There are five vulnerabilities fixed in the latest release of the Apache Web server, including a buffer overflow and several denial-of-service vulnerabilities. Fixes for these flaws have landed in the developer release of the server, 2.4.10-dev.
The buffer overflow is rated moderate by the Apache Software Foundation, but under the right circumstances it could be used for remote code execution. The flaw is a race condition in mod_status, the module that serves the server-status page: on a server running a threaded MPM, a crafted request to a reachable status page can trigger a heap-based buffer overflow. No authentication is required beyond being able to reach that page.
Apache’s advisory spells out those circumstances: the attacker must be able to reach the server-status page, and the server must be using a threaded MPM (such as worker or event). Servers that restrict /server-status to trusted addresses, or that do not load mod_status at all, are not exposed, so that access control is worth checking even before the update goes in.
Apache 2.4.10, including these fixes, has now been released.
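The two checks a practitioner would run after reading the above, as an added example that is not code from the article or from the Apache project: whether the installed httpd build predates 2.4.10, and whether a `<Location /server-status>` block is mapped without an access restriction. It assumes the banner format that the first line of `httpd -v` (or `apache2 -v`) prints, "Server version: Apache/2.4.x (...)", and a Location block named /server-status; the sample banner and the two config fragments are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the article or from the Apache project.
# Two checks for the mod_status race fixed in 2.4.10:
#   1. does the httpd build predate 2.4.10?
#   2. is /server-status mapped without an access restriction?
# Assumes the first line of `httpd -v` / `apache2 -v` output, which looks like
# "Server version: Apache/2.4.9 (Unix)", and a <Location /server-status> block.

FIXED_VERSION="2.4.10"

# version_lt A B: succeeds when dotted version A sorts before B (numeric per field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# httpd_version_from_banner BANNER: prints the dotted version, e.g. 2.4.9.
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# needs_update BANNER: prints yes/no for a 2.4.x build, "unknown" if the banner
# does not parse, and "other-branch" for anything that is not 2.4.x (the
# article only names the 2.4.10 fix, so 2.2 builds are out of scope here).
needs_update() {
    v=$(httpd_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 0
    fi
    case "$v" in
        2.4.*) ;;
        *) echo other-branch; return 0 ;;
    esac
    if version_lt "$v" "$FIXED_VERSION"; then
        echo yes
    else
        echo no
    fi
}

# status_exposed CONFIG_TEXT: prints "yes" when a <Location /server-status>
# block exists and carries no restrictive Require/Allow/Deny directive
# ("Require all granted" and "Allow from all" count as unrestricted).
status_exposed() {
    printf '%s\n' "$1" | awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<location[ \t]+"?\/server-status/ { inblk = 1; exposed = 1; next }
        inblk && line ~ /^[ \t]*<\/location>/ { inblk = 0; next }
        inblk && line ~ /require/ && line !~ /require[ \t]+all[ \t]+granted/ { exposed = 0 }
        inblk && line ~ /(allow|deny)[ \t]+from/ && line !~ /allow[ \t]+from[ \t]+all/ { exposed = 0 }
        END { print (exposed ? "yes" : "no") }'
}

# Constructed inputs for the demo below (not taken from a real host).
SAMPLE_BANNER="Server version: Apache/2.4.9 (Unix)"
SAMPLE_CONF='<Location /server-status>
    SetHandler server-status
    Require all granted
</Location>'
HARDENED_CONF='<Location /server-status>
    SetHandler server-status
    Require ip 10.0.0.0/8
</Location>'

echo "needs update:              $(needs_update "$SAMPLE_BANNER")"   # yes
echo "status exposed (as found): $(status_exposed "$SAMPLE_CONF")"    # yes
echo "status exposed (hardened): $(status_exposed "$HARDENED_CONF")"  # no
```

Against a live host, feed the functions the real data instead of the constructed samples: `needs_update "$(httpd -v | head -n 1)"` and `status_exposed "$(cat /etc/httpd/conf.d/status.conf)"` (the config path varies by distribution, and a status handler mapped under another Location name or via LocationMatch will not be seen by this simple scan).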
The Apache Software Foundation: http://www.apache.org/dist/httpd/CHANGES_2.4