Slashdot Mirror
Apache 1.3.26 and 2.0.39 Released
cliffwoolley writes "The Apache Software Foundation has released new versions of both Apache 1.3 and 2.0. These versions are both security and bug-fix releases. They address and fix the issues noted in CAN-2002-0392 [CERT VU#944335] regarding a vulnerability in the handling of chunked transfer encoding. You can download the new releases here." This of course is for the exploit that we reported yesterday. It is hard to complain about a 24-hour response time for a bug.
... but it certainly would've been better if ISS had allowed it, or even writeup a proper patch or give the right info on who's vulnerable.
Personally, their argument about not contacting the Apache Foundation because some of them work for Red Hat is complete bullshit, plus the fact that they could've contacted CERT about it instead. CERT would've made sure RH didnt take credit, since that's among ISS's fears, and also would've told them that the issue was known and being worked on.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
It is hard to complain about a 24-hour response time for a bug.
No, it's not:)
Seriously, though, it's a pretty impressive turn around time and should give some credence to those of us making arguments that the support is really there for open source projects like Apache, even though there's no "1-800-HELPME" number nor an expensive maintenance and support agreement.
"Provided by the management for your protection."
It is hard to complain about a 24-hour response time for a bug.
I think this is the real advantage of OSS. It's people that make Apache, not some group of nameless programmers in a high-rise somewhere. The Apache programmers use Apache on a daily basis, so they stand to gain just as much as the rest of us do by releasing a quick fix. I honestly think they care about making it a good, bug-free product. I put much more trust into the open-source projects than I do for any closed source commercial package.
"I'll say it again for the logic-impaired." -- Larry Wall.
Downloaded a moment ago and the package is broken so I reverted to downloading the bloated non-msi executable and it works just fine.
Your statement would be right on the mark, if it had the advantage of being based on fact. The "fix" you refer to is not, and was not, the actual correction, since the bug itself was more involved than that.
But thanks for playing! Better luck next time!
Doesn't anyone actually read the articles anymore? Apache was aware of the issue before ISS posted their advisory.
Givng Apache 24 hours to make a bug fix imposed an unreasonable deadline, and also encouraged the fix to be quick and dirty. Any time code is patched, it could cause other bugs to show, or introduce new ones. Developers need a certain amount of time to do testing once changes are made to make sure they didn't break anything! Kudos to the apache developers for meeting the deadline, but anti-kudos to (i'm not sure who) those imposed it.
ISS is full of shit. They have no respect for the way things work. Due to being connected with the security team of my company, I knew about the bug for a few days. And also that the Apache group was working to correct it. But not, the pricks at ISS had to release it with a whopping two hour notice, not only that but they released a broken patch.
And on top of all of that their stock goes up. What a crock of shit.
</rant>
Okay, I'm a lamer, I'd rather do a "rpm --rebuild" than whip it up from scratch.
Does anybody know where a 2.0.39 RPM is available?
Props to the Apache team for a quick and thorough fix. Now this, THIS is what I call quality control and customer service. This outruns and outguns Microsoft's see no evil, speak no evil policy on security hotfixes. Hands down.
Or will this old version patch successfully against the latest Apache release? I haven't tried mixing versions.
Super ninja monkeys will one day rule the world!
Anyone know the status of mod_ssl for 1.3.26?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
First I must say good work the the apache team, but the must stop and remind everyone the work is not done. Now this patch needs to be applied to all affected systems, now it is time for the SA's and the what not of the world to step up. Lets not forget this fact because even MS releases patchs sooner or later (ok later), but it seems that many boxes stay effected for ever due to bad admining on said MS box(en).
man
No manual entry for
This advisory is for the multi-threaded version on apache only. So sites running 1.3.x on *nix are unaffected.
Had me worried there for a minute as I admin quite a few of those.
I know I'm going to hell, I'm just trying to get good seats.
Any idea when the fix will be in the woody packages?
