Topic: Apache httpd 2.4.16 available

[Steffen]

Apache 2.4.16 GA is now available here at the download pages, see ASF announcement below.

22 July 2015:
Build VC14 with Visual Studio 2015 RTM, see www.apachelounge.com/viewtopic.php?t=6664

Build with:
apr 1.5.2 with IPv6 enabled
apr-util 1.5.4 with Crypto OpenSSL enabled
apr-iconv 1.2.1
openssl VC14 1.0.2d +asm , VC10/11 1.0.1p +asm
zlib 1.2.8 +asm
pcre 8.37 with JIT, SUPPORT_UTF8 and REBUILD_CHARTABLES enabled
httpd.exe with OPENSSL_Applink and VC14 has SupportedOS Manifest
libxml2 2.9.2
lua 5.1.5
expat 2.1.0

For the ASF and Apachelounge changes over 2.4.12 :

www.apachelounge.com/Changelog-2.4.html

Notable Changes:

The OpenSSL default recommendation in httpd-ssl.conf :
*) In alignment with RFC 7525, the default recommended SSLCipherSuite and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the default recommended SSLProtocol and SSLProxyProtocol directives now exclude SSLv3. Existing configurations must be adjusted by the administrator.

*) core: Add CGIPassAuth directive to control whether HTTP authorization headers are passed to scripts as CGI variables.

VC11 and VC14 versions do not run with XP and 2003, use the VC10 version.

Documentation: http://httpd.apache.org/docs/2.4/ attention there when you want to Upgrade to 2.4 from 2.2

When you have hangs, slow traffic and/or when having in your log entries like Asynchronous AcceptEx failed. You can try the following settings:

AcceptFilter http none
AcceptFilter https none
EnableSendfile off
EnableMMAP off

Enjoy,

Steffen

------------------------ ASF Announcement ---------------------

Apache HTTP Server 2.4.16 Released

The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.16 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
principally a security, feature and bug fix release. NOTE: versions
2.4.13, 2.4.14 and 2.4.15 were not released.

CVE-2015-3183 (cve.mitre.org)
core: Fix chunk header parsing defect.
Remove apr_brigade_flatten(), buffering and duplicated code from
the HTTP_IN filter, parse chunks in a single pass with zero copy.
Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters.

CVE-2015-3185 (cve.mitre.org)
Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
with new ap_some_authn_required and ap_force_authn hook.

CVE-2015-0253 (cve.mitre.org)
core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
with the INCLUDES filter active, introduced in 2.4.11. PR 57531.

CVE-2015-0228 (cve.mitre.org)
mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash.

Also in this release are some exciting new features including:

*) Better default recommended SSLCipherSuite and SSLProxyCipherSuite
*) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
response header to be used by the application
*) Event MPM improvements
*) Various mod_proxy_* improvements
*) mod_log_config: Add "%{UNIT}T" format to output request duration in
seconds, milliseconds or microseconds depending on UNIT ("s", "ms",
"us")

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

[puertoblack2003]

should i stay with rc version?

[Steffen]

The 2.4.16 RC is the same as the 2.4.16 GA, so you can stay with it.

[Firewave]

Is it still possible to get previous versions? Because of an internal approval process I am not able to use 2.4.16 yet and I was about to download the 2.4.12 VC14 version yesterday when the website was changed to the latest version.

[Steffen]

We are not offering previous versions.