logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> News & Hangout View previous topic :: View next topic
Reply to topic   Topic: Apache httpd 2.4.38 GA Available :: Updated
Author
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Mon 21 Jan '19 17:13    Post subject: Apache httpd 2.4.38 GA Available :: Updated Reply with quote

Apache httpd 2.4.38 is released as GA.

28 February 2019 - Update dependencies , see below

ASF and Apachelounge changes :

www.apachelounge.com/Changelog-2.4.html

Build with dependencies:

- VC15 openssl 1.1.1b, VC14 1.0.2r
- nghttp2 1.36.0
- jansson 2.12
- curl 7.64.0
- apr 1.6.5
- apr-util 1.6.1
- apr-iconv 1.2.2
- zlib 1.2.11
- brotli 1.0.7
- pcre 8.43
- libxml2 2.9.9
- lua 5.2.4
- expat 2.2.6

VC15 notes:
VC15 is backward compatible to VC14. That means, a VC14 module can be used inside a VC15 binary (for example PHP VC14 as module). Because this compatibility the version number of the Redistributable is 14.1x.xx and after you install, the Redistributable VS2015 is updated from 14.0x.xx to VS2017 14.1x.xx (you can still use VC14).

Documentation: http://httpd.apache.org/docs/2.4/

When you have hangs, slow traffic and/or when having in your log entries like Asynchronous AcceptEx failed. You can try the following settings:

AcceptFilter http none
AcceptFilter https none
EnableSendfile off
EnableMMAP off

Enjoy,

Steffen


Last edited by Steffen on Fri 01 Mar '19 10:30; edited 7 times in total
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Tue 22 Jan '19 19:51    Post subject: Reply with quote

The ASF forgot to mention security vulnerabilities fixed in the initial changelog 2.4.38.

Added now to www.apachelounge.com/Changelog-2.4.html

*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowinesessions to be reused. [Hank Ibell]

*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodiesto resources not consuming them, httpd cleanup code occupies a serverthread unnecessarily. This was changed to an immediate stream resetwhich discards all stream state and incoming data. [Stefan Eissing]

*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later. PR 63052. [Joe Orton]

For details see https://httpd.apache.org/security/vulnerabilities_24.html
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 692

PostPosted: Tue 22 Jan '19 20:32    Post subject: Reply with quote

This one is important, advise to upgrade !

CVE-2019-0190 : mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.37

Description:
A bug exists in the way mod_ssl handled client renegotiations.A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Serverversion 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.

Mitigation:
All httpd users consuming mod_ssl combined with OpenSSL 1.1.1 or later should upgrade to 2.4.38 or later.

Credit:
The issue was identified through user bug reports.


Last edited by admin on Wed 23 Jan '19 13:16; edited 4 times in total
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Thu 28 Feb '19 14:25    Post subject: Reply with quote

Updated the dependencies PCRE, OpenSSL and Curl.

See www.apachelounge.com/Changelog-2.4.html

Also the C++ Redistributable Visual Studio 2017 is Updated to 14.16.27027.1, see download page.


Last edited by Steffen on Fri 01 Mar '19 10:35; edited 2 times in total
Back to top


Reply to topic   Topic: Apache httpd 2.4.38 GA Available :: Updated View previous topic :: View next topic
Post new topic   Forum Index -> News & Hangout