upstream released 2.0.61 and 2.2.6. From release notes 2.2: CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. CVE-2007-1863: mod_cache: Prevent a segmentation fault if attributes are listed in a Cache-Control header without any value. CVE-2007-3304: prefork, worker, event MPMs: Ensure that the parent process cannot be forced to kill processes outside its process group. CVE-2006-5752: mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection". Reported by Stefan Esser. CVE-2006-1862: mod_mem_cache: Copy headers into longer lived storage; header names and values could previously point to cleaned up storage. PR 41551. release notes 2.0: CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. CVE-2007-1863: mod_cache: Prevent segmentation fault if a Cache-Control header has no value. CVE-2006-5752: mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection". Reported by Stefan Esser. CVE-2007-3304: prefork, worker MPMs: Ensure that the parent process cannot be forced to kill processes outside its process group.
2.0.61 and 2.2.6 now in cvs, fixes all security issues. see also #187258 and #186219
*** This bug has been marked as a duplicate of bug 186219 ***