[Announce] Apache HTTP Server (httpd) 2.2.15 Released

Meesterlijk (Verified User, Netherlands):
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release and immediate availability of version
2.2.15 of the Apache HTTP Server ("httpd"). This version of httpd is
principally a security and bug fix release.

Notably, this release was updated to reflect the OpenSSL Project's
release 0.9.8m of the openssl library, and addresses CVE-2009-3555
(cve.mitre.org), the TLS renegotiation prefix injection attack.
This release further addresses the issues CVE-2010-0408, CVE-2010-0425
and CVE-2010-0434 within mod_proxy_ajp, mod_isapi and mod_headers
respectively.

We consider this release to be the best version of httpd available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.15 is available for download from:

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.15 provides the
complete list of changes since 2.2.14. A summary of security
vulnerabilities which were addressed in the previous 2.2.14 and earlier
releases is available:

http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 2.2.15 is compatible with Apache Portable Runtime
(APR) versions 1.3 and 1.4, APR-util library version 1.3, and
APR-iconv library version 1.2. The most current releases should
be used to address known security and platform bugs. At the time of
this httpd release, the recommended APR releases are:

* Apache Portable Runtime (APR) library version 1.4.2 (bundled),
or at minimum, version 1.3.12
* APR-util library version 1.3.9 (bundled)
* APR-iconv library version 1.2.1 (only bundled in win32-src.zip)

Older releases of these libraries have known vulnerabilities or other
defects affecting httpd. For further information and downloads, visit:

http://apr.apache.org/

Apache HTTP Server 2.2 offers numerous enhancements, bug fixes, and
performance enhancements over the 2.0 codebase. For an overview of
new features introduced since 2.0 please see:

http://httpd.apache.org/docs/2.2/new_features_2_2.html

This release builds upon and extends the httpd 2.0 API. Modules written
for httpd 2.0 will need to be recompiled in order to run with httpd 2.2,
and may require minimal or no source code changes.

When upgrading or installing this version of httpd, please bear in mind
that if you intend to use httpd with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
 
It should be uploaded to DA servers soon, but for those who want to update now:
Code:
cd /usr/local/directadmin/custombuild
# fetch the latest build script, versions.txt and config templates (installs nothing)
./build update
# keep ./build update from overwriting the hand-edited versions.txt below
./build set autover no
# download the 2.2.15 tarball from a mirror into the custombuild directory
wget -O httpd-2.2.15.tar.gz http://www.fightrice.com/mirrors/apache/httpd/httpd-2.2.15.tar.gz
# replace the 2.2.14 entry (name:version:md5) with the version and md5 custombuild should expect for 2.2.15
perl -pi -e 's/apache2.2:2.2.14:2c1e3c7ba00bcaa0163da7b3e66aaa1e/apache2.2:2.2.15:31fa022dc3c0908c6eaafe73c81c65df/' versions.txt
# build and install httpd 2.2.15
./build apache
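As an added check (example script, not part of the post above and not custombuild's own code): the tarball in those steps comes from a third-party mirror, so before running ./build apache it is worth confirming that the file on disk really has the md5 you just wrote into versions.txt. The script reads the name:version:md5 line format shown in the perl substitution; the script name and the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of custombuild.
# Verifies a downloaded tarball against the md5 recorded in custombuild's
# versions.txt ("name:version:md5" per line, as in the perl substitution above)
# before handing it to "./build apache".

# md5_of FILE: print the hex md5 of FILE (md5sum, or openssl as a fallback)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# recorded_md5 VERSIONS_FILE NAME VERSION: print the md5 recorded for NAME:VERSION
# (exact match on both fields; prints nothing if there is no such entry)
recorded_md5() {
    awk -F: -v n="$2" -v v="$3" '$1 == n && $2 == v { print $3; exit }' "$1"
}

# check_tarball VERSIONS_FILE NAME VERSION TARBALL
# returns 0 when TARBALL's md5 equals the versions.txt entry, 1 otherwise
check_tarball() {
    want=$(recorded_md5 "$1" "$2" "$3")
    if [ -z "$want" ]; then
        echo "no entry for $2:$3 in $1" >&2
        return 1
    fi
    have=$(md5_of "$4")
    if [ "$have" = "$want" ]; then
        echo "$4: md5 OK ($have)"
        return 0
    fi
    echo "$4: md5 MISMATCH (versions.txt: $want, file: $have)" >&2
    return 1
}

# Usage (assumed script and file names, run from /usr/local/directadmin/custombuild):
#   sh check_tarball.sh versions.txt apache2.2 2.2.15 httpd-2.2.15.tar.gz && ./build apache
if [ $# -eq 4 ]; then
    check_tarball "$@"
fi
```

A mismatch here means either the download was corrupted or the mirror is not serving the file the Apache project published; in both cases stop and fetch the tarball from another mirror rather than editing versions.txt to match the file you have.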
 
I am running Apache 2.2.14, PHP 5.2.13, MySQL 5.0.90 on CentOS 5.4 final 64bit, and have the most recent version of DirectAdmin.

I want to upgrade to Apache 2.2.15 using custombuild, but have not upgraded Apache before, and therefore want to ask you what the safest way to upgrade Apache is. I am using custombuild version 1.2.12.

I have read this: http://help.directadmin.com/item.php?id=1 But I think this only applies if I am using customapache, and I am not doing that, as this is a regular custombuild install.

In the custombuild FAQ at http://directadmin.com/forum/showthread.php?t=29824 I found this (but I don't understand):

Code:
jail - install/update jailed shell programs using "./build apache", "./build all_jail". Possible values: yes/no (default: no).

I guess there is more to it than just typing "./build apache" and hoping everything magically works out without any problems?

If anybody would be so kind and describe all the necessary steps for me to upgrade from Apache 2.2.14 to 2.2.15 on my CentOS 5.4 box, I would be very thankful.
 
Hello,

It was my mistake, should have been "./build all_jail" there only :)

The following will do the job:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build apache

Good luck!
 
Thank you very much! But just to double-check: After I run your code, should I have to restart Apache myself, or will the custombuild script automatically try to do this for me?

Edit: Also I am not sure about the command "./build update", is that really necessary? Because to me it looks like in the FAQ that this will update everything, but I like to update things one by one, manually. And when upgrading Apache, I only like to upgrade the necessary things for the Apache upgrade. So, do I have to run ./build update, or can I just run ./build apache? Because I am afraid to break something by upgrading something that I should not ... I have never used the command ./build update before ...
 
Sorry. Now I think I understand what ./build update does: it doesn't install anything, it only makes sure that custombuild has the most recent updates available?
 
Correct. "./build update" only grabs the new build script, new versions.txt, new configure files.. config file templates, etc. It doesn't take any action on your system.

John
 
Sorry to be nagging you all, but I have one more question:

I see that I am running "mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5" on my server. Is OpenSSL version something that will be upgraded automatically when I upgrade to Apache 2.2.15 using custombuild?

I think the OpenSSL version should be upgraded because when I check one of the SSL certificates on my server using the latest Opera browser (Opera 10.50), I get this warning when clicking on the certificate in the browser address field:

The server does not support secure TLS renegotiation. The site owner should upgrade the server.

(Attachment: tls.jpg, screenshot of the Opera warning)
 
I have now upgraded to Apache 2.2.15 using custombuild, and the upgrade went fine without any problems! :)

I see that mod_ssl was automatically upgraded to mod_ssl 2.2.15, but the problem with the SSL certificate and the warning message in the Opera browser is still present ("The server does not support secure TLS renegotiation. The site owner should upgrade the server.")

But I guess that it doesn't have anything to do with Apache/custombuild then, so I will have to investigate, and maybe start a new thread in the forum about this later when I have more knowledge about it.
 
I think you should be updating TLS.

I don't know. But I think that it might be OpenSSL that needs to be upgraded, because:

In the changelog for Apache 2.2.15 you can read more about security fixes related to this issue: http://www.apache.org/dist/httpd/CHANGES_2.2.15

"Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later."

Also please see http://httpd.apache.org/ (beneath the heading "Apache HTTP server 2.2.15 Released"):

"Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org), the TLS renegotiation prefix injection attack..."

Because my server uses "OpenSSL 0.9.8e-fips-rhel5", I think I have to upgrade to "OpenSSL 0.9.8m" in order to fix the described problem. Please note that it only seems to be the Opera browser that has a warning about this.

Please also see http://www.openssl.org/ for information about "OpenSSL 0.9.8m", which was released 25 February 2010.

But I am using CentOS 5.4 final 64bit, and according to the technicians at my datacenter, my OpenSSL version 0.9.8e-fips-rhel5 is the newest that is available from the CentOS repository. But I don't know if I can trust them on that. Does anybody know how I can check what version of OpenSSL is in the CentOS repository on my server, i.e. what commands I can use in PuTTY for this?

Update: It was a browser-only problem, and it is fixed in Opera 10.52.
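An added example for the "what commands can I use" question above (example script, not from the thread and not DirectAdmin code). It uses only standard tools (openssl, rpm, yum, awk); the script name and the host name in the usage lines are assumptions. Two points a practitioner would want here: Red Hat and CentOS keep the "0.9.8e" version string while backporting security fixes, so the package changelog says more than the version number does; and the server's own answer to an openssl s_client handshake (the "Secure Renegotiation IS / IS NOT supported" line that a 0.9.8m or later client prints) is independent of whatever a particular browser displays.

```shell
#!/bin/sh
# Added example, not part of the thread. Server-side checks for the
# "does my server support secure TLS renegotiation" question on CentOS/RHEL:
#  1. installed OpenSSL package vs. what the repository offers;
#  2. whether the package changelog mentions CVE-2009-3555, since Red Hat
#     backports fixes without bumping the "0.9.8e" version string;
#  3. what the server itself answers to an "openssl s_client" handshake.

# reneg_status: read "openssl s_client" output on stdin and print
# "supported", "unsupported" or "unknown" from the RFC 5746 status line that
# s_client from OpenSSL 0.9.8m or later prints. An older client (such as the
# 0.9.8e on the server itself) prints no such line, hence "unknown" not "no".
reneg_status() {
    awk '
        /Secure Renegotiation IS NOT supported/ { print "unsupported"; found = 1; exit }
        /Secure Renegotiation IS supported/     { print "supported";   found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# changelog_mentions_cve TEXT CVE_ID: returns 0 if CVE_ID appears in TEXT
# (intended for the output of "rpm -q --changelog openssl")
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -qiF -- "$2"
}

# probe_server HOST [PORT]: ask a live server; needs network access and a
# client built against OpenSSL 0.9.8m or later to get a definite answer
probe_server() {
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null | reneg_status
}

# show_local_openssl: installed version, package changelog hit, repository version
show_local_openssl() {
    openssl version
    if command -v rpm >/dev/null 2>&1; then
        rpm -q openssl
        if changelog_mentions_cve "$(rpm -q --changelog openssl)" CVE-2009-3555; then
            echo "package changelog mentions CVE-2009-3555"
        else
            echo "package changelog does not mention CVE-2009-3555"
        fi
    fi
    # "yum list openssl" shows the installed package and any newer one in the repos
    if command -v yum >/dev/null 2>&1; then
        yum list openssl
    fi
}

# Usage (assumed script and host names):
#   sh tls-reneg-check.sh local            # inspect this host
#   sh tls-reneg-check.sh www.example.com  # query a server over the network
if [ $# -ge 1 ]; then
    case $1 in
        local) show_local_openssl ;;
        *)     echo "$1: secure renegotiation $(probe_server "$@")" ;;
    esac
fi
```

Run the "local" mode on the server over PuTTY to see what the repository actually offers and whether the installed package carries the CVE-2009-3555 backport; then, from a machine whose openssl is 0.9.8m or later, run the probe against the server's host name. "unsupported" from the probe means the server still negotiates without the RFC 5746 extension regardless of what any browser says.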
 