Apache HTTP Server 2.4.46 Released with Security Fixes and Enhancements

Apache HTTP Server 2.4.46 has been released, fixing security issues, bugs, and adding new features.

SECURITY: CVE‑2020‑11984 – mod_proxy_uwsgi: malicious requests could lead to information disclosure or remote code execution.

SECURITY: CVE‑2020‑11993 – mod_http2: when connection requests are limited, logging may cause unsafe concurrent memory‑pool usage.

SECURITY: mod_http2 – a crafted 'Cache‑Digest' header can cause the server to crash when attempting HTTP/2 PUSH.

mod_proxy_fcgi – fixed a build‑warning issue on the Windows platform.

Apache HTTP Server (Apache) is an open‑source web server that runs on most operating systems; its cross‑platform nature and security have made it one of the most popular server‑side software solutions.

The 2.4.x series requires Apache Portable Runtime (APR) version ≥ 1.5.x and APR‑Util version ≥ 1.5.x; some features need APR/ APR‑Util 1.6.x, so the APR libraries must be upgraded for full functionality.

This version is based on and extends the Apache 2.2 API. Modules written for Apache 2.2 can be recompiled for 2.4 with little or no source changes.

When upgrading or installing, ensure that any modules used with a threaded MPM (except Prefork) are thread‑safe.

The 2.2.x branch has reached end‑of‑life and will no longer receive changes, including security patches; users should transition to the 2.4.x series to benefit from future fixes and features.