This release updates Apache HTTP Server to v2.4.67, addressing multiple security vulnerabilities and shipping dependency upgrades.

Security Fixes

• CVE-2026-34059: Heap over-read and memory disclosure in mod_proxy_ajp via ajp_parse_data()
• CVE-2026-34032: Heap buffer over-read in mod_proxy_ajp due to missing null-termination check in ajp_msg_get_string()
• CVE-2026-33857: Off-by-one out-of-bounds reads in AJP getter functions (mod_proxy_ajp)
• CVE-2026-33523: HTTP response splitting via malicious status line forwarding across multiple modules
• CVE-2026-33007: Crash in mod_authn_socache via NULL pointer dereference (forward proxy configurations)
• CVE-2026-33006: Timing attack bypass against mod_auth_digest authentication
• CVE-2026-29169: Crash via NULL pointer dereference in mod_dav_lock (indirect lock handling)
• CVE-2026-29168: Unrestricted OCSP response processing in mod_md (resource exhaustion)
• CVE-2026-28780: Heap-based buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
• CVE-2026-24072: Privilege escalation via ap_expr in mod_rewrite (.htaccess)
• CVE-2026-23918: Double free and possible RCE in HTTP/2 on early stream reset

Module updates:

• mod_md updated to v2.6.10 (fixes ARI compatibility, OCSP handling, and certificate renewal reliability)
• mod_http2 updated to v2.0.39 (removes custom memory allocator that caused issues with third-party modules; fixes double-free on stream purge)

Fixed

• Resolved missing ${SRVROOT} entries in conf\extra\httpd-ssl.conf