Topic: Apache httpd 2.4.38 GA Available :: Updated

[Steffen]

Apache httpd 2.4.38 is released as GA.

28 February 2019 - Update dependencies , see below

ASF and Apachelounge changes :

www.apachelounge.com/Changelog-2.4.html

Build with dependencies:

- VC15 openssl 1.1.1b, VC14 1.0.2r
- nghttp2 1.36.0
- jansson 2.12
- curl 7.64.0
- apr 1.6.5
- apr-util 1.6.1
- apr-iconv 1.2.2
- zlib 1.2.11
- brotli 1.0.7
- pcre 8.43
- libxml2 2.9.9
- lua 5.2.4
- expat 2.2.6

VC15 notes:
VC15 is backward compatible to VC14. That means, a VC14 module can be used inside a VC15 binary (for example PHP VC14 as module). Because this compatibility the version number of the Redistributable is 14.1x.xx and after you install, the Redistributable VS2015 is updated from 14.0x.xx to VS2017 14.1x.xx (you can still use VC14).

Documentation: http://httpd.apache.org/docs/2.4/

When you have hangs, slow traffic and/or when having in your log entries like Asynchronous AcceptEx failed. You can try the following settings:

AcceptFilter http none
AcceptFilter https none
EnableSendfile off
EnableMMAP off

Enjoy,

Steffen

[Steffen]

The ASF forgot to mention security vulnerabilities fixed in the initial changelog 2.4.38.

Added now to www.apachelounge.com/Changelog-2.4.html

*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowinesessions to be reused. [Hank Ibell]

*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodiesto resources not consuming them, httpd cleanup code occupies a serverthread unnecessarily. This was changed to an immediate stream resetwhich discards all stream state and incoming data. [Stefan Eissing]

*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later. PR 63052. [Joe Orton]

For details see https://httpd.apache.org/security/vulnerabilities_24.html

[admin]

This one is important, advise to upgrade !

CVE-2019-0190 : mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.37

Description:
A bug exists in the way mod_ssl handled client renegotiations.A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Serverversion 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.

Mitigation:
All httpd users consuming mod_ssl combined with OpenSSL 1.1.1 or later should upgrade to 2.4.38 or later.

Credit:
The issue was identified through user bug reports.

[Steffen]

Updated the dependencies PCRE, OpenSSL and Curl.

See www.apachelounge.com/Changelog-2.4.html

Also the C++ Redistributable Visual Studio 2017 is Updated to 14.16.27027.1, see download page.