Apache HTTP Server 1.3.41 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 1.3.41 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 1.3.41 as compared to 1.3.39 (1.3.40 was not released).

This version of Apache is a security fix release only.

Please note that the ability to exploit this issue depends on running untrusted third-party modules or untrusted server-side code.

Apache 1.3.41 is the current stable release of the Apache 1.3 family. We strongly recommend that users of all earlier versions, including 1.3 family releases, upgrade to the current 2.2 version as soon as possible.

We recommend Apache version 1.3.41 for users who require a third-party module that is not yet available as an Apache 2.x module. Modules compiled for Apache 2.x are not compatible with Apache 1.3, and modules compiled for Apache 1.3 are not compatible with Apache 2.x.

Apache 1.3.41 is available for download from

http://httpd.apache.org/download.cgi

Please see the CHANGES_1.3 file, linked from the above page, for a full list of changes. A condensed list, CHANGES_1.3.41, provides the complete list of changes since 1.3.39.

This service utilizes the network of mirrors listed at:

http://www.apache.org/mirrors/

Binary distributions may be available for your specific platform from

http://www.apache.org/dist/httpd/binaries/

Binaries distributed by the Apache HTTP Server Project are provided as a courtesy by individual project contributors. The project makes no commitment to release the Apache HTTP Server in binary form for any particular platform, nor on any particular schedule.

IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS variants. While the ports to non-Unix platforms (such as Win32, Netware or OS2) will function for some applications, Apache 1.3 is not designed for these platforms. Apache 2 was designed from the ground up to address security, stability, or performance issues across all modern operating systems. Users of any non-Unix ports are strongly cautioned to move to Apache 2.

The Apache project no longer distributes non-Unix platform binaries from the main download pages for Apache 1.3. If absolutely necessary, a binary may be available at http://archive.apache.org/dist/httpd/.

Apache is the most popular web server in the known universe; over 2/3 of the servers on the Internet run Apache HTTP Server, or one of its variants.

Apache 1.3.41 Major changes

Security vulnerabilities

The main security vulnerabilities addressed in 1.3.41 are:

CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason.
CVE-2007-5000 (cve.mitre.org)
mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. With Apache 1.3, the denial of service vulnerability applies only to the Windows and NetWare platforms.
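
The mod_status fix listed above comes down to refusing any refresh value that is not purely numeric before it is echoed back in a response. The following is an added example of such a check in C, not the Apache project's code; the function name parse_refresh and the REFRESH_MAX bound are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define REFRESH_MAX 86400L  /* assumed upper bound (one day), not from the page */

/* Hypothetical helper: extract refresh=<n> from a query string.
 * Returns 1 and stores the value only when it consists solely of
 * decimal digits and lies in [1, REFRESH_MAX]; returns 0 otherwise,
 * in which case the caller should emit no Refresh header at all. */
int parse_refresh(const char *args, long *out)
{
    static const char key[] = "refresh=";
    const char *p, *q;
    char *end;
    long v;

    if (args == NULL || out == NULL)
        return 0;
    /* Accept the key only at the start of the string or right after '&'. */
    for (p = args; (p = strstr(p, key)) != NULL; p += sizeof(key) - 1) {
        if (p == args || p[-1] == '&')
            break;
    }
    if (p == NULL)
        return 0;
    p += sizeof(key) - 1;

    /* Every byte up to '&' or the end of the string must be a digit. */
    for (q = p; *q != '\0' && *q != '&'; q++) {
        if (!isdigit((unsigned char)*q))
            return 0;
    }
    if (q == p)
        return 0;               /* "refresh=" with no value */

    errno = 0;
    v = strtol(p, &end, 10);
    if (errno == ERANGE || end != q || v < 1 || v > REFRESH_MAX)
        return 0;
    *out = v;
    return 1;
}
```

Rejecting the whole parameter, rather than trimming it at the first non-digit, keeps any attacker-supplied suffix out of the response header.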