Apache 1.3.26 and 2.0.39 Released

← Back to Stories (view on slashdot.org)

Apache 1.3.26 and 2.0.39 Released

Posted by krow on Tuesday June 18, 2002 @11:45AM from the would-you-like-fries-with-that dept.

cliffwoolley writes "The Apache Software Foundation has released new versions of both Apache 1.3 and 2.0. These versions are both security and bug-fix releases. They address and fix the issues noted in CAN-2002-0392 [CERT VU#944335] regarding a vulnerability in the handling of chunked transfer encoding. You can download the new releases here." This of course is for the exploit that we reported yesterday. It is hard to complain about a 24-hour response time for a bug.

17 of 138 comments (clear)

24 is nice... by jeffy124 · 2002-06-18 11:52 · Score: 5, Insightful

... but it certainly would've been better if ISS had allowed it, or even writeup a proper patch or give the right info on who's vulnerable.

Personally, their argument about not contacting the Apache Foundation because some of them work for Red Hat is complete bullshit, plus the fact that they could've contacted CERT about it instead. CERT would've made sure RH didnt take credit, since that's among ISS's fears, and also would've told them that the issue was known and being worked on.

--
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Complaints Timescale by 4of12 · 2002-06-18 12:00 · Score: 5, Insightful

It is hard to complain about a 24-hour response time for a bug.

No, it's not:)

Seriously, though, it's a pretty impressive turn around time and should give some credence to those of us making arguments that the support is really there for open source projects like Apache, even though there's no "1-800-HELPME" number nor an expensive maintenance and support agreement.

--
"Provided by the management for your protection."
1. Re:Complaints Timescale by 4of12 · 2002-06-18 12:53 · Score: 5, Funny
  
  just type it in a search engine...
  
  What are you asking, man! I'd have to learn how to read, write and think to do that.
  
  Can't I just get a warm fuzzy feeling by buying a large support agreement from Microsoft?
  
  Besides, I'll be among a large herd of IIS users - who could possibly know and want to `sploit me with Code Red?
  
  Most buyers at my site are using fradulent credit card numbers anyway, so if the database gets owned it's not all that big a deal.
  
  --
  "Provided by the management for your protection."
24 Hour Response Time by PeekabooCaribou · 2002-06-18 12:09 · Score: 4, Insightful

It is hard to complain about a 24-hour response time for a bug.

I think this is the real advantage of OSS. It's people that make Apache, not some group of nameless programmers in a high-rise somewhere. The Apache programmers use Apache on a daily basis, so they stand to gain just as much as the rest of us do by releasing a quick fix. I honestly think they care about making it a good, bug-free product. I put much more trust into the open-source projects than I do for any closed source commercial package.

--
"I'll say it again for the logic-impaired." -- Larry Wall.
Win32 MSI Installer Broken by tyrione · 2002-06-18 12:52 · Score: 3, Informative

Downloaded a moment ago and the package is broken so I reverted to downloading the bloated non-msi executable and it works just fine.
Folks at ISS by Anonymous Coward · 2002-06-18 14:21 · Score: 5, Insightful

ISS is full of shit. They have no respect for the way things work. Due to being connected with the security team of my company, I knew about the bug for a few days. And also that the Apache group was working to correct it. But not, the pricks at ISS had to release it with a whopping two hour notice, not only that but they released a broken patch.

And on top of all of that their stock goes up. What a crock of shit.
</rant>
mod_ssl? by Phroggy · 2002-06-18 14:34 · Score: 3, Interesting

Anyone know the status of mod_ssl for 1.3.26?

--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
1. Re:mod_ssl? by jonabbey · 2002-06-18 14:54 · Score: 5, Informative
  
  mod_ssl is baked into the Apache releases 2.0.35 and later, and is _far_ easier to compile and install than the old Apache 1.3 + external mod_ssl was.
  
  Get to Apache 2.0.x when you can.
  
  --
  - jon
  
  Ganymede, a GPL'ed metadirectory for UNIX
2. Re:mod_ssl? by accessdeniednsp · 2002-06-18 15:27 · Score: 3, Informative
  
  Argh..I posted a comment but it was replied to the wrong thread by accident. Crap.. Anyway, here's what I had to say. Hope it helps. (I hope I'm not going to get flamed for anything on this but I probably will).
  
  Me and woolley chatted on irc tonite and i verified his patch [theaimsgroup.com] does indeed work. You will have to manually adjust apache_1.3.26/src/ap/Makefile.tmpl to add the three object files to line 7:
  
  ap_hook.o ap_ctx.o ap_mm.o
  
  The patch will cause a rejection due to modifications between 1.3.24 and 1.3.26 to the file.
  
