Apache updates to 2.2.13 for security

From the ‘time to update Apache‘ files:

A new Apache HTTP server release is out, fixing at least 4 security issues in the popular open source web server. None of the fixed security issues look like show stoppers to me.

Only one of the listed security updates for Apache 2.2.13 actually has a CVE number attached to it (CVE-2009-2412). That issue fixes a potential overflow issue in  APR (Apache Portable Runtime).

The other issues fixed in 2.2.13 include improvements to the mod_ssl module to improve compatibility with OpenSSL 1.0.0. There is also a fix for mod_cgid, eliminating an empty argument when calling the CGI script (could potentially be a vulnerability).

Apache still maintains its older HTTP servers – the 2.x branch and the older 1.3.x branch – neither of which are affected by the new 2.2.13 update. The 1.3.41 and the 2.0.63 releases (the most recent for those branches) came out in January of 2008.

News Around the Web