Apache HTTP Server 2.0.63 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the legacy release of version 2.0.63 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.63 as compared to 2.0.61 (2.0.62 was not released). This Announcement2.0 document may also be available in multiple languages at: http://www.apache.org/dist/httpd/ This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed: * CVE-2007-6388 (cve.mitre.org) mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available. * CVE-2007-5000 (cve.mitre.org) mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible. Please see the CHANGES_2.0.63 file in this directory for a full list of changes for this version. This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache 2.0 available and encourage users of all prior versions to upgrade. This release includes the Apache Portable Runtime library suite release version 0.9.17, bundled with the tar and zip distributions. These libraries; libapr, libaprutil, and on Win32, libapriconv must all be updated to ensure binary compatibility and address many known platform bugs. Apache HTTP Server 2.0.63 is available for download from http://httpd.apache.org/download.cgi Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes. A condensed list, CHANGES_2.0.63 provides the complete list of changes since 2.0.61. Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see http://httpd.apache.org/docs/2.0/new_features_2_0.html When upgrading or installing this version of Apache, please keep in mind the following: If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please refer to the documentation of these modules and libraries to obtain this information. Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced after 2.0 please see http://httpd.apache.org/docs/2.2/new_features_2_2.html We consider Apache 2.2 to be the best available version at the time of this release. We offer Apache 2.0.63 as the best legacy version of Apache 2.0 available. Users should first consider upgrading to the current release of Apache 2.2 instead.