Download Apache httpd 2.4.26

The Apache HTTP Server Project development team has released a new version of the Apache web server with 2.4.26 as the version number. This server is using modules provide all kinds of additional functionality. For more information, we refer you to this page. The announcement and list of changes for version 2.4.26 are as follows:

Apache HTTP Server 2.4.26 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.26 of the Apache HTTP Server (“Apache”). This version of Apache is our latest GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This release of Apache is a security, feature, and bug fix release.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

This release requires the Apache Portable Runtime (APR), minimum version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may require the 1.6.x version of both APR and APR-Util. The APR libraries must be upgraded for all features of httpd to operate correctly.

Vulnerabilities fixed in Apache httpd 2.4.26

• important: ap_get_basic_auth_pw() Authentication Bypass CVE-2017-3167
• important: mod_ssl Null Pointer Dereference CVE-2017-3169
• important: mod_http2 Null Pointer Dereference CVE-2017-7659
• important: ap_find_token() Buffer Overread CVE-2017-7668
• important: mod_mime Buffer Overread CVE-2017-7679

Changes with Apache 2.4.26

• HTTP/2 support no longer tagged as “experimental” but is instead considered fully production ready.
• mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep the session in continuous check for state changes that never happen.
• mod_mime: Fix error checking for quoted pairs.
• mod_proxy_wstunnel: Add “upgrade” parameter to allow upgrade to other protocols.
• MPMs unix: Place signals handlers and helpers out of DSOs to avoid a possible crash if a signal is caught during (graceful) restart. PR 60487.
• core: Deprecate ap_get_basic_auth_pw() and add ap_get_basic_auth_components().
• mod_rewrite: When a substitution is a fully qualified URL, and the scheme/host/port matches the current virtual host, stop interpreting the path component as a local path just because the first component of the path exists in the filesystem. Adds RewriteOption “LegacyPrefixDocRoot” to revert to previous behavior. PR60009.
• core: ap_parse_form_data() URL decoding doesn’t work on EBCDIC platforms. PR61124.
• ab: enable option processing for setting a custom HTTP method also for non-SSL builds.
• core: EBCDIC fixes for interim responses with additional headers.
• mod_ssl: Consistently pass the expected bio_filter_in_ctx_t to ssl_io_filter_error().
• mod_env: when processing a ‘SetEnv’ directive, warn if the environment variable name includes a ‘=’. It is likely a configuration error. PR 60249
• Evaluate nested If/ElseIf/Else configuration blocks.
• mod_rewrite: Add ‘BNP’ (backreferences-no-plus) flag to RewriteRule to allow spaces in backreferences to be encoded as %20 instead of ‘+’.
• mod_rewrite: Add the possibility to limit the escaping to specific characters in backreferences by listing them in the B flag.
• mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC systems.
• mod_http2: fail requests without ERROR log in case we need to read interim responses and see only garbage. This can happen if proxied servers send data where none should be, eg a body for a HEAD request.
• mod_proxy_http2: adding support for Reverse Proxy Request headers.
• mod_http2: fixed possible deadlock that could occur when connections were terminated early with ongoing streams. Fixed possible hanger with timeout on race when connection considers itself idle.
• mod_http2: MaxKeepAliveRequests now limits the number of times a slave connection gets reused.
• mod_brotli: Add a new module for dynamic Brotli (RFC 7932) compression.
• mod_proxy_http2: Fixed bug in re-attempting proxy requests after connection error. Reliability of reconnect handling improved.
• mod_http2: better performance, eliminated need for nested locks and thread privates. Moving request setups from the main connection to the worker threads. Increase number of spare connections kept.
• mod_http2: input buffering and dynamic flow windows for increased throughput. Requires nghttp2 >= v1.5.0 features. Announced at startup in mod_http2 INFO log as feature ‘DWINS’.
• mod_http2: h2 workers with improved scalability for better scheduling performance. There are H2MaxWorkers threads created at start and the number is kept constant for now.
