We've a few security issues fixed recently that haven't made it out into releases from the ASF, but have made it out into releases from the various OS vendors. One issue is "important" severity, and public now for 10 days.
I don't watch this list much, are there other things holding up a release? If so, we ought to consider doing a 2.0.55 with just fixes for these issues over 2.0.54:

CAN-2005-2700 important: SSLVerifyClient bypass
A flaw in the mod_ssl handling of the "SSLVerifyClient" directive. This flaw would occur if a virtual host has been configured using "SSLVerifyClient optional" and further a directive "SSLVerifyClient required" is set for a specific location. For servers configured in this fashion, an attacker may be able to access resources that should otherwise be protected, by not supplying a client certificate when connecting.
public=20050830 [*** needs committing]

CAN-2005-2728 moderate: Byterange filter DoS
A flaw in the byterange filter would cause some responses to be buffered into memory. If a server has a dynamic resource such as a CGI script or PHP script which generates a large amount of data, an attacker could send carefully crafted requests in order to consume resources, potentially leading to a Denial of Service.
public=20050707 [committed]

CAN-2005-2088 moderate: HTTP Request Spoofing
A flaw occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, causing Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request. This could allow the bypass of web application firewall protection or lead to cross-site scripting (XSS) attacks.
public=20050611 [committed]

CAN-2005-1268 low: Malicious CRL off-by-one
An off-by-one stack overflow was discovered in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL).
public=200506085~ [committed]

CAN-2005-2491 low: PCRE overflow
An integer overflow flaw was found in PCRE, a Perl-compatible regular expression library included within httpd. A local user who has the ability to create .htaccess files could create a maliciously crafted regular expression in such a way that they could gain the privileges of an httpd child.
public=20050801 [*** needs committing]
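The CAN-2005-2088 entry above describes a request that carries both "Transfer-Encoding: chunked" and "Content-Length", so a hop that frames the body by one header and a hop that frames it by the other disagree about where the request ends. The following is an added example, not Apache httpd code and not part of the original message: it frames a constructed request both ways, reports whether the two views desynchronise, and applies the RFC 2616 section 4.4 rule (Content-Length is ignored when Transfer-Encoding is present) that a proxy should enforce before forwarding. The request bytes, the host name `example.test`, and the `/admin` path are constructed for illustration; the chunk decoder assumes no trailers.

```python
"""Request-framing ambiguity check (Transfer-Encoding vs Content-Length).

Added example for the CAN-2005-2088 class of request; not httpd code.
"""

CRLF = b"\r\n"


def parse_request(raw: bytes):
    """Split a raw request into (request_line, [(name, value)], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return request_line, headers, body


def framing_verdict(headers):
    """Classify how the body length is signalled."""
    has_te = any(n == "transfer-encoding" for n, _ in headers)
    has_cl = any(n == "content-length" for n, _ in headers)
    if has_te and has_cl:
        return "ambiguous"
    if has_te:
        return "chunked"
    if has_cl:
        return "content-length"
    return "none"


def dechunk(body: bytes):
    """Decode a chunked body; return (decoded, bytes left after the 0-chunk).

    Assumption: no trailer headers follow the terminating chunk.
    """
    out, pos = b"", 0
    while True:
        eol = body.index(CRLF, pos)
        size = int(body[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return out, body[pos + 2:]   # skip the empty line ending the body
        out += body[pos:pos + size]
        pos += size + 2                  # chunk data plus its trailing CRLF


def analyze(raw: bytes):
    """Frame the body by Content-Length and by chunking; report disagreement."""
    request_line, headers, body = parse_request(raw)
    report = {"request_line": request_line, "verdict": framing_verdict(headers)}
    if report["verdict"] == "ambiguous":
        cl = int(next(v for n, v in headers if n == "content-length"))
        report["leftover_by_cl"] = body[cl:]
        _, report["leftover_by_te"] = dechunk(body)
        report["desync"] = report["leftover_by_cl"] != report["leftover_by_te"]
    return report


def normalize_headers(headers):
    """RFC 2616 4.4: when Transfer-Encoding is present, drop Content-Length."""
    if any(n == "transfer-encoding" for n, _ in headers):
        return [(n, v) for n, v in headers if n != "content-length"]
    return list(headers)


# Constructed sample (not captured traffic). Content-Length covers the whole
# body, so a Content-Length hop sees one request; a chunked hop ends the body
# at the 0-chunk and treats the trailing bytes as a new GET /admin request.
SMUGGLED = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)
BODY = b"0\r\n\r\n" + SMUGGLED
SAMPLE = b"".join([
    b"POST /submit HTTP/1.1\r\n",
    b"Host: example.test\r\n",
    b"Content-Length: %d\r\n" % len(BODY),
    b"Transfer-Encoding: chunked\r\n",
    b"\r\n",
    BODY,
])

if __name__ == "__main__":
    r = analyze(SAMPLE)
    print(r["verdict"], "desync:", r.get("desync"))
    print("chunked hop would next parse:", r["leftover_by_te"].split(CRLF)[0])
```

Running it reports the request as ambiguous with a desync: the Content-Length view consumes everything, while the chunked view stops at the 0-chunk and leaves `GET /admin HTTP/1.1` to be read as the next request. `normalize_headers` is the forwarding-side fix: once Content-Length is dropped, `framing_verdict` returns "chunked" and both hops frame the body the same way. Rejecting such requests outright is an equally valid policy for a proxy.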