httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@apache.org>
Subject [users@httpd] Fwd: [Announcement] Apache HTTP Server 2.4.28 Released
Date Mon, 09 Oct 2017 18:40:47 GMT
For anyone not subscribed to announce@, sorry I hadn't passed this on...

---------- Forwarded message ----------
From: "William A Rowe Jr" <wrowe@apache.org>
Date: Oct 5, 2017 13:48
Subject: [Announcement] Apache HTTP Server 2.4.28 Released
To: <announce@apache.org>
Cc:

             Apache HTTP Server 2.4.28 Released
>
> October 5, 2017
>
> The Apache Software Foundation and the Apache HTTP Server Project
> are pleased to announce the release of version 2.4.28 of the Apache
> HTTP Server ("Apache").  This version of Apache is our latest GA
> release of the new generation 2.4.x branch of Apache HTTPD and
> represents fifteen years of innovation by the project, and is
> recommended over all previous releases. This release of Apache is
> a security, feature, and bug fix release.
>
> We consider this release to be the best version of Apache available, and
> encourage users of all prior versions to upgrade.
>
> Apache HTTP Server 2.4.28 is available for download from:
>
>   http://httpd.apache.org/download.cgi
>
> Apache 2.4 offers numerous enhancements, improvements, and performance
> boosts over the 2.2 codebase.  For an overview of new features
> introduced since 2.4 please see:
>
>   http://httpd.apache.org/docs/trunk/new_features_2_4.html
>
> Please see the CHANGES_2.4 file, linked from the download page, for a
> full list of changes. A condensed list, CHANGES_2.4.28 includes only
> those changes introduced since the prior 2.4 release.  A summary of all
> of the security vulnerabilities addressed in this and earlier releases
> is available:
>
>   http://httpd.apache.org/security/vulnerabilities_24.html
>
> Of particular note in this release is 1 SECURITY item:
>
>   o SECURITY: CVE-2017-9798 (cve.mitre.org)
>     Corrupted or freed memory access. <Limit[Except] > or the
>     RegisterHttpMethod directive must be given in the startup
>     configuration (httpd.conf) to register non-standard HTTP methods
>     before listing them in an .htaccess files.
>
> This release requires the Apache Portable Runtime (APR), minimum
> version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
> require the 1.6.x version of both APR and APR-Util. The APR libraries
> must be upgraded for all features of httpd to operate correctly.
>
> This release builds on and extends the Apache 2.2 API.  Modules written
> for Apache 2.2 will need to be recompiled in order to run with Apache
> 2.4, and require minimal or no source code changes.
>
>   http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
>
> When upgrading or installing this version of Apache, please bear in mind
> that if you intend to use Apache with one of the threaded MPMs (other
> than the Prefork MPM), you must ensure that any modules you will be
> using (and the libraries they depend on) are thread-safe.
>
> Please note that while the Apache HTTP Server Project may publish some
> security patches to the 2.2.x flavor through at least December of 2017,
> no further maintenance patches of 2.2.x will be considered and no further
> releases will be distributed. The 2.2.x branch has now reached the end of
> its maintenance, and users are strongly encouraged to promptly complete
> their transitions to this 2.4.x flavor of httpd to benefit from security
> and bug fixes, as well as new features.
>
>

Mime
View raw message