Topic: Apache httpd 2.4.33 GA available

[Steffen]

Apache httpd 2.4.33 is released as GA.

28 March 2018: Update OpenSSL, see changelog

ASF and Apachelounge changes :

www.apachelounge.com/Changelog-2.4.html

See post below for the fixed CVE security vulnerabilities.

Highlights Changelog:

*) Includes fix for mod_proxy_balancer

*) 2.4.32 Was released but not announced by the ASF, because mod_proxy_balancer issue

*) Includes fix for crashing with modules like mod_security

*) mod_md is in 2.4.30 added as an experimental module, not advised to use in production yet, see www.apachelounge.com/viewtopic.php?t=7786

*) 2.4.30 and 2.4.31 not released.

Build with dependencies:

- VC15 openssl 1.1.0h, VC11/14 openssl 1.0.2o
- nghttp2 1.31.0
- jansson 2.11
- curl 7.59.0
- apr 1.6.3
- apr-util 1.6.1 with Crypto OpenSSL enabled
- apr-iconv 1.2.2
- zlib 1.2.11
- brotli lib 1.0.3
- pcre 8.42 with JIT, SUPPORT_UTF, SUPPORT_UNICODE_PROPERTIES, REBUILD_CHARTABLES
- httpd.exe with OPENSSL_Applink and VC14/15 SupportedOS Manifest
- libxml2 2.9.8
- lua 5.2.4
- expat 2.2.5

VC15 notes:
VC15 is backward compatible to VC14. That means, a VC14 module can be used inside a VC15 binary (for example PHP VC14 as module). Because this compatibility the version number of the Redistributable is 14.1x.xx and after you install, the Redistributable VS2015 is updated from 14.0x.xx to VS2017 14.1x.xx (you can still use VC14).

Documentation: http://httpd.apache.org/docs/2.4/

When you have hangs, slow traffic and/or when having in your log entries like Asynchronous AcceptEx failed. You can try the following settings:

AcceptFilter http none
AcceptFilter https none
EnableSendfile off
EnableMMAP off

Enjoy,

Steffen

[Steffen]

The ASF forgot tho mention security vulnerabilities fixed in 2.4.30.

Added now to www.apachelounge.com/Changelog-2.4.html

In 2.4.30:

*) SECURITY: CVE-2017-15710 (cve.mitre.org)
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
*) CVE-2018-1283 (cve.mitre.org)
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
*) SECURITY: CVE-2018-1303 (cve.mitre.org)
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data.
*) CVE-2018-1301 (cve.mitre.org)
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
*) CVE-2017-15715 (cve.mitre.org)
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
*) SECURITY: CVE-2018-1312 (cve.mitre.org)
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
*) CVE-2018-1302 (cve.mitre.org)
mod_http2: Potential crash w/ mod_http2.

[Steffen]

Update to latest OpenSSL, see changelog entry 28 March 2018 www.apachelounge.com/Changelog-2.4.html

[Steffen]

Update available for Microsoft Visual C++ Redistributable for Visual Studio 2017.

See VC15 download page.


Now the version is 14.14.26405.0

[admin]

New version 14.14.26429.4 Microsoft Visual C++ Redistributable for Visual Studio 2017

To update use the link on the VC15 download page.