This weekend, Apache 1.3.27 was released. I'll quote part of the announcement:

The Apache Software Foundation and The Apache Server Project are pleased to announce the release of version 1.3.27 of the Apache HTTP Server. This Announcement notes the significant changes in 1.3.27 as compared to 1.3.26.

This version of Apache is principally a security and bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 1.3.27 addresses and fixes 3 security vulnerabilities.

CAN-2002-0839 ( A vulnerability exists in all versions of Apache prior to 1.3.27 on platforms using System V shared memory based scoreboards. This vulnerability allows an attacker who can execute under the Apache UID to exploit the Apache shared memory scoreboard format and send a signal to any process as root or cause a local denial of service attack. We thank iDefense for their responsible notification and disclosure of this issue.

CAN-2002-0840 ( Apache is susceptible to a cross site scripting vulnerability in the default 404 page of any web server hosted on a domain that allows wildcard DNS lookups. We thank Matthew Murphy for notification of this issue.

CAN-2002-0843 ( There were some possible overflows in ab.c which could be exploited by a malicious server. Note that this vulnerability is not in Apache itself, but rather one of the support programs bundled with Apache. We thank David Wagner for the responsible notification and disclosure of this issue.

We consider Apache 1.3.27 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family.

Apache 1.3.27 is available for download from
Please see the CHANGES_1.3 file in the same directory for a full list of changes.

Binary distributions are available from
The source and binary distributions are also available via any of the mirrors listed at