Apache Lounge





Apache httpd 2.4.38 GA Available :: security update !!


Joined: 15 Oct 2005
Posts: 2706
Location: Hilversum, NL, EU

PostPosted: Mon 21 Jan '19 17:13    Post subject: Apache httpd 2.4.38 GA Available :: security update !!

Apache httpd 2.4.38 is released as GA.

ASF and Apachelounge changes:

Important security vulnerability, see below.

Build with dependencies:

- VC15 openssl 1.1.1a, VC14/11 1.0.2q
- nghttp2 1.36.0
- jansson 2.12
- curl 7.63.0
- apr 1.6.5
- apr-util 1.6.1
- apr-iconv 1.2.2
- zlib 1.2.11
- brotli 1.0.7
- pcre 8.42
- libxml2 2.9.9
- lua 5.2.4
- expat 2.2.6

VC15 notes:
VC15 is backward compatible with VC14. That means a VC14 module can be used inside a VC15 binary (for example PHP VC14 as a module). Because of this compatibility, the version number of the Redistributable is 14.1x.xx and, after you install it, the Redistributable VS2015 is updated from 14.0x.xx to VS2017 14.1x.xx (you can still use VC14).

Documentation: http://httpd.apache.org/docs/2.4/

When you have hangs, slow traffic and/or log entries like "Asynchronous AcceptEx failed", you can try the following settings:

AcceptFilter http none
AcceptFilter https none
EnableSendfile off
EnableMMAP off



Last edited by Steffen on Wed 23 Jan '19 14:28; edited 1 time in total

Joined: 15 Oct 2005
Posts: 2706
Location: Hilversum, NL, EU

PostPosted: Tue 22 Jan '19 19:51

The ASF forgot to mention security vulnerabilities fixed in the initial changelog 2.4.38.

Added now to www.apachelounge.com/Changelog-2.4.html

*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time, allowing sessions to be reused. [Hank Ibell]

*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodies to resources not consuming them, httpd cleanup code occupies a server thread unnecessarily. This was changed to an immediate stream reset which discards all stream state and incoming data. [Stefan Eissing]

*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later. PR 63052. [Joe Orton]

For details see https://httpd.apache.org/security/vulnerabilities_24.html
Site Admin

Joined: 15 Oct 2005
Posts: 578

PostPosted: Tue 22 Jan '19 20:32

This one is important; upgrading is advised!

CVE-2019-0190 : mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.37

A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.

All httpd users consuming mod_ssl combined with OpenSSL 1.1.1 or later should upgrade to 2.4.38 or later.

The issue was identified through user bug reports.

Last edited by admin on Wed 23 Jan '19 13:16; edited 4 times in total
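A quick way to find servers matching the affected combination named in this advisory, added here as an example and not code from the post or from the Apache project: it parses the "Apache/x.y.z ... OpenSSL/a.b.c" banner that httpd writes to its error log at startup and flags the condition stated above (httpd 2.4.37 built with OpenSSL 1.1.1 or later). The log lines below are constructed samples.

```python
import re

# Constructed sample error.log excerpts (not taken from the original post).
SAMPLE_LOG = """\
[Tue Jan 22 19:00:01 2019] [mpm_winnt:notice] Apache/2.4.37 (Win64) OpenSSL/1.1.1a configured -- resuming normal operations
[Tue Jan 22 19:05:12 2019] [mpm_winnt:notice] Apache/2.4.38 (Win64) OpenSSL/1.1.1a configured -- resuming normal operations
[Tue Jan 22 19:07:40 2019] [mpm_winnt:notice] Apache/2.4.37 (Win64) OpenSSL/1.0.2q configured -- resuming normal operations
[Tue Jan 22 19:09:03 2019] [mpm_winnt:notice] Apache/2.4.37 (Win64) configured -- resuming normal operations
"""

# httpd version, optionally followed later on the line by the OpenSSL component.
BANNER_RE = re.compile(
    r"Apache/(\d+)\.(\d+)\.(\d+)\b(?:[^\n]*?OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*))?"
)


def parse_banner(line):
    """Return (httpd_version, openssl_version) for a banner line, else None.

    openssl_version is None when mod_ssl is not part of the banner; otherwise it
    is (major, minor, patch, letter), e.g. (1, 1, 1, "a") for OpenSSL/1.1.1a.
    """
    m = BANNER_RE.search(line)
    if not m:
        return None
    httpd = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return httpd, None
    return httpd, tuple(int(x) for x in m.group(4, 5, 6)) + (m.group(7),)


def affected_cve_2019_0190(httpd, openssl):
    """Advisory condition: httpd 2.4.37 exactly, with OpenSSL 1.1.1 or later."""
    if httpd != (2, 4, 37) or openssl is None:
        return False
    return openssl[:3] >= (1, 1, 1)


def scan_log(text):
    """Return (line_no, httpd, openssl, affected) for every banner line found."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_banner(line)
        if parsed:
            httpd, openssl = parsed
            findings.append((n, httpd, openssl, affected_cve_2019_0190(httpd, openssl)))
    return findings


if __name__ == "__main__":
    for n, httpd, openssl, hit in scan_log(SAMPLE_LOG):
        print(f"line {n}: httpd={httpd} openssl={openssl} affected={hit}")
```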