httpd-announce mailing list archives

From Jim Jagielski <>
Subject [ANNOUNCEMENT] Apache HTTP Server 2.0.63 (2.2.8, 1.3.41) Released
Date Sat, 19 Jan 2008 17:02:21 GMT
                        Apache HTTP Server 2.0.63 Released

    The Apache Software Foundation and the Apache HTTP Server Project are
    pleased to announce the legacy release of version 2.0.63 of the
    HTTP Server ("Apache"). This Announcement notes the significant changes in
    2.0.63 as compared to 2.0.61 (2.0.62 was not released). This
    Announcement2.0 document may also be available in multiple languages at:


    This version of Apache is principally a bug and security fix release. The
    following potential security flaws are addressed:

      * CVE-2007-6388 (
        mod_status: Ensure refresh parameter is numeric to prevent
        a possible XSS attack caused by redirecting to other URLs.
        Reported by SecurityReason.

        A flaw was found in the mod_status module. On sites where  
        is enabled and the status pages were publicly accessible, a
        cross-site scripting attack is possible. Note that the server- 
        page is not enabled by default and it is best practice to not  
        this publicly available.

      * CVE-2007-5000 (
        mod_imagemap: Fix a cross-site scripting issue.  Reported by  

        A flaw was found in the mod_imap module. On sites where
        mod_imap is enabled and an imagemap file is publicly available, a
        cross-site scripting attack is possible.

    Please see the CHANGES_2.0.63 file in this directory for a full list
    of changes for this version.

    This release is compatible with modules compiled for 2.0.42 and
    versions. We consider this release to be the best version of Apache 2.0
    available and encourage users of all prior versions to upgrade.

    This release includes the Apache Portable Runtime library suite  
    version 0.9.17, bundled with the tar and zip distributions. These
    libraries; libapr, libaprutil, and on Win32, libapriconv must all be
    updated to ensure binary compatibility and address many known  

    Apache HTTP Server 2.0.63 is available for download from


    Please see the CHANGES_2.0 file, linked from the above page, for a full
    list of changes. A condensed list, CHANGES_2.0.63 provides the
    list of changes since 2.0.61.

    Apache 2.0 offers numerous enhancements, improvements, and  
    boosts over the 1.3 codebase. For an overview of new features  
    after 1.3 please see


    When upgrading or installing this version of Apache, please keep in mind
    the following: If you intend to use Apache with one of the threaded MPMs,
    you must ensure that the modules (and the libraries they depend on) that
    you will be using are thread-safe. Please refer to the documentation of
    these modules and libraries to obtain this information.

    Apache 2.2 offers numerous enhancements, improvements, and  
    boosts over the 2.0 codebase. For an overview of new features  
    after 2.0 please see


    We consider Apache 2.2 to be the best available version at the time of
    this release. We offer Apache 2.0.63 as the best legacy version of Apache
    2.0 available. Users should first consider upgrading to the current
    release of Apache 2.2 instead.
