Apache HTTP Server 2.0.63 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the legacy release of version 2.0.63 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in
   2.0.63 as compared to 2.0.61 (2.0.62 was not released). This
Announcement2.0 document may also be available in multiple languages at:


This version of Apache is principally a bug and security fix release. The
   following potential security flaws are addressed:

     * CVE-2007-6388 (cve.mitre.org)
       mod_status: Ensure refresh parameter is numeric to prevent
       a possible XSS attack caused by redirecting to other URLs.
       Reported by SecurityReason.

A flaw was found in the mod_status module. On sites where mod_status
       is enabled and the status pages were publicly accessible, a
cross-site scripting attack is possible. Note that the server- status page is not enabled by default and it is best practice to not make
       this publicly available.

     * CVE-2007-5000 (cve.mitre.org)
mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.

       A flaw was found in the mod_imap module. On sites where
mod_imap is enabled and an imagemap file is publicly available, a
       cross-site scripting attack is possible.

   Please see the CHANGES_2.0.63 file in this directory for a full list
   of changes for this version.

This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache 2.0
   available and encourage users of all prior versions to upgrade.

This release includes the Apache Portable Runtime library suite release
   version 0.9.17, bundled with the tar and zip distributions. These
   libraries; libapr, libaprutil, and on Win32, libapriconv must all be
updated to ensure binary compatibility and address many known platform

   Apache HTTP Server 2.0.63 is available for download from


Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes. A condensed list, CHANGES_2.0.63 provides the complete
   list of changes since 2.0.61.

Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced
   after 1.3 please see


When upgrading or installing this version of Apache, please keep in mind the following: If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please refer to the documentation of
   these modules and libraries to obtain this information.

Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced
   after 2.0 please see


We consider Apache 2.2 to be the best available version at the time of this release. We offer Apache 2.0.63 as the best legacy version of Apache
   2.0 available. Users should first consider upgrading to the current
   release of Apache 2.2 instead.

Reply via email to