Slashdot Mirror


Apache 1.3.26 and 2.0.39 Released

cliffwoolley writes "The Apache Software Foundation has released new versions of both Apache 1.3 and 2.0. These versions are both security and bug-fix releases. They address and fix the issues noted in CAN-2002-0392 [CERT VU#944335] regarding a vulnerability in the handling of chunked transfer encoding. You can download the new releases here." This of course is for the exploit that we reported yesterday. It is hard to complain about a 24-hour response time for a bug.


  1. mod_ssl? by Phroggy · · Score: 3, Interesting

    Anyone know the status of mod_ssl for 1.3.26?

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  2. CERT got it slightly wrong? by Jobe_br · · Score: 3, Interesting

    I'm not sure, since I don't closely follow CERT myself - but an acquaintance e-mailed me the CERT advisory today and I noticed that the 1.3.x version of Apache it cites is not 1.3.26 - it's 1.3.25:

    Upgrade to the latest version

    The Apache Software Foundation has released two new versions of Apache that correct this vulnerability. System administrators can prevent the vulnerability from being exploited by upgrading to Apache version 1.3.25 or 2.0.39.

    I noticed that a 1.3.25 doesn't actually exist anywhere ... was there a failed release?

  3. See, I told you so. by rice_burners_suck · · Score: 5, Interesting

    Need I point out my earlier comment? I'll save you the trouble of looking it up:

    I have to say, the Apache web server is quite a high quality piece of work. The fact that an obscure security issue has been found is a good sign that developers and users are on top of things in the constant struggle against remote exploiters.
    I am confident that a fix will be available very shortly. Serious sysadmins will have their servers patched sooner than any serious damage takes place. I don't have the same confidence when it comes to Microsoft's products.

    I believe it was Dark Helmet who once said, "Evil will always triumph because good is dumb." But in the case of software, it's pretty clear that free will always triumph because commercial is dumb. Honestly, software developed out of a desire to:

    • Learn,
    • Do good,
    • Have fun in the process...

    is simply going to be better software than something that's developed out of the runaway greed rampant in the inferior competition.

  4. PHP now broken? by Zeekamotay · · Score: 2, Interesting

    Oh sweat. Is this just me, or does 1.3.26 break PHP? I recompiled PHP 4.2.1 from source, but I still get this message when trying to start Apache:

    API module structure `php4_module' in file /usr/local/apache/libexec/libphp4.so is garbled - perhaps this is not an Apache module DSO?