Latest Stable
2.4.67
Released 04 May 2026
(30 days ago)
Software
Apache HTTP Server
IntroductionThe Apache HTTP Server, developed by the Apache Software Foundation, is a highly popular, open-source web server known for its security, flexibility, and robust performance. Written in C, it supports cross-platform environments and offers rich module systems, powering a significant portion of the global web infrastructure since 1995.
VendorApache Software Foundation
Designed byRobert McCool
Written inC
PlatformCross-platform
Operating systemCross-platform
TypeWeb server
Repositoryhttps://github.com/apache/httpd
Websitehttps://httpd.apache.org
Support policyhttps://httpd.apache.org/support.html
Security policyhttps://httpd.apache.org/security_report.html
LicenseApache License 2.0
SEE ALSO: NGINX OSS PostgreSQL Docker Engine HAProxy WordPress MariaDB MySQL Kubernetes
LATEST RELEASES:
2.4.67 04 May 2026 (30 days ago)
2.4.67-rc2-candidate 28 Apr 2026 (1 month ago)
2.4.67-rc1-candidate 26 Apr 2026 (1 month ago)
2.4.66 04 Dec 2025 (5 months ago)
2.4.66-rc1-candidate 01 Dec 2025 (6 months ago)

All Releases

Apache HTTP Server support lifecycle 2002 2005 2010 2015 2020 2025 2.4 Version: 2.4 Status: Supported Security support end: 2012-02-21 to TBD Version: 2.4 Status: Supported Security support end: TBD + Version: 2.4 Status: Supported Security support end: 2012-02-21 to TBD 2.2 Version: 2.2 Status: EOL Security support end: 2005-12-01 to 2017-07-11 Version: 2.2 Status: EOL Security support end: 2005-12-01 to 2017-07-11 2.0 Version: 2.0 Status: EOL Security support end: 2002-04-05 to 2013-07-10 Version: 2.0 Status: EOL Security support end: 2002-04-05 to 2013-07-10 Today: 2026-06-03 Today: 2026-06-03 Security support end + Ongoing (TBD)
VersionStatusInitial releaseLatest releaseSecurity support end
2.4
Supported		2.4.0
21 Feb 2012
(14 years ago)		2.4.67
04 May 2026
(30 days ago)		TBD
(Supported)
2.2
End of life		2.2.0
01 Dec 2005
(20 years ago)		2.2.34
06 Jul 2017
(8 years ago)		11 Jul 2017
(Ended 8 years, 10 months ago)
2.0
End of life		2.0.1
05 Apr 2002
(24 years ago)		2.0.65
28 Jun 2013
(12 years ago)		10 Jul 2013
(Ended 12 years, 10 months ago)
1.3
End of life		1.3.0
01 Jun 1998
(28 years ago)		1.3.42
02 Feb 2010
(16 years ago)		03 Feb 2010
(Ended 16 years, 4 months ago)

Apache HTTP Server Odd-Even Branch Strategy and GA Release Windows

Apache HTTP Server follows an odd-even minor version strategy: odd-numbered minor releases (2.1, 2.3, 2.5) are development branches, while even-numbered minor releases (2.2, 2.4, 2.6) are General Availability (GA) stable branches intended for production use. Only GA branches receive active maintenance and security patches.

Each development branch progresses through alpha and beta phases before stabilizing into its corresponding GA release. For example, the 2.5 development tree in trunk is slated to graduate as the 2.6 GA branch. This means operators should only track even-numbered minor versions when planning production deployments.

Apache does not publish a fixed support duration window or a rolling LTS program. A GA branch remains supported as long as the project actively maintains it -- as shown in the release table above, this can span well over a decade. A branch reaches End of Life when the project ceases issuing security advisories and patch releases for it.

Branch Type Minor Version Pattern Purpose Production Ready
Development Odd (2.1, 2.3, 2.5...) Alpha/Beta testing, new feature incubation No
General Availability Even (2.2, 2.4, 2.6...) Stable production releases with security support Yes

The patch version (the third number, e.g. 2.4.67) increments with each bugfix or security release within a GA branch. Apache does not retire patch releases -- the latest patch within the current stable branch is always the recommended version.

For official release policy details, see the Apache HTTP Server Release Guidelines.

Unpatched CVEs and Module Compatibility Decay on EOL httpd Branches

Running an EOL Apache httpd branch means accepting a growing backlog of unpatched CVEs, with no official fix path from the project. Apache's security team publishes advisories against the current stable branch only -- vulnerabilities disclosed after a branch's EOL date will never receive an official patch for that branch.

Apache httpd's module ecosystem (both bundled modules like mod_ssl, mod_proxy, and third-party DSOs) evolves alongside the active branch. Modules built against or dependent on APIs from an EOL branch may silently misbehave as upstream libraries (OpenSSL, APR, PCRE) release breaking changes. The Apache Portable Runtime (APR) and APR-util libraries that httpd depends on follow their own release cycle, and EOL httpd versions may fall out of compatibility with current APR releases.

