Ory Segal from sanctuminc.com has found a
hole in apache versions prior to 1.3.24 which allows
an attacker to execute commands on win 32 versions
of apache. This is considered a serious threat and you
should upgrade immediately. On another note a minor
hole in every version was fixed. I have included that
change log snippet below.
--- Snippet from change log ---
*) [Security] Prevent invalid client hostnames from appearing in
the log file. If a double-reverse lookup was performed (e.g.,
for an "Allow from .my.domain" directive) but failed, then
a spoofed dns-reverse-address could appear in the logs. Now
the numeric address is logged instead. Note that
reverse-address-spoofing did NOT actually allow access
to any protected resource! [Martin Kraemer]
--- end snippet from change log ---
Further information is provided in the links below.
Upgrade to 1.3.24