  The patch applies to apache-1.3.24, btw. And be sure to use mod_ssl-2.8.8-1.3.24 and add --force on the mod_ssl configure line.
  
  Woolley's patch works great.
*NIX is in the clear. by red5 · 2002-06-18 14:54 · Score: 3, Insightful

This advisory is for the multi-threaded version on apache only. So sites running 1.3.x on *nix are unaffected.

Had me worried there for a minute as I admin quite a few of those.

--
I know I'm going to hell, I'm just trying to get good seats.
CERT got it slightly wrong? by Jobe_br · 2002-06-18 15:03 · Score: 3, Interesting

I'm not sure, since I don't closely follow CERT myself - but an acquaintance e-mailed me the CERT advisory today and I noticed that the 1.3.x version of apache it cites is not 1.3.26 - its 1.3.25:
Upgrade to the latest version
The Apache Software Foundation has released two new versions of Apache that correct this vulnerability. System administrators can prevent the vulnerability from being exploited by upgrading to Apache version 1.3.25 or 2.0.39.

I noticed that a 1.3.25 doesn't actually exist anywhere ... was there a failed release?
See, I told you so. by rice_burners_suck · 2002-06-18 15:11 · Score: 5, Interesting
Need I point out my earlier comment? I'll save you the trouble of looking it up:
I have to say, the Apache web server is quite a high quality piece of work. The fact that an obscure security issue has been found is a good sign that developers and users are on top of things in the constant struggle against remote exploiters.

I am confident that a fix will be available very shortly. Serious sysadmins will have their servers patched sooner than any serious damage takes place. I don't have the same confidence when it comes to Microsoft's products.

I believe it was Dark Helmet who once said, "Evil will always triumph because good is dumb." But in the case of software, it's pretty clear that free will always triumph because commercial is dumb. Honestly, software developed out of a desire to:
- Learn,
- Do good,
- Have fun in the process...
is simply going to be better software than something that's developed out of the runaway greed rampant in the inferior competition.
FUD by Vainglorious+Coward · 2002-06-18 17:14 · Score: 5, Informative

This of course is for the exploit that we reported yesterday

Um, surely you mean vulnerability ?

--
My next sig will be ready soon, but subscribers can beat the rush
Re:24 Hours - unreasonable and dangerous by buffy · 2002-06-18 17:56 · Score: 5, Insightful

Givng Apache 24 hours to make a bug fix imposed an unreasonable deadline, and also encouraged the fix to be quick and dirty. Any time code is patched, it could cause other bugs to show, or introduce new ones. Developers need a certain amount of time to do testing once changes are made to make sure they didn't break anything! Kudos to the apache developers for meeting the deadline, but anti-kudos to (i'm not sure who) those imposed it.
You kind-of missed how this went down. Nobody "imposed" a 24-hour window for the bug to be fixed. Had IIS not been a bunch of boneheads and prematurely (as in ejaculation) released information regarding the vulnerability, the programmers involved could've taken a little bit more time to develop the fix, ensuring better quality.
The commendations re: the 24-hour turn around is simply referencing the ability of a lose-knit group of open source programmers to rapidly respond to a bad situation. Had Microsoft been in the same spot (they have been before--people have screwed them, too--and they most certainly will be again) it still would've taken them a lot longer to kick out the fix, and even longer to get it into their distribution channels.
That will teach you... by mikolajl · 2002-06-18 21:05 · Score: 3, Insightful

...to never work during the weekend.

The weekend is for relaxing ;-)
Actually... by SuiteSisterMary · 2002-06-19 02:31 · Score: 3, Insightful

It is hard to complain about a 24-hour response time for a bug.
Actually, it's easy. Watch. Gee, I wonder what sort of regression testing they did. Or anything along the lines of QA, other than 'it compiles with only warnings.'

--
Vintage computer games and RPG books available. Email me if you're interested.
How is that insightful? by dave-fu · 2002-06-19 02:36 · Score: 3, Insightful

They original poster probably has very good reasons for using Apache 1.3.
If I take my car to the mechanic for a tune-up, the answer I'm not looking to hear is "forget about the tune-up. why don't you just buy a BMW M1?". In the meantime, I've got an otherwise perfectly fine car just like the original poster likely has a perfectly fine setup (perhaps with apps built and tested under Apache 1.3) and the latest and greatest isn't the answer for them.

--
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.