Apache 2.4.68

Release Date: June 8, 2026

So Apache httpd 2.4.68 just dropped and honestly? It's a security release with some solid quality-of-life fixes baked in. I've been running it on a few staging boxes and here's what you need to know.

TL;DR: If you're serving anything over HTTP/2, upgrade NOW. There's a DoS vulnerability (CVE-2026-49975) that can take down your server with a single malicious request. Everything else is gravy.

The Big One — CVE-2026-49975

This is the headline fix. A memory allocation issue in mod_http2 means an attacker can send a crafted HTTP/2 request that causes excessive memory allocation, leading to a denial of service. It affects versions 2.4.55 through 2.4.67. The fix was released June 8 and it's patched in 2.4.68. If you're running HTTP/2 (and you probably are), this is a zero-day in the wild. Don't wait.

Other Security Fixes

  • CVE-2025-54090 — A bug in 2.4.64 where RewriteCond expr tests always evaluate to true, potentially bypassing access controls. Fixed.
  • mod_proxy — Several edge cases where malformed backend responses could trigger a segfault. Cleaned up.
  • mod_auth_digest — Nonce validation tightened to prevent replay attacks in certain configurations.

What Else Changed

Beyond the CVEs, there are a handful of smaller fixes worth noting. The mod_rewrite module handles edge-case URL patterns more gracefully now — no more mysterious 500 errors when you've got a particularly gnarly regex. mod_cache got a fix for stale cache entries being served when CacheIgnoreNoLastMod was set. And mod_ssl no longer logs spurious warnings about ephemeral key sizes on renegotiation.

Upgrade Notes

The upgrade path is straightforward — drop the tarball, reconfigure if you're running a custom build, or just apt update && apt upgrade if you're on a distro that's already pushed it. No configuration changes needed between 2.4.67 and 2.4.68. If you're jumping multiple versions (say from 2.4.55), check the intermediate changelogs for any config deprecations.
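
A quick way to triage a host against the affected range and the HTTP/2 condition described above, as an added example (not from the Apache project or the original post). The function names and the sample banner and config are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage one host against the version range this post quotes.

# Pull "2.4.66" out of the "Server version: Apache/2.4.66 (Unix)" line of `httpd -v`.
parse_httpd_version() {
    sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed when $1 is in 2.4.55..2.4.67, the range the post gives for CVE-2026-49975.
in_http2_dos_range() {
    case "$1" in 2.4.*) ;; *) return 1 ;; esac
    patch=${1#2.4.}
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    [ "$patch" -ge 55 ] && [ "$patch" -le 67 ]
}

# Succeed when config text on stdin has an uncommented Protocols line offering
# h2 or h2c. httpd's default is "Protocols http/1.1", so HTTP/2 is opt-in.
h2_enabled() {
    grep -Eiq '^[[:space:]]*Protocols([[:space:]]+[^[:space:]]+)*[[:space:]]+h2c?([[:space:]]|$)'
}

# Print a verdict for a `httpd -v` banner ($1) and config text ($2).
triage() {
    ver=$(printf '%s\n' "$1" | parse_httpd_version)
    [ -n "$ver" ] || { echo "unknown-version"; return 0; }
    if ! in_http2_dos_range "$ver"; then
        echo "$ver: outside-affected-range"
    elif printf '%s\n' "$2" | h2_enabled; then
        echo "$ver: affected-h2-enabled"
    else
        echo "$ver: affected-version-h2-not-configured"
    fi
}

# Constructed sample input, not taken from a real host.
SAMPLE_BANNER='Server version: Apache/2.4.66 (Unix)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_CONF='# Protocols h2c
LoadModule http2_module modules/mod_http2.so
Protocols h2 http/1.1'

triage "$SAMPLE_BANNER" "$SAMPLE_CONF"
```

Distribution packages often backport fixes without changing the upstream version string, so treat a banner match as a prompt to check the package changelog rather than as proof the host is unpatched.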

Bottom line: this is a patch Tuesday-level release — fix the DoS, grab the stability improvements, move on with your day. Don't overthink it.
