Software Update: Apache httpd 2.4.38


The Apache HTTP Server Project development team has released version 2.4.38 of the Apache web server. The server uses modules to provide all kinds of additional functionality. For more information, please refer to this page. The announcement and list of changes for version 2.4.38 are as follows:

Apache httpd 2.4.38 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.38 of the Apache HTTP Server (“httpd”). This latest release from the 2.4.x stable branch represents the best available version of Apache HTTP Server.

Changes with Apache 2.4.38

  • SECURITY: CVE-2018-17199 mod_session: mod_session_cookie does not respect expiry time allowing sessions to be reused.
  • SECURITY: CVE-2018-17189 mod_http2: fixes a DoS attack vector. By sending slow request bodies to resources not consuming them, httpd cleanup code occupies a server thread unnecessarily. This was changed to an immediate stream reset which discards all stream state and incoming data.
  • SECURITY: CVE-2019-0190 mod_ssl: Fix infinite loop triggered by a client-initiated renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and later. PR 63052.
  • mod_ssl: Clear retry flag before aborting client-initiated renegotiation. PR 63052
  • mod_negotiation: Treat LanguagePriority as case-insensitive to match AddLanguage behavior and HTTP specification. PR 39730
  • mod_md: incorrect behavior when synchronizing ongoing ACME challenges has been fixed.
  • mod_setenvif: We can have expressions that become true if a regex pattern in the expression does NOT match. In this case val is NULL and we should just set the value for the environment variable like in the pattern case.
  • mod_session: Always decode session attributes early.
  • core: Incorrect values for environment variables are substituted when multiple environment variables are specified in a directive.
  • mod_rewrite: Only create the global mutex used by “RewriteMap prg:” when this type of map is present in the configuration. PR62311.
  • mod_dav: Fix invalid Location header when a resource is created by passing an absolute URI on the request line
  • mod_session_cookie: avoid duplicate Set-Cookie header in the response.
  • mod_ssl: clear *SSL errors before loading certificates and checking afterwards. Otherwise errors are reported when other SSL using modules are in play. Fixes PR 62880.
  • mod_ssl: Fix the error code returned in an error path of ‘ssl_io_filter_handshake()’. This messes up error handling performed in ‘ssl_io_filter_error()’.
  • mod_ssl: Fix $HTTPS definition for “SSLEngine optional” case, and fix authz provider so “Require ssl” works correctly in HTTP/2. PR 61519, 62654.
  • mod_proxy: If ProxyPassReverse is used for reverse mapping of relative redirects, subsequent ProxyPassReverse statements, whether they are relative or absolute, may fail. PR 60408.
  • mod_lua: Now marked as a stable module
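
To see which of the three SECURITY entries above matter for a given server, the sketch below correlates `httpd -v` and `httpd -M` output. It is an added example, not code from the Apache project; the sample output is constructed, and the function names are illustrative. It reports only which 2.4.38 fixes a build lacks for modules it has loaded, since the change list does not state affected version ranges.

```python
import re

FIXED_IN = (2, 4, 38)  # release that carries the fixes listed above

# Security fixes from the 2.4.38 change list, keyed by the identifier
# `httpd -M` prints for the module each entry names.
SECURITY_FIXES = {
    "session_cookie_module": "CVE-2018-17199",
    "http2_module": "CVE-2018-17189",
    "ssl_module": "CVE-2019-0190",
}

def parse_version(version_output):
    """Extract (major, minor, patch) from `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", version_output)
    if m is None:
        raise ValueError("no Apache/x.y.z version string found")
    return tuple(int(part) for part in m.groups())

def loaded_modules(modules_output):
    """Return the set of module identifiers from `httpd -M` output."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)",
                          modules_output, flags=re.MULTILINE))

def missing_fixes(version_output, modules_output):
    """List (CVE, module) pairs whose 2.4.38 fix this build lacks."""
    if parse_version(version_output) >= FIXED_IN:
        return []
    loaded = loaded_modules(modules_output)
    return sorted((cve, mod) for mod, cve in SECURITY_FIXES.items()
                  if mod in loaded)

# Constructed sample output, not captured from a real host.
SAMPLE_VERSION = "Server version: Apache/2.4.37 (Unix)\n"
SAMPLE_MODULES = """Loaded Modules:
 core_module (static)
 http_module (static)
 ssl_module (shared)
 http2_module (shared)
 rewrite_module (shared)
"""

if __name__ == "__main__":
    for cve, mod in missing_fixes(SAMPLE_VERSION, SAMPLE_MODULES):
        print(f"{mod}: upgrade to 2.4.38 or later for {cve}")
```

Distribution packages often backport security fixes without changing the upstream version string, so treat a hit as a prompt to check the package changelog rather than as proof of exposure.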

Version number: 2.4.38
Release status: Final
Operating systems: Windows 7, Linux, BSD, macOS, Solaris, UNIX, Windows Server 2012, Windows 8, Windows 10, Windows Server 2016
Website: Apache Software Foundation
License type: Conditions (GNU/BSD/etc.)