Apache Server 2.4.3 fixes over fifty bugs and two security holes
The Apache Software Foundation has released version 2.4.3 of the Apache HTTP Server, fixing over fifty bugs and closing two security holes. The two vulnerabilities are present in the mod_proxy_ajp, mod_proxy_http and mod_negotiation modules.
The two gaps have been listed as CVE-2012-3502 and CVE-2012-2687, but there is little information available on the actual problems. The first bug occurs in mod_proxy_ajp and mod_proxy_http when a connection to the backend is closing, which "could lead to privacy issues due to a response mixup". The second problem, in mod_negotiation, concerns a possible XSS (cross-site scripting) on sites where untrusted users can upload files; it is fixed by escaping file names.
The updated version of the HTTP Server is available to download from the project's download page. Details of all the changes made in 2.4.3 can be found in the change log. Among those changes is a fix for an SSL issue which has affected the HTTP Server when run on Windows since version 2.4.2.