Posted to dev@httpd.apache.org by Jim Jagielski <ji...@jaguNET.com> on 2008/01/19 18:03:59 UTC

[ANNOUNCEMENT] Apache HTTP Server 2.0.63 (2.2.8, 1.3.41) Released

                        Apache HTTP Server 2.0.63 Released

    The Apache Software Foundation and the Apache HTTP Server Project are
    pleased to announce the legacy release of version 2.0.63 of the Apache
    HTTP Server ("Apache"). This Announcement notes the significant changes in
    2.0.63 as compared to 2.0.61 (2.0.62 was not released). This
    Announcement document may also be available in multiple languages at:

            http://www.apache.org/dist/httpd/

    This version of Apache is principally a bug and security fix release. The
    following potential security flaws are addressed:

      * CVE-2007-6388 (cve.mitre.org)
        mod_status: Ensure refresh parameter is numeric to prevent
        a possible XSS attack caused by redirecting to other URLs.
        Reported by SecurityReason.

        A flaw was found in the mod_status module. On sites where mod_status
        is enabled and the status pages were publicly accessible, a
        cross-site scripting attack is possible. Note that the server-status
        page is not enabled by default and it is best practice to not make
        this publicly available.

      * CVE-2007-5000 (cve.mitre.org)
        mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.

        A flaw was found in the mod_imap module. On sites where mod_imap is
        enabled and an imagemap file is publicly available, a cross-site
        scripting attack is possible.
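    The CVE-2007-6388 entry above describes the fix as making sure the
    mod_status refresh parameter is numeric. The following is an added
    illustration of that kind of input validation, written for this page; it
    is not the mod_status source and its names (find_refresh_param,
    parse_refresh_seconds, build_refresh_header) are hypothetical. It assumes
    the query-string value is echoed into a Refresh header, which is what the
    "redirecting to other URLs" wording suggests: only a short run of ASCII
    digits is accepted, so a value carrying a URL or any other text produces
    no header at all.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Accept the refresh value only if it is a non-empty run of ASCII digits
 * of bounded length. Whitespace, a second field, or a URL are rejected.
 * Illustrative check, not mod_status code. */
static int parse_refresh_seconds(const char *value, long *seconds)
{
    size_t len = strlen(value);
    if (len == 0 || len > 6)          /* at most 999999 seconds */
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)value[i]))
            return 0;
    *seconds = strtol(value, NULL, 10);
    return 1;
}

/* Locate the "refresh" parameter in a query string such as
 * "foo=bar&refresh=5" and copy its raw value into out (truncated to
 * outlen-1 bytes). Returns 1 when the parameter is present. Hypothetical
 * helper for this example. */
static int find_refresh_param(const char *query, char *out, size_t outlen)
{
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen >= 8 && strncmp(p, "refresh=", 8) == 0) {
            size_t vlen = plen - 8;
            if (vlen >= outlen)
                vlen = outlen - 1;
            memcpy(out, p + 8, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Build the Refresh header value from the query string. Returns 1 and
 * fills hdr when a purely numeric refresh parameter is present; returns 0
 * (meaning: send no Refresh header) in every other case. */
int build_refresh_header(const char *query, char *hdr, size_t hdrlen)
{
    char raw[64];
    long secs;
    if (!find_refresh_param(query, raw, sizeof raw))
        return 0;
    if (!parse_refresh_seconds(raw, &secs))
        return 0;                     /* non-numeric value: drop it */
    snprintf(hdr, hdrlen, "%ld; URL=/server-status?refresh=%ld", secs, secs);
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: one valid, one that smuggles a URL. */
    const char *samples[] = { "refresh=5", "refresh=5;URL=http://example.invalid/" };
    char hdr[128];
    for (size_t i = 0; i < 2; i++) {
        if (build_refresh_header(samples[i], hdr, sizeof hdr))
            printf("%-40s -> Refresh: %s\n", samples[i], hdr);
        else
            printf("%-40s -> rejected, no header\n", samples[i]);
    }
    return 0;
}
```

    The point of the structure is that the numeric value is re-emitted from
    the parsed integer rather than from the raw request string, so nothing
    the client supplied reaches the response header verbatim.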

    Please see the CHANGES_2.0.63 file in this directory for a full list
    of changes for this version.

    This release is compatible with modules compiled for 2.0.42 and later
    versions. We consider this release to be the best version of Apache 2.0
    available and encourage users of all prior versions to upgrade.

    This release includes the Apache Portable Runtime library suite release
    version 0.9.17, bundled with the tar and zip distributions. These
    libraries (libapr, libaprutil, and on Win32, libapriconv) must all be
    updated to ensure binary compatibility and address many known platform
    bugs.

    Apache HTTP Server 2.0.63 is available for download from

            http://httpd.apache.org/download.cgi

    Please see the CHANGES_2.0 file, linked from the above page, for a full
    list of changes. A condensed list, CHANGES_2.0.63, provides the complete
    list of changes since 2.0.61.

    Apache 2.0 offers numerous enhancements, improvements, and performance
    boosts over the 1.3 codebase. For an overview of new features introduced
    after 1.3 please see

            http://httpd.apache.org/docs/2.0/new_features_2_0.html

    When upgrading or installing this version of Apache, please keep in mind
    the following: If you intend to use Apache with one of the threaded MPMs,
    you must ensure that the modules (and the libraries they depend on) that
    you will be using are thread-safe. Please refer to the documentation of
    these modules and libraries to obtain this information.

    Apache 2.2 offers numerous enhancements, improvements, and performance
    boosts over the 2.0 codebase. For an overview of new features introduced
    after 2.0 please see

            http://httpd.apache.org/docs/2.2/new_features_2_2.html

    We consider Apache 2.2 to be the best available version at the time of
    this release. We offer Apache 2.0.63 as the best legacy version of Apache
    2.0 available. Users should first consider upgrading to the current
    release of Apache 2.2 instead.