Sixth Iteration of Apache 2.0 Released
October 9, 2002
Apache 2.0.43 was released late last week. This sixth release of version 2.0 is a security, bug fix, and minor upgrade release.
It replaces v2.0.42, which was released on September 24.
Apache 2.0.43 is available in source form for compiling on Unix or Windows, and can be downloaded from the main Apache site or from any mirror download site. Due to security issues, any site using a version prior to Apache 2.0.43 should upgrade to Apache 2.0.43.
The release fixes a security problem described in CAN-2002-0840 on cve.mitre.org. It also fixes some bugs from 2.0.42 (and earlier) and adds some additional capability. The Apache Software Foundation urges all users of Apache 2.0.42 and prior to upgrade as soon as possible.
Add-in modules written or compiled for Apache 1.3 are not compatible with Apache 2.0. Users running third-party add-in modules will need to obtain new modules written for Apache 2.0 from that third party before attempting to upgrade from Apache 1.3.
Note: the -win32-src.zip versions of Apache are nearly identical to the .tar.gz versions. However, they offer the source files in DOS/Windows CR/LF text format, and include the Win32 build files. These -win32-src.zip files do NOT contain binaries. See the binaries/win32/ directory for the Windows binary distributions.
Security Vulnerabilities Closed Since Apache 2.0.42
Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other Web page visitors via the Host: header.
In Apache 2.0.42, for a location where both WebDAV and CGI were enabled, a POST request to a CGI script would reveal the CGI source to a remote user. This issue does not affect any versions of Apache 2.0 other than 2.0.42.
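To triage a server against the two issues described here, the following added example (not part of the original announcement or of Apache's own code) checks a version banner and configuration text against the stated conditions. The function names and the sample configuration are constructed for illustration, and it assumes an uncommented `Dav On` line is how WebDAV is enabled.

```python
import re

SAMPLE_CONF = """\
# constructed sample for this example, not from a real server
ServerName www.example.test
UseCanonicalName Off
<Location /dav>
    Dav On
</Location>
"""

def parse_version(banner):
    """Extract (major, minor, patch) from a banner such as 'Apache/2.0.42 (Unix)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version in %r" % banner)
    return tuple(int(x) for x in m.groups())

def version_in_xss_range(ver):
    """Ranges stated for CAN-2002-0840: 2.0 before 2.0.43, 1.3.x up to 1.3.26."""
    if ver[:2] == (2, 0):
        return ver < (2, 0, 43)
    if ver[:2] == (1, 3):
        return ver <= (1, 3, 26)
    return False

def canonical_name_off(conf_text):
    """True if any uncommented UseCanonicalName directive, in any scope, is Off."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"UseCanonicalName\s+(\S+)", line, re.IGNORECASE)
        if m and m.group(1).strip('"').lower() == "off":
            return True
    return False

def triage(banner, conf_text):
    """Return a list of findings; wildcard DNS cannot be read from the config."""
    ver = parse_version(banner)
    findings = []
    if version_in_xss_range(ver):
        if canonical_name_off(conf_text):
            findings.append("CAN-2002-0840: UseCanonicalName Off; exposed with wildcard DNS")
        else:
            findings.append("CAN-2002-0840: UseCanonicalName not Off; upgrade anyway")
    if ver == (2, 0, 42) and re.search(r"^\s*Dav\s+On\b", conf_text, re.I | re.M):
        findings.append("2.0.42 with WebDAV enabled: check for CGI in the same location")
    return findings
```

Whether wildcard DNS resolves to the host has to be checked separately, since it is a property of the zone and not of the server configuration.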
Bugs Fixed Since Apache 2.0.42