From the 'yum-update/apt-get upgrade RIGHT NOW' files:

The Apache Software Foundation is out with a pair of important updates to its namesake Apache HTTP Server.

The new updates are the Apache 2.0.65 and Apache 2.2.25 releases. Of particular note is the fact that the Apache 2.0.65 release is the final release of the Apache 2.0.x line of HTTP server.

Apache 2.0 was first released back in April of 2002, giving this open source web server platform an astonishing 11 years of support.

The final Apache 2.0.x release is number 2.0.65 and includes fixes for at least six security flaws. Those flaws include:

* CVE-2013-1862 (cve.mitre.org): mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file.

* CVE-2012-0053 (cve.mitre.org): Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400.

* CVE-2012-0031 (cve.mitre.org): Fix scoreboard issue which could allow an unprivileged child process to cause the parent to crash at shutdown rather than terminate cleanly.

* CVE-2011-3368 (cve.mitre.org): Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations.

* CVE-2011-3192 (cve.mitre.org): core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file.

* CVE-2011-3607 (cve.mitre.org): Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.
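The CVE-2011-3192 entry above describes the mitigation rule in one sentence. As an added illustration (not Apache's own code), the following Python applies that rule to a Range header: it parses the `bytes=` ranges, clamps each to the file, and returns None (meaning "serve the complete file") when the ranges together would cover more bytes than the file itself. Function names and the handling of unsatisfiable ranges are assumptions for this example.

```python
import re


def parse_byte_ranges(range_header, file_size):
    """Parse a Range header ("bytes=a-b,c-,-n") into inclusive (start, end) pairs.

    Returns ranges clamped to the file, or None if the header is malformed
    or none of the ranges is satisfiable. (Hypothetical helper for this example.)
    """
    if file_size <= 0:
        return None
    m = re.fullmatch(r"\s*bytes\s*=\s*(.*)", range_header, re.IGNORECASE)
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if not re.fullmatch(r"\d*-\d*", spec) or spec == "-":
            return None  # not a byte-range-spec
        first, last = spec.split("-")
        if first == "":
            # suffix range "-n": the final n bytes of the file
            n = int(last)
            if n == 0:
                continue
            start, end = max(file_size - n, 0), file_size - 1
        else:
            start = int(first)
            if start >= file_size:
                continue  # unsatisfiable range, skip it
            end = file_size - 1 if last == "" else min(int(last), file_size - 1)
            if end < start:
                return None
        ranges.append((start, end))
    return ranges or None


def ranges_to_serve(range_header, file_size):
    """Apply the CVE-2011-3192 rule from the changelog: if the sum of all
    ranges exceeds the size of the file, ignore the ranges entirely.

    Returns the list of ranges to serve, or None meaning "send the whole file".
    """
    ranges = parse_byte_ranges(range_header, file_size)
    if ranges is None:
        return None
    total = sum(end - start + 1 for start, end in ranges)
    if total > file_size:
        return None  # would cost more memory than serving the file once
    return ranges
```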

Apache is also updating its new Apache 2.2.x web server to version 2.2.25 for a pair of vulnerabilities including:

* SECURITY: CVE-2013-1896 (cve.mitre.org): mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.

* SECURITY: CVE-2013-1862 (cve.mitre.org): mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file.

While Apache 2.2.x is likely more widely deployed at this point, the Apache 2.4.x branch is currently the leading edge of Apache Web Server production code. Apache 2.4.x is still relatively new, having first debuted in February of 2012.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.