Apache 2.0.44 Released
rbowen writes "The Apache Software Foundation is pleased to announce the release of Apache 2.0.44, which addresses a number of security issues. Download it from your favorite mirror." Rich notes that it fixes some important security problems (under Windows) for the Windows version. Also interesting is that now there truly is a split between development and regular releases, adopting the Linux kernel model, with 2.1 being the dev Apache tree and 2.0 being the release tree.
I've been noticing that Apache doesn't make news anymore--at least on Slashdot, but to be fair I think it's because Apache is so stable (in the 1.3.x series, especially) people don't even think about it anymore. Good job, Apache Foundation!
-- @rjamestaylor on Ello
The biggest security problem with running Apache on Windows is Windows. Anyone who uses Windows for a server deserves what happens to their server.
Jason
ProfQuotes
They both have to do with running the server on 9x or ME.
Is Apache's security really the problem here?
I have been pwned because my
- Use the mirrors!
- Why do you guys post every single minor release?
- Damn, I just loaded 2.0.x! Stop updating the software so fast!
- I'm still using 1.9.x.
- I just downloaded it. Now what?
Ad nauseam.
Indeed why do we need to have split releases? Why do we need a dev and a release version?
"Rich notes that it fixes some important security problems (under Windows) for the Windows version"
I fixed that server security problem a long time ago...I just moved my Windows server from underneath the window to the rack beside the window.
Better than a poke in the eye? Two in the bush? Using a bloke manually replying to all server requests?
What scares me most about that site is that the content didn't freak me out like it used to.
I don't deal much with Apache. But, I decided to take a look at the download page to get a feel for its usability. What struck me the most was that there seem to be two important versions:
1. "Apache 2.0.44 is the best available version"
2. "Apache 1.3.27 is also available"
Now, don't get me wrong. I know enough to know that keeping around previous versions can be a Good Thing. However, as an outsider, this is confusing. Also, if you care to know, the entire section on verifying the integrity of the files was confusing.
Yes, I understand, I'm not the target audience. But, it still makes me frustrated to know that the Apache download site is mysterious. Just for giggles, take a look at the Windows NT Server download page. It ain't perfect, but at least you don't have to worry about file integrity...
How to Download YouTube Videos
...and how have your experiences with it been?
No one I know has found a compelling reason to switch from Apache 1.
2.x is "better" but no one uses it because the whole internet and its associated apps and modules run on 1.x. Basically 2.x is in a chicken and the egg situation. 2.x IMO is better than 1.x, especially on Windows, but it's going to be a long long time till 2.x installs outpace 1.x installs.
Charts showing the differences between apache 1.x and 2.x.
Actually a great article as a whole
I really dislike that version numbering system. I know it makes development version numbering much easier, etc, but damn. I don't know. To me, a 2.5.35 release should be *better* than a 2.4.20 release (speaking in terms of kernel development now), as opposed to being a bunch of ones and zeroes that don't even include a working IDE driver (to be fair, I'm not sure when in the 2.5 series IDE finally stabilized; I just pulled a number out of the air). But whatever. Just picking some nits...
Al Qaeda has ninjas!
But think about how fun it could be if:
* The computer is in a public place (such as a school library)
* And that JavaScript functions work, like they usually do in school libraries.
Set it up and walk away... then watch the love begin!
Long Overdue. Hopefully more news to come.
I guess without a task manager or "piled" windows on the taskbar, this could be a pretty fun site.
new features
--
the strongest word is still the word "free"
Anybody out there been using Apache 2.x and PHP enough to call it stable in their environment?
Other than huge threading improvements, are there any compelling reasons to switch from 1.3.x to 2.x right now?
No more BSOD or Code Red worries, and I don't have to ship $$$ to Billy G. so he can buy a bigger yacht than that whacko from Oracle...
How do we know it wasn't trojaned via that CVS exploit?
Same goes for the linux kernel and openssh as well.
-Johan
Unfortunately, they still haven't been able to solve the issues with SSL under windows, so the windows release comes without SSL. The effect of this can range from none (lots of sites don't use SSL) to the typical IT-Manager complaint "but we NEED SSL". Unfortunately, what they don't realise is that staying with IIS is not the solution.
...
However, I do know of one company (whom my friend's father works for) that decided not to use Apache because they wanted 2.0.?? (because it was the latest release, so there was no way they would consider 1.x) but couldn't live without SSL. Of course they're using IIS on an unpatched WinNT4 box
What Apache needs to become the server of choice in companies like this is an education campaign. If you work at such a company, please tell the people in charge of this stuff about Apache, IIS and general security/stability issues under Windows. Mind you, Apache is still the #1 server around, so it is debatable whether this is a necessary step. But for the sake of secure, stable websites that don't leave your site open wider than a $2 hooker (ie, as wide open as the RIAA) please spread the word about Apache.
And Apache/SSL guys, I'm sure you're working on the issue, so best of luck solving it!
This sig intentionally left bla... dammit!
Who's got the whiteout?
me too.
small world, eh?
--
the strongest word is still the word "free"
Without M$, think of all the trouble prepubescent twerps would get into. They might actually do something like go outside and be - get this - athletic!
This may be an issue of not being able to see the forest from the trees, and everyone that knows apache, knows what version they need for their server, so may not be the best bet for noobs.
But then again they may want all noobs to download the 2.x version, so the use of "best available" might be their marketing.
Oh wait, we don't know that, now do we? M$ code has to be kept secret for reasons of national security (well, that was only said under oath in a court of law, so it might have been wrong...)
Do it every week until their dumbass MCSE's figure out what's going on...
...that Mandrake Linux ships with Apache 1.3.27 and that RedHat ships with Apache 2.0.something. However, RedHat users have reported PHP compatibility problems, especially PHP 4. There have also been issues with SQL and Apache 2.0. I wonder if 2.0.44 fixes these issues.
Find a job you like and you will never work a day in your life.
I've used apache 2.0, and it's great and all, but I ain't switching over until the PHP folks say that the PHP-apache-2 module is good to go.
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
2.x
- 1.x
-----
1.0
Duh.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
I recently made the switch when PHP 4.3.0 was released. No problems as far as I've seen running 2.0.43 with PHP as long as it's built using the default unthreaded model (i.e. same as 1.3).
Jeremy
Err, I've got this "friend" who works at a college library and they have heaps of JavaScript-enabled thin client terminals without a taskbar or task manager accessible from the machines, and he just told me he's gonna give that a shot when he closes up tonight to, you know, give the co-workers a surprise when they switch on the monitors in the morning.
--honest, who doesn't think part of the "monopoly" settlement was uncledotUSsam didn't get to slip in a few zingers? And the code "released" to rooshia ain't the same? It's too juicy a way for the totally invasive association TIA to have ignored.
Hasn't one of the recent controversies on /. been that the Linux kernel does not use Open Source tools (like CVS) for version control, but rather uses BitKeeper instead?
We did that to our manager's laptop at work once. Pulled it up and closed the cover. The funny thing is, his boss borrowed the laptop before he got to work.
but fuck me your sig is lame.
I tried and failed to install Apache 2.x over 1.3 on my Mandrake 9.0 box. Am I that stupid, or is this really that hard?
:)
First one to tell me to go to the Apache forum sites gets a swift kick...that's like going to the dump to look for an old magazine. Far too much material to wade thru...I've tried, so don't get smart
If you are willing to use a non-free solution like IIS, then a non-free product based upon Apache that provides SSL should be attractive to you. I am referring to IHS (IBM HTTP Server) which is a value added (to Apache) product from IBM.
There is no such thing as luck. Luck is nothing but an absence of bad luck.
from the post: it fixes some important security problems (under Windows) for the Windows version.
I wonder... does this mean there are some security problems left in the Windows Version under OSes other than Windows?
my
Because...
Production releases are more
- fully QA'd
- apache is more accountable if something goes wrong
- steady documentation
Dev versions are more
- unstable, they can have serious errors
- experimental, and have features that might be thrown away
- not fully documented, so using the greatest might be hard
- use at your own risk, it is a sandbox for development, not production quality
-
ping -f 255.255.255.255 # if only
True, but I would have thought having dev versions makes more sense for an OS for a home box, where you can play about with it, poke it in a few directions and see what happens.
Whereas Apache is only really useful when it's thrown out into the wild. I don't know, it just seems to make more sense for Linux than Apache.
I have a mini-howto on Apache 2.x and PHP 4 at http://dan.drydog.com/apache2php.html As for the new 2.0.x stable series--that's great news. What it means is "no more recompiling modules between minor releases."
Some moderator blew their whole load on this thread, which was already at 0.
0 is the new -1, you know.
Um... you've been gravely misinformed. Microsoft DOESN'T work fine. Really. As a netadmin/webmaster myself, I shouldn't have to worry about BSODs, frozen boxes, vulnerabilities and the like. With M$, I would have to worry about that all the time, rather than when a security patch is out (you know, the ones that don't replace your config when you implement them?). The truth of the matter is, I NEED APACHE.
Support Israeli punk bands. Man Alive.
Well, what about apache developers? They need a place to test stuff, no? Mind you, developers need a place for their milestones as well, regardless if it is production quality or not. When apache gets up to 2.1.xx, apache foundation will start gamma testing to put these features into 2.2.xx.
-
ping -f 255.255.255.255 # if only
I tried it the other day on Win XP, it seems so sluggish... not the system itself (hardware wise)... Anyone else experience this?
There are no issues with SSL and Apache for windows. Apache(binary) for win32 does not come compiled with SSL due to some confusion with strong crypto laws. You can compile Apache with SSL integrated by downloading the source and using VC++. And IIRC, there is already a binary in the contrib dir on openssl.org.
Stop redirecting the webmaster account on your box to /dev/null. I tried to mail you about a hole on your box last week. Fix it or I'll root you and leave a nice message explaining things on your homepage.
or +1 Spleen Bursting?
Spam removed for the Internet's pleasure
as a professional bank robber, i refuse to let laws dictate how _I_ feed my family.
Actually, the issues they have under Windows are legal and nothing else. In fact, it works just great (if you don't believe me, compile Apache with SSL under Windows (you'll need Visual C++ 5 and up)... Apache Software Foundation even gives you detailed instructions on how to do it!)!
Since Apache 2.0.x is the first version of Apache for Windows that is largely considered a Production release they are debating the legal issues of releasing a BINARY version of Apache 2.0.x for Win32 compiled with OpenSSL libraries. This is especially the case since they are not SELLING the software to do it, so they can not really control who would use it. They will figure something out, but in the meantime, they do not release it in their binaries.
As a matter of fact, Apache 2.0.4x Win32 can easily be set up to use OpenSSL and ModSSL! This is thoroughly explained at this web site. It even explains to you where to get binary distributions of it (not directly from Apache as discussed above).
In fact, on a single Pentium II or III with Win2k (even workstation) you have plenty of horsepower to use SSL and Apache 2.0.x. I would like to mention a couple of things, I use it in an academic environment and it has been running stable and secure for almost half a year now.
It has a commercial SSL certificate on it. Apache 2.0.x on Win32 is quite a bit tricky to get your private key and public certificate to work if it is PEM encoded. If it is not PEM encoded, it is a snap! That right there is one thing that can save you hours of head banging on wall! Make sure your key and certificate after you've received them are not PEM encoded for less aggravation. You can always run them through (at least the cert) OpenSSL to remove the encoding.
Also, your certificate chain must be put together the right way, but you should get instructions for that from your certificate authority.
I agree, Apache on Win32 is a much better choice than IIS. IIS can be a relatively secure product if administered properly. There are, of course, numerous security holes that have been publicized, and it should be mentioned that most were left open by the administrators who should have known better. They got IIS to work and didn't bother with security! Most of the reasons to NOT use IIS are the fact that you need at least NT Server 4, 5, 6, etc. (the workstation version of IIS is too limited for production usage) and the steep licensing that costs, and the fact that it has much more features than 99.9% of websites will need!
Apache, on the other hand, gives you a relatively secure environment from the get-go that makes you ADD the features you need. After working with Apache it should become apparent that this is clearly the way to go. Intelligent administration of servers can really make almost any modern OS relatively secure. Perhaps if Apache on Win32 catches on it may incite people to port more great open source server software to natively run on Win32 as Apache does (does not use Cygwin... though you CAN of course, use the Cygwin version of Apache which won't perform as well as the Native Win32 version does). Plus, Apache can run just fine on NT workstation (saving plenty of money on the NT server licenses)!
Interestingly enough, Apache Win32 in our setup outperforms other departments at our institution using IIS on Win32! Perhaps benchmarks in this area should be publicized a bit more!
-Joe
If we're all god's children, what's so special about Jesus? - Jimmy Carr
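The PEM point in the post above, as an added Python example that is not the poster's or the Apache project's code: it shows what "PEM encoded" actually is (base64 DER between marker lines), converts a key/certificate bundle to DER while checking that no block is truncated, and flags a passphrase-protected key. The sample bundle is constructed with dummy ASN.1 payloads, not a real key or certificate.

```python
import base64
import re
from dataclasses import dataclass

# Added example (not the poster's or Apache's code): what "PEM encoded" means
# for a mod_ssl key/certificate, plus a sanity check of a bundle before httpd
# loads it. CLI equivalent: openssl x509 -in c.pem -outform DER -out c.der

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)"
    r"-----END (?P=label)-----", re.DOTALL)

# Constructed sample: dummy ASN.1 SEQUENCE payloads, not a real key or cert.
SAMPLE_BUNDLE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED

MAYCASoEAf8=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MAYCASoEAf8=
-----END CERTIFICATE-----
"""
# The same dummy certificate with its last three bytes cut off (constructed)
TRUNCATED_CERT = "-----BEGIN CERTIFICATE-----\nMAYCASo=\n-----END CERTIFICATE-----\n"


@dataclass
class PemBlock:
    label: str
    der: bytes
    encrypted: bool  # RFC 1421 "Proc-Type: 4,ENCRYPTED" header was present


def asn1_outer_length(der: bytes) -> int:
    """Total length claimed by the outermost DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der_blocks(text: str) -> list:
    """Split a PEM bundle (key, cert, chain) into validated DER blocks."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        lines = m.group("body").splitlines()
        headers = []
        while lines and ":" in lines[0]:  # optional "Name: value" headers
            headers.append(lines.pop(0))
        encrypted = any(h.startswith("Proc-Type") and "ENCRYPTED" in h
                        for h in headers)
        der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        if asn1_outer_length(der) != len(der):
            raise ValueError(f"{m.group('label')}: truncated or padded DER")
        blocks.append(PemBlock(m.group("label"), der, encrypted))
    return blocks


def check_bundle(text: str) -> dict:
    """Count certificates and keys and flag a common start-up pitfall."""
    report = {"certificates": 0, "keys": 0, "warnings": []}
    for b in pem_to_der_blocks(text):
        if b.label == "CERTIFICATE":
            report["certificates"] += 1
        elif b.label.endswith("PRIVATE KEY"):
            report["keys"] += 1
            if b.encrypted:
                report["warnings"].append("encrypted private key: httpd needs "
                                          "the passphrase at start-up")
    return report
```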
...You'll need this patch. A bit of a glitch, now solved.
Please, let me know how long will take to download this?
Any admin worth his or her salt would dance naked for Gates' amusement before using an Apache binary from a distribution.
So much speed and security issues can be decided upon in the compilation stage of Apache...
If you're just playing around with a webserver, maybe a binary is fine. If you're actually serving pages, do yourself a favor and look into compiling it yourself. It does look daunting at first (especially to 'newbies' - there's a metric assload of options to choose from!), but it's definitely worth it in the end.
You're a pretty crappy admin then.
I run Apache 1.3.26 on Windows 2K and have been for the past 2 years. The only time a BSOD happened was when the HD cable came loose from all the heating and cooling. I had my server running 100% for 46 days and only rebooted because I was trying out some new SMTP (not MS) software which turned out to be complete and utter crap and a wasted reboot. It's now been going again for 15 days without a single issue. I've never had a Windows issue. On average I do a reboot once a month for software updates or whatever but never because I have to.
If your Windows machine has issues it's because your hardware is crap or you've loaded crappy software/drivers on it. I have 4 Win2K machines of various configurations that never have issues.
If you have security issues it's because you haven't clued into the fact that MS doesn't include much of a firewall. I have no security issues because I have an excellent hardware solution. There are plenty of excellent software solutions like ZoneAlarm.
If you're actually a netadmin/webmaster worth their salt I'm wondering why in the world you'd have security issues with any OS. Are you plugging the line directly into the computer? And if so, what do you expect? I wouldn't put Linux right on the wire either.
IIS has known exploits and if you're actually worth your salt you'd know how to prevent them from being used. If you NEED APACHE then you probably have no idea how to deal with and correct security issues. I like Apache because it's simple and effective.
On topic, I'll care about Apache 2.whatever when PHP is no longer broken. Apache 1.3.x is kinda the old reliable. Until 2.x can match it, there's no real burning need to upgrade.
Ben
Work Safe Porn
"Also, remember that there's hundreds of Unix vulnerabilities every week."
Interesting. Can you explain this?
If we include all the crappy applications programmed by idiots who don't have a clue, then, sure.
However, if we don't consider the root exploit in pr0nv13w v 2.23-15.36a-bcdefg1224 a 'Unix vulnerability' (or 'Linux', 'BSD', etc.), surely, a hole in IIS isn't a 'Windows' vulnerability.
Bah, it's two in the morning
In short, I spend a lot less time with Windows update than I do patching my damned Linux box.
Oh, look - *another* glib update!
> I had my server running 100% for 46 days and only rebooted because I was trying out some new SMTP (not MS) software which turned out to be complete and utter crap and a wasted reboot.
Erm, can you explain why you would need to reboot your box after installing a piece of software? I only reboot my *nix boxes when I upgrade the hardware, not when I install software/change server settings/change display resolution/move the mouse/etc.
Windows sounds pretty fucking lame to me.
Reverse Proxy/load balancer, Http/Https, very small, tight code, minimises security risks. No matter what web server you're using, this should solve most of your security problems.
It's a world of laughter
A world of tears
It's a world of hopes
And a world of fears
There's so much that we share
That it's time we're aware
It's a small world after all
There is just one moon
And one golden sun
And a smile means
Friendship to ev'ryone
Though the mountains divide
And the oceans are wide
It's a small world after all
It's a small world after all
It's a small world after all
It's a small world after all
It's a small, small world
Well, I did not know that it was officially named "The linux kernel model". Or maybe it was just that the slashdot people have a need to get the word "linux" to as many news headers as possible. Don't tell me you haven't noticed?
Anybody have perchild_mpm working OK? I've seen in the announcement that some perchild_mpm problems had been fixed but looking at the sources I guess that it's still in the experimental zone.
Be careful with upgrading to 2.0.44 for some people report big problems with the new version. See this and this thread on google groups for reference.
Cheers!
IIS has known exploits and if you're actually worth your salt you'd know how to prevent them from being used. If you NEED APACHE then you probably have no idea how to deal with and correct security issues...
...or you want people from the outside world to be able to access your web server.
I think it is time for the Foundation to maybe ramp up the development of the PHP module. 2.x has been out for quite awhile now, but there has not been any mass changing probably due to this fact. I have tried 2.x but couldn't get PHP to be stable enough for production so I had to go back to 1.x. Given the fact that PHP usage is still growing by leaps and bounds, you'd think Apache would want to really highlight the performance of 2.x by getting on the ball.
This is excellent news for Windows users who wish to run Apache 2 from their systems. For ages, it seems, Apache 2 had a security issue under Windows XP that would not allow it to run properly under the OS. Only users who had registered with Microsoft online could download the special patches that fixed these problems.
Now Apache 2 has worked around these issues while also improving security. Hallelujah, I say. I can get rid of my old Linux server now and cannibalize the spare parts to augment my current XP server.
OK, just to all the other /.ers that might read, I KNOW YOU'RE BULLSHITTING ME. You're most likely some script kiddie out in the middle of nowhere posting on /. because you think it's cool. Here's why I know you're bullshitting me. You said in the beginning of your post "I had my server running 100% for 46 days and only rebooted because I was trying out some new SMTP (not MS) software which turned out to be complete and utter crap and a wasted reboot." and then later wrote "On average I do a reboot once a month for software updates or whatever but never because I have to." If you stick to a monthly schedule, how can you have a 46 day run (with crappy software like that, but that's beside the point)? YOU are not worth your salt, any way you take that lie.
Support Israeli punk bands. Man Alive.
hahaha you just got your butt kicked. I love it when this kind of shit happens.
The example I know about is PHP. Every time an Apache 2.0.x came out, PHP was broken (wouldn't compile) and I'd have to wait for a new PHP version that would handle the new or modified API. With this release I didn't even have to recompile and the existing PHP worked with Apache 2.0.x. Yeah!!!!!
I'm running RedHat 8.0 which has Apache 2.0.40 and PHP 4.2.2 running on it. I'm also running MySQL 3.23.52. Now, I get very very few connections to my webserver, but I do a bit of PHP coding which uses the MySQL database and it runs fine, even when I look at my PHP scripts/pages remotely. So, yeah, my Apache 2 HTTP server works fine with PHP and MySQL - damn stable (but it doesn't get much load at all).
Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".
While that is quite an accomplishment, it's nothing for a Unix server to have that kind of uptime.
However, you almost certainly ran a security risk by keeping IIS up that long. I have Win2K pro on my desktop, and with Windows Update pulling down security updates automatically, I certainly don't remember a period where 46 days went by without a security flaw - that needed to be patched - that required a reboot.
If you're keeping your server patched you're really looking at a week's uptime between reboots, on average.
It's more stable than Win9x to be sure, but that's not saying much. Windows still has a long way to go before it really makes a decent server.
No, Thursday's out. How about never - is never good for you?
Ummmm.......
9:46pm up 139 days, 7:28, 1 user, load average: 20.06, 9.23, 6.47
It would have been up longer except my power failed - blown transformer (nice lightshow, so it wasn't a complete loss).
[Of course it's client-server; it runs on a LAN]
doh..... a really long day....
;-)
It's a linux box... RH, specifically...easy with the comments
[Of course it's client-server; it runs on a LAN]
You reboot once a month to do some software updates? I only reboot when I upgrade the kernel to my operating system. (Like once every 6 months to a year.)
Software updates on a Real Operating System don't need a reboot.
I actually run apache. I was trying to be sarcastic :-p
Of course, no matter how well Apache runs on NT Workstation, you're still artificially restricted to 10 concurrent inbound connections, as that's hard-coded into the Workstation versions of NT, 2000, and XP (I think).