Apache HTTP Server 2.4.28 ReleasedOctober 5, 2017The Apache Software Foundation and the Apache HTTP Server Projectare pleased to announce the release of version 2.4.28 of the ApacheHTTP Server ("Apache"). This version of Apache is our latest GArelease of the new generation 2.4.x branch of Apache HTTPD andrepresents fifteen years of innovation by the project, and isrecommended over all previous releases. This release of Apache isa security, feature, and bug fix release.We consider this release to be the best version of Apache available, andencourage users of all prior versions to upgrade.Apache HTTP Server 2.4.28 is available for download from:Apache 2.4 offers numerous enhancements, improvements, and performanceboosts over the 2.2 codebase. For an overview of new featuresintroduced since 2.4 please see:Please see the CHANGES_2.4 file, linked from the download page, for afull list of changes. A condensed list, CHANGES_2.4.28 includes onlythose changes introduced since the prior 2.4 release. A summary of allof the security vulnerabilities addressed in this and earlier releasesis available:Of particular note in this release is 1 SECURITY item:o SECURITY: CVE-2017-9798 (cve.mitre.org)Corrupted or freed memory access. <Limit[Except] > or theRegisterHttpMethod directive must be given in the startupconfiguration (httpd.conf) to register non-standard HTTP methodsbefore listing them in an .htaccess files.This release requires the Apache Portable Runtime (APR), minimumversion 1.5.x, and APR-Util, minimum version 1.5.x. Some features mayrequire the 1.6.x version of both APR and APR-Util. The APR librariesmust be upgraded for all features of httpd to operate correctly.This release builds on and extends the Apache 2.2 API. Modules writtenfor Apache 2.2 will need to be recompiled in order to run with Apache2.4, and require minimal or no source code changes.When upgrading or installing this version of Apache, please bear in mindthat if you intend to use Apache with one of the threaded MPMs (otherthan the Prefork MPM), you must ensure that any modules you will beusing (and the libraries they depend on) are thread-safe.Please note that while the Apache HTTP Server Project may publish somesecurity patches to the 2.2.x flavor through at least December of 2017,no further maintenance patches of 2.2.x will be considered and no furtherreleases will be distributed. The 2.2.x branch has now reached the end ofits maintenance, and users are strongly encouraged to promptly completetheir transitions to this 2.4.x flavor of httpd to benefit from securityand bug fixes, as well as new features.
|