The Apache Software Foundation and the Apache HTTP Server Project have announced the release of version 2.4.49 of the Apache HTTP Server. According to the announcement, this is the latest release of the new generation 2.4.x branch of Apache HTTPD. It represents the project’s fifteen years of innovation and is recommended over all older releases.
Security, feature, and bug fix release
The Apache Software Foundation announced that the Apache HTTP Server 2.4.49 is a security, feature, and bug fix release. The latest release comes with various enhancements, improvements, and performance boosts over the 2.2 codebase.
The latest release requires the Apache Portable Runtime (APR), minimum version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may require the 1.6.x version of both APR and APR-Util. The APR libraries must be upgraded for all features of httpd to operate correctly. Some of the changes include:
- SECURITY: mod_proxy: Server Side Request Forgery
- SECURITY: core: ap_escape_quotes buffer overflow
- SECURITY: mod_proxy_uwsgi: Out of bound read vulnerability
- SECURITY: core: null pointer dereference on malformed request
- SECURITY: mod_http2: Request splitting vulnerability with mod_proxy
- mod_ssl: Support logging private key material for use with Wireshark via log file given by SSLKEYLOGFILE environment variable.
- mod_proxy: Do not canonicalize the proxied URL when both “nocanon” and “ProxyPassInterpolateEnv On” are configured.
- mpm_event: Fix children processes possibly not stopped on graceful restart.
- mod_proxy: Fix a potential infinite loop when tunneling Upgrade protocols from mod_proxy_http, and a timeout triggering falsely when using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with upgrade= setting.
- mod_unique_id: Reduce the time window where duplicates may be generated
- mpm_prefork: Block signals for child_init hooks to prevent potential threads created from there to catch MPM’s signals.
- Revert “mod_unique_id: Fix potential duplicated ID generation under heavy load.”
- mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.
- mod_proxy: Faster unix socket path parsing in the “proxy:”