Sorry Guest, you are banned from posting and sending personal messages on this forum.

Error: S4296

This ban is not set to expire.

Thanks a lot for building!

Announcing the release of Apache 2.4.39 with updated OpenSSL or LibreSSL

OpenSSL releases updated from 1.0.2r to 1.0.2s or 1.1.1b to 1.1.1c
LibreSSL releases updated from 2.8.3 to 2.9.2^*

Other dependency updates include;

APR 1.6.5 to 1.7.0
Libcurl from 7.63.0 tp 7.65.0
NGHTTP2 from 1.37.0 to 1.38.0
SQLite library from 3.27.2 to 3.28.0

You can get your copy of the new Apache HTTP Server from our download page.

* LibreSSL users, the DLL files crypto, ssl & tls have changed (every new minor version) so you can delete your lower numbered files.

Announcing the release of Apache 2.4.39

This release is a bug fix & stability release, the majority to mod_http2.

New module mod_socache_redis allow for storing anything that uses socache in a redis DB.

This release includes:
APR Version:        1.6.5
APU Version:        1.6.1
Brotli Version:    1.0.7
Jansson Version:    2.11
Libcurl Version:   7.63.0
LibXML2 Version:    2.9.9
LUA Version:        5.2.4
NGHTTP2 Version:    1.37.0
OpenSSL Version:    1.0.2q, 1.1.0j, 1.1.1a or LibreSSL 2.8.3
PCRE Version:       8.43
SQLite3 Version:    3.27.2
ZLib Version:       1.2.10

You can get your copy of the new Apache HTTP Server from our download page.

Change Log for Apache 2.4.39

To increase the speed of my server I'd like to use mod_socache_redis.
Is there a fresh version of redis server for windows? I found only crappy old versions for download.

You are our binary hero! 

OpenSSL updated to 1.0.2r or 1.1.1b

This update fixes a moderate severity padding oracle vulnerability (CVE-2019-1559) in OpenSSL 1.0.2-1.0.2q that could be used by a remote peer to decrypt data. It has caveats that required which it is why it is only rated as moderate? Stll, the possibility to decrypt the data is dangerous enough to want to plug that hole, no matter how remote.

For OpenSSL 1.1.1, this is simply a bug fix release. Squashing bugs is good no? If you have not read my post from yesterday you may be surprised to find Apache with OpenSSL 1.1.1 has moved to VC15, You can read about it at the link. Note that until I get the modules built in VC15, you can still use your vc14 modules. I wii start working on the tonight and should have them done by March 4 at the latest. You should be able to expect the same modules currently available to VC14 builds.

Sorry for the short notice but many changes have happened recently.

I've been delaying, trying to skip actually, going to VC15. We were easily able to skip VC10 & VC12 without a problem. There was not a VC13 (MS is superstitious I guess) and we use VC14. We have been getting away with not going to VC15. Sure you couldn't load php 7.2 as a module, but with mod_fcgid I run it, and I run it with just the VC14 redistributable. Why go 15? Just another 2 builds to add on the pile to make 10 different builds, or 5 x86 & x64 pairs. [1]

I have been wanting to reduce builds, even as automated as I have it, it still takes a lot of time even if everything goes without a flaw. [2] We just had the last VC11 builds with the end of php 5.6 and I haven't had a chance to enjoy an Apache release without it.

A recent bonus is php 7.2 has moved the OpenSSL version from 1.1.0 to 1.1.1. I guess it is because  OpenSSL 1.1.0 goes End Of Life (EOL) this September.  So I get to drop them. I admit they were not needed since a VC14 build cannot load the php7apache2_4.dll.  But this now makes OpenSSL 1.1.0 out of the picture.

While I can also run php 7.3 on my VC14 redistributable, it will not load any extensions. Might as well move into VC15 now. And it was so close with VC16 coming out later this year. I get this feeling we will not be able to skip every other VC version any longer. What a horrible thought.

Since OpenSSL/1.0.2r and 1.1.1b were released yesterday, here is what to expect before Thursday, February 28, 11:59pm Pacific Standard Time (UTC-7) provided everything goes smoothly:

Apache/2.4.38 OpenSSL/1.0.2r VC14 which will load php7apache2_4.dll from PHP 7.1
Note: This build will end when OpenSSL 1.0.2 goes EOL at New Year.

Apache/2.4.38 OpenSSL/1.1.1b VC15 which will load php7apache2.4.dll from both php 7.2 & 7.3. I have these built already.

Just went from 8 builds to 4, how wonderful. [1]

[1] These numbers do not include our LibreSSL builds.
[2] It's not just building but packaging, uploading and adding them all to the download page.

Announcing the release of Apache 2.4.38

This release is a bug fix & stability release with no new functions or modules.

This release includes:
APR Version:        1.6.5
APU Version:        1.6.1
Brotli Version:    1.0.7
Jansson Version:    2.11
Libcurl Version:   7.63.0
LibXML2 Version:    2.9.9
LUA Version:        5.1.5 (vc11), 5.2.4 (vc14)
NGHTTP2 Version:    1.36.0
OpenSSL Version:    1.0.2q, 1.1.0j, 1.1.1a or LibreSSL 2.8.3
PCRE Version:       8.42
SQLite3 Version:    3.26.0
ZLib Version:       1.2.10

VC14 builds;

I have finally moved on to LUA 5.2 so if you are upgrading from an older release you may remove the lua51.dll.

VC11 builds;

Since PHP put out one more 5.6 release we are doing one last VC11 release, This really is the last and all VC11 downloads well be removed from the download page around the beginning of February.

You can get your copy of the new Apache HTTP Server from our download page.

Change Log for Apache 2.4.38

It's been a long time since 2.9.2 came out and I was beginning to wonder about this module.

Changes in version 2.9.3;

 * Allow 0 length JSON requests.
 * Include unanmed JSON values in unnamed ARGS
 * Fix buffer size for utf8toUnicode transformation
 * Fix sanitizing JSON request bodies in native audit log format
 * Add sanity check for a couple malloc() and make code more resilient
 * Fix mpm-itk / mod_ruid2 compatibility
 * Code cosmetics: checks if actionset is not null before use it
 * Only generate SecHashKey when SecHashEngine is On
 * Docs: Reformat README to Markdown and update dependencies
 * good practices: Initialize variables before use it
 * Let body parsers observe SecRequestBodyNoFilesLimit
 * potential off by one in parse_arguments
 * Fix utf-8 character encoding conversion
 * Fix ip tree lookup on netmask content
 * modsecurity.conf-recommended: Fix spelling
 * Fix arabic charset in unicode_mapping file
 * Optionally preallocates memory when SecStreamInBodyInspection is on
 * Fixes SecConnWriteStateLimit
 * Added "empy chunk" check
 * Add capture action to @detectXSS operator
 * Uses LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH
 * Adds missing headers


You can get your copy of the new module from our download page.

Thanks!