Information regarding Project Releases and Project Resources. Note that the information here is a quote from Freecode.com page, and the downloads themselves may not be hosted on OSDN.
mod_proxy_http has been changed to better handle excessive interim responses from the origin server to prevent potential denial of service and high memory usage. mod_proxy_balancer has been changed to prevent CSRF attacks against the balancer-manager interface.
A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack was possible. A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack was possible.
A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack was possible. A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack was possible.
A flaw was found in the mod_proxy_balancer module that permitted a cross-site scripting attack against an authorized user. A flaw was found in the mod_proxy_balancer module that allowed an authorized user to send a carefully crafted request that would cause the Apache child process handling that request to crash. A flaw was found in the mod_status module that allowed a cross-site scripting attack. A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publically available, a cross-site scripting attack was possible.
This version of Apache is a security fix release only. A possible XSS attack against a site with a public server-status page and ExtendedStatus enabled was fixed. Apache now ensures that the parent process cannot be forced to kill non-child processes by checking scoreboard PID data with parent process privately stored PID data.
