Apache 2.0 Cross-site Scripting Vulnerability

jimmy writes ""A vulnerability exists in the SSI error pages of Apache 2.0 that involves incorrect filtering of server signature data. The vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host." This Cross site scripting (or XSS) hole has been found in all versions of apache prior to 2.0.43. The advisory can be found here and users are urged to upgrade to address this problem."

Re:This is why I am holding off on upgrading to 2.

[stefanlasiewski]

(At home, I'm also using it to test svn . svn has alot of potential.)

It's partially the modules (We use ATG Dynamo, and they have not yet updated their connection module to work with 2.0).

It also has alot to do with my belief that the numbering system is a representation of maturity, and mature products have better performance, stability then the younger branches. Recent releases have more bugs then mature releases.

Our production system needs to be rock solid, we don't want to use these systems to test some newfangled Apache feature. Our Apache 1.3.26 servers never, ever crash.

It's my belief that the Apache 2.0 branch will have more bugs and performance issues then the 1.3.x branch. I don't have alot of hard data to support this belief,

Apache 1.3.26 is way more stable then Apache 1.0.

Remember how unstable Gnome 1.0 or linux-kernel 2.0 was? Over time, the bugs present in 1.0 or kernel 2.0 have been resolved, and as a result, we have Gnome 1.4 and kernel 2.4, two very good products.

For instance, look at Gnome 1.0 vs Gnome 1.2+ ; or linux-kernel 2.0 vs 2.4.

Likewise, Apache 2.1.0 will be faster, more stable and will have more useful features then the 2.0 branch.

As a side effect of the new features, 2.1.0 will introduce some bugs which were not present in the 2.0.43 series. Most of those bugs will be resolved once the developers, users and bug stompers have had sufficient time to find and patch bugs, around 2.1.5 or so.

Dot zero is NOT for everyone!!

[aphor]

I don't understand why people are whining about Apache 2.0 being shunned by the masses. Running a DOT ZERO version means LOTS OF PATCHES. If you can't easily recompile and move on (like your site depends on changing interfaces/features/bugs) then dot zero is not for you.

This isn't a chink in Apache's gleaming armor. Its free software. The process is just plain old programming and software evolution. Dot zero is for people of the bleeding edge. Not all websites qualify. The Apache way is a superior way to the IIS way. Other ways may be just dandy also. Problems with Apache 2.0 are no indication on that issue as long as they are.