The Apache Software Foundation and the Apache HTTP Server Project has announced the release of version 2.4.2 of the Apache HTTP Server (“Apache”). This version of Apache is the second GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project. Apache HTTP Server 2.4.2 is recommended over all previous releases.
This version of Apache is principally a security and bug fix release, including the following security fix:
SECURITY: CVE-2012-0883 (cve.mitre.org) envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the current working directory to be searched for DSOs.
Apache 2.4 Enhancements and Improvements
Apache 2.4 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. This release requires the Apache Portable Runtime (APR) version 1.4.x and APR-Util version 1.4.x. The APR libraries must be upgraded for all features of httpd to operate correctly. This release also builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.4, and require minimal or no source code changes.
When upgrading or installing this version of Apache, please remember that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
Notes for Windows Users
AcceptFilter None has replaced Win32DisableAcceptEx, and the feature appears to have interoperability issues with mod_ssl. Apache 2.4.2 may not yet be suitable for all Windows servers. There is not yet a Windows binary distribution of httpd 2.4, but this is expected to be remedied soon as various dependencies graduate from beta to GA.