According to http://svn.apache.org/viewvc?view=rev&rev=549159 "mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection". Reported by Stefan Esser. [Joe Orton]" Note that the default is not to have a public server-status page, and in itself making server-status public could leak sensitive information about your site.
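As an added example (not part of this advisory or of the Apache project's own documentation), the following httpd configuration keeps server-status with ExtendedStatus enabled but restricts it to an administrative network rather than exposing it publicly; it assumes Apache 2.4 `Require` syntax and uses 10.0.0.0/8 as a hypothetical management network.

```apacheconf
# Added example, not from the advisory: expose mod_status only to an
# administrative network. Assumes Apache 2.4 syntax and that 10.0.0.0/8
# is the (hypothetical) management network.
LoadModule status_module modules/mod_status.so

# ExtendedStatus adds per-request detail (client address, request line),
# which is both the data involved in the fixed issue and information about
# the site that should not be readable by arbitrary clients.
ExtendedStatus On

<Location "/server-status">
    SetHandler server-status
    # Only the management network may read the page; everyone else gets 403.
    Require ip 10.0.0.0/8
</Location>
```

On Apache 2.2 the equivalent restriction uses `Order deny,allow` / `Deny from all` / `Allow from 10.0.0.0/8` inside the same `<Location>` block.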
This issue was addressed in:
Red Hat Application Stack: http://rhn.redhat.com/errata/RHSA-2007-0557.html
Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2007-0532.html http://rhn.redhat.com/errata/RHSA-2007-0534.html http://rhn.redhat.com/errata/RHSA-2007-0556.html http://rhn.redhat.com/errata/RHSA-2007-0533.html
Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0704
This issue has been addressed in the following products: Red Hat Certificate System 7.3 via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html