Please see the recent bugtraq announcement.
apache-1.3.14 is out. This fixes this and other problems too, including a mass virtual hosting security issue.
apache 1.3.14 with mod_ssl 2.7.1-1.3.14 needs a new phhttpd-eapi patch and a
small change on apache.spec
both patches added as attachment.
a final RPM/SRPM build with those patches is available from :
Created attachment 4188 [details]
phhttpd-eapi patch fot apache 1.3.14 mod ssl 2.7.1