Apache 2.4.25 released


May 22, 2014
Netherlands Germany

Seems already in Custombuild 2.0 2.0.0 (rev: 1630)

But take care if you use this http2; maybe you have the same issue as me.

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.25 of the Apache HTTP Server ("Apache"). This version of Apache is our latest GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This release of Apache is a security, feature, and bug fix release, and addresses these specific security defects as well as other fixes:

CVE-2016-0736 mod_session_crypto: Authenticate the session data/cookie with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack.
CVE-2016-2161 mod_auth_digest: Prevent segfaults during client entry allocation when the shared memory space is exhausted.
CVE-2016-5387 core: Mitigate [f]cgi "httpoxy" issues.
CVE-2016-8740 mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
CVE-2016-8743 Enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies.

NOTE: version 2.4.24 was not released.
See therefore with http2
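
The CVE-2016-8743 entry in the announcement quoted above concerns strict RFC 7230 parsing of request lines and request headers. As an added illustration (not code from the post or from Apache httpd), this Python checker tests a raw request head against a simplified subset of that grammar; the function name `check_request_head` and the sample requests used with it are constructed for the example.

```python
import re

# RFC 7230 section 3.2.6: token = 1*tchar
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# request-line = method SP request-target SP HTTP-version, single spaces only.
# Simplification: the target is any run of non-space, non-control characters.
REQUEST_LINE = re.compile(rf"({TOKEN}) ([^\x00-\x20\x7f]+) HTTP/(\d)\.(\d)")
FIELD_NAME = re.compile(TOKEN)
# field-value: visible ASCII, obs-text, SP and HTAB; no other control characters
FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def check_request_head(raw: bytes) -> list:
    """Return the grammar violations found in a request head (empty list = clean)."""
    problems = []
    text = raw.decode("latin-1")
    head, sep, _ = text.partition("\r\n\r\n")
    if not sep:
        return ["head not terminated by CRLF CRLF"]
    lines = head.split("\r\n")
    if not REQUEST_LINE.fullmatch(lines[0]):
        problems.append("malformed request line")
    for line in lines[1:]:
        if "\r" in line or "\n" in line:
            # A lone CR or LF lets two parsers disagree on where a header ends.
            problems.append("bare CR or LF inside header line")
        elif line[:1] in (" ", "\t"):
            problems.append("obsolete line folding")
        else:
            name, colon, value = line.partition(":")
            # Whitespace between field name and colon fails the token check.
            if not colon or not FIELD_NAME.fullmatch(name):
                problems.append(f"invalid field name {name!r}")
            elif not FIELD_VALUE.fullmatch(value):
                problems.append("control character in field value")
    return problems
```

A front end and a back end that disagree on any of these cases can see different requests in the same bytes, which is the response splitting and cache pollution risk the announcement names.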
