Apache 1.3.26 and 2.0.39 Released
cliffwoolley writes "The Apache Software Foundation has released new versions of both Apache 1.3 and 2.0. These versions are both security and bug-fix releases. They address and fix the issues noted in CAN-2002-0392 [CERT VU#944335] regarding a vulnerability in the handling of chunked transfer encoding. You can download the new releases here." This of course is for the exploit that we reported yesterday. It is hard to complain about a 24-hour response time for a bug.
Downloaded a moment ago and the package is broken so I reverted to downloading the bloated non-msi executable and it works just fine.
Doesn't anyone actually read the articles anymore? Apache was aware of the issue before ISS posted their advisory.
mod_ssl is baked into the Apache releases 2.0.35 and later, and is _far_ easier to compile and install than the old Apache 1.3 + external mod_ssl was.
Get to Apache 2.0.x when you can.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
Is this the same Covalent who had the gall to tell me today when I telephoned (before that notice was up) for support on one of their SSL products that they had assessed the vulnerability and it wasn't all that big a problem, as Apache handled it pretty well and the child processes would die off?
When I pointed out that this was exactly WHY I needed the patch, as our webservers are actually important to us and we'd rather not have them DoS'd, she mumbled something about adding us to an alert list for when the patches were ready.
Argh... I posted a comment but it was replied to the wrong thread by accident. Crap. Anyway, here's what I had to say. Hope it helps. (I hope I'm not going to get flamed for anything on this but I probably will.)
Me and woolley chatted on irc tonight and I verified his patch [theaimsgroup.com] does indeed work. You will have to manually adjust apache_1.3.26/src/ap/Makefile.tmpl to add the three object files to line 7:
ap_hook.o ap_ctx.o ap_mm.o
The patch will cause a rejection due to modifications between 1.3.24 and 1.3.26 to the file.
The patch applies to apache-1.3.24, btw. And be sure to use mod_ssl-2.8.8-1.3.24 and add --force on the mod_ssl configure line.
Woolley's patch works great.
Um, surely you mean vulnerability?
My next sig will be ready soon, but subscribers can beat the rush