2.0.62 (not released)

Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards

Apache 2.0.62 (not released) Changelog
  • SECURITY: CVE-2007-6388 (cve.mitre.org) mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. [Mark Cox, Joe Orton]
  • SECURITY: CVE-2007-5000 (cve.mitre.org) mod_imap: Fix a cross-site scripting issue. Reported by JPCERT. [Joe Orton]
  • Introduce the ProxyFtpDirCharset directive, allowing the administrator to identify a default, or specific servers or paths which list their contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]
  • log.c: Ensure Win32 resurrects its lost robust logger processes. [William Rowe]
  • mpm_winnt: Eliminate wait_for_many_objects. Allows the clean shutdown of the server when the MaxClients is higher then 257, in a more responsive manner [Mladen Turk, William Rowe]
  • Add explicit charset to the output of various modules to work around possible cross-site scripting flaws affecting web browsers that do not derive the response character set as required by RFC2616. One of these reported by SecurityReason [Joe Orton]
  • http_protocol: Escape request method in 405 error reporting. This has no security impact since the browser cannot be tricked into sending arbitrary method strings. [Jeff Trawick]
  • http_protocol: Escape request method in 413 error reporting. Determined to be not generally exploitable, but a flaw in any case. PR 44014 [Victor Stinner ]