The Apache Software Foundation has released version 2.4.3 of the Apache HTTP Server, fixing two vulnerabilities in its ubiquitous Web server, including a cross-site scripting bug that could enable an attacker to upload files to a remote server.
The new version of the Apache HTTP Server also includes updates that resolve dozens of other, non-security related bugs.
The following vulnerability has been fixed in the latest version:
The updated version of the HTTP Server is available to download from the project's download page. Details of all the changes made in 2.4.3 can be found in the change log. Among those errors is a fix for an SSL issue which has affected the HTTP Server when run on Windows since version 2.4.2.
The new version of the Apache HTTP Server also includes updates that resolve dozens of other, non-security related bugs.
The following vulnerability has been fixed in the latest version:
- CVE-2012-3502 : mod_proxy_ajp, mod_proxy_http: Fix an issue in back end connection closing which could lead to privacy issues due to a response mixup. PR 53727.
- CVE-2012-2687: mod_negotiation: Escape filenames in variant list to prevent a possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled.
The updated version of the HTTP Server is available to download from the project's download page. Details of all the changes made in 2.4.3 can be found in the change log. Among those errors is a fix for an SSL issue which has affected the HTTP Server when run on Windows since version 2.4.2.