Apache 2.4.43 has been released, with improvements in modules and more

The Apache Software Foundation announced a few days ago the release of the new version of its HTTP server, "Apache 2.4.43", which includes 34 changes and 3 fixed vulnerabilities, in addition to providing a series of improvements over version 2.2.

For those unfamiliar with Apache, it is an open source HTTP web server available for Unix platforms (BSD, GNU/Linux, etc.), Microsoft Windows, Macintosh and others.

What's new in Apache 2.4.43?

This new version of the server is considered important because it marks the end of life of the 2.2.x branch. This version is based on and extends the Apache 2.2 API, and modules written for Apache 2.2 will have to be recompiled to run with Apache 2.4.

Among the main changes that stand out in this version is the addition of a new module, "mod_systemd", which provides integration with the systemd system manager and allows httpd to be used in services of type "Type=notify".

In addition, the capabilities of the mod_md module, developed by the Let's Encrypt project to automate obtaining and maintaining certificates using the ACME protocol (Automatic Certificate Management Environment), have been expanded.

Among the module changes, in mod_authn_socache the limit on the size of the cached line has been increased from 100 to 256.

In mod_ssl, the TLS protocol is negotiated together with virtual hosts (supported when compiled with OpenSSL 1.1.1+).

mod_ssl added support for using OpenSSL ENGINE private keys and certificates when a PKCS#11 URI is specified in SSLCertificateFile/KeyFile.

mod_proxy_hcheck added support for the %{Content-Type} mask in test expressions.

The CookieSameSite, CookieHTTPOnly and CookieSecure modes were added to mod_usertrack to configure how the usertrack cookie is processed.

mod_proxy_ajp implements the "secret" parameter for proxy workers to support the deprecated AJP13 authentication protocol.

For commands defined in the MDMessageCmd directive, a call with the argument "installed" is provided when a new certificate is activated after restarting the server (for example, it can be used to copy or convert a new certificate for other applications).

The MDContactEmail directive was added, through which you can specify a contact email that does not overlap with the data in the ServerAdmin directive.

Of the other changes that stand out from this version:

  • Cross compilation support has been added to apxs.
  • For all virtual hosts, support is provided for the protocol used when negotiating a secure communication channel ("tls-alpn-01").
  • Mod_md directives are allowed in blocks Y .
  • Previous settings are replaced when MDCAChallenges is used again.
  • Added the ability to set the URL for CTLog Monitor.
  • Added configuration set for OpenWRT.
  • Tests implemented using the Travis CI continuous integration system.
  • Parsed transfer encoding headers.
  • Due to the use of hashing for command tables, the restart in "graceful" mode has been sped up (without interrupting the executed request handlers).
  • The tables r:headers_in_table, r:headers_out_table, r:err_headers_out_table, r:notes_table and r:subprocess_env_table were added to mod_lua, available in read-only mode. Tables can be set to null.

As for the bugs fixed in this new version:

  • CVE-2020-1927: vulnerability in mod_rewrite, which allows the server to be used to forward calls to other resources (open redirect). Some mod_rewrite configurations can send the user to a different link, encoded using a line feed character within the parameter used in an existing redirect.
  • CVE-2020-1934: vulnerability in mod_proxy_ftp. Using uninitialized values can cause a memory leak when sending requests to an attacker-controlled FTP server.
  • A memory leak in mod_ssl that occurs when OCSP requests are joined.
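
A triage check for CVE-2020-1927 as described above, added here as an example (not code from the Apache project or from the original article): it scans access-log lines for redirect responses whose request target carries an encoded line feed or carriage return. It assumes the default combined log format and uses constructed sample lines; a hit is a lead to review against your RewriteRule configuration, not proof of abuse.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def suspicious_redirects(lines):
    """Return (host, time, target, status) for every 3xx response whose
    request target contains CR or LF after one round of percent-decoding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        status = int(m["status"])
        target = m["target"]
        if 300 <= status < 400 and re.search(r"[\r\n]", unquote(target)):
            hits.append((m["host"], m["time"], target, status))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Apr/2020:10:00:01 +0000] "GET /old/page HTTP/1.1" 302 211 "-" "curl/7.68.0"',
    '192.0.2.44 - - [02/Apr/2020:10:00:07 +0000] "GET /old/page%0Aexample.invalid HTTP/1.1" 302 215 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [02/Apr/2020:10:00:09 +0000] "GET /old/item%0dx HTTP/1.1" 301 215 "-" "Mozilla/5.0"',
    '192.0.2.51 - - [02/Apr/2020:10:00:12 +0000] "GET /search?q=a%0Ab HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for host, when, target, status in suspicious_redirects(SAMPLE_LOG):
        print(f"{when} {host} {status} {target}")
```
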

Finally, if you want to know more about this new release, you can check the details in the following link.

Download

You can get the new version by going to the official Apache website and in its download section you will find the link to the new version.

The link is this.

