Slashdot Mirror
Apache 1.3.26 and 2.0.39 Released
cliffwoolley writes "The Apache Software Foundation has released new versions of both Apache 1.3 and 2.0. These versions are both security and bug-fix releases. They address and fix the issues noted in CAN-2002-0392 [CERT VU#944335] regarding a vulnerability in the handling of chunked transfer encoding. You can download the new releases here." This of course is for the exploit that we reported yesterday. It is hard to complain about a 24-hour response time for a bug.
... but it certainly would've been better if ISS had allowed it, or even writeup a proper patch or give the right info on who's vulnerable.
Personally, their argument about not contacting the Apache Foundation because some of them work for Red Hat is complete bullshit, plus the fact that they could've contacted CERT about it instead. CERT would've made sure RH didnt take credit, since that's among ISS's fears, and also would've told them that the issue was known and being worked on.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
It is hard to complain about a 24-hour response time for a bug.
No, it's not:)
Seriously, though, it's a pretty impressive turn around time and should give some credence to those of us making arguments that the support is really there for open source projects like Apache, even though there's no "1-800-HELPME" number nor an expensive maintenance and support agreement.
"Provided by the management for your protection."
It is hard to complain about a 24-hour response time for a bug.
I think this is the real advantage of OSS. It's people that make Apache, not some group of nameless programmers in a high-rise somewhere. The Apache programmers use Apache on a daily basis, so they stand to gain just as much as the rest of us do by releasing a quick fix. I honestly think they care about making it a good, bug-free product. I put much more trust into the open-source projects than I do for any closed source commercial package.
"I'll say it again for the logic-impaired." -- Larry Wall.
Givng Apache 24 hours to make a bug fix imposed an unreasonable deadline, and also encouraged the fix to be quick and dirty. Any time code is patched, it could cause other bugs to show, or introduce new ones. Developers need a certain amount of time to do testing once changes are made to make sure they didn't break anything! Kudos to the apache developers for meeting the deadline, but anti-kudos to (i'm not sure who) those imposed it.
ISS is full of shit. They have no respect for the way things work. Due to being connected with the security team of my company, I knew about the bug for a few days. And also that the Apache group was working to correct it. But not, the pricks at ISS had to release it with a whopping two hour notice, not only that but they released a broken patch.
And on top of all of that their stock goes up. What a crock of shit.
</rant>
This advisory is for the multi-threaded version on apache only. So sites running 1.3.x on *nix are unaffected.
Had me worried there for a minute as I admin quite a few of those.
I know I'm going to hell, I'm just trying to get good seats.
...to never work during the weekend.
;-)
The weekend is for relaxing
Vintage computer games and RPG books available. Email me if you're interested.
They original poster probably has very good reasons for using Apache 1.3.
If I take my car to the mechanic for a tune-up, the answer I'm not looking to hear is "forget about the tune-up. why don't you just buy a BMW M1?". In the meantime, I've got an otherwise perfectly fine car just like the original poster likely has a perfectly fine setup (perhaps with apps built and tested under Apache 1.3) and the latest and greatest isn't the answer for them.
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.