
Open Source Apache Server 2.0.x Updated for the Last Time

Jul 12, 2013

From the ‘yum-update/apt-get upgrade RIGHT NOW’ files:

The Apache Software Foundation is out with a pair of important updates to its namesake Apache HTTP Server.

The new updates are the Apache 2.0.65 and Apache 2.2.25 releases. Of particular note is the fact that the Apache 2.0.65 release is the final release of the Apache 2.0.x line of HTTP server.

Apache 2.0 was first released back in April of 2002, giving this open source web server platform an astonishing 11 years of support.

The final Apache 2.0.x release is number 2.0.65 and includes fixes for at least six security flaws. Those flaws include:

  • CVE-2013-1862 (cve.mitre.org)
    mod_rewrite: Ensure that client data written to the RewriteLog is
    escaped to prevent terminal escape sequences from entering the
    log file.
  • CVE-2012-0053 (cve.mitre.org)
    Fix an issue in error responses that could expose “httpOnly”
    cookies when no custom ErrorDocument is specified for status code
    400.
  • CVE-2012-0031 (cve.mitre.org)
    Fix scoreboard issue which could allow an unprivileged child
    process to cause the parent to crash at shutdown rather than
    terminate cleanly.
  • CVE-2011-3368 (cve.mitre.org)
    Reject requests where the request-URI does not match the HTTP
    specification, preventing unexpected expansion of target URLs in
    some reverse proxy configurations.
  • CVE-2011-3192 (cve.mitre.org)
    core: Fix handling of byte-range requests to use less memory, to
    avoid denial of service. If the sum of all ranges in a request is
    larger than the original file, ignore the ranges and send the
    complete file.
  • CVE-2011-3607 (cve.mitre.org)
    Fix integer overflow in ap_pregsub() which, when the mod_setenvif
    module is enabled, could allow local users to gain privileges via
    a .htaccess file.
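The CVE-2011-3192 entry above states a concrete server-side rule: when the requested ranges add up to more than the file, ignore them and send the whole file. The following C code is an added example of that rule, not Apache's code and not part of the original article; the function name `range_sum_exceeds` and the sample headers are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Apache code). Returns 1 if the summed range
 * lengths exceed the file size (ignore ranges, send the whole file),
 * 0 if the ranges may be honoured, -1 if the header is malformed. */
int range_sum_exceeds(const char *hdr, long long size)
{
    long long total = 0;
    const char *p = hdr;
    char *end;

    if (size <= 0 || strncmp(p, "bytes=", 6) != 0)
        return -1;
    for (p += 6;;) {
        long long first = -1, last = -1, len;

        while (*p == ' ' || *p == '\t') p++;
        if (isdigit((unsigned char)*p)) { first = strtoll(p, &end, 10); p = end; }
        if (*p++ != '-') return -1;
        if (isdigit((unsigned char)*p)) { last = strtoll(p, &end, 10); p = end; }
        if (first < 0 && last < 0) return -1;        /* bare "-" */

        if (first < 0) {                             /* suffix form: last N bytes */
            len = last < size ? last : size;
        } else {
            if (last < 0 || last >= size) last = size - 1;   /* clamp to EOF */
            len = first > last ? 0 : last - first + 1;       /* inverted or past EOF counts as 0 */
        }
        if (len > size - total) return 1;            /* overflow-safe sum check */
        total += len;

        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0') return 0;
        if (*p++ != ',') return -1;
    }
}

int main(void)
{
    /* Constructed sample headers, evaluated against a 1000-byte file. */
    const char *samples[] = { "bytes=0-499,500-999", "bytes=0-499,250-999",
                              "bytes=0-,0-", "bytes=-200", "bytes=-" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-22s -> %d\n", samples[i], range_sum_exceeds(samples[i], 1000));
    return 0;
}
```

The check runs in a single pass and returns as soon as the running total would pass the file size, so the decision costs no per-range allocation.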

Apache is also updating its new Apache 2.2.x web server to version 2.2.25 for a pair of vulnerabilities including:      

  • SECURITY: CVE-2013-1896 (cve.mitre.org)
    mod_dav: Sending a MERGE request against a URI handled by
    mod_dav_svn with the source href (sent as part of the request body
    as XML) pointing to a URI that is not configured for DAV will
    trigger a segfault.
  • SECURITY: CVE-2013-1862 (cve.mitre.org)
    mod_rewrite: Ensure that client data written to the RewriteLog is
    escaped to prevent terminal escape sequences from entering the
    log file.

While Apache 2.2.x is likely more widely deployed at this point, the Apache 2.4.x branch is currently the leading edge of Apache Web Server production code. Apache 2.4.x is still relatively new, having first debuted in February of 2012.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.
