Apache HTTP Server 2.4.67 Release Fixes Critical AJP and HTTP/2 Vulnerabilities
Apache HTTP Server 2.4.67 drops today with a heavy focus on patching memory safety flaws in the AJP proxy module and fixing a dangerous double free bug in HTTP/2. Operators running reverse proxies or handling client certificates should update immediately to stop remote attackers from triggering crashes or bypassing authentication. The release also brings updated submodule versions and fixes for older APR builds that frequently break during custom compilations.
The AJP Proxy Memory Safety Fixes
The bulk of the security patches target mod_proxy_ajp, which handles communication between Apache and backend servers such as Tomcat or JBoss. Multiple heap over-reads and off-by-one errors in the AJP parsing functions let a compromised or malicious backend leak memory contents by sending crafted responses. This is not a theoretical edge case, since many legacy setups still route traffic through AJP for performance reasons. Operators running reverse proxies often see AJP connections drop when backend servers send malformed status codes, which directly ties into these new parsing fixes. The null-termination check correction specifically addresses cases where string handling skips boundary validation, a routine trigger for information disclosure during high-traffic proxy operations.
How Apache HTTP Server 2.4.67 Handles Authentication and Protocol Flaws
HTTP/2 receives a critical double-free correction that prevents remote code execution when clients send early reset frames under heavy load. The update also removes the stream-specific memory allocator after reports of conflicts with third-party modules, which routinely caused subtle segmentation faults in custom proxy setups. Digest authentication gets a timing-attack patch that stops attackers from bypassing credentials by measuring response delays across repeated requests. Operators relying on cached authentication backends will appreciate the NULL pointer dereference fix for mod_authn_socache, which previously allowed unauthenticated users to crash child processes in forward proxy configurations. The release also addresses HTTP response splitting vulnerabilities that occur when multiple modules forward malicious status lines from compromised upstream servers.
Module Updates and Compatibility Adjustments
The release bumps mod_md to version 2.6.10 with corrections for certificate renewal job files that falsely report completion without generating the required output. A regression in MDStapleOthers is corrected so stapling applies correctly regardless of configuration state. mod_http2 moves to version 2.0.39, which strips out the stream-specific memory allocator after third-party module conflicts caused widespread instability. The mime.types file gains support for vnd.sqlite3 and modern media formats like HEIC and HEIF, which lets servers serve updated content without manual configuration overrides. Older systems running APR versions before 1.6.0 will also find compatibility adjustments that swap missing string comparison functions with their native equivalents.
Upgrade Path and Verification Steps
Updating requires replacing the existing binary or pulling the new package through the standard distribution repository. Operators should verify the running version after restart by checking the server signature or running a status query against the built-in module handler. Custom-compiled installations need to rebuild with the updated source tree, since submodule changes affect internal headers and linker dependencies. Backing up the current configuration directory before applying the patch prevents rollback issues if custom directives conflict with the new submodule expectations. The process stays straightforward, but skipping the backup step routinely leads to extended downtime when legacy rewrite rules clash with the updated parser logic.
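The checklist above (back up the configuration, confirm the running version, confirm the patched modules are the ones actually loaded, then watch the proxy logs) as a small POSIX shell script. This is an added example written for this article, not a script shipped with httpd. The paths in CONF_DIR, ERROR_LOG and BACKUP_DIR are placeholders, and the sample `httpd -v`, `httpd -M` and error_log text at the bottom is constructed so the script runs offline; on a real host, feed it the live command output and log instead.

```shell
#!/bin/sh
# Post-upgrade verification for Apache httpd 2.4.67 (added example, not httpd's own code).
# CONF_DIR, ERROR_LOG and BACKUP_DIR are placeholder paths; adjust them to the host.

CONF_DIR=${CONF_DIR:-/etc/httpd/conf}
ERROR_LOG=${ERROR_LOG:-/var/log/httpd/error_log}
BACKUP_DIR=${BACKUP_DIR:-/var/backups}
WANT_VERSION=2.4.67

# Step 1: archive the configuration directory before touching the binary.
# Prints the archive path on success so a rollback has something to restore from.
backup_config() {
    dir=$1; out=$2
    stamp=$(date +%Y%m%d%H%M%S)
    archive="$out/httpd-conf-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1
    printf '%s\n' "$archive"
}

# Step 2: pull the dotted version out of `httpd -v` / `apachectl -v` output read on
# stdin; its first line reads "Server version: Apache/2.4.67 (Unix)".
parse_httpd_version() {
    sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# Compare dotted versions numerically, field by field; succeeds when $1 >= $2.
# A missing field counts as 0, so "2.4" sorts below "2.4.67".
version_ge() {
    v=$1; w=$2
    while [ -n "$v" ] || [ -n "$w" ]; do
        x=${v%%.*}; y=${w%%.*}
        if [ "$v" = "$x" ]; then v=; else v=${v#*.}; fi
        if [ "$w" = "$y" ]; then w=; else w=${w#*.}; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# Step 3: from `httpd -M` output on stdin, print which of the modules this release
# patched are actually loaded (mod_proxy_ajp, mod_http2, mod_auth_digest,
# mod_authn_socache, mod_md), so the fixes that matter on this host are known.
list_patched_modules() {
    grep -oE '(proxy_ajp|http2|auth_digest|authn_socache|md)_module' | sort -u
}

# Step 4: count error_log lines (stdin) attributed to mod_proxy_ajp, which logs
# under the module tag "[proxy_ajp:...]". Any count after the switch deserves a look.
count_ajp_errors() {
    n=$(grep -cE '\[proxy_ajp:(error|warn|crit)\]' || true)
    printf '%s\n' "$n"
}

# Constructed sample input so the script runs without an httpd install.
demo_version_output='Server version: Apache/2.4.67 (Unix)
Server built:   Jan  1 2026 00:00:00'
demo_module_output='Loaded Modules:
 core_module (static)
 proxy_ajp_module (shared)
 http2_module (shared)
 ssl_module (shared)'
demo_error_log='[Thu Jan 01 10:00:00.000000 2026] [mpm_event:notice] [pid 100:tid 100] AH00489: Apache/2.4.67 (Unix) configured -- resuming normal operations
[Thu Jan 01 10:00:05.000000 2026] [proxy_ajp:error] [pid 101:tid 200] [client 10.0.0.5:4321] ajp_read_header: ajp_ilink_receive failed
[Thu Jan 01 10:00:06.000000 2026] [proxy:error] [pid 101:tid 200] ap_proxy_connect_backend disabling worker for (10.0.0.9)'

main() {
    running=$(printf '%s\n' "$demo_version_output" | parse_httpd_version)
    if version_ge "$running" "$WANT_VERSION"; then
        echo "running $running (>= $WANT_VERSION): OK"
    else
        echo "running $running (< $WANT_VERSION): upgrade not in effect"
    fi
    echo "patched modules loaded: $(printf '%s\n' "$demo_module_output" | list_patched_modules | tr '\n' ' ')"
    echo "proxy_ajp error lines: $(printf '%s\n' "$demo_error_log" | count_ajp_errors)"
}
main
```

On a live host, replace the constructed strings with `httpd -v | parse_httpd_version`, `httpd -M | list_patched_modules` and `count_ajp_errors < "$ERROR_LOG"` (on Debian-style layouts the binary is `apache2ctl`), and call `backup_config "$CONF_DIR" "$BACKUP_DIR"` before the package swap rather than after it.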
Keep the server running clean and check those proxy logs for any lingering AJP anomalies after the switch. The update cycle moves fast, so staying ahead of these memory safety patches saves a lot of troubleshooting headaches down the road.
