The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the final 2.0 release version 2.0.65 of the Apache HTTP Server ("Apache"). This version of Apache will be the last 2.0 bug and security fix release, covering many but not all issues addressed in the stable 2.4 and legacy 2.2 released versions:
NOTE: it remains possible to exhaust all memory using a carefully crafted .htaccess rule, which will not be addressed in 2.0; enabling processing of .htaccess files authored by untrusted users is the root of such security risks. Upgrade to httpd 2.2.25 or later to limit this specific risk.
The Apache HTTP Project thanks Ramiro Molina, Norman Hippert, halfdog, and Context Information Security Ltd for bringing these issues to the attention of the project security team.
Apache HTTP Server 2.0.65, as well as the current stable release 2.4 and legacy release 2.2 are available for download from;
This release includes the Apache Portable Runtime (APR) release 0.9.20, and APR Utility Library (APR-util) release 0.9.19, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libiconv version 0.9.7) must all be updated to ensure binary compatibility and address many known platform bugs.
This release is compatible with modules compiled for 2.0.42 and later versions. The Apache HTTP Project developers strongly encourages all users to migrate to Apache stable release 2.4 or at minimum version the legacy release 2.2 as quickly as possible, as no further maintenance will be performed on this historical version 2.0.