See https://forum.apachehaus.com/index.php?topic=1574.0 for the details.

Isn't that special!

Not 24 hours after Apache 2.4.41 released nghttp2 released version 1.39.2 to fix these vulnerabilities. Argh!

Normally I just let it go because it's usually some minor bug fix but NO, it fixes a remotely exploitable Denial of Service vulnerability that I would classify as "High Severity" if using mod_http2.

I found out about it not from the usual places I get information like this but from El Reg of all places. If you look at this list of applications affected you will notice it says Apache is not affected, but nghttp2 is which mod_http2 uses. I think it's best to just play it safe and update.

I've already put new downloads on the download page but anyone who downloaded a non-r2 package (within last 36 hours +/- as of this post) should update the nghttp2.dll file in Apache's bin folder.

Replacement DLL Apache 2.4.41 VC14 (with OpenSSL 1.0.2s or LibreSSL 2.9.2)

x86: https://www.apachehaus.net/temp/nghttp2-1.39.2-x86-vc14.zip
x64: https://www.apachehaus.net/temp/nghttp2-1.39.2-x64-vc14.zip

Replacement DLL Apache 2.4.41 VC15 (with OpenSSL 1.1.1c)

x86: https://www.apachehaus.net/temp/nghttp2-1.39.2-x86-vc15.zip
x64: https://www.apachehaus.net/temp/nghttp2-1.39.2-x64-vc15.zip

Instructions:

• Download the proper zip file for your version of Apache
• Shutdown Apache
• Copy DLL from the zip file into Apache's bin folder overwriting the existing dll
• Start Apache

Announcing the release of Apache 2.4.41

The big news for this release is mod_md 2.0. A good amount of bugs fixed as well.

As for mod_md, a small list of the many changes and new features;

now supports the ACMEv2 protocol
new challenge method 'tls-alpn-01' implemented
challenge type 'tls-sni-01' has been removed
managed domains are now in Apache's 'server-status' page

If you use mod_md it's probably a good idea to review the change log and mod_md's manual page.

Versioning Information;

APR Version:        1.7.0
APU Version:        1.6.1
Brotli Version:    1.0.7
Jansson Version:    2.12
Libcurl Version:   7.65.3
LibXML2 Version:    2.9.9
LUA Version:        5.2.4
NGHTTP2 Version:    1.37.0
OpenSSL Version:    1.0.2s, 1.1.1c or LibreSSL 2.9.2
PCRE Version:       8.43
SQLite3 Version:    3.29.0
ZLib Version:       1.2.10

You can get your copy of the new Apache HTTP Server from our download page.

Change Log for Apache 2.4.41

Thanks a lot for building!

Announcing the release of Apache 2.4.39 with updated OpenSSL or LibreSSL

OpenSSL releases updated from 1.0.2r to 1.0.2s or 1.1.1b to 1.1.1c
LibreSSL releases updated from 2.8.3 to 2.9.2^*

Other dependency updates include;

APR 1.6.5 to 1.7.0
Libcurl from 7.63.0 tp 7.65.0
NGHTTP2 from 1.37.0 to 1.38.0
SQLite library from 3.27.2 to 3.28.0

You can get your copy of the new Apache HTTP Server from our download page.

* LibreSSL users, the DLL files crypto, ssl & tls have changed (every new minor version) so you can delete your lower numbered files.

Announcing the release of Apache 2.4.39

This release is a bug fix & stability release, the majority to mod_http2.

New module mod_socache_redis allow for storing anything that uses socache in a redis DB.

This release includes:
APR Version:        1.6.5
APU Version:        1.6.1
Brotli Version:    1.0.7
Jansson Version:    2.11
Libcurl Version:   7.63.0
LibXML2 Version:    2.9.9
LUA Version:        5.2.4
NGHTTP2 Version:    1.37.0
OpenSSL Version:    1.0.2q, 1.1.0j, 1.1.1a or LibreSSL 2.8.3
PCRE Version:       8.43
SQLite3 Version:    3.27.2
ZLib Version:       1.2.10

You can get your copy of the new Apache HTTP Server from our download page.

Change Log for Apache 2.4.39

To increase the speed of my server I'd like to use mod_socache_redis.
Is there a fresh version of redis server for windows? I found only crappy old versions for download.

You are our binary hero! 

OpenSSL updated to 1.0.2r or 1.1.1b

This update fixes a moderate severity padding oracle vulnerability (CVE-2019-1559) in OpenSSL 1.0.2-1.0.2q that could be used by a remote peer to decrypt data. It has caveats that required which it is why it is only rated as moderate? Stll, the possibility to decrypt the data is dangerous enough to want to plug that hole, no matter how remote.

For OpenSSL 1.1.1, this is simply a bug fix release. Squashing bugs is good no? If you have not read my post from yesterday you may be surprised to find Apache with OpenSSL 1.1.1 has moved to VC15, You can read about it at the link. Note that until I get the modules built in VC15, you can still use your vc14 modules. I wii start working on the tonight and should have them done by March 4 at the latest. You should be able to expect the same modules currently available to VC14 builds.

Sorry for the short notice but many changes have happened recently.

I've been delaying, trying to skip actually, going to VC15. We were easily able to skip VC10 & VC12 without a problem. There was not a VC13 (MS is superstitious I guess) and we use VC14. We have been getting away with not going to VC15. Sure you couldn't load php 7.2 as a module, but with mod_fcgid I run it, and I run it with just the VC14 redistributable. Why go 15? Just another 2 builds to add on the pile to make 10 different builds, or 5 x86 & x64 pairs. [1]

I have been wanting to reduce builds, even as automated as I have it, it still takes a lot of time even if everything goes without a flaw. [2] We just had the last VC11 builds with the end of php 5.6 and I haven't had a chance to enjoy an Apache release without it.

A recent bonus is php 7.2 has moved the OpenSSL version from 1.1.0 to 1.1.1. I guess it is because  OpenSSL 1.1.0 goes End Of Life (EOL) this September.  So I get to drop them. I admit they were not needed since a VC14 build cannot load the php7apache2_4.dll.  But this now makes OpenSSL 1.1.0 out of the picture.

While I can also run php 7.3 on my VC14 redistributable, it will not load any extensions. Might as well move into VC15 now. And it was so close with VC16 coming out later this year. I get this feeling we will not be able to skip every other VC version any longer. What a horrible thought.

Since OpenSSL/1.0.2r and 1.1.1b were released yesterday, here is what to expect before Thursday, February 28, 11:59pm Pacific Standard Time (UTC-7) provided everything goes smoothly:

Apache/2.4.38 OpenSSL/1.0.2r VC14 which will load php7apache2_4.dll from PHP 7.1
Note: This build will end when OpenSSL 1.0.2 goes EOL at New Year.

Apache/2.4.38 OpenSSL/1.1.1b VC15 which will load php7apache2.4.dll from both php 7.2 & 7.3. I have these built already.

Just went from 8 builds to 4, how wonderful. [1]

[1] These numbers do not include our LibreSSL builds.
[2] It's not just building but packaging, uploading and adding them all to the download page.