Apache 1.3.26 and 2.0.39 Released
cliffwoolley writes "The Apache Software Foundation has released new versions of both Apache 1.3 and 2.0. These versions are both security and bug-fix releases. They address and fix the issues noted in CAN-2002-0392 [CERT VU#944335] regarding a vulnerability in the handling of chunked transfer encoding. You can download the new releases here." This of course is for the exploit that we reported yesterday. It is hard to complain about a 24-hour response time for a bug.
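The vulnerability the story refers to lies in the handling of chunked transfer encoding. As an added illustration (not Apache's code, and not code posted by anyone in this thread), here is a defensive parser for the chunk-size line of a chunked body. It accumulates the hex size in an unsigned `size_t`, guards against wraparound before every shift, enforces a policy cap, and rejects junk after the size. The function names, the `MAX_CHUNK_SIZE` cap of 1 MiB and the sample lines in `main` are this example's own choices, not anything taken from the advisory.

```c
/* Added example: defensive parsing of an HTTP/1.1 chunk-size line.
 * Not Apache's implementation; names and limits are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy limit: refuse any single chunk larger than 1 MiB. */
#define MAX_CHUNK_SIZE ((size_t)1 << 20)

enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_BAD_SYNTAX = -1,  /* no hex digits, junk after the size, or no CRLF */
    CHUNK_TOO_LARGE = -2    /* would wrap size_t or exceed MAX_CHUNK_SIZE */
};

/* Parse one chunk-size line such as "1a;ext=val\r\n".
 * On success stores the size in *out and returns CHUNK_OK.  The value is
 * bounded before every shift, so a hostile line made of many hex digits is
 * rejected instead of wrapping around into a small or negative number. */
enum chunk_status parse_chunk_size(const char *line, size_t len, size_t *out)
{
    size_t i = 0, value = 0;
    int ndigits = 0;

    for (; i < len; i++) {
        int c = (unsigned char)line[i];
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;
        /* Guard 1: the coming shift must not wrap size_t, whatever the cap. */
        if (value > (SIZE_MAX >> 4))
            return CHUNK_TOO_LARGE;
        value = (value << 4) | (size_t)d;
        /* Guard 2: stop as soon as the policy cap is exceeded. */
        if (value > MAX_CHUNK_SIZE)
            return CHUNK_TOO_LARGE;
        ndigits++;
    }
    if (ndigits == 0)
        return CHUNK_BAD_SYNTAX;

    /* Optional whitespace, then an optional ";extension" up to the line end.
     * Extension contents are skipped, not interpreted, in this example. */
    while (i < len && (line[i] == ' ' || line[i] == '\t'))
        i++;
    if (i < len && line[i] == ';')
        while (i < len && line[i] != '\r' && line[i] != '\n')
            i++;

    /* Require the CRLF terminator and nothing after it. */
    if (i + 2 != len || line[i] != '\r' || line[i + 1] != '\n')
        return CHUNK_BAD_SYNTAX;

    *out = value;
    return CHUNK_OK;
}

/* Status of a NUL-terminated line (convenience wrapper). */
enum chunk_status chunk_status_of(const char *line)
{
    size_t sz = 0;
    return parse_chunk_size(line, strlen(line), &sz);
}

/* Parsed size of a NUL-terminated line, or (size_t)-1 if it was rejected. */
size_t chunk_size_of(const char *line)
{
    size_t sz = 0;
    return parse_chunk_size(line, strlen(line), &sz) == CHUNK_OK ? sz : (size_t)-1;
}

int main(void)
{
    /* Constructed sample lines: three well-formed, two hostile or malformed. */
    const char *samples[] = { "1a\r\n", "1A;name=value\r\n", "0\r\n",
                              "ffffffffffffffffffff\r\n", "zz\r\n" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        size_t sz = 0;
        enum chunk_status st = parse_chunk_size(samples[k], strlen(samples[k]), &sz);
        printf("sample %zu: status %d, size %zu\n", k, (int)st, sz);
    }
    return 0;
}
```

The parser deliberately insists on a CRLF terminator and returns an error for a bare LF; a production server may choose to be more lenient there, but the two guards inside the digit loop are the part that matters for a size that is later used to drive a copy.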
... but it certainly would've been better if ISS had allowed it, or even written up a proper patch or given the right info on who's vulnerable.
Personally, their argument about not contacting the Apache Foundation because some of them work for Red Hat is complete bullshit, plus the fact that they could've contacted CERT about it instead. CERT would've made sure RH didn't take credit, since that's among ISS's fears, and also would've told them that the issue was known and being worked on.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
It is hard to complain about a 24-hour response time for a bug.
No, it's not :)
Seriously, though, it's a pretty impressive turn around time and should give some credence to those of us making arguments that the support is really there for open source projects like Apache, even though there's no "1-800-HELPME" number nor an expensive maintenance and support agreement.
"Provided by the management for your protection."
It is hard to complain about a 24-hour response time for a bug.
I think this is the real advantage of OSS. It's people that make Apache, not some group of nameless programmers in a high-rise somewhere. The Apache programmers use Apache on a daily basis, so they stand to gain just as much as the rest of us do by releasing a quick fix. I honestly think they care about making it a good, bug-free product. I put much more trust into the open-source projects than I do for any closed source commercial package.
"I'll say it again for the logic-impaired." -- Larry Wall.
Downloaded a moment ago and the package is broken so I reverted to downloading the bloated non-msi executable and it works just fine.
Doesn't anyone actually read the articles anymore? Apache was aware of the issue before ISS posted their advisory.
Giving Apache 24 hours to make a bug fix imposed an unreasonable deadline, and also encouraged the fix to be quick and dirty. Any time code is patched, it could cause other bugs to show, or introduce new ones. Developers need a certain amount of time to do testing once changes are made to make sure they didn't break anything! Kudos to the Apache developers for meeting the deadline, but anti-kudos to (I'm not sure who) those who imposed it.
ISS is full of shit. They have no respect for the way things work. Due to being connected with the security team of my company, I knew about the bug for a few days. And also that the Apache group was working to correct it. But no, the pricks at ISS had to release it with a whopping two-hour notice, and not only that, but they released a broken patch.
And on top of all of that their stock goes up. What a crock of shit.
</rant>
Props to the Apache team for a quick and thorough fix. Now this, THIS is what I call quality control and customer service. This outruns and outguns Microsoft's see no evil, speak no evil policy on security hotfixes. Hands down.
Anyone know the status of mod_ssl for 1.3.26?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
First I must say good work to the Apache team, but we must stop and remind everyone the work is not done. Now this patch needs to be applied to all affected systems; now it is time for the SAs and the whatnot of the world to step up. Let's not forget this fact, because even MS releases patches sooner or later (ok, later), but it seems that many boxes stay affected forever due to bad admining on said MS box(en).
man
No manual entry for
This advisory is for the multi-threaded version of Apache only. So sites running 1.3.x on *nix are unaffected.
Had me worried there for a minute as I admin quite a few of those.
I know I'm going to hell, I'm just trying to get good seats.
Any idea when the fix will be in the woody packages?
I'm not sure, since I don't closely follow CERT myself - but an acquaintance e-mailed me the CERT advisory today and I noticed that the 1.3.x version of Apache it cites is not 1.3.26 - it's 1.3.25:
I noticed that a 1.3.25 doesn't actually exist anywhere ... was there a failed release?
Need I point out my earlier comment? I'll save you the trouble of looking it up:
I believe it was Dark Helmet who once said, "Evil will always triumph because good is dumb." But in the case of software, it's pretty clear that free will always triumph because commercial is dumb. Honestly, software developed out of a desire to:
is simply going to be better software than something that's developed out of the runaway greed rampant in the inferior competition.
Well at least it's only a DoS.
:(
Looks like it's going to be a long night.
Oh sweet. Is this just me, or does 1.3.26 break PHP? I recompiled PHP 4.2.1 from source, but I still get this message when trying to start Apache:
API module structure `php4_module' in file /usr/local/apache/libexec/libphp4.so is garbled - perhaps this is not an Apache module DSO?
I regressed to PHP 4.1.2 (the last version that I used successfully), and as soon as I did that, it worked like a peach. Perhaps it's a PHP problem; I never used PHP 4.2.x with Apache 1.3.24, so I don't know.
Any other /.ers have this experience?
How can you? It's called "A Patchy" server, after all.
--
http://www.aikiweb.com - AikiWeb Aikido Information
Well, I think the 24-hour response time is a good thing. However, to play devil's advocate for a second - if Microsoft had resolved an issue (I know, stop laughing and read on) in 24 hours, would it have been posted on here in this manner?? I suspect it would have had a different slant to it...
I only ask this in light of the fact that ALL software has bugs and issues and exploits, but all software eventually gets patched - I find open source more responsive in some cases and worse in others - it's not a given that something will get fixed faster every time, but on average it is - this is an advantage of open source software for me. The disadvantage of course lies in people who claim open source software never has a bug or exploit at all - all software HAS these things, but some software gets fixed faster than others.
Good one to the apache team.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Um, surely you mean vulnerability ?
My next sig will be ready soon, but subscribers can beat the rush
...to never work during the weekend.
;-)
The weekend is for relaxing
Anyone knows that a real, professional company would sit on the vuln report for a few weeks, until the finder got fed up and went public with it, then they'd complain about irresponsible disclosure and take two weeks to release a fix.
It's at modssl.org. Thanks, Ralph!
-- http://frobnosticate.com
Did anyone else notice that the Makefile is missing from the 1.3.26 release? I can't find it anywhere. I was going to upgrade real quick but this rather important piece of the puzzle is missing.
Vintage computer games and RPG books available. Email me if you're interested.
The original poster probably has very good reasons for using Apache 1.3.
If I take my car to the mechanic for a tune-up, the answer I'm not looking to hear is "Forget about the tune-up. Why don't you just buy a BMW M1?" In the meantime, I've got an otherwise perfectly fine car, just like the original poster likely has a perfectly fine setup (perhaps with apps built and tested under Apache 1.3), and the latest and greatest isn't the answer for them.
Easy does it!
if Microsoft had resolved an issue (i know stop laughing and read on) in 24 hours would it have been posted on here in this manner?? I suspect it would have had a different slant to it
Considering it took something over three days before a search for Code Red on microsoft.com returned anything when microsoft apparently already had a patch for a couple of weeks, methinks the slant would be incredulity.
ALL software has bugs and issues and exploits
Agreed, with the possible exception of some stuff by Donald Knuth.
but all software eventually gets patched
Nope. dBASE5 for DOS has a serious bug which will never be patched. (Under certain conditions, "reading" a file will cause the initial 6 bytes of several other files to be rewritten with stale cached data. Ugly.)
I just followed the links, and, if I'm not crazy, you can now run 2.0.x on Windows 98...
Any verification of this?
(It's not for me - it's for a guy I support... I'm running off of OpenBSD myself)
guns kill people like spoons make Rosie O'Donnell fat.
It's there now. Make sure you reload the page.
I'm already running it in our staging environment, to test it before loading the whole kit-and-caboodle to our production servers.
You can accomplish anything you set your mind to. The impossible just takes a little longer.