I'm running 2.2.4 and I've been told I need to manually tweak mod_rewrite.c to fix CVE-2007-3008. I can't find any mention of this bug in the bug list.
Here's my info:

Server version: Apache/2.2.4 (Unix)
Server built: Jun 8 2007 08:19:28
Server's Module Magic Number: 20051115:4
Server loaded: APR 1.2.8, APR-Util 1.2.8
Compiled using: APR 1.2.8, APR-Util 1.2.8
Architecture: 32-bit
Server MPM: Prefork
  threaded: no
  forked: yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/apps/apache/httpd-2.2.4"
 -D SUEXEC_BIN="/apps/apache/httpd-2.2.4/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

Does anyone know if this bug has been antiquated by a higher version of 2 or by a bugfix? I checked the changelog, but I didn't see anything.

Thanks,
John