Slashdot Mirror


Apache 1.3.26 and 2.0.39 Released

cliffwoolley writes "The Apache Software Foundation has released new versions of both Apache 1.3 and 2.0. These versions are both security and bug-fix releases. They address and fix the issues noted in CAN-2002-0392 [CERT VU#944335] regarding a vulnerability in the handling of chunked transfer encoding. You can download the new releases here." This of course is for the exploit that we reported yesterday. It is hard to complain about a 24-hour response time for a bug.

1 of 138 comments

  1. Re:24 is nice... by Verizon+Guy · Score: 0, Flamebait

    Sure, we could say that, but if the exploit never went public, would the Apache group have sat around with their thumbs up their asses doing nothing? IOW, I think that if it never went public, we certainly wouldn't have seen a patch today. I mean, Apache has known about this for months --- another developer secretly exploited it for the Apache folks. I think sometimes you need the extra kick in the behind to get those patches out. I'm 100% convinced that if that exploit didn't go public yesterday, we wouldn't have a patch today. Yet in all that time, hackers could have been exploiting all those Apache servers on the net... which according to Netcraft is the most popular Internet web server.

    Strangely enough, I think we can all safely tell the zealots now to go fuck themselves when they cite "security by obscurity" against Microsoft, as it seems like it's an epidemic in the Open Source community as well. Only reason Microsoft patches take a lot longer to go public is that since they're not a loose band of hackers like most open source projects, they can't just go out and release a patch---it has to be subject to all sorts of corporate hoopla, like quality testing and that sort. They need to be absolutely sure it doesn't do something like turn your box into liquid shit... they could get SUED big time. If an open source project released a bum patch, who/what is there to go after if something messes up? Nobody. That's where the fundamental difference lies... with open source, there is no organization to go after.

    --

    Aw, fuck it. Let's go bowling. - The Big Lebowski