Apache 1.3.26 and 2.0.39 Released
cliffwoolley writes "The Apache Software Foundation has released new versions of both Apache 1.3 and 2.0. These versions are both security and bug-fix releases. They address and fix the issues noted in CAN-2002-0392 [CERT VU#944335] regarding a vulnerability in the handling of chunked transfer encoding. You can download the new releases here." This of course is for the exploit that we reported yesterday. It is hard to complain about a 24-hour response time for a bug.
... but it certainly would've been better if ISS had allowed it, or even written up a proper patch or given the right info on who's vulnerable.
Personally, their argument about not contacting the Apache Foundation because some of them work for Red Hat is complete bullshit, plus the fact that they could've contacted CERT about it instead. CERT would've made sure RH didn't take credit, since that's among ISS's fears, and also would've told them that the issue was known and being worked on.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
was bored while downloading :)
I just installed Apache over the weekend, and now this comes out! Argh!
It is hard to complain about a 24-hour response time for a bug.
No, it's not:)
Seriously, though, it's a pretty impressive turn around time and should give some credence to those of us making arguments that the support is really there for open source projects like Apache, even though there's no "1-800-HELPME" number nor an expensive maintenance and support agreement.
"Provided by the management for your protection."
It is hard to complain about a 24-hour response time for a bug.
I think this is the real advantage of OSS. It's people that make Apache, not some group of nameless programmers in a high-rise somewhere. The Apache programmers use Apache on a daily basis, so they stand to gain just as much as the rest of us do by releasing a quick fix. I honestly think they care about making it a good, bug-free product. I put much more trust into the open-source projects than I do for any closed source commercial package.
"I'll say it again for the logic-impaired." -- Larry Wall.
This "bug" was a mis-signed size parameter passed to memcpy(). In other words, the "bug" "fix" was something "majorly complicated" like adding an (unsigned int) typecast.
If it took more than 5 minutes to fix this, I'd be surprised. 24 hours is ridiculous.
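A simplified model of the bug class the post above describes, as an added example (constructed for this page, not Apache's source): the chunk size is parsed into a signed long and bounded against the read buffer with a signed comparison, so a large hex value goes negative, passes the check, and would reach memcpy() as a huge size_t. The hardened parser beside it accumulates in size_t, detects overflow explicitly, and clamps in unsigned arithmetic; all names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Hex digit to value; returns -1 for a non-hex character. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Vulnerable pattern (constructed illustration): no overflow check, result stored
 * in a signed long, clamp done with a signed comparison. Returns the length that
 * a subsequent memcpy() into a bufsiz-byte buffer would be given. */
size_t vulnerable_len_to_read(const char *chunk_size_line, size_t bufsiz)
{
    unsigned long acc = 0;
    for (const char *p = chunk_size_line; hexval(*p) >= 0; p++)
        acc = (acc << 4) | (unsigned long)hexval(*p);   /* silently wraps */
    long remaining = (long)acc;                          /* high bit set -> negative */
    /* -1 is "smaller" than bufsiz in signed terms, so the clamp keeps it... */
    long len_to_read = (remaining > (long)bufsiz) ? (long)bufsiz : remaining;
    /* ...and it becomes SIZE_MAX the moment it is converted for memcpy(). */
    return (size_t)len_to_read;
}

/* Hardened parser: unsigned accumulator, explicit overflow detection, empty or
 * malformed size lines rejected, clamp performed in size_t.
 * Returns 0 and sets *len_out on success, -1 on rejection. */
int safe_len_to_read(const char *chunk_size_line, size_t bufsiz, size_t *len_out)
{
    size_t acc = 0;
    const char *p = chunk_size_line;
    if (hexval(*p) < 0) return -1;                       /* no hex digits at all */
    for (; hexval(*p) >= 0; p++) {
        if (acc > (SIZE_MAX >> 4)) return -1;            /* next shift would overflow */
        acc = (acc << 4) | (size_t)hexval(*p);
    }
    /* chunk-size may be followed by ";ext" or the line terminator; anything else is malformed */
    if (*p != '\0' && *p != ';' && *p != '\r' && *p != '\n') return -1;
    *len_out = (acc < bufsiz) ? acc : bufsiz;            /* unsigned clamp, never negative */
    return 0;
}
```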
THE PORN COUNT: Bringing Porn to Slashdot, Daily.
Downloaded a moment ago and the package is broken so I reverted to downloading the bloated non-msi executable and it works just fine.
Doesn't anyone actually read the articles anymore? Apache was aware of the issue before ISS posted their advisory.
Giving Apache 24 hours to make a bug fix imposed an unreasonable deadline, and also encouraged the fix to be quick and dirty. Any time code is patched, it could cause other bugs to show, or introduce new ones. Developers need a certain amount of time to do testing once changes are made to make sure they didn't break anything! Kudos to the apache developers for meeting the deadline, but anti-kudos to (I'm not sure who) those who imposed it.
ISS is full of shit. They have no respect for the way things work. Due to being connected with the security team of my company, I knew about the bug for a few days, and also that the Apache group was working to correct it. But no, the pricks at ISS had to release it with a whopping two hour notice; not only that, but they released a broken patch.
And on top of all of that their stock goes up. What a crock of shit.
</rant>
Okay, I'm a lamer, I'd rather do a "rpm --rebuild" than whip it up from scratch.
Does anybody know where a 2.0.39 RPM is available?
Props to the Apache team for a quick and thorough fix. Now this, THIS is what I call quality control and customer service. This outruns and outguns Microsoft's see no evil, speak no evil policy on security hotfixes. Hands down.
Or will this old version patch successfully against the latest Apache release? I haven't tried mixing versions.
Super ninja monkeys will one day rule the world!
Anyone know the status of mod_ssl for 1.3.26?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
First I must say good work to the apache team, but we must stop and remind everyone the work is not done. Now this patch needs to be applied to all affected systems; now it is time for the SAs and the whatnot of the world to step up. Let's not forget this fact because even MS releases patches sooner or later (ok, later), but it seems that many boxes stay affected forever due to bad admining on said MS box(en).
This advisory is for the multi-threaded version on apache only. So sites running 1.3.x on *nix are unaffected.
Had me worried there for a minute as I admin quite a few of those.
I know I'm going to hell, I'm just trying to get good seats.
Any idea when the fix will be in the woody packages?
KTHXBYE!!!
I'm not sure, since I don't closely follow CERT myself - but an acquaintance e-mailed me the CERT advisory today and I noticed that the 1.3.x version of apache it cites is not 1.3.26 - it's 1.3.25:
I noticed that a 1.3.25 doesn't actually exist anywhere ... was there a failed release?
Need I point out my earlier comment? I'll save you the trouble of looking it up:
I believe it was Dark Helmet who once said, "Evil will always triumph because good is dumb." But in the case of software, it's pretty clear that free will always triumph because commercial is dumb. Honestly, software developed out of a desire to:
is simply going to be better software than something that's developed out of the runaway greed rampant in the inferior competition.
Well at least it's only a DoS.
:(
Looks like it's going to be a long night.
I know I'm going to hell, I'm just trying to get good seats.
Oh sweet. Is this just me, or does 1.3.26 break PHP? I recompiled PHP 4.2.1 from source, but I still get this message when trying to start Apache:
API module structure `php4_module' in file /usr/local/apache/libexec/libphp4.so is garbled - perhaps this is not an Apache module DSO?
I regressed to PHP 4.1.2 (the last version that I used successfully), and as soon as I did that, it worked like a peach. Perhaps it's a PHP problem; I never used PHP 4.2.x with Apache 1.3.24, so I don't know.
Any other /.ers have this experience?
How can you? It's called "A Patchy" server, after all.
--
http://www.aikiweb.com - AikiWeb Aikido Information
Well I think the 24 hour response time is a good thing.. However, to play devil's advocate for a second - if Microsoft had resolved an issue (I know, stop laughing and read on) in 24 hours would it have been posted on here in this manner?? I suspect it would have had a different slant to it...
I only ask this in the light of the fact that ALL software has bugs and issues and exploits but all software eventually gets patched - I find open source more responsive in some cases and worse in others - it's not a given that something will get fixed every time faster but on average it is - this is an advantage of open source software for me. The disadvantage of course lies in people who claim open source software never has a bug or exploit at all - all software HAS these things but some software gets fixed faster than others.
Good one to the apache team.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Um, surely you mean vulnerability ?
My next sig will be ready soon, but subscribers can beat the rush
You just know that this entire bug thing is just some guy that forgot to put a ; at the end of a line.
umm... The bug wasn't fixed in 24 hours!
:)
The apache coders have known about it for a while now, but it was only ISS going public early that forced the quick release of the patch before full testing!
Still good that we didn't need to wait a few weeks for the update though!
Semi relevant.... upgrading my freebsd 4.6 box to apache 2.0.39 of course required recompiling php. ;)
installing php 4.2.1 from ports again, it dies with:
Making all in apache2filter
/bin/sh /usr/ports/www/mod_php4/work/php-4.2.1/libtool --silent --mode=compile cc -I. -I/usr/ports/www/mod_php4/work/php-4.2.1/sapi/apache2filter -I/usr/ports/www/mod_php4/work/php-4.2.1/main -I/usr/ports/www/mod_php4/work/php-4.2.1 -I/usr/local/include/expat -D_REENTRANT -D_THREAD_SAFE -I/usr/ports/www/mod_php4/work/php-4.2.1/TSRM -I/usr/local/include/apache2 -I/usr/ports/www/mod_php4/work/php-4.2.1/Zend -I/usr/local/include -I/usr/local/include/mysql -I/usr/ports/www/mod_php4/work/php-4.2.1/ext/xml/expat -I/usr/local/include/pth -O -pipe -march=pentiumpro -I/usr/local/include -I/usr/local/include/pgsql -pthread -DZTS -prefer-pic -c php_functions.c
php_functions.c:93: syntax error
*** Error code 1
Anyone else have the problem?
thanks in advance
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
...to never work during the weekend.
;-)
The weekend is for relaxing
Anyone knows that a real, professional company would sit on the vuln report for a few weeks, until the finder got fed up and went public with it, then they'd complain about irresponsible disclosure and take two weeks to release a fix.
hmm. the new version of the apache advisory doesn't mention ISS's "faulty" patch. retraction? http://httpd.apache.org/info/security_bulletin_20020617.txt
Two ways of thinking:
1. Assume we can make it 100% secure, and then give it system privs.
2. Assume we will make mistakes, and make it run with reduced privs.
It is not a matter of who can make a more secure product. It is nice when something is designed with the assumption that the software, like all software, will have holes.
Security is a process, not a product. I like the direction Open Source is taking. Apache runs as a regular user. Bind runs as regular user. Postfix, Qmail, and the newer SSH from the OpenBSD team are designed with flaws in mind.
When Open Source products get slammed enough times, they change models. Some companies never learn.
It's at modssl.org. Thanks, Ralph!
-- http://frobnosticate.com
Did anyone else notice that the Makefile is missing from the 1.3.26 release? I can't find it anywhere. I was going to upgrade real quick but this rather important piece of the puzzle is missing.
Vintage computer games and RPG books available. Email me if you're interested.
The original poster probably has very good reasons for using Apache 1.3.
If I take my car to the mechanic for a tune-up, the answer I'm not looking to hear is "forget about the tune-up. why don't you just buy a BMW M1?". In the meantime, I've got an otherwise perfectly fine car just like the original poster likely has a perfectly fine setup (perhaps with apps built and tested under Apache 1.3) and the latest and greatest isn't the answer for them.
Easy does it!
if Microsoft had resolved an issue (i know stop laughing and read on) in 24 hours would it have been posted on here in this manner?? I suspect it would have had a different slant to it
Considering it took something over three days before a search for Code Red on microsoft.com returned anything when microsoft apparently already had a patch for a couple of weeks, methinks the slant would be incredulity.
ALL software has bugs and issues and exploits
Agreed, with the possible exception of some stuff by Donald Knuth.
but all software eventually gets patched
Nope. dBASE5 for DOS has a serious bug which will never be patched. (Under certain conditions, "reading" a file will cause the initial 6 bytes of several other files to be rewritten with stale cached data. Ugly.)
Oh, and in case you're wondering, I have other quotes.
Nathan's blog
PHP 4.2.1 doesn't seem to work with Apache 2.0.39. You need to upgrade to the CVS version of PHP; see the bug report
I just followed the links, and, if i'm not crazy, you can now run 2.0.x on Windows 98...
Any verification of this?
(its not for me - its for a guy i support... i'm running off of OpenBSD myself)
guns kill people like spoons make Rosie O'Donnell fat.
http://online.securityfocus.com/bid/5033/exploit/
Compile and run, and BAM, you have a uid=nobody shell on an OpenBSD server running vulnerable Apache.
The authors likely have a Linux exploit too, because glibc makes it much easier to exploit heap-corruption bugs.
I downloaded and installed the binary for 2.0.39 for RedHat and when I do an ./apachectl startssl all I get is a port 80 listening. When I do a netstat -an I only show 80. Ugh, I'm no Linux genius, I just need to get my MRTG/RRDTOOL https site back up. The FAQ for ModSSL/Apache is a little confusing to me. When I look in the modules directory I don't see a mod_ssl.so but there are 100 other modules. Why wouldn't this be included in the binary? Isn't it more important than all of that other stuff in there?
Changing the php_functions.c allowed the make to go fine. However I now have several problems cropped up on make install. First it was trying to find a directory '.' listed in the subdirs definition in the Makefile in the source root. So I removed that and it proceeded a bit better but only until it got to here:
Installing program: phpextdist
make[2]: Leaving directory `/root/php-4.2.1/pear'
make[1]: Leaving directory `/root/php-4.2.1/pear'
make[1]: Entering directory `/root/php-4.2.1'
make[1]: *** [install-sapi] Error 1
make[1]: Leaving directory `/root/php-4.2.1'
make: *** [install-recursive] Error 1
Any ideas? I am using RH 7.1, and trying to build an Apache 2.0.39, PHP 4.2.1 setup.
Cheers, Jock
http://online.securityfocus.com/news/493
i love you
You know where you are? You're in the $PATH, baby. You're gonna get executed!