For anyone not subscribed to announce@, sorry I hadn't passed this on... ---------- Forwarded message ---------- From: "William A Rowe Jr" <wr...@apache.org> Date: Oct 5, 2017 13:48 Subject: [Announcement] Apache HTTP Server 2.4.28 Released To: <annou...@apache.org> Cc:
Apache HTTP Server 2.4.28 Released > > October 5, 2017 > > The Apache Software Foundation and the Apache HTTP Server Project > are pleased to announce the release of version 2.4.28 of the Apache > HTTP Server ("Apache"). This version of Apache is our latest GA > release of the new generation 2.4.x branch of Apache HTTPD and > represents fifteen years of innovation by the project, and is > recommended over all previous releases. This release of Apache is > a security, feature, and bug fix release. > > We consider this release to be the best version of Apache available, and > encourage users of all prior versions to upgrade. > > Apache HTTP Server 2.4.28 is available for download from: > > http://httpd.apache.org/download.cgi > > Apache 2.4 offers numerous enhancements, improvements, and performance > boosts over the 2.2 codebase. For an overview of new features > introduced since 2.4 please see: > > http://httpd.apache.org/docs/trunk/new_features_2_4.html > > Please see the CHANGES_2.4 file, linked from the download page, for a > full list of changes. A condensed list, CHANGES_2.4.28 includes only > those changes introduced since the prior 2.4 release. A summary of all > of the security vulnerabilities addressed in this and earlier releases > is available: > > http://httpd.apache.org/security/vulnerabilities_24.html > > Of particular note in this release is 1 SECURITY item: > > o SECURITY: CVE-2017-9798 (cve.mitre.org) > Corrupted or freed memory access. <Limit[Except] > or the > RegisterHttpMethod directive must be given in the startup > configuration (httpd.conf) to register non-standard HTTP methods > before listing them in an .htaccess files. > > This release requires the Apache Portable Runtime (APR), minimum > version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may > require the 1.6.x version of both APR and APR-Util. The APR libraries > must be upgraded for all features of httpd to operate correctly. > > This release builds on and extends the Apache 2.2 API. Modules written > for Apache 2.2 will need to be recompiled in order to run with Apache > 2.4, and require minimal or no source code changes. > > http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING > > When upgrading or installing this version of Apache, please bear in mind > that if you intend to use Apache with one of the threaded MPMs (other > than the Prefork MPM), you must ensure that any modules you will be > using (and the libraries they depend on) are thread-safe. > > Please note that while the Apache HTTP Server Project may publish some > security patches to the 2.2.x flavor through at least December of 2017, > no further maintenance patches of 2.2.x will be considered and no further > releases will be distributed. The 2.2.x branch has now reached the end of > its maintenance, and users are strongly encouraged to promptly complete > their transitions to this 2.4.x flavor of httpd to benefit from security > and bug fixes, as well as new features. > >