httpd-users mailing list archives

From William A Rowe Jr <>
Subject [users@httpd] Fwd: [Announcement] Apache HTTP Server 2.4.28 Released
Date Mon, 09 Oct 2017 18:40:47 GMT
For anyone not subscribed to announce@, sorry I hadn't passed this on...

---------- Forwarded message ----------
From: "William A Rowe Jr" <>
Date: Oct 5, 2017 13:48
Subject: [Announcement] Apache HTTP Server 2.4.28 Released
To: <>

             Apache HTTP Server 2.4.28 Released
> October 5, 2017
> The Apache Software Foundation and the Apache HTTP Server Project
> are pleased to announce the release of version 2.4.28 of the Apache
> HTTP Server ("Apache").  This version of Apache is our latest GA
> release of the new generation 2.4.x branch of Apache HTTPD and
> represents fifteen years of innovation by the project, and is
> recommended over all previous releases. This release of Apache is
> a security, feature, and bug fix release.
> We consider this release to be the best version of Apache available, and
> encourage users of all prior versions to upgrade.
> Apache HTTP Server 2.4.28 is available for download from:
> Apache 2.4 offers numerous enhancements, improvements, and performance
> boosts over the 2.2 codebase.  For an overview of new features
> introduced since 2.4 please see:
> Please see the CHANGES_2.4 file, linked from the download page, for a
> full list of changes. A condensed list, CHANGES_2.4.28 includes only
> those changes introduced since the prior 2.4 release.  A summary of all
> of the security vulnerabilities addressed in this and earlier releases
> is available:
> Of particular note in this release is 1 SECURITY item:
>   o SECURITY: CVE-2017-9798 (
>     Corrupted or freed memory access. <Limit[Except] > or the
>     RegisterHttpMethod directive must be given in the startup
>     configuration (httpd.conf) to register non-standard HTTP methods
>     before listing them in an .htaccess file.
> This release requires the Apache Portable Runtime (APR), minimum
> version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
> require the 1.6.x version of both APR and APR-Util. The APR libraries
> must be upgraded for all features of httpd to operate correctly.
> This release builds on and extends the Apache 2.2 API.  Modules written
> for Apache 2.2 will need to be recompiled in order to run with Apache
> 2.4, and require minimal or no source code changes.
> When upgrading or installing this version of Apache, please bear in mind
> that if you intend to use Apache with one of the threaded MPMs (other
> than the Prefork MPM), you must ensure that any modules you will be
> using (and the libraries they depend on) are thread-safe.
> Please note that while the Apache HTTP Server Project may publish some
> security patches to the 2.2.x flavor through at least December of 2017,
> no further maintenance patches of 2.2.x will be considered and no further
> releases will be distributed. The 2.2.x branch has now reached the end of
> its maintenance, and users are strongly encouraged to promptly complete
> their transitions to this 2.4.x flavor of httpd to benefit from security
> and bug fixes, as well as new features.
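
A way to check an existing deployment against the CVE-2017-9798 note above, as an added example that is not part of the original announcement or the httpd project's code: it reports methods named in an .htaccess `<Limit>`/`<LimitExcept>` that the startup configuration never registers. The `BUILTIN` set, the function names and the sample configuration text are assumptions constructed for illustration.

```python
import re

# Assumption: methods httpd knows without extra configuration; adjust for your build.
BUILTIN = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE", "LABEL",
    "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE-CONTROL", "MERGE",
}
LIMIT_RE = re.compile(r"^\s*<Limit(?:Except)?\s+([^>]*)>", re.I)
REGISTER_RE = re.compile(r"^\s*RegisterHttpMethod\s+(.+)$", re.I)

def _lines(text):
    """Return (line_number, line) pairs, skipping comment lines."""
    return [(n, l) for n, l in enumerate(text.splitlines(), 1)
            if not l.lstrip().startswith("#")]

def limit_methods(text):
    """Return (line_number, method) for every method in <Limit>/<LimitExcept>."""
    found = []
    for n, line in _lines(text):
        m = LIMIT_RE.match(line)
        if m:
            found.extend((n, method) for method in m.group(1).split())
    return found

def registered_methods(startup_conf):
    """Methods known after startup: built-ins, RegisterHttpMethod, <Limit[Except]>."""
    known = set(BUILTIN)
    for _, line in _lines(startup_conf):
        m = REGISTER_RE.match(line)
        if m:
            known.update(m.group(1).split())
    known.update(method for _, method in limit_methods(startup_conf))
    return known

def unregistered_in_htaccess(startup_conf, htaccess):
    """Methods an .htaccess limits that startup config never registered."""
    known = registered_methods(startup_conf)  # method names are case-sensitive
    return [(n, m) for n, m in limit_methods(htaccess) if m not in known]

# Constructed sample input, not taken from any real server.
STARTUP_CONF = """RegisterHttpMethod PURGE
<Directory "/var/www">
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
</Directory>"""
HTACCESS = """# constructed sample
<Limit PURGE REBUILD>
    Require ip 192.0.2.10
</Limit>"""

if __name__ == "__main__":
    print(unregistered_in_htaccess(STARTUP_CONF, HTACCESS))
```

Any method it reports needs a `RegisterHttpMethod` line (or a `<Limit[Except]>` naming it) in httpd.conf before the .htaccess file is relied on.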