I'm not sure, since I don't closely follow CERT myself - but an acquaintance e-mailed me the CERT advisory today and I noticed that the 1.3.x version of apache it cites is not 1.3.26 - its 1.3.25:
I noticed that a 1.3.25 doesn't actually exist anywhere ... was there a failed release?
so are you claiming that the bug fix took a full 24 hours to complete? face it, the other poster had a point: turnaround times are limited by other things than coding.
Need I point out my earlier comment? I'll save you the trouble of looking it up:
I believe it was Dark Helmet who once said, "Evil will always triumph because good is dumb." But in the case of software, it's pretty clear that free will always triumph because commercial is dumb. Honestly, software developed out of a desire to:
is simply going to be better software than something that's developed out of the runaway greed rampant in the inferior competition.
Well at least it's only a DoS.
:(
Looks like it's going to be a long night.
I know I'm going to hell, I'm just trying to get good seats.
Oh sweat. Is this just me, or does 1.3.26 break PHP? I recompiled PHP 4.2.1 from source, but I still get this message when trying to start Apache:
/usr/local/apache/libexec/libphp4.so is garbled - perhaps this is not an Apache module DS
API module structure `php4_module' in file
O?
I regressed to PHP 4.1.2 (the last version that I used sucessfully), and as soon as I did that, it worked like a peach. Perhaps it's a PHP problem; I never used PHP 4.2.x with Apache 1.3.24, so I don't know.
/.ers have this experience?
Any other
How can you? It's called "A Patchy" server, after all.
--
http://www.aikiweb.com - AikiWeb Aikido Information
Well i think the 24 hour response time is a good thing.. However to play devils advocate for a second - if Microsoft had resolved an issue (i know stop laughing and read on) in 24 hours would it have been posted on here in this manner?? I suspect it would have had a different slant to it...
I only ask this in the light of the fact that ALL software has bugs and issues and exploits but all software eventually gets patched - I find open source more responsive in some cases and worse in others - its not a given that something will get fixed every time faster but on average it is - this is an advantage of open source software for me. The disadvantage of course lies in people who claim open source software never has a bug or exploit at all - all software HAS these things but some softwqare gets fixed faster than others.
Good one to the apache team.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Um, surely you mean vulnerability ?
My next sig will be ready soon, but subscribers can beat the rush
umm... The bug wasn`t fixed in 24 hours!
:)
The apache coders have known about it for a while now, but it was only ISS going public early that forced the quick release of the patch before full testing!
Still good that we didn`t need to wait a few weeks for the update though!
Semi relevant.... upgrading my freebsd 4.6 box to apache 2.0.39 of course required recompiling php.
/usr/ports/www/mod_php4/work / hp-4.2.1/libtool --silent --mode=compile cc -I. -I/usr/ports/www/mod_php4/work/php-4.2.p ache2filter -I/usr/ports/www/mod_php4/work/php-4.2.1/main -I/usr/ports/www/mod_php4/work/php-4.2.1 -I/usr/local/inclul /expat -D_REENTRANT -D_THREAD_SAFE -I/usr/ports/www/mod_php4/work/php-4.2.1/TSRM -I/usr/local/incl
;)
installing php 4.2.1 from ports again, it dies with:
Making all in apache2filter
/bin/sh
1/sapi/a
de/apache2 -I/usr/ports/www/mod_php4/work/php-4.2.1/Zend -I/usr/local/include -I/usr/local/include/mysql -I/usr/ports/www/mod_
php4/work/php-4.2.1/ext/xm
ude/pth -O -pipe -march=pentiumpro -I/usr/local/include -I/usr/local/include/pgsql -pthread -DZTS -prefer-pic -c php_function
s.c
php_functions.c:93: syntax error
*** Error code 1
Anyone else have the problem?
thanks in advance
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
...to never work during the weekend.
;-)
The weekend is for relaxing
Anyone knows that a real, professional company would sit on the vuln report for a few weeks, until the finder got fed up and went public with it, then they'd complain about irresponsible disclosure and take two weeks to release a fix.
hmm. the new version of the apache advisory doesn't mention ISS's "faulty" patch. retraction? http://httpd.apache.org/info/security_bulletin_200 20617.txt
Two ways of thinking:
1. Assume we can make it 100% secure, and then give it system privs.
2. Assume we will make mistakes, and make it run with reduced privs.
It is not a matter of who can make a more secure product. It is nice when something is designed with the assumption that the software, like all software, will have holes.
