Slashdot Mirror
Apache 2.0.44 Released
rbowen writes "The Apache Software Foundation is pleased to announce the release of Apache 2.0.44, which addresses a number of security issues. Download it from your favorite mirror." Rich notes that it fixes some important security problems (under Windows) for the Windows version. Also interesting is that now there truly is a split between a development and regular releases, adopting the Linux kernel model, with 2.1 being the dev Apache tree and 2.0 being the release tree.
- Use the mirrors!
- Why do you guys post every single minor release?
- Damn, I just loaded 2.0.x! Stop updating the software so fast!
- I'm still using 1.9.x.
- I just downloaded it. Now what?
Ad nauseum.
"Rich notes that it fixes some important security problems (under Windows) for the Windows version"
I fixed that server security problem a long time ago...I just moved my Windows server from underneath the window to the rack beside the window.
Better than a poke in the eye? Two in the bush? Using a bloke manually replying to all server requests?
Charts showing the differences between apache 1.x and 2.x.
Actually a great article as a whole
new features
--
the strongest word is still the word "free"
Try to crack mine then.
The IP is 207.46.248.109
Heck, we'd use it....
If mod_perl 2.0 was released....
-- Spankmeister General
This may be an issue of not being able to see the forest from the trees, and everyone that knows apache, knows what version they need for their server, so may not be the best bet for noobs.
But then again they may want all noobs to download the 2.x version, so the use of "best available" might be their marketing.
We do on several of our servers. The main reason is that it's much, much easier to build an Apache server with SSL support on Apache 2 than it is on Apache 1.x, particularly if you're adding additional modules on top.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
All this is answered here...
.14? .15?, can't remember exactly).
Apache 2.0... has new features built into it, however, it is still relatively new. And some bugs are still lying around here and there. I reverted to 1.3 because of serious bugs in the PHP module (in version 2.0.1x,
Apache 1.3... is "old", but has built a solid userbase because of this age factor. It is also proven reliable and stable code.
Welley Corporation - SLM Scammers
The IP is 207.46.248.109
I was going to mod this up as +1 Funny, but I was afraid that nobody would "get it." So, here's the reverse dns lookup so everybody understands.
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
I've used apache 2.0, and it's great and all, but I ain't switching over until the PHP folks say that the PHP-apache-2 module is good to go.
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
2.x
- 1.x
-----
1.0
Duh.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
php 4.3.0 is running slick on my 2.0.43 apache install.
Jeremy
I was quite excited with 2.0.43 but ended up back at 1.3.27 because PHP 4.2.3 (haven't tried 4.3.0 yet) made Apache unstable, specifically when calling an 'apachectl restart' which made my pager go off due to the server segfaulting at 4am during logrotate. In my testing, it was PHP that caused this instability.
Also, with 2.0.43 I couldn't get it to build with anything but the OpenSSL package, which on my box was 0.9.6b (hole!) but I couldn't get it for the life of me to look at an alternate install of 0.9.6h.
2.0.44 will perhaps fix these problems.
Some people take their .sig way too seriously
If you are willing to use a non-free solution like IIS, then a non-free product based upon Apache that provides SSL should be attractive to you. I am referring to IHS (IBM HTTP Server) which is a value added (to Apache) product from IBM.
There is no such thing as luck. Luck is nothing but an absence of bad luck.
from the post: it fixes some important security problems (under Windows) for the Windows version.
I wonder... does this mean there are some security problems left in the Windows Version under OSes other than Windows?
my
I have a mini-howto on Apache 2.x and PHP 4 at http://dan.drydog.com/apache2php.html As for the new 2.0.x stable series--that's great news. What it means is "no more recompiling modules between minor releases."
Um... you've been gravely misinformed. Microsoft DOESN'T work fine. Really. As a netadmin/webmaster myself, I shouldn't have to worry about BSODs, frozen boxes, vulnerabilities and the like. With M$, I would have to worry about that all the time, rather than when a security patch is out (you know, the ones that don't replace your config when you implement them?). The truth of the matter is, I NEED APACHE.
Support Israeli punk bands. Man Alive.
There are no issues with SSL and Apache for windows. Apache(binary) for win32 does not come compiled with SSL due to some confusion with strong crypto laws. You can compile Apache with SSL integrated by downloading the source and using VC++. And IIRC, there is already a binary in the contrib dir on openssl.org.
I'd wait to upgrade, because it looks like version 2.0.45 will be out early next week. There are a couple of silly problems that were introduced into this release that need to be fixed.
v &m =104321038630487&w=2
http://marc.theaimsgroup.com/?l=apache-httpd-de
IANAAD (I am not an Apache developer), so don't kill me if I'm wrong, but that's what I read from the mailing list...
Actually, the issues they have under Windows are legal and nothing else. In fact, it works just great (if you don't believe me, compile Apache with SSL under Windows (you'll need Visual C++ 5 and up)... Apache Software Foundation even gives you detailed instructions on how to do it!)!
