Apache HTTP Server 1.3.37 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 1.3.37 of the Apache HTTP Server ("Apache"). This Announcement notes the significant change in 1.3.37 as compared to 1.3.36.

This version of Apache is a security fix release only.

CVE-2006-3747: An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.

Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the vulnerability may result in denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.

This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

Please note that the ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.
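The two facts an administrator needs for triage are stated above: the 1.3 builds affected are 1.3.28 up to but not including 1.3.37, and a build is only exposed if mod_rewrite is compiled in or loaded. The script below is an added example, not part of this announcement or of the Apache project, that applies those two facts to the output of `httpd -v` (the version line) and `httpd -l` (statically compiled modules) plus the `LoadModule` lines of httpd.conf (DSO modules). The sample outputs and configuration fragment embedded in it are constructed; on a real host the three inputs would come from the running binary and its configuration. Because this announcement gives no fixed level for the 2.0 and 2.2 families, the script reports those as "unknown" rather than guessing.

```shell
#!/bin/sh
# Added example (not from the Apache announcement): triage a 1.3-series build
# against CVE-2006-3747 using the version range and the mod_rewrite condition
# stated in the announcement. Inputs are constructed samples.

# Extract "1.3.36" from the first line of `httpd -v` output.
parse_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Turn a dotted version into an integer so ranges can be compared with -lt/-ge.
version_key() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True (exit 0) if mod_rewrite is compiled in (`httpd -l` lists mod_rewrite.c)
# or loaded as a DSO (an uncommented "LoadModule rewrite_module" line).
mod_rewrite_enabled() {
    compiled_in=$1; conf=$2
    printf '%s\n' "$compiled_in" | grep -q '^ *mod_rewrite\.c$' && return 0
    printf '%s\n' "$conf" \
        | grep -Eq '^[[:space:]]*LoadModule[[:space:]]+rewrite_module' && return 0
    return 1
}

# Prints "affected", "not-affected" or "unknown" (non-1.3 family: the 1.3.37
# announcement states no fixed level for 2.0/2.2, so no verdict is given).
triage_1_3() {
    ver=$1; compiled_in=$2; conf=$3
    case "$ver" in
        1.3.*) ;;
        *) echo unknown; return 0 ;;
    esac
    key=$(version_key "$ver")
    if [ "$key" -lt "$(version_key 1.3.28)" ] || [ "$key" -ge "$(version_key 1.3.37)" ]; then
        echo not-affected; return 0
    fi
    if mod_rewrite_enabled "$compiled_in" "$conf"; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample inputs (what `httpd -v`, `httpd -l` and httpd.conf might show).
SAMPLE_V='Server version: Apache/1.3.36 (Unix)
Server built:   Jul 27 2006 12:00:00'
SAMPLE_L='Compiled-in modules:
  http_core.c
  mod_rewrite.c
  mod_log_config.c'
SAMPLE_CONF='# constructed httpd.conf fragment
#LoadModule rewrite_module libexec/mod_rewrite.so
LoadModule php4_module libexec/libphp4.so'

# Stand-alone usage: prints "1.3.36: affected" for the sample inputs, because
# the version is in range and mod_rewrite.c is compiled in.
printf '%s: %s\n' "$(parse_version "$SAMPLE_V")" \
    "$(triage_1_3 "$(parse_version "$SAMPLE_V")" "$SAMPLE_L" "$SAMPLE_CONF")"
```

Note that a verdict of "affected" here means the build is in the vulnerable range with the module present; as the announcement explains, whether a given build can actually be exploited also depends on its stack layout, which this check cannot see. Treat "affected" as "patch or upgrade", not as confirmation of exploitability.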

The Apache HTTP Server project recommends that all users who have built Apache from source apply the patch or upgrade to the latest level and rebuild. Providers of Apache-based web servers in pre-compiled form will be able to determine if this vulnerability applies to their builds. That determination has no bearing on any other builds of Apache HTTP Server, and Apache HTTP Server users are urged to exercise caution and apply patches or upgrade unless they have specific instructions from the provider of their web server. Statements from vendors can be obtained from the US-CERT vulnerability note for this issue at:

http://www.kb.cert.org/vuls/id/395412

The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability.

Apache 1.3.37 is the current stable release of the Apache 1.3 family. We strongly recommend that users of all earlier versions, including 1.3 family releases, upgrade to the current 2.2 version as soon as possible.

We recommend the Apache 1.3.37 version for users who require a third party module that is not yet available as an Apache 2.x module. Modules compiled for Apache 2.x are not compatible with Apache 1.3, and modules compiled for Apache 1.3 are not compatible with Apache 2.x.

Apache 1.3.37 is available for download from

http://httpd.apache.org/download.cgi

This service utilizes the network of mirrors listed at:

http://www.apache.org/mirrors/

Binary distributions may be available for your specific platform from

http://www.apache.org/dist/httpd/binaries/

Binaries distributed by the Apache HTTP Server Project are provided as a courtesy by individual project contributors. The project makes no commitment to release the Apache HTTP Server in binary form for any particular platform, nor on any particular schedule.

IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS variants. While the ports to non-Unix platforms (such as Win32, Netware or OS2) will function for some applications, Apache 1.3 is not designed for these platforms. Apache 2 was designed from the ground up to address security, stability and performance issues across all modern operating systems. Users of any non-Unix ports are strongly cautioned to move to Apache 2.

The Apache project no longer distributes non-Unix platform binaries from the main download pages for Apache 1.3. If absolutely necessary, a binary may be available at http://archive.apache.org/dist/httpd/.

Apache is the most popular web server in the known universe; about 2/3 of the servers on the Internet run Apache HTTP Server, or one of its variants.

Apache 1.3.37 Major changes

Security vulnerabilities

The main security vulnerabilities addressed in 1.3.37 are:

SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme handling. For some RewriteRules this could lead to a pointer being written out of bounds. Reported by Mark Dowd of McAfee Avert Labs.