The Apache Software Foundation and the Apache HTTP Server Project have announced the availability of Apache HTTP Server 2.4.4. The update addresses several bugs, but also some cross-site scripting (XSS) vulnerabilities.
The first set of issues refers to various XSS vulnerabilities (CVE-2012-3499) caused by “unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.” These issues were reported back in July 2012.
Another XSS flaw (CVE-2012-4558), identified in October 2012, affects the mod_proxy_balancer manager interface.
All these security issues were reported to Apache by Niels Heinen of Google.
The flaws affect Apache HTTP Server 2.4.3, 2.4.2 and 2.4.1. Users are advised to update their installations as soon as possible.
The creators of Apache highlight the fact that this latest release represents 15 years of innovation by the project, which is why they recommend it over all previous releases.
Apache HTTP Server is available for download here