.26405.0