Apache got updated last week, finally got round to getting this tested. It’s now running on all my servers without a problem. Please note that the APR modules are not updated, you could copy them from the 2.4.1 directory.

For compiling read the last update and the additional notes that followed.

During the last week I’ve seen comments regarding the failing of the compilation. The first one was that I completely missed the dependency on PCRE. Because it’s also required for out Postfix installation I already had it installed and didn’t notice it. You can download it from the sourceforge PCRE site. The latest tested version is 8.30. Download it, unpack it and run the following commands in the source directory:

./configure
make
sudo make install

The other thing I missed was the new release of Xcode. Apple released a new version of Xcode 4.3.2 which has a new method of installing. Instead of downloading the Installer from the App Store you can now install Xcode directly from the App Store. However somehow i think they needed to make the package smaller and they left out some the for us essential parts. Luckily its all still free. If you install Xcode from the App Store you need to perform some follow up actions to make it work. Startup Xcode, then let Xcode uninstall the older version, go to the preferences and go for the download tab.

Then select to install the command line tools. Use your apple-id and password to make it happen. After this you’ll be up and running in no time.

Update: If you have a developer account and can login to http://developer.apple.com you can also download the command line tools as a standalone package. Go to the download section and try it there. I’ve got the full Xcode installation as I sometimes try to write that one iPhone app that will make me a millionaire. Let me know if this works for you.

The upgrade to 2.4.x was a bit more complicated then first expected as there is more to it then just a compilation and check if it works. This release has some more changes to it then just a bug fix and some new features.

First most apparent change is that the APR stuff is no longer included in the download. You now have go get it yourself from http://apr.apache.org/.

Download the APR and APR-util from the site, unpack them and copy them into the ‘./srclib‘ directory (after you downloaded Apache and unpacked the archive). Rename the directories to ‘./srclib/apr‘ and ‘./srclib/apr-util‘ (without the version number). For instance by using these commands:

cp -R apr-1.4.6 httpd-2.4.1/srclib/apr
cp -R apr-util-1.4.1 httpd-2.4.1/srclib/apr-util

From then on you can follow the regular instructions on Compiling Apache.

The only problem is the change in the modules that are compiled and included by this new version. Please comment the following list of modules out of the httpd.conf configuration file located in /etc/httpd/.

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so

We are not using the proxy anyway

You need to recompile PHP as well to get it working with this version of Apache. Next I will change the actual compilation instructions.

Note: this works on Snow Leopard and Leopard as well as PowerPC!

I feel the need to ask for patience as this week we got bombarders by a lot of updates. Dovecot did a major upgrade to 2.1, Apache released a major upgrade to 2.4, postfix released 2.9.1 a small bugfix and MySQL released 5.5.21.

I need to compile, test and adjust everything where necessary and as you might understand with major upgrade there is more going on then just a compile, run and test. There are new configuration options to be evaluated and older ones deprecated that might need a new one or a workaround for lost functionality.

So I’m working on it but it take a bit longer then usual…

The Apache team have released a security update to the popular webserver. This version of Apache is a security and bug fix release. I strongly suggest you should upgrade to this latest version as it solves the following securtiy issues:

• SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations.
• SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.
• SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations.
• SECURITY: CVE-2012-0021 (cve.mitre.org) mod_log_config: Fix segfault (crash) when the ‘%{cookiename}C’ log format string is in use and a client sends a nameless, valueless cookie, causing
  a denial of service. The issue existed since version 2.2.17.
• SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process could cause the parent to crash at shutdown rather than terminate cleanly.
• SECURITY: CVE-2012-0053 (cve.mitre.org) Fixed an issue in error responses that could expose “httpOnly” cookies when no custom ErrorDocument is specified for status code 400.

If you’ve forgotten how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache