Apache 1.3.27 Released
http://www.apache.org/dist/httpd/Announcement.html

The Apache Software Foundation and The Apache Server Project are pleased to announce the release of version 1.3.27 of the Apache HTTP Server. This Announcement notes the significant changes in 1.3.27 as compared to 1.3.26.

This version of Apache is principally a security and bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 1.3.27 addresses and fixes 3 security vulnerabilities.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
CAN-2002-0839 (cve.mitre.org): A vulnerability exists in all versions of Apache prior to 1.3.27 on platforms using System V shared memory based scoreboards. This vulnerability allows an attacker who can execute under the Apache UID to exploit the Apache shared memory scoreboard format and send a signal to any process as root or cause a local denial of service attack. We thank iDefense for their responsible notification and disclosure of this issue.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
CAN-2002-0840 (cve.mitre.org): Apache is susceptible to a cross site scripting vulnerability in the default 404 page of any web server hosted on a domain that allows wildcard DNS lookups. We thank Matthew Murphy for notification of this issue.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
CAN-2002-0843 (cve.mitre.org): There were some possible overflows in ab.c which could be exploited by a malicious server. Note that this vulnerability is not in Apache itself, but rather one of the support programs bundled with Apache. We thank David Wagner for the responsible notification and disclosure of this issue.