Security is a process, not a product. I like the direction Open Source is taking. Apache runs as a regular user. Bind runs as regular user. Postfix, Qmail, and the newer SSH from the OpenBSD team are designed with flaws in mind.
When Open Source products get slammed enough times, they change models. Some companies never learn.
It's at modssl.org. Thanks, Ralph!
-- http://frobnosticate.com
Did anyone else notice that the Makefile is missing from the 1.3.26 release? I can't find it anywhere. I was going to upgrade real quick but this rather important piece of the puzzle is missing.
Vintage computer games and RPG books available. Email me if you're interested.
They original poster probably has very good reasons for using Apache 1.3.
If I take my car to the mechanic for a tune-up, the answer I'm not looking to hear is "forget about the tune-up. why don't you just buy a BMW M1?". In the meantime, I've got an otherwise perfectly fine car just like the original poster likely has a perfectly fine setup (perhaps with apps built and tested under Apache 1.3) and the latest and greatest isn't the answer for them.
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
if Microsoft had resolved an issue (i know stop laughing and read on) in 24 hours would it have been posted on here in this manner?? I suspect it would have had a different slant to it
Considering it took something over three days before a search for Code Red on microsoft.com returned anything when microsoft apparently already had a patch for a couple of weeks, methinks the slant would be incredulity.
ALL software has bugs and issues and exploits
Agreed, with the possible exception of some stuff by Donald Knuth.
but all software eventually gets patched
Nope. dBASE5 for DOS has a serious bug which will never be patched. (Under certain conditions, "reading" a file will cause the initial 6 bytes of several other files to be reqritten with stale cached data. Ugly.)
Oh, and in case you're wondering, I have other quotes.
Nathan's blog
PHP 4.2.1 doesn't seem to work with Apache 2.0.39. You need to upgrade to the CVS version of PHP; see the bug report
I just followed the links, and, if i'm not crazy, you can now run 2.0.x on Windows 98...
Any verification of this?
(its not for me - its for a guy i support... i'm running off of OpenBSD myself)
guns kill people like spoons make Rosie O'Donnell fat.
Sorry, I had assumed (mistakely I see) that you were actually *interested* in the whole issue.
But yes, sometimes mistakes are made. A fact I'm sure your parents are quite familiar with.
http://online.securityfocus.com/bid/5033/exploit/
Compile and run, and BAM, you have a uid=nobody shell on an OpenBSD server running vulnerable Apache.
The authors likely have a Linux exploit too, because glibc makes it much easier to exploit heap-corruption bugs.
I downloaded and installed the binary for 2.0.39 for RedHat and when I do an ./apachectl startssl all I get is a port 80 listening. When I do a netstat -an I only show 80. Ugh, I'm no Linux genius, I just need to get my MRTG/RRDTOOL https site back up. The FAQ for ModSSl/Apache is a little confusing to me. When I look in the modules directory I don't see a mod_ssl.so but there are 100 other modules. Why wouldnt this be included in the binary? Isn't it more important than all of that other stuff in there?
Changing the php_functions.c allowed the make to go fine. However I now have several problems cropped up on make install. First it was trying to find a directory '.' listed in the subdirs defiition in the Makefile in the source root. So I removed that and it proceeded a bit better but only until it got to here: Installing program: phpextdist make[2]: Leaving directory `/root/php-4.2.1/pear' make[1]: Leaving directory `/root/php-4.2.1/pear' make[1]: Entering directory `/root/php-4.2.1' make[1]: *** [install-sapi] Error 1 make[1]: Leaving directory `/root/php-4.2.1' make: *** [install-recursive] Error 1 Any ideas? I am using RH 7.1, and trying to build an Apache 2.0.39, PHP 4.2.1 setup. Cheers, Jock
http://online.securityfocus.com/news/493
i love you
You know where you are? You're in the $PATH, baby. You're gonna get executed!