I was just updating PR 63212 and could not point the user at a top-level,
definitive statement that they were trying to accomplish something very
unwise, which they should have known better than to attempt. Apparently
there are few sources of this information. From http://httpd.apache.org/ ...


Apache httpd 2.4.38 Released 2019-01-22
<http://httpd.apache.org/#apache-httpd-2438-released-2019-01-22>

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce <http://www.apache.org/dist/httpd/Announcement2.4.html> the
release of version 2.4.38 of the Apache HTTP Server ("httpd").

This latest release from the 2.4.x stable branch represents the best
available version of Apache HTTP Server.


This seems to be somewhat unhelpful from a top-level knowledge point of
view; it doesn't indicate that they should choose 2.4.38 over 2.4.37 for
any particular reason, or that they would *need* to choose 2.4.38 if they
wished to have a server running against OpenSSL 1.1.1 and later.

Is there a way to improve communication of "do not use" guidance, outside
of information at http://httpd.apache.org/security/vulnerabilities_24.html
nested two-clicks deep?

I do not see such guidance at http://www.apache.org/dist/httpd/ either; the
Announcement does not suggest anything. I also find the offending 2.4.37
release still available for download (surely just an oversight).

Note PR 63212 may be entirely specific to AIX, and may be a side effect of
build schema changes of OpenSSL 1.1.1 itself. Sorry I no longer have the
hardware to explore such issues.
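As an added example (not code from the post above or from the httpd project), the check a practitioner would want before hitting the problem the post describes: take the httpd and OpenSSL versions a running server reports and flag the pairing the post says requires 2.4.38, namely an httpd older than 2.4.38 built against OpenSSL 1.1.1 or later. The log line fed in is constructed, and the assumption that mod_ssl's startup message carries both an "Apache/x.y.z" and an "OpenSSL/x.y.z" token is exactly that, an assumption about your build's log format; `vercmp`, `needs_2438` and `check_log_line` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original post or of the httpd project.
# Flags an httpd build older than 2.4.38 that is running against OpenSSL
# 1.1.1 or later, the pairing the post above says needs the 2.4.38 upgrade.

# Compare two dotted version strings field by field (letters such as the
# "a" in 1.1.1a are ignored). Prints -1, 0 or 1 for a<b, a==b, a>b.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/[^0-9.]/, "", a); gsub(/[^0-9.]/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# True (exit 0) when the pairing falls under the post's guidance:
# httpd below 2.4.38 combined with OpenSSL 1.1.1 or newer.
needs_2438() {
    httpd_ver=$1; ssl_ver=$2
    [ "$(vercmp "$httpd_ver" 2.4.38)" -lt 0 ] &&
        [ "$(vercmp "$ssl_ver" 1.1.1)" -ge 0 ]
}

# Pull "Apache/<ver>" and "OpenSSL/<ver>" out of one error_log line and
# report. Exit 0 = fine, 1 = upgrade needed, 2 = line could not be parsed.
# Assumption: the mod_ssl startup message names both libraries this way.
check_log_line() {
    line=$1
    h=$(printf '%s\n' "$line" | sed -n 's/.*Apache\/\([0-9.]*\).*/\1/p')
    s=$(printf '%s\n' "$line" | sed -n 's/.*OpenSSL\/\([0-9.a-z]*\).*/\1/p')
    if [ -z "$h" ] || [ -z "$s" ]; then
        echo "unparsed: $line"
        return 2
    fi
    if needs_2438 "$h" "$s"; then
        echo "httpd $h with OpenSSL $s: upgrade to 2.4.38 or later"
        return 1
    fi
    echo "httpd $h with OpenSSL $s: ok"
    return 0
}

# Constructed sample of a mod_ssl startup line (not captured from a real host).
SAMPLE_LOG='[Tue Jan 22 10:00:00.000000 2019] [ssl:info] [pid 1234] AH01876: mod_ssl/2.4.37 compiled against Server: Apache/2.4.37, Library: OpenSSL/1.1.1a'

check_log_line "$SAMPLE_LOG"
echo "status: $?"
```

On a live host, pipe the relevant line from the error log (or the output of `openssl version` and `httpd -v`, which print the same version tokens) into `check_log_line` instead of the constructed sample; the version comparison is numeric, so 2.4.10 sorts after 2.4.9 as it should.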
