Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: Apache httpd 2.4.38 GA Available :: Updated |
|
Author |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3095 Location: Hilversum, NL, EU
|
Posted: Mon 21 Jan '19 17:13 Post subject: Apache httpd 2.4.38 GA Available :: Updated |
|
|
Apache httpd 2.4.38 is released as GA.
28 February 2019 - Update dependencies , see below
ASF and Apachelounge changes :
www.apachelounge.com/Changelog-2.4.html
Build with dependencies:
- VC15 openssl 1.1.1b, VC14 1.0.2r
- nghttp2 1.36.0
- jansson 2.12
- curl 7.64.0
- apr 1.6.5
- apr-util 1.6.1
- apr-iconv 1.2.2
- zlib 1.2.11
- brotli 1.0.7
- pcre 8.43
- libxml2 2.9.9
- lua 5.2.4
- expat 2.2.6
VC15 notes:
VC15 is backward compatible to VC14. That means, a VC14 module can be used inside a VC15 binary (for example PHP VC14 as module). Because this compatibility the version number of the Redistributable is 14.1x.xx and after you install, the Redistributable VS2015 is updated from 14.0x.xx to VS2017 14.1x.xx (you can still use VC14).
Documentation: http://httpd.apache.org/docs/2.4/
When you have hangs, slow traffic and/or when having in your log entries like Asynchronous AcceptEx failed. You can try the following settings:
AcceptFilter http none
AcceptFilter https none
EnableSendfile off
EnableMMAP off
Enjoy,
Steffen
Last edited by Steffen on Fri 01 Mar '19 10:30; edited 7 times in total |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3095 Location: Hilversum, NL, EU
|
Posted: Tue 22 Jan '19 19:51 Post subject: |
|
|
The ASF forgot to mention security vulnerabilities fixed in the initial changelog 2.4.38.
Added now to www.apachelounge.com/Changelog-2.4.html
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowinesessions to be reused. [Hank Ibell]
*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodiesto resources not consuming them, httpd cleanup code occupies a serverthread unnecessarily. This was changed to an immediate stream resetwhich discards all stream state and incoming data. [Stefan Eissing]
*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later. PR 63052. [Joe Orton]
For details see https://httpd.apache.org/security/vulnerabilities_24.html |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 693
|
Posted: Tue 22 Jan '19 20:32 Post subject: |
|
|
This one is important, advise to upgrade !
CVE-2019-0190 : mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.37
Description:
A bug exists in the way mod_ssl handled client renegotiations.A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Serverversion 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.
Mitigation:
All httpd users consuming mod_ssl combined with OpenSSL 1.1.1 or later should upgrade to 2.4.38 or later.
Credit:
The issue was identified through user bug reports.
Last edited by admin on Wed 23 Jan '19 13:16; edited 4 times in total |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3095 Location: Hilversum, NL, EU
|
Posted: Thu 28 Feb '19 14:25 Post subject: |
|
|
Updated the dependencies PCRE, OpenSSL and Curl.
See www.apachelounge.com/Changelog-2.4.html
Also the C++ Redistributable Visual Studio 2017 is Updated to 14.16.27027.1, see download page.
Last edited by Steffen on Fri 01 Mar '19 10:35; edited 2 times in total |
|
Back to top |
|
|
|
|
|
|