Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apache 1.3.26 and 2.0.39 Released

Posted by krow on from the would-you-like-fries-with-that dept.

cliffwoolley writes "The Apache Software Foundation has released new versions of both Apache 1.3 and 2.0. These versions are both security and bug-fix releases. They address and fix the issues noted in CAN-2002-0392 [CERT VU#944335] regarding a vulnerability in the handling of chunked transfer encoding. You can download the new releases here." This of course is for the exploit that we reported yesterday. It is hard to complain about a 24-hour response time for a bug.

4 of 138 comments (clear)

  1. 24 is nice... by jeffy124 · · Score: 5, Insightful

    ... but it certainly would've been better if ISS had allowed it, or even writeup a proper patch or give the right info on who's vulnerable.

    Personally, their argument about not contacting the Apache Foundation because some of them work for Red Hat is complete bullshit, plus the fact that they could've contacted CERT about it instead. CERT would've made sure RH didnt take credit, since that's among ISS's fears, and also would've told them that the issue was known and being worked on.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  2. Complaints Timescale by 4of12 · · Score: 5, Insightful

    It is hard to complain about a 24-hour response time for a bug.

    No, it's not:)

    Seriously, though, it's a pretty impressive turn around time and should give some credence to those of us making arguments that the support is really there for open source projects like Apache, even though there's no "1-800-HELPME" number nor an expensive maintenance and support agreement.

    --
    "Provided by the management for your protection."
  3. Folks at ISS by Anonymous Coward · · Score: 5, Insightful


    ISS is full of shit. They have no respect for the way things work. Due to being connected with the security team of my company, I knew about the bug for a few days. And also that the Apache group was working to correct it. But not, the pricks at ISS had to release it with a whopping two hour notice, not only that but they released a broken patch.

    And on top of all of that their stock goes up. What a crock of shit.
    </rant>

  4. Re:24 Hours - unreasonable and dangerous by buffy · · Score: 5, Insightful
    Givng Apache 24 hours to make a bug fix imposed an unreasonable deadline, and also encouraged the fix to be quick and dirty. Any time code is patched, it could cause other bugs to show, or introduce new ones. Developers need a certain amount of time to do testing once changes are made to make sure they didn't break anything! Kudos to the apache developers for meeting the deadline, but anti-kudos to (i'm not sure who) those imposed it.

    You kind-of missed how this went down. Nobody "imposed" a 24-hour window for the bug to be fixed. Had IIS not been a bunch of boneheads and prematurely (as in ejaculation) released information regarding the vulnerability, the programmers involved could've taken a little bit more time to develop the fix, ensuring better quality.

    The commendations re: the 24-hour turn around is simply referencing the ability of a lose-knit group of open source programmers to rapidly respond to a bad situation. Had Microsoft been in the same spot (they have been before--people have screwed them, too--and they most certainly will be again) it still would've taken them a lot longer to kick out the fix, and even longer to get it into their distribution channels.