Apache HTTP Server 2.2.34 Released

The following information has been provided by the HTTPD announce mailing list.

The Apache Software Foundation and the Apache HTTP Server Project
announce the release of version 2.2.34 of the Apache HTTP Server
(“Apache”), the final maintenance release of the 2.2 series. No
further 2.2 releases are anticipated. This version of Apache is
principally a security and bug fix maintenance release.

We consider the current Apache HTTP Server 2.4 release to be the best
version of Apache available, and encourage every user of 2.2 and all
prior versions to upgrade. This final 2.2 release is offered for those
unable to upgrade at this moment.

Take note that Apache Web Server Project will provide no future release
of the 2.2.x series, although some security patches may be published
through December of 2017. These will be collected at the URL;

http://www.apache.org/dist/httpd/patches/apply_to_2.2.34/

No further maintenance patches of 2.2.x will be published. Users are
strongly encouraged to promptly complete their transitions to the
2.4.x flavor of httpd to receive any future benefit from the user
community or the Apache HTTP Server project developers.

For further details about the currently supported release, see:

http://www.apache.org/dist/httpd/Announcement2.4.txt

Apache HTTP Server 2.4 and 2.2.34 are available for download from:

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.34 includes only
those changes introduced since the prior 2.2 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:

http://httpd.apache.org/security/vulnerabilities_22.html

Note that the Apache HTTP Server project will discontinue evaluations
and corresponding advisories to this resource effective January, 2018.

This release includes the Apache Portable Runtime (APR) version 1.5.2
and APR Utility Library (APR-util) version 1.5.4, bundled with the tar
and zip distributions. The APR libraries libapr and libaprutil (and
on Win32, libapriconv version 1.2.1) must all be updated to ensure
binary compatibility and address many known security and platform bugs.
APR version 1.5 and APR-util version 1.5 represent minor version upgrades
from earlier httpd 2.2 source distributions.

Note this package also includes very stale and known-vulnerable versions
of the Expat [http://expat.sourceforge.net/] and PCRE [http://www.pcre.org/]
packages. Users are strongly encouraged to first install the most recent
versions of these components (of PCRE 8.x, not PCRE2 10.x at this time.)

This release builds on and extends the Apache 2.0 API and is superceeded
by the Apache 2.4 API. Modules written for Apache 2.2 will need to be
recompiled in order to run with Apache 2.4, and most will require minimal
or no source code changes.