Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Service Pack 3 Release Notes
For Use with the Red Hat JBoss Core Services Apache HTTP Server 2.4.37
Abstract
Preface
Welcome to the Red Hat JBoss Core Services version 2.4.37 Service Pack 3 release.
Red Hat JBoss Core Services Apache HTTP Server is an open source web server developed by the Apache Software Foundation. Features of Apache HTTP Server include:
- Implements the current HTTP standards, including HTTP/1.1 and HTTP/2.
- Transport Layer Security (TLS) encryption support though OpenSSL, providing secure connections between the web server and web clients.
- Extendable though modules, some of which are included with the Red Hat JBoss Core Services Apache HTTP Server.
Chapter 1. Installing the Red Hat JBoss Core Services 2.4.37
The Apache HTTP Server 2.4.37 can be installed using one of the following sections of the installation guide:
For installation instructions for Red Hat Enterprise Linux systems, see:
- For installation instructions for Microsoft Windows systems, see: Installing JBoss Core Services Apache HTTP Server on Microsoft Windows.
Chapter 2. Upgrading to the Red Hat JBoss Core Services Apache HTTP Server 2.4.37
Where a Red Hat JBoss Core Services Apache HTTP Server 2.4.29 or earlier was installed from RPMs packages using yum, the Apache HTTP Server can be upgraded with yum upgrade.
For systems where an earlier version of the Red Hat JBoss Core Services Apache HTTP Server was installed from a .zip archive, upgrading to the Apache HTTP Server 2.4.37 Service Pack 3 requires:
- Installing the Apache HTTP Server 2.4.37.
- Setting up the Apache HTTP Server 2.4.37.
- Removing the earlier version of Apache HTTP Server.
Prerequisites
- Root user access (Red Hat Enterprise Linux systems)
- Administrative access (Windows Server)
- A system where the Red Hat JBoss Core Services Apache HTTP Server 2.4.29 or earlier was installed from a .zip archive.
Procedure
For systems using the Red Hat JBoss Core Services Apache HTTP Server 2.4.29, the recommended procedure for upgrading to the Apache HTTP Server 2.4.37 is:
- Shutdown any running instances of Red Hat JBoss Core Services Apache HTTP Server 2.4.29.
- Backup the Red Hat JBoss Core Services Apache HTTP Server 2.4.29 installation and configuration files.
- Install the Red Hat JBoss Core Services Apache HTTP Server 2.4.37 using the .zip installation method for the current system (see Additional Resources below).
Migrate your configuration from the Red Hat JBoss Core Services Apache HTTP Server version 2.4.29 to version 2.4.37.
NoteThe Apache HTTP Server configuration files may have changed since the Apache HTTP Server 2.4.29 release. It is recommended that you update the 2.4.37 version configuration files, rather than overwrite them with the configuration files from a different version (such as the Apache HTTP Server 2.4.29).
- Remove the Red Hat JBoss Core Services Apache HTTP Server 2.4.29 root directory.
Additional Resources
For installation instructions for Red Hat Enterprise Linux systems, see:
- Installing JBoss Core Services Apache HTTP Server on Microsoft Windows.
Chapter 3. Security Fixes
This update includes fixes for the following security related issues:
| ID | Impact | Summary |
|---|---|---|
| Moderate | expat: large number of colons in input makes parser consume high amount of resources, leading to DoS | |
| Low | httpd: mod_http2: read-after-free on a string compare | |
| Low | httpd: mod_http2: possible crash on late upgrade | |
| Low | expat: heap-based buffer over-read via crafted XML input | |
| Moderate | libxml2: There’s a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c that could result in a crash | |
| Moderate | libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c | |
| Low | httpd: mod_proxy_ftp use of uninitialized value | |
| Moderate | libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations | |
| Important | nghttp2: overly large SETTINGS frames can lead to DoS |
Chapter 4. Resolved issues
The following are resolved issues for this release:
| Issue | Summary |
|---|---|
| JBCS-257 | graceful start failure due to wrong path to /sbin/apachectl |
| JBCS-425 | Mod_cluster EnableWsTunnel enables only ws comunication |
| JBCS-495 | Update references to 'the Apache HTTP' |
| JBCS-501 | Change instances of ZIP |
| JBCS-529 | Documentation for mod_security |
| JBCS-651 | mod_cluster does not properly disable session stickiness |
| JBCS-761 | Documentation error in naming jbcs-httpd2.4-httpd-selinux |
| JBCS-884 | Empty directories used by caching are still present on File System even after specifying "-t" to delete them with htcacheclean |
| JBCS-929 | Automatic resolution of JBCS_HOME in apxs |
| JBCS-931 | Rebase mod_http2 to 1.15.7 |
| JBCS-933 | fix health check for wss |
| JBCS-935 | cannot override default Virtualhost’s mod_reqtimeout |
| JBCS-936 | Tech Preview: Add openssl-pkcs11 to JBCS |
| JBCS-941 | Upgrade mod_cluster native to 1.3.14 |
| JBCS-946 | Setting smax results in very small max connection pool on mod_cluster |
| JBCS-948 | Upgrade mod_jk to 1.2.48 |
| JBCS-949 | Update libxml2 to use gerrit lookaside and sync with rhel-8.3.0 |
Chapter 5. Known issues
The following are known issues for this release:
| Issue | Summary |
|---|---|
| JBCS-589 | The mod_jk module needs more detailed documentation |
| JBCS-621 | Provide brief overview of the difference between Apache HTTPD on RHEL and JBCS Apache HTTP |
| JBCS-838 | Installation steps to upgrade 2.4.29 SP2 from 2.4.29 should be described. |
| JBCS-940 | ModJK and ModCluster Documentation: adding how to configure their respective secret directive |
Chapter 6. Upgraded components
This release includes upgraded versions of the following packages:
| Component | Version | Operating Systems |
|---|---|---|
| mod_jk | 1.2.48 | All |
| mod_cluster native | 1.3.14 | All |
| mod_http2 | 1.15.7 | All |
| openssl-pkcs11 | 0.4.10 | RHEL 7 and Windows |
