Apache HTTP Server 2.2.6 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.6 of the Apache HTTP Server ("Apache").

This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed:

  • CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144.
  • CVE-2007-1863: mod_cache: Prevent a segmentation fault if attributes are listed in a Cache-Control header without any value.
  • CVE-2007-3304: prefork, worker, event MPMs: Ensure that the parent process cannot be forced to kill processes outside its process group.
  • CVE-2006-5752: mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection". Reported by Stefan Esser.
  • CVE-2006-1862: mod_mem_cache: Copy headers into longer lived storage; header names and values could previously point to cleaned up storage. PR 41551.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

 

 

Apache HTTP Server 2.0.61 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the legacy release of version 2.0.61 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.61 as compared to 2.0.59 (there was no 2.0.60). This Announcement2.0 document may also be available in multiple languages at:

http://www.apache.org/dist/httpd/

This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed:

  • CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144.
  • CVE-2007-1863: mod_cache: Prevent segmentation fault if a Cache-Control header has no value.
  • CVE-2006-5752: mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection". Reported by Stefan Esser.
  • CVE-2007-3304: prefork, worker MPMs: Ensure that the parent process cannot be forced to kill processes outside its process group.

This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.

This release includes the Apache Portable Runtime library suite release version 0.9.16, bundled with the tar and zip distributions. These libraries (libapr, libaprutil, and, on Win32, libapriconv) must all be updated to ensure binary compatibility and address many known platform bugs.

 

 

 

Apache HTTP Server 1.3.39 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 1.3.39 of the Apache HTTP Server ("Apache"). This Announcement notes the significant change in 1.3.39 as compared to 1.3.37 (1.3.38 was not released).

This version of Apache is a security fix release only.

  • CVE-2006-5752: mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection".
  • CVE-2007-3304: Ensure that the parent process cannot be forced to kill non-child processes by checking scoreboard PID data against the parent process's privately stored PID data.

Please note that the ability to exploit this issue depends on running untrusted third-party modules or untrusted server-side code.

Apache 1.3.39 is the current stable release of the Apache 1.3 family. We strongly recommend that users of all earlier versions, including 1.3 family releases, upgrade to the current 2.2 version as soon as possible.

We recommend Apache version 1.3.39 for users who require a third-party module that is not yet available as an Apache 2.x module. Modules compiled for Apache 2.x are not compatible with Apache 1.3, and modules compiled for Apache 1.3 are not compatible with Apache 2.x.

 
