Posted to announce@httpd.apache.org by Jim Jagielski <ji...@apache.org> on 2008/01/19 18:02:17 UTC

[ANNOUNCEMENT] Apache HTTP Server 1.3.41 (2.2.8, 2.0.63) Released

                        Apache HTTP Server 1.3.41 Released

    The Apache Software Foundation and the Apache HTTP Server Project are
    pleased to announce the release of version 1.3.41 of the Apache HTTP
    Server ("Apache"). This Announcement notes the significant changes in
    1.3.41 as compared to 1.3.39 (1.3.40 was not released).

    This version of Apache is principally a bug and security fix release.
    The following potential security flaws are addressed:

      * CVE-2007-6388 (cve.mitre.org)
        mod_status: Ensure refresh parameter is numeric to prevent
        a possible XSS attack caused by redirecting to other URLs.
        Reported by SecurityReason.

        A flaw was found in the mod_status module. On sites where mod_status
        is enabled and the status pages are publicly accessible, a
        cross-site scripting attack is possible. Note that the server-status
        page is not enabled by default and it is best practice not to make
        it publicly available.

      * CVE-2007-5000 (cve.mitre.org)
        mod_imap: Fix cross-site scripting issue.  Reported by JPCERT.

        A flaw was found in the mod_imap module. On sites where mod_imap is
        enabled and an imagemap file is publicly available, a cross-site
        scripting attack is possible.

      * CVE-2007-3847 (cve.mitre.org)
        mod_proxy: Prevent reading past the end of a buffer when parsing
        date-related headers.  PR 41144.
        With Apache 1.3, the denial of service vulnerability applies only
        to the Windows and NetWare platforms.

    Please see the CHANGES_1.3.41 file in this directory for a full list
    of changes for this version.

    Apache 1.3.41 is the current stable release of the Apache 1.3 family. We
    strongly recommend that users of all earlier versions, including 1.3
    family releases, upgrade to the current 2.2 version as soon as possible.

    We recommend the Apache 1.3.41 version for users who require a third
    party module that is not yet available as an Apache 2.x module. Modules
    compiled for Apache 2.x are not compatible with Apache 1.3, and modules
    compiled for Apache 1.3 are not compatible with Apache 2.x.

    Apache 1.3.41 is available for download from

            http://httpd.apache.org/download.cgi

    This service utilizes the network of mirrors listed at:

            http://www.apache.org/mirrors/

    Binary distributions may be available for your specific platform from

            http://www.apache.org/dist/httpd/binaries/

    Binaries distributed by the Apache HTTP Server Project are provided as a
    courtesy by individual project contributors. The project makes no
    commitment to release the Apache HTTP Server in binary form for any
    particular platform, nor on any particular schedule.

    IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS
    variants. While the ports to non-Unix platforms (such as Win32, Netware
    or OS2) will function for some applications, Apache 1.3 is not designed
    for these platforms. Apache 2 was designed from the ground up to address
    security, stability and performance issues across all modern operating
    systems. Users of any non-Unix ports are strongly cautioned to move to
    Apache 2.

    The Apache project no longer distributes non-Unix platform binaries from
    the main download pages for Apache 1.3. If absolutely necessary, a
    binary may be available at http://archive.apache.org/dist/httpd/.

    Apache is the most popular web server in the known universe; about 2/3
    of the servers on the Internet run Apache HTTP Server, or one of its
    variants.

Apache 1.3.41 Major changes

   Security vulnerabilities

    The main security vulnerabilities addressed in 1.3.41 are:

     CVE-2007-6388 (cve.mitre.org)
      mod_status: Ensure refresh parameter is numeric to prevent
      a possible XSS attack caused by redirecting to other URLs.
      Reported by SecurityReason.
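     The mod_status entry above, and its fuller description under "potential
     security flaws" earlier in this announcement, come down to one rule:
     a query parameter that is supposed to be a number must be validated as
     a number before it is copied into a response header. The C below is an
     added illustration written for this page, not mod_status code or the
     actual patch; the helper names (get_query_param,
     refresh_seconds_from_query, safe_refresh_header,
     unsafe_refresh_header_contains) and the query strings are constructed.
     It shows the echo-through pattern next to a digit-only check that
     rebuilds the header from the parsed integer.

```c
/* Added example, not Apache mod_status code: validating a "refresh" query
 * parameter before it reaches a Refresh: response header. Names and the
 * query strings below are constructed for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the value of ?name=value (first match) into out; returns 1 if found.
 * No percent-decoding is done: the whole-digit check below then rejects any
 * encoded form as well, which is the safe default for a numeric field. */
int get_query_param(const char *qs, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = qs;

    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);

        if (plen >= nlen + 1 && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            if (vlen >= outlen)
                vlen = outlen - 1;          /* truncate rather than overflow */
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Vulnerable pattern: the raw parameter is echoed into the header, so a
 * value such as "5;url=..." turns a refresh interval into a redirect.
 * Returns 1 if the built header contains needle (used to show the echo). */
int unsafe_refresh_header_contains(const char *qs, const char *needle)
{
    char val[256], hdr[300];

    if (!get_query_param(qs, "refresh", val, sizeof val))
        return 0;
    snprintf(hdr, sizeof hdr, "Refresh: %s", val);
    return strstr(hdr, needle) != NULL;
}

/* Hardened pattern: accept only 1..5 decimal digits in a sane range and
 * rebuild the header from the parsed integer, never from attacker text.
 * Returns the validated interval in seconds, or -1 if absent or invalid. */
long refresh_seconds_from_query(const char *qs)
{
    char val[256];
    size_t i, n;
    long secs = 0;

    if (!get_query_param(qs, "refresh", val, sizeof val))
        return -1;
    n = strlen(val);
    if (n == 0 || n > 5)                    /* bound the length before parsing */
        return -1;
    for (i = 0; i < n; i++) {
        if (!isdigit((unsigned char)val[i])) /* ';', '/', letters, %xx all fail */
            return -1;
        secs = secs * 10 + (val[i] - '0');
    }
    if (secs < 1 || secs > 86400)           /* 0 would refresh in a tight loop */
        return -1;
    return secs;
}

/* Build the header from the validated integer only; returns 1 on success. */
int safe_refresh_header(const char *qs, char *hdr, size_t hlen)
{
    long secs = refresh_seconds_from_query(qs);
    if (secs < 0)
        return 0;
    snprintf(hdr, hlen, "Refresh: %ld", secs);
    return 1;
}

int main(void)
{
    const char *bad = "refresh=5;url=http://example.invalid/"; /* constructed */
    char hdr[64];

    printf("unsafe echoes url= : %d\n", unsafe_refresh_header_contains(bad, "url="));
    printf("safe accepts bad   : %d\n", safe_refresh_header(bad, hdr, sizeof hdr));
    if (safe_refresh_header("refresh=30", hdr, sizeof hdr))
        printf("safe header        : %s\n", hdr);
    return 0;
}
```

     The point of rebuilding the header from the parsed integer rather than
     from a "cleaned" copy of the input is that there is then no path by
     which a stray ';' or URL can reach the client, whatever the module's
     own encoding rules turn out to be.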

     CVE-2007-5000 (cve.mitre.org)
      mod_imap: Fix cross-site scripting issue.  Reported by JPCERT.

     CVE-2007-3847 (cve.mitre.org)
      mod_proxy: Prevent reading past the end of a buffer when parsing
      date-related headers.  PR 41144.
      With Apache 1.3, the denial of service vulnerability applies only
      to the Windows and NetWare platforms.
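     The mod_proxy entry above (and the same entry in the first list of this
     announcement) describes a parser that read past the end of a buffer
     while handling a date-related header. The C below is an added
     illustration written for this page of the general fix for that class of
     bug, not the mod_proxy patch itself: the parser takes a (pointer,
     length) pair, checks the bytes remaining before every read, and reports
     truncated input as a parse failure instead of walking off the buffer.
     The function names (parse_rfc1123_date, rfc1123_ymd, rfc1123_hms) and
     the sample dates are constructed.

```c
/* Added example, not the mod_proxy fix itself: a length-checked parser for an
 * RFC 1123 date ("Sun, 06 Nov 1994 08:49:37 GMT") that works on a (pointer,
 * length) pair and refuses to read beyond it. Function names and sample
 * inputs are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct http_date { int year, mon, day, hour, min, sec; };

/* Cursor over a buffer that need not be NUL-terminated; every read is
 * preceded by a check of the bytes remaining. */
struct cursor { const char *p; size_t left; };

static int advance(struct cursor *c, size_t n)
{
    if (c->left < n)
        return -1;                  /* would run past the end of the buffer */
    c->p += n;
    c->left -= n;
    return 0;
}

/* Exactly n ASCII digits, or failure. */
static int take_digits(struct cursor *c, size_t n, int *out)
{
    int v = 0;
    size_t i;
    if (c->left < n)
        return -1;
    for (i = 0; i < n; i++) {
        if (c->p[i] < '0' || c->p[i] > '9')
            return -1;
        v = v * 10 + (c->p[i] - '0');
    }
    *out = v;
    return advance(c, n);
}

/* A literal such as ", " or " GMT". */
static int expect(struct cursor *c, const char *lit)
{
    size_t n = strlen(lit);
    if (c->left < n || memcmp(c->p, lit, n) != 0)
        return -1;
    return advance(c, n);
}

static int take_month(struct cursor *c, int *out)
{
    static const char names[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    int m;
    if (c->left < 3)
        return -1;
    for (m = 0; m < 12; m++) {
        if (memcmp(c->p, names + 3 * m, 3) == 0) {
            *out = m + 1;
            return advance(c, 3);
        }
    }
    return -1;
}

/* Parse buf[0..len) as an RFC 1123 date. Returns 0 and fills d on success,
 * -1 on malformed or truncated input; never touches buf[len] or beyond. */
int parse_rfc1123_date(const char *buf, size_t len, struct http_date *d)
{
    struct cursor c = { buf, len };

    if (advance(&c, 3))                 /* weekday name, not validated here */
        return -1;
    if (expect(&c, ", ") || take_digits(&c, 2, &d->day) || expect(&c, " ")
        || take_month(&c, &d->mon) || expect(&c, " ")
        || take_digits(&c, 4, &d->year) || expect(&c, " ")
        || take_digits(&c, 2, &d->hour) || expect(&c, ":")
        || take_digits(&c, 2, &d->min) || expect(&c, ":")
        || take_digits(&c, 2, &d->sec) || expect(&c, " GMT"))
        return -1;
    if (c.left != 0)                    /* trailing bytes are not a date */
        return -1;
    if (d->day < 1 || d->day > 31 || d->hour > 23 || d->min > 59 || d->sec > 60)
        return -1;
    return 0;
}

/* Convenience wrappers returning packed values, or -1 on failure. */
long rfc1123_ymd(const char *buf, size_t len)
{
    struct http_date d;
    if (parse_rfc1123_date(buf, len, &d))
        return -1;
    return (long)d.year * 10000 + d.mon * 100 + d.day;
}

long rfc1123_hms(const char *buf, size_t len)
{
    struct http_date d;
    if (parse_rfc1123_date(buf, len, &d))
        return -1;
    return (long)d.hour * 10000 + d.min * 100 + d.sec;
}

int main(void)
{
    /* A heap buffer holding only the first 20 bytes of a date, with no
     * terminator: a parser that trusts NUL termination would read past it. */
    const char *full = "Sun, 06 Nov 1994 08:49:37 GMT";
    char *partial = malloc(20);
    if (!partial)
        return 1;
    memcpy(partial, full, 20);

    printf("full    -> %ld\n", rfc1123_ymd(full, strlen(full)));
    printf("partial -> %ld\n", rfc1123_ymd(partial, 20));
    free(partial);
    return 0;
}
```

     Running the stand-alone main under a bounds checker (for example a
     sanitizer build) is the practical check: the 20-byte heap buffer has no
     terminator, so any over-read in the parser shows up immediately, while
     this version simply returns -1 for it.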

   Bugfixes addressed in 1.3.41 are:

     More efficient implementation of the CVE-2007-3304 PID table
     patch. This fixes excessive memory usage by a long-running parent
     process that forks a high number of child processes during its
     lifetime. It also fixes bogus "Bad pid" errors.