Apache 2.4.25 released

ikkeben

http://www.apache.org/dist/httpd/Announcement2.4.html

Seems already in Custombuild 2.0 2.0.0 (rev: 1630)


But take care if you use this http2; maybe you will have the same issue as me.
http://forum.directadmin.com/showthread.php?t=48989&page=17&p=277732#post277732

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.25 of the Apache HTTP Server ("Apache"). This version of Apache is our latest GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This release of Apache is a security, feature, and bug fix release, and addresses these specific security defects as well as other fixes:

CVE-2016-0736 mod_session_crypto: Authenticate the session data/cookie with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack.
CVE-2016-2161 mod_auth_digest: Prevent segfaults during client entry allocation when the shared memory space is exhausted.
CVE-2016-5387 core: Mitigate [f]cgi "httpoxy" issues.
CVE-2016-8740 mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
CVE-2016-8743 Enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies.

NOTE: version 2.4.24 was not released.
Therefore, see this regarding http2:
http://forum.directadmin.com/showthread.php?t=52590&page=3&p=277987#post277987
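
The CVE-2016-8743 entry above concerns strict enforcement of the RFC 7230 grammar for request lines and headers. The following is an added illustration, not part of the original post and not Apache's own parser: a small checker for the same grammar rules, useful for testing what a front end or proxy lets through. The names `check_request_head` and `SAMPLES` are hypothetical, and the sample requests are constructed.

```python
import re

# RFC 7230 token characters (section 3.2.6), used for methods and field names.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# request-line = method SP request-target SP HTTP-version, single SP only.
REQUEST_LINE = re.compile(rb"(" + TOKEN + rb") ([!-~]+) HTTP/\d\.\d")
# header-field = field-name ":" OWS field-value OWS; no whitespace before ":".
# The value class excludes CR, LF, NUL and other control bytes.
HEADER = re.compile(rb"(" + TOKEN + rb"):[ \t]*[\t\x20-\x7e\x80-\xff]*")


def check_request_head(raw):
    """Return a list of grammar violations; an empty list means acceptable."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["head not terminated by CRLF CRLF"]
    lines = head.split(b"\r\n")
    problems = []
    if not REQUEST_LINE.fullmatch(lines[0]):
        problems.append("invalid request-line")
    for line in lines[1:]:
        if line.startswith((b" ", b"\t")):
            # Folded continuation lines are ambiguous between parsers.
            problems.append("obsolete line folding")
        elif b"\r" in line or b"\n" in line:
            # A lone CR or LF is what lets two parsers disagree on where
            # one header ends, the root of response splitting.
            problems.append("bare CR or LF in header field")
        elif not HEADER.fullmatch(line):
            problems.append("invalid header field")
    return problems


# Constructed sample requests (not taken from any real traffic).
SAMPLES = {
    "well-formed": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "double-space": b"GET  / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "space-before-colon": b"GET / HTTP/1.1\r\nHost : example.test\r\n\r\n",
    "bare-lf": b"GET / HTTP/1.1\r\nX-Note: a\nInjected: b\r\n\r\n",
    "folded": b"GET / HTTP/1.1\r\nX-A: 1\r\n  more\r\nHost: h\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_request_head(raw) or "ok")
```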
 