Since Apache 2.0.x is the first version of Apache for Windows that is largely considered a Production release they are debating the legal issues of releasing a BINARY version of Apache 2.0.x for Win32 compiled with OpenSSL libraries. This is especially the case since they are not SELLING the software to do it, so they can not really control who would use it. They will figure something out, but in the meantime, do not release it in their binaries.
As a matter of fact, Apache 2.0.4x Win32 can easily be setup to use OpenSSL and ModSSL! This is thoroughly explained at this web site. It even explains to you where to get binary distributions of it (not directly from Apache as discussed above).
In fact, on a single Pentium II or III with Win2k (even workstation) you have plenty of horsepower to use SSL and Apache 2.0.x. I would like to mention a couple of things, I use it in an academic environment and it has been running stable and secure for almost half a year now.
It has a commercial SSL certificate on it. Apache 2.0.x on Win32 is quite a bit tricky to get your private key and public certificate to work if it is PEM encoded. If it is not PEM encoded, it is a snap! That right there is one thing that can save you hours of head banging on wall! Make sure your key and certificate after you've received them are not PEM encoded for less aggravation. You can always run them through (at least the cert) OpenSSL to remove the encoding.
Also, your certificate chain must be put together the right way, but you should get instructions for that from your certificate authority.
I agree, Apache on Win32 is a much better choice than IIS. IIS can be a relatively secure product if administered properly. There are, of course, numerous security holes that have been publicized, and it should be mentioned that most were left open by the administrators who should have known better. They got IIS to work and didn't bother with security! Most of the reasons to NOT use IIS are the fact that you need at least NT Server 4, 5, 6, etc. (the workstation version of IIS is too limited for production usage) and the steep licensing that costs, and the fact that it has much more features than 99.9% of websites will need!
Apache, on the other hand, gives you a relatively secure environment from the get-go that makes you ADD the features you need. After working with Apache it should become apparent that this is clearly the way to go. Intelligent administration of servers can really make almost any modern OS relatively secure. Perhaps if Apache on Win32 catches on it may encite people to port more great open source server software to natively run on Win32 as Apache does (does not use Cygwin... though you CAN of couse, use the Cygwin version of Apache which won't perform as well as the Native Win32 version does). Plus, Apache can run just fine on NT workstation (saving plenty of money on the NT server licenses)!
Interestingly enough, Apache Win32 in our setup outperforms other departments at our institution using IIS on Win32! Perhaps benchmarks in this area should be publicized a bit more!
-Joe
If we're all god's children, what's so special about Jesus? - Jimmy Carr
...You'll need this patch. A bit of a glitch, now solved.
You're a pretty crappy admin then.
I run Apache 1.3.26 on Windows 2K and have been for the past 2 years. The only time a BSOD happened was when the HD cable came loose from all the heating and cooling. I had my server running 100% for 46 days and only rebooted because I was trying out some new SMTP (not MS) software which turned out to be complete and utter crap and a wasted reboot. It's now been going again for 15 days without a single issue. I've never had a Windows issue. On average I do a reboot once a month for software updates or whatever but never because I have to.
If your Windows machine has issues it's because your hardware is crap or you've loaded crappy software/drivers on it. I have 4 Win2K machines of various configurations that never have issues.
If you have security issues it's because you havn't clued into the fact that MS doesn't include much of a firewall. I have no security issues because I have an excellent hardware solution. There are plenty of excellent software solutions like ZoneAlarm.
If you're actually a netadmin/webmaster worth their salt I'm wondering why in the world you'd have security issues with any OS. Are you plugging the line directly into the computer? And if so, what do you expect? I wouldn't put Linux right on the wire either.
IIS has known exploits and if you're actually worth your salt you'd know how to prevent them from being used. If you NEED APACHE then you probably have no idea how to deal with and correct security issues. I like Apache because it's simple and effective.
On topic, I'll care about Apache 2.whatever when PHP is no longer broken. Apache 1.3.x is kinda the old reliable. Until 2.x can match it, there's no real burning need to upgrade.
Ben
Work Safe Porn
This is excellent news for Windows users who wish to run Apache 2 from their systems. For ages, it seems, Apache 2 had a security issue under Windows XP that would not allow it to run properly under the OS. Only users wh ohad registered with Microsfot online could download the special patches that fixed these problems.
Now Apache 2 has worked around these issues while also improving security. Halleluia, I say. I can get rid of my old Linux server now and cannabalize the spare parts to augment my current XP server.
Your statement is so dumb and stupid, I don't know where to begin debunking it.
Almost every statement is a generalization.
"The sky is blue" - but not when it's cloudy or at night.
"This item costs x$" - but not if you add in taxes, transportation to get to the store.
"My table is flat" - but not if you take into account the small inperfections on the wodden surface and the tiny tilt it sure has.
"Windows is a security nightmare" - but not if you spend day and night securing the computer, maintaining virus-scanners and install and test all patches.
The ability to generalize is a basic ability of a thinking being.
P.S.: Seriously, why should anybody want to use Windows as a webserver? The only reason I can think of is when you are locked into MS-only technology like ASP which rules out Apache anyway. So why? Just because the computer came with Windows? Because Bill Gates tells you?