
[ANNOUNCEMENT] Apache HTTP Server 2.0.63 (2.2.8, 1.3.41) Released
Apache HTTP Server 2.0.63 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the legacy release of version 2.0.63 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.63 as compared to 2.0.61 (2.0.62 was not released). This Announcement2.0 document may also be available in multiple languages at:

http://www.apache.org/dist/httpd/

This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed:

* CVE-2007-6388 (cve.mitre.org)
  mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason.

  A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.
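The mod_status entry above describes the fix as ensuring the refresh parameter is numeric before it is reflected into the response. The following Python snippet is an added illustration of that kind of check, not the mod_status source: the function names, the query-string handling and the header dictionary are assumptions, and the sample query strings are constructed for the example. It accepts only an ASCII digit string as the refresh interval and otherwise omits the Refresh header entirely, so a value shaped like a URL, an empty value, or a non-ASCII digit can never reach the header.

```python
"""Numeric-only validation for a status page "refresh" query parameter.

Added example of the check described for CVE-2007-6388 (not the project's
code). A status page that turns a user-supplied "refresh" value into a
Refresh response header must accept only an integer number of seconds.
"""
from urllib.parse import parse_qs


def refresh_seconds(query_string: str):
    """Return the refresh interval as an int, or None if absent or invalid.

    Only a string of ASCII digits is accepted. Anything else (a URL, an
    empty value, whitespace, a sign, a non-ASCII digit) is rejected, so the
    value can never change the meaning of the Refresh header.
    """
    values = parse_qs(query_string, keep_blank_values=True).get("refresh")
    if not values:
        return None
    raw = values[0]
    # str.isdigit() alone also accepts Unicode digits such as U+0665;
    # isascii() restricts the check to 0-9.
    if not raw or not raw.isascii() or not raw.isdigit():
        return None
    return int(raw)


def status_headers(query_string: str) -> dict:
    """Build the response headers for a status page request (assumed names).

    The Refresh header is emitted only when refresh_seconds() accepted the
    parameter, so its value is always rebuilt from an int, never copied
    from the request.
    """
    headers = {"Content-Type": "text/html; charset=ISO-8859-1"}
    seconds = refresh_seconds(query_string)
    if seconds is not None:
        headers["Refresh"] = str(seconds)
    return headers


if __name__ == "__main__":
    # Constructed sample query strings: a valid interval, a percent-encoded
    # "5;url=..." value, an empty value and a non-numeric value.
    samples = (
        "refresh=5",
        "refresh=5%3Burl%3Dhttp%3A%2F%2Fexample.invalid%2F",
        "refresh=",
        "refresh=abc",
    )
    for qs in samples:
        print(repr(qs), "->", status_headers(qs))
```

The important design point is that the accepted value is re-serialised from an integer rather than echoed back; whether the input is rejected or not, nothing from the raw parameter ever appears verbatim in a header or in the page body.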

* CVE-2007-5000 (cve.mitre.org)
  mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.

  A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.

Please see the CHANGES_2.0.63 file in this directory for a full list of changes for this version.

This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache 2.0 available and encourage users of all prior versions to upgrade.

This release includes the Apache Portable Runtime library suite release version 0.9.17, bundled with the tar and zip distributions. These libraries (libapr, libaprutil, and on Win32, libapriconv) must all be updated to ensure binary compatibility and address many known platform bugs.

Apache HTTP Server 2.0.63 is available for download from

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes. A condensed list, CHANGES_2.0.63, provides the complete list of changes since 2.0.61.

Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see

http://httpd.apache.org/docs/2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep in mind the following: If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please refer to the documentation of these modules and libraries to obtain this information.

Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced after 2.0 please see

http://httpd.apache.org/docs/2.2/new_features_2_2.html

We consider Apache 2.2 to be the best available version at the time of this release. We offer Apache 2.0.63 as the best legacy version of Apache 2.0 available. Users should first consider upgrading to the current release of Apache 2.2 instead.