Apache HTTP Server 2.2.34 Released

July 11, 2017

The Apache Software Foundation and the Apache HTTP Server Project announce the release of version 2.2.34 of the Apache HTTP Server ("Apache"), the final maintenance release of the 2.2 series. No further 2.2 releases are anticipated. This version of Apache is principally a security and bug fix maintenance release.

We consider the current Apache HTTP Server 2.4 release to be the best version of Apache available, and encourage every user of 2.2 and all prior versions to upgrade. This final 2.2 release is offered for those unable to upgrade at this moment.

Take note that Apache Web Server Project will provide no future release of the 2.2.x series, although some security patches may be published through December of 2017. These will be collected at the URL;

http://www.apache.org/dist/httpd/patches/apply_to_2.2.34/

No further maintenance patches of 2.2.x will be published. Users are strongly encouraged to promptly complete their transitions to the 2.4.x flavor of httpd to receive any future benefit from the user community or the Apache HTTP Server project developers.

For further details about the currently supported release, see:

http://www.apache.org/dist/httpd/Announcement2.4.html

Apache HTTP Server 2.4 and 2.2.34 are available for download from:

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.34 includes only those changes introduced since the prior 2.2 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:

http://httpd.apache.org/security/vulnerabilities_22.html

Note that the Apache HTTP Server project will discontinue evaluations and corresponding advisories to this resource effective January, 2018.

This release includes the Apache Portable Runtime (APR) version 1.5.2 and APR Utility Library (APR-util) version 1.5.4, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs. APR version 1.5 and APR-util version 1.5 represent minor version upgrades from earlier httpd 2.2 source distributions.

Note this package also includes very stale and known-vulnerable versions of the Expat [http://expat.sourceforge.net/] and PCRE [http://www.pcre.org/] packages. Users are strongly encouraged to first install the most recent versions of these components (of PCRE 8.x, not PCRE2 10.x at this time.)

This release builds on and extends the Apache 2.0 API and is superceeded by the Apache 2.4 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.4, and most will require minimal or no source code changes.