Domain: apacheweek.com
Stories and comments across the archive that link to apacheweek.com.
Comments · 33
-
Re:Ouch. Is RoundCube stable yet?
-
Re:The report you are looking for should be called
You need a smart gateway. Your E1's border router, or a gateway immediately behind it, needs traffic shaping and queueing. Pretty much any circuit anywhere needs traffic queueing. Either side of your E1 could probably benefit from a compressed virtual circuit such as maybe a VPN. Compress all traffic that way. If you locally host your web servers, you can use a reverse proxy that includes mod_gzip and other stuff to strip whitespace from their content. You can also control your users' behaviors with caching proxies like squid and with a layer 7 packet filter. The layer 7 filter will protect against p2p and such. If you think the network is being abused but you want to encourage self-censorship, make the squid logs public.
:) -
Re:IE attacked because it's common
Because the press and slashdot don't care about Apache exploits. If you have a default install of 1.3 or 2.0, you could easily get exploited. You can't compare a web browser (100 million installs) to a webserver (a few million). And most web server operators know how to patch.
-
Patch for Security Regression in Apache 2.0.51
There's a patch for the security regression in 2.0.51. See CAN-2004-0811 and Apache Week for 9/23/2004. Another Apache release, 2.0.52, is coming down the pike to fix this and some minor issues.
To quote ApacheWeek: One of the new features included in [Apache 2.0.51] is that a container can now be used to limit the effect of a Satisfy directive to specific methods. Unfortunately, a bug in the implementation meant that merging of Satisfy directives did not work correctly. The result was that if "Satisfy Any" was used, for example, in directory /foo/bar/, it could also take effect in the higher context, /foo/. If directory /foo/ also had access control configured, this could then be bypassed. -
Vuln list; is Apache 1.3 affected as well?
Here is the list of vulnerabilities. For more information (including a list of affected versions), see the Apache Week listing.
Does anyone have any information about whether the mod_ssl DoS vuln affects Apache 1.3.x as well? Thanks. -molo
An input validation issue in IPv6 literal address parsing which can result in a negative length parameter being passed to memcpy. [CAN-2004-0786]
A buffer overflow in configuration file parsing could allow a local user to gain the privileges of a httpd child if the server can be forced to parse a carefully crafted .htaccess file. [CAN-2004-0747]
A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured. [CAN-2004-0751]
A potential infinite loop in mod_ssl which could be triggered given particular timing of a connection abort. [CAN-2004-0748]
A segfault in mod_dav_fs which can be remotely triggered by an indirect lock refresh request. [CAN-2004-0809]
-
Re:There is a solution for IIS
I was referring to the general practice of patching to avoid vulnerabilities.
-
Re:Statistics
Ok, here is the list for 2.0.
It doesn't look like any of those will root your server... just a couple of DoS attacks if your server is misconfigured. -
Something True
-
Re:I run apache 2 and PHP in production
From what I understand, it's all about the performance. Apache 1.3.x supposedly has better performance with PHP when compared to the corresponding Apache 2.0.x release.
-
Re:*gasp*
Could you provide any info about the Apache exploit? I checked here but I don't see anything recent that looks like a big deal.
-
Re:Not just monopolies
Apache for Linux isn't the same as Apache for BSD isn't the same as Apache for Solaris isn't the same as Apache for Windows isn't the same as...
The following Apache Week article documents the "monoculture" of Apache, complete with a listing of security vulnerabilities affecting different Linux distributions differently.
Vendor patches to Apache
I think it's safe to say that Linux/Apache isn't vulnerable in the same way as a million IIS servers. -
ApachePDA
Wow the website has been slashdotted already. Come on, Alex, just because ApachePDA can run on your new Treo 600, you shouldn't have thrown away your server just yet...
-
Also according to NetCraft...
...100% of web servers run Apache on Linux, thanks to VeriSign's DNS wildcard being hosted on Apache/Linux.
-
ApacheWeek no more?
I used to read http://www.apacheweek.com/ fairly regularly. Now it seems to be not as well maintained.
-
Lies, damned lies, and statistics
Numbers can mean anything. It's the interpretation that matters. 31 errors in 58,944 lines. Hmmm. Even if we take Reasoning's word that these are errors and not "features", that's a 0.53 error rate. The unnamed commercial software had an error rate of 0.51. So what does that prove?
1) Apache 2.1 has more bugs than some unknown commercial competitor. If the version is correct, a development (not-ready-for-release) build was pitted against a released commercial build. Not fair playing ground.
2) Reasoning does not detail the severity or kind of the bugs. Certainly, a web server not being able to handle a type of format (pdf, csv, ogg vorbis) is less severe than a security hole. Pitted against IIS, I would trust Apache even if it had more bugs, because historically it has had fewer security patches. Check out Apache's 2.0 known patches vs IIS 5.0
-
Email SCO CEO...
From Netcraft: "The site www.sco.com is running Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.6 PHP/4.0.3pl1 on Linux."
Wow they're even running a vulnerable version of Apache... ON LINUX...
1.3.14 has had SERIOUS issues fixed since its release...
http://www.apacheweek.com/features/security-13
-
Re:Not overly surprising
Being open source is no silver bullet; for example see this thread about Exhausting all your memory - the latest reported bug in Apache.
This is a remote denial of service attack which could be carried out fairly easily upon a LAN, or with a decent connection/zombie network over the net.
-
Apache security alerts?
Would you also send them the list of Apache security alerts? Or is that too much truth for you?
All seven of them? All long fixed? Page not updated since January 23, 2003? I'd LOVE to send them that. Comparing that to the long and varied string of IIS compromises/failures/destruction would be enough to get even the pointiest headed boss to make the switch. Good idea. Thanks!
-
Re:Why use IIS?
Would you also send them the list of Apache security alerts? Or is that too much truth for you?
-
Disabling the Use of Trace in Apache
Apache Week has a short piece on this "vulnerability". It also includes this short snippet of configuration code to stop traces against your webserver.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
I haven't tried this yet! -
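As an added example (not from the comment above or from Apache Week), here is the same mod_rewrite rule placed in server context next to the dedicated TraceEnable directive that later httpd releases provide, so the rewrite rule can stay as a fallback on servers that predate the directive:

```apacheconf
# Added example: two ways to refuse HTTP TRACE (cross-site tracing defence).
# Directive names are real Apache httpd directives; the layout is ours, not the comment's.

# 1. Method-based denial via mod_rewrite, as quoted in the comment above.
#    Works on any release with mod_rewrite loaded; [F] answers 403 Forbidden.
#    Put it in server or virtual-host context so it covers every directory,
#    not only those with a .htaccess that happens to carry the rule.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

# 2. The dedicated directive, available in httpd 1.3.34 / 2.0.55 and later.
#    Allowed in server config and virtual host context only (not .htaccess);
#    the core then answers TRACE with 405 Method Not Allowed before any
#    rewrite rule runs, so it also covers content served by other handlers.
TraceEnable off
```

To verify either setting, send a TRACE request for a known URL on your own server and confirm the response is 403 or 405 rather than an echo of the request headers.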
Review from ApacheWeek
ApacheWeek also has a review of this book found here, link
-
Apache Week review
Also see Apache Week Pro Apache 2 review
-
Re:oxymoronic
Security? A comparison of 2001 CERT advisories shows that closed source software constituted 72%.
So what? That might mean that closed source software has wider deployment. It might mean that closed source software is scrutinized more closely. It might even mean that closed source software is used in more places where security matters.
alldas.org defacement statistics per OS place Linux, an open source OS, at 22%, while Solaris, which is closed source, clocks in at 4%.
I also note that you failed to answer my question: if open source makes for secure software, then why do we need something like OpenBSD at all? Why are not all open source OS's as secure as OpenBSD?
The bottom line is that the distinction closed/open should make very little difference when evaluating the security aspect of any particular installation.
Stability? Netcraft shows that the web servers with the top 10 average [netcraft.com] and the top 19 maximum [netcraft.com] uptimes are Open Source.
Again, irrelevant. It might mean that open source people will go to great lengths to avoid rebooting their machines. It might even mean that open source software is conservative/stagnant. Unless the reboots actually hurt business there is no inherent advantage to long uptimes.
They get great stability and security through honest desire and mass co-operation.
Great stability and security are achieved by paying a lot of attention to stability and security. The development method is strictly secondary.
Linux, FreeBSD and OpenBSD have NEVER crashed on me in normal circumstances
What can I say. Try harder. For example take a look at how Linux MM will happily let a process run amok with a high probability of wrecking the box.
Learning OpenBSD for someone who is knowledgeable about network security is far from steep learning.
That might be true, but is hardly any consolation if OpenBSD does not do what you need it to do.
Even in light of the recent vulnerability, Apache actually has a good security history. The last time it was mentioned in a CERT advisory was 1996. IIS has been mentioned 8 times since.
What about the 13 Apache vulnerabilities since 1999?
Can you find a closed source hole that was fixed in hours?
Easy. Ping of death was fixed within 48 hours on Windows. I'll grant that the Linux fix got there faster. So what? -
Re:I switched!
I call bullshit. There may be patches, but they aren't the kind that patched remote root exploits.
Incidentally, most of the (relatively few) problems that Apache has had since version 1.3 are on the Windows version of Apache. -
Also Apache Related...
Everything Solaris posted a nice article, mentioned on the Apache Week site, entitled "Apache: The Basics" which is a good beginner's read.
Future articles promise to delve into greater detail about other aspects of Apache.
-
-1 FUD
Look at Ken Coar's editorial in the last Apache Week. The ASF is spinning their wheels at this point.
The article in question says nothing of the sort. It notes that the development processes of apache have changed over the years, with associated wins and losses.
Why has IIS taken over the SSL market? Because it ships with EAPI.
Thanks for the laugh. -
Re:Apache has released 2.0 betas
It's not clear when the Open Source Edition (or whatever) will come out and I didn't find anything at the official Apache Site.
Apache Week has more information on this:
Those waiting since April for a new 2.0 beta will have to keep on waiting after another release candidate, 2.0.27, was abandoned this week when a bug was discovered while running the code on the live apache.org server. Some httpd processes were found to be stuck in infinite loops while reading POST requests; the bug was traced to the code handling request bodies. After fixes for this bug and a build problem on BSD/OS were checked in, the tree was tagged ready for a 2.0.28 release.
-
Fixes 3 server vulnerabilities
Apache Week explains the changes and highlights the 3 security vulnerabilities fixed by this release.
-
Re:Specificity (perhaps a site on spelling?)
For example, a site dedicated to a specific topic, such as Apache, or book reviews? Is there enough of a market, or interest, in any one of these categories? How many new stories are there every day about, e.g., Apache, that would interest readers without becoming ApacheWeek, an Apache mirror, or a site dedicated to programming Apache? (not that those are not all great ideas!) I'm definitely OK with being that technical, but the question is, would there be enough reader interest for it to be worthwhile? (I ran with the Apache topic here, but it could apply to a lot of other topics.)
darren
Cthulhu for President! -
And a link...
Here's the link to info about Apache 2.0 which I actually wanted to include in my post above:
http://www.apacheweek.com/features/apache20
Chris -
Check out the optimization tips page at apache.org
At the Apache.org web site there is a guide to optimize Apache's performance.
Also Dan Kegel wrote an interesting web page in response to the whole Mindcraft NT/IIS vs. Apache/Linux fiasco and on that page are several detailed measures to improve Apache's performance under Linux:
Dan Kegel's Mindcraft Redux page
Apache Week 'zine
...as for my own personal experience w/ Apache: I learned that when compiling Apache, removing any Apache modules you won't be needing saves plenty of RAM. In the httpd.conf file you want to set StartServers, MaxClients, and MaxRequestsPerChild so that Apache does not spawn new children too often. The trick is: before you start Apache, look at "top" and count the number of processes; now start Apache under normal traffic conditions and look at the number of processes you're running now to see how many httpd children are running. Whatever that number is, add 10, and that should be your StartServers setting. The MaxRequestsPerChild default is 30 but I like to crank it up to 300 or more so that httpd children are not being killed and recreated too often (the reason for that setting was to avoid possible memory leaks from sucking up all your RAM, which hasn't been a problem with the httpd's I've worked with). -
Questions...
Hmm...
I'm reading the PCMag test and I see that they are using a kernel 2.0.35 and a Stronghold Webserver...
How good was the 2.0.* series at Multiprocessing?
and, Isn't Stronghold slower than Apache due to the security issues?
And why do they only test (as it seems to me) static webpages... aren't dynamic ones a better way of showing what the server/OS is good for?
(I think I saw a note on apacheweek (http://www.apacheweek.com) that Apache in fact did perform better than other servers with dynamic pages than with static ones... (I might be wrong here))
I also see many people saying that Apache is slow (I know it wasn't made for performance). Therefore I'd like to see a test comparing Apache under different OSes... Linux, *BSD, Solaris, NT (when the NT version is stable) and so on...
/Droid