TLS configuration is a concrete area of decay. An EOL httpd branch may lack support for current cipher suites, TLS 1.3 handshake behaviors, or certificate validation improvements introduced in newer OpenSSL versions. In practice, this creates a compound exposure: the web server itself is unpatched, and its TLS stack may silently negotiate weaker parameters than intended.

Reverse proxy and load balancing configurations (mod_proxy_balancer, mod_proxy_http2) are also affected -- backend protocol assumptions baked into older branches may diverge from current backend server expectations, producing subtle interoperability failures rather than hard errors.

Feature Freeze and Patch Cessation: What EOL Means for an httpd Branch

When an Apache httpd branch reaches End of Life, the project stops issuing security advisories, patch releases, and CVE fixes for that branch. There is no grace period, no commercial extended support from Apache itself, and no backporting of fixes from the current stable branch.

The source code remains available in the Apache SVN repository and GitHub mirror, but it is frozen in time. No commits flow into the EOL branch. If a new vulnerability is disclosed that affects both the EOL branch and the current stable branch, only the current stable branch receives the official fix.

Activity Active GA Branch EOL Branch
Security advisories Yes No
Bugfix patch releases Yes No
CVE acknowledgment Yes No
Module API compatibility Maintained within branch No guarantees
Source code availability Yes (active) Yes (frozen)

For migration, the upgrade path is to the current stable GA branch -- as shown in the release table above. Because Apache httpd maintains module API compatibility within a GA branch (e.g., modules compatible with 2.4.1 remain compatible with later 2.4.x releases), the main migration effort involves reviewing configuration syntax changes and deprecated directives between major branches. The official Upgrading to 2.4 from 2.2 guide documents the breaking directive changes between branches.

Some Linux distributions (RHEL, Ubuntu LTS) ship patched builds of older httpd branches with vendor-backported security fixes beyond the upstream EOL date. This is distribution-specific extended support, not Apache project support -- the vendor's patch set, not the upstream branch, defines what is actually fixed.

CLI and Server-Status Methods for Identifying Your Running httpd Version

The fastest way to check the Apache HTTP Server version is via the command line using the httpd or apache2 binary with the -v flag.

Standard version check

httpd -v
# or on Debian/Ubuntu-based systems:
apache2 -v

This outputs the server version and the build date. To also see compiled-in modules and build flags:

httpd -V
# or:
apache2 -V

Check version on a running server via mod_status

If mod_status is enabled, the server version appears in the Server header and in the status page:

curl -I http://localhost/
# Look for: Server: Apache/2.4.x (platform)

Check via package manager (Linux)

# RHEL / CentOS / Fedora
rpm -q httpd

# Debian / Ubuntu
dpkg -l apache2

Note that the package manager version reflects the distribution's packaged version, which may differ from upstream due to vendor backports. The binary -v flag reflects the actual compiled version string.

Windows (XAMPP / manual installs)

httpd.exe -v

FAQ -- Apache HTTP Server Support and EOL

Does Apache HTTP Server have an LTS (Long Term Support) program?
Apache HTTP Server does not have a formally named LTS program. Instead, a GA (General Availability) branch receives security patches and bugfixes for as long as the project actively maintains it -- which historically has been over a decade per branch, as shown in the release table above. There is only ever one actively supported GA branch at a time.

What is the difference between a development branch and a stable branch in Apache httpd?
Apache uses an odd-even minor version convention. Odd minor versions (2.3, 2.5) are development branches used for feature development and alpha/beta testing -- they are not production-ready. Even minor versions (2.2, 2.4) are stable GA branches suitable for production. Only GA branches receive official security patches.

How do I know if my Apache httpd version is still receiving security patches?
Check the release table on the official download page at httpd.apache.org/download.cgi or the endoflife.date tracker. If your minor version is not listed as the current stable branch, it is EOL. Also verify you are on the latest patch release within the stable branch, as older patch releases within an active branch are superseded.

Can I stay on an EOL Apache httpd version if my Linux distribution still patches it?
Some distributions (RHEL, Ubuntu LTS) backport security fixes to older httpd branches beyond upstream EOL, providing coverage within their own support lifecycle. If your distribution is still in active support and actively backporting httpd patches, you may have coverage -- but this is vendor-specific and should be confirmed with your distribution's security advisories, not assumed from upstream EOL status alone.

Do I need to reconfigure everything when upgrading between Apache httpd major branches?
Configuration syntax and available directives can change between GA branches. The Apache project documents breaking changes in the official upgrade guides -- for example, several directives changed behavior or were removed between the 2.2 and 2.4 branches. Within a GA branch (e.g., any 2.4.x to a later 2.4.y), the module API and directive compatibility is maintained, making patch-level upgrades straightforward.