Release Notes: This release is intended as the final release of version 1.3 of the Apache HTTP Server, which has reached end-of-life status. It fixes a security issue in mod_proxy in order to prevent chunk-size integer overflows on platforms where sizeof(int) < sizeof(long).
Release Notes: A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly accessible, a cross-site scripting attack was possible. A flaw was also found in the mod_imap module. On sites where mod_imap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible.
Release Notes: This version of Apache is a security fix release only. A possible XSS attack against a site with a public server-status page and ExtendedStatus enabled was fixed. Apache now ensures that the parent process cannot be forced to kill non-child processes by checking the scoreboard PID data against PID data stored privately by the parent process.
Release Notes: This version is principally a bug and security fix release.
Release Notes: This release fixes a potential buffer overflow with escaped characters in the SSI tag string. Responses from a remote server are now rejected if they carry an invalid (negative) Content-Length. Additionally, this release fixes query string handling for proxied URLs, a 0-byte write to a random memory position, nonce string calculation since 1.3.31 (which would force re-authentication for every connection if AuthDigestRealmSeed was not configured), and a trivial bug in mod_log_forensic that caused the child to segfault on certain invalid requests.
Release Notes: This release fixes the security vulnerability noted in CAN-2002-0839 regarding ownership permissions of System V shared memory-based scoreboards, the security vulnerability noted in CAN-2002-0840 regarding cross-site scripting in the default error page when using wildcard DNS, and the security vulnerability noted in CAN-2002-0843 regarding possible overflows in ab.c that could be exploited by a malicious server.
Release Notes: A 5-year-old potential NULL referencing problem was fixed in the CGI module. ap_strtol now ensures that a result value is set before it returns. Additionally, changes were made to address and close the security issues in CAN-2002-0392 (mitre.org) [CERT VU#944335].