• mod_http2: obsoleted option H2SessionExtraFiles, will be ignored and just log a warning.
• mod_autoindex: Add IndexOptions UseOldDateFormat to allow the date format from 2.2 in the Last Modified column. PR60846.
• core: Add %{REMOTE_PORT} to the expression parser. PR59938
• mod_cache: Fix a regression in 2.4.25 for the forward proxy case by computing and using the same entity key according to when the cache checks, loads and saves the request. PR 60577.
• mod_proxy_hcheck: Don’t validate timed out responses.
• mod_proxy_hcheck: Ensure thread-safety when concurrent healthchecks are in use (ProxyHCTPsize > 0). PR 60071.
• core: %{DOCUMENT_URI} used in nested SSI expressions should point to the URI originally requsted by the user, not the nested documents URI. This restores the behavior of this variable to match the “legacy” SSI parser. PR60624.
• mod_proxy_fcgi: Add ProxyFCGISetEnvIf to fixup CGI environment variables just before invoking the FastCGI.
• mod_proxy: Allow the per-request environment variable “no-proxy” to be used as an alternative to ProxyPass /path !. This is primarily to set exceptions for ProxyPass specified in context. Use SetEnvIf, not SetEnv.
• mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving a “proxy:fcgi://” prefix in the SCRIPT_FILENAME environment variable by default. Add ProxyFCGIBackendType to allow the type of backend to be specified so these kinds of fixups can be restored without impacting FPM. PR60576
• mod_ssl: work around leaks on (graceful) restart.
• mod_ssl: Add support for OpenSSL 1.1.0.
• Don’t set SO_REUSEPORT unless ListenCoresBucketsRatio is greater than zero.
• mod_http2: moving session cleanup to pre_close hook to avoid races with modules already shut down and slave connections still operating.
• mod_lua: Support for Lua 5.3
• mod_proxy_http2: support for ProxyPreserverHost directive.
• mod_http2: fix for crash when running out of memory.
• mod_proxy_fcgi: Return HTTP 504 rather than 503 in case of proxy timeout.
• mod_http2: not counting file buckets again stream max buffer limits. Effectively transferring static files in one step from slave to master connection.
• mod_http2: comforting ap_check_pipeline() on slave connections to facilitate reuse (see
• mod_http2: http/2 streams now with state handling/transitions as defined in RFC7540. Stream cleanup/connection shutdown reworked to become easier to understand/maintain/debug. Added many asserts on state and cleanup transitions.
• mod_auth_digest: Use an anonymous shared memory segment by default, preventing startup failure after unclean shutdown. PR 54622.
• mod_filter: Fix AddOutputFilterByType with non-content-level filters. PR 58856.
• mod_watchdog: Fix semaphore leak about restarts.
• mod_http2: regression fix on PR 59348, on graceful restart, ongoing streams are finished normally before the final GOAWAY is sent.
• mod_proxy: Allow the per-request environment variable “no-proxy” to be used as an alternative to ProxyPass /path !. This is primarily to set exceptions for ProxyPass specified in context. Use SetEnvIf, not SetEnv. PR 60458.
• mod_http2: fixes PR60599, sending proper response for conditional requests answered by mod_cache.
• mod_http2: rework of stream resource cleanup to avoid a crash in a close of a lingering connection. Prohibit special file bucket beaming for shared buckets. Files sent in stream output now use the stream pool as read buffer, reducing memory footprint of connections.
• mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when modules add empty environment variables to the request. PR 60275.
• mod_http2: fix for possible page fault when stream is resumed during session shutdown.
• mod_http2: fix for h2 session ignoring new responses while already open streams continue to have data available.
• mod_http2: adding support for MergeTrailers directive.
• mod_http2: limiting DATA frame sizes by TLS record sizes in use on the connection. Flushing outgoing frames earlier.
• mod_http2: cleanup beamer registry on server reload. PR 60510.
• mod_proxy_{ajp,fcgi}: Fix a possible crash when reusing an established backend connection, happening with LogLevel trace2 or higher configured, or at any log level with compilers not detected as C99 compliant (eg MSVC on Windows).
• mod_ext_filter: Don’t interfere with “error buckets” issued by other modules. PR 60375.
• mod_http2: fixes eg beam bucket lifetime handling when data is sent over temporary pools.