Security fixes in new Apache HTTP Server versions 1.3.41, 2.0.63 and 2.2.8

The Apache Software Foundation and the Apache HTTP Server Project announced the release of new Apache HTTP servers, versions 1.3.41, 2.0.63 and 2.2.8. The new releases fix a number of security issues.



Apache HTTP Server 1.3.41 issues:

CVE-2007-6388

mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages are publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice not to make it publicly available.
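
The mod_status fix above comes down to accepting the refresh parameter only when it is a plain number. A sketch of that kind of check follows as an added example; it is not Apache's own code, and the function names, the 3600-second cap and the sample query strings are assumptions of this example:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_REFRESH 3600L  /* cap in seconds; an assumption of this example */

/* Return the refresh interval from a raw query string such as "auto&refresh=5",
 * or -1 if it is absent or not a plain decimal number in range. */
long parse_refresh(const char *query)
{
    static const char key[] = "refresh";
    const size_t klen = sizeof(key) - 1;
    const char *p = query;
    while (p != NULL && *p != '\0') {
        size_t len = strcspn(p, "&");   /* length of one name=value pair */
        if (len > klen + 1 && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            long n = 0;
            for (size_t i = klen + 1; i < len; i++) {
                if (!isdigit((unsigned char)p[i]))
                    return -1;          /* rejects signs, ';', spaces, letters */
                n = n * 10 + (p[i] - '0');
                if (n > MAX_REFRESH)
                    return -1;          /* range check, also prevents overflow */
            }
            return n;
        }
        p += len;                       /* skip to the next pair */
        if (*p == '&')
            p++;
    }
    return -1;
}

/* Build the header value from the parsed number, never from the raw request
 * text. Returns 0 on success, -1 if no Refresh header should be sent. */
int format_refresh(const char *query, char *buf, size_t buflen)
{
    long n = parse_refresh(query);
    if (n < 0)
        return -1;
    int w = snprintf(buf, buflen, "%ld", n);
    return (w > 0 && (size_t)w < buflen) ? 0 : -1;
}

int main(void)
{
    char buf[16];                       /* query strings below are constructed */
    printf("%d\n", format_refresh("auto&refresh=30", buf, sizeof buf));
    printf("%d\n", format_refresh("refresh=30;x", buf, sizeof buf));
    return 0;
}
```

Because the output is re-formatted from the parsed integer, nothing from the request other than digits can reach the response.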

CVE-2007-5000

mod_imap: Fix cross-site scripting issue. A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.

CVE-2007-3847

mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. With Apache 1.3, the denial of service vulnerability applies only to the Windows and NetWare platforms.

Apache HTTP Server 2.0.63 issues:

CVE-2007-6388

mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages are publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice not to make it publicly available.

CVE-2007-5000

mod_imap: Fix cross-site scripting issue. A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.

Apache HTTP Server 2.2.8 issues:

CVE-2007-6421

mod_proxy_balancer: Correctly escape the worker route and the worker redirect string in the HTML output of the balancer manager. Reported by SecurityReason.

A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, a cross-site scripting attack against an authorized user is possible.

CVE-2007-6422

Prevent crash in balancer manager if invalid balancer name is passed as parameter. Reported by SecurityReason.

A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, an authorized user could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module.

CVE-2007-6388

mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages are publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice not to make it publicly available.

CVE-2007-5000

mod_imap: Fix cross-site scripting issue. A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.
