The Apache Software Foundation and the Apache HTTP Server Project announced the release of new Apache HTTP servers, versions 1.3.41, 2.0.63 and 2.2.8. The new releases fix a number of security issues.
Apache HTTP Server 1.3.41 issues:
CVE-2007-6388
mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.
CVE-2007-5000
mod_imap: Fix cross-site scripting issue. A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.
CVE-2007-3847
mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. With Apache 1.3, the denial of service vulnerability applies only to the Windows and NetWare platforms.
Apache HTTP Server 2.0.63 issues:
CVE-2007-6388
mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.
CVE-2007-5000
mod_imap: Fix cross-site scripting issue. A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.
Apache HTTP Server 2.2.8 issues:
CVE-2007-6421
mod_proxy_balancer: Correctly escape the worker route and the worker redirect string in the HTML output of the balancer manager. Reported by SecurityReason.
A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, a cross-site scripting attack against an authorized user is possible.
CVE-2007-6422
Prevent crash in balancer manager if invalid balancer name is passed as parameter. Reported by SecurityReason.
A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, an authorized user could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module.
CVE-2007-6388
mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.
CVE-2007-5000
mod_imap: Fix cross-site scripting issue. A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.