Please see the recent bugtraq announcement.
apache-1.3.14 is out. This fixes this and other problems too, including a mass virtual hosting security issue.
apache 1.3.14 with mod_ssl 2.7.1-1.3.14 needs a new phhttpd-eapi patch and a small change on apache.spec both patches added as attachment. a final RPM/SRPM build with those patches is available from : ftp://sajino.terra.com.pe/pub/linux/redhat/carenas/7.0/
Created attachment 4188 [details] phhttpd-eapi patch fot apache 1.3.14 mod ssl 2.7.1