Posted to users@httpd.apache.org by William A Rowe Jr <wr...@apache.org> on 2017/10/09 18:40:47 UTC

[users@httpd] Fwd: [Announcement] Apache HTTP Server 2.4.28 Released

For anyone not subscribed to announce@, sorry I hadn't passed this on...

---------- Forwarded message ----------
From: "William A Rowe Jr" <wr...@apache.org>
Date: Oct 5, 2017 13:48
Subject: [Announcement] Apache HTTP Server 2.4.28 Released
To: <an...@apache.org>
Cc:

             Apache HTTP Server 2.4.28 Released
>
> October 5, 2017
>
> The Apache Software Foundation and the Apache HTTP Server Project
> are pleased to announce the release of version 2.4.28 of the Apache
> HTTP Server ("Apache").  This version of Apache is our latest GA
> release of the new generation 2.4.x branch of Apache HTTPD and
> represents fifteen years of innovation by the project, and is
> recommended over all previous releases. This release of Apache is
> a security, feature, and bug fix release.
>
> We consider this release to be the best version of Apache available, and
> encourage users of all prior versions to upgrade.
>
> Apache HTTP Server 2.4.28 is available for download from:
>
>   http://httpd.apache.org/download.cgi
>
> Apache 2.4 offers numerous enhancements, improvements, and performance
> boosts over the 2.2 codebase.  For an overview of new features
> introduced since 2.4 please see:
>
>   http://httpd.apache.org/docs/trunk/new_features_2_4.html
>
> Please see the CHANGES_2.4 file, linked from the download page, for a
> full list of changes. A condensed list, CHANGES_2.4.28 includes only
> those changes introduced since the prior 2.4 release.  A summary of all
> of the security vulnerabilities addressed in this and earlier releases
> is available:
>
>   http://httpd.apache.org/security/vulnerabilities_24.html
>
> Of particular note in this release is 1 SECURITY item:
>
>   o SECURITY: CVE-2017-9798 (cve.mitre.org)
>     Corrupted or freed memory access. <Limit[Except] > or the
>     RegisterHttpMethod directive must be given in the startup
>     configuration (httpd.conf) to register non-standard HTTP methods
>     before listing them in an .htaccess file.
>
> This release requires the Apache Portable Runtime (APR), minimum
> version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
> require the 1.6.x version of both APR and APR-Util. The APR libraries
> must be upgraded for all features of httpd to operate correctly.
>
> This release builds on and extends the Apache 2.2 API.  Modules written
> for Apache 2.2 will need to be recompiled in order to run with Apache
> 2.4, and require minimal or no source code changes.
>
>   http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
>
> When upgrading or installing this version of Apache, please bear in mind
> that if you intend to use Apache with one of the threaded MPMs (other
> than the Prefork MPM), you must ensure that any modules you will be
> using (and the libraries they depend on) are thread-safe.
>
> Please note that while the Apache HTTP Server Project may publish some
> security patches to the 2.2.x flavor through at least December of 2017,
> no further maintenance patches of 2.2.x will be considered and no further
> releases will be distributed. The 2.2.x branch has now reached the end of
> its maintenance, and users are strongly encouraged to promptly complete
> their transitions to this 2.4.x flavor of httpd to benefit from security
> and bug fixes, as well as new features.
>
>