You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by William A Rowe Jr <wr...@rowe-clan.net> on 2017/07/11 16:02:09 UTC

[Announcement] Apache HTTP Server 2.2.34 Released

  July 11, 2017

   The Apache Software Foundation and the Apache HTTP Server Project
   announce the release of version 2.2.34 of the Apache HTTP Server
   ("Apache"), the final maintenance release of the 2.2 series. No
   further 2.2 releases are anticipated. This version of Apache is
   principally a security and bug fix maintenance release.

   We consider the current Apache HTTP Server 2.4 release to be the best
   version of Apache available, and encourage every user of 2.2 and all
   prior versions to upgrade. This final 2.2 release is offered for those
   unable to upgrade at this moment.

   Take note that Apache Web Server Project will provide no future release
   of the 2.2.x series, although some security patches may be published
   through December of 2017. These will be collected at the URL;

     http://www.apache.org/dist/httpd/patches/apply_to_2.2.34/

   No further maintenance patches of 2.2.x will be published. Users are
   strongly encouraged to promptly complete their transitions to the
   2.4.x flavor of httpd to receive any future benefit from the user
   community or the Apache HTTP Server project developers.

   For further details about the currently supported release, see:

     http://www.apache.org/dist/httpd/Announcement2.4.txt

   Apache HTTP Server 2.4 and 2.2.34 are available for download from:

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes. A condensed list, CHANGES_2.2.34 includes only
   those changes introduced since the prior 2.2 release. A summary of all
   of the security vulnerabilities addressed in this and earlier releases
   is available:

     http://httpd.apache.org/security/vulnerabilities_22.html

   Note that the Apache HTTP Server project will discontinue evaluations
   and corresponding advisories to this resource effective January, 2018.

   This release includes the Apache Portable Runtime (APR) version 1.5.2
   and APR Utility Library (APR-util) version 1.5.4, bundled with the tar
   and zip distributions. The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.
   APR version 1.5 and APR-util version 1.5 represent minor version upgrades
   from earlier httpd 2.2 source distributions.

   Note this package also includes very stale and known-vulnerable versions
   of the Expat [http://expat.sourceforge.net/] and PCRE [http://www.pcre.org/]
   packages. Users are strongly encouraged to first install the most recent
   versions of these components (of PCRE 8.x, not PCRE2 10.x at this time.)

   This release builds on and extends the Apache 2.0 API and is superceeded
   by the Apache 2.4 API. Modules written for Apache 2.2 will need to be
   recompiled in order to run with Apache 2.4, and most will require minimal
   or no source code changes.