Apache 2.0.45 Released

thx2001r writes "Well, it's no longer April 1st across the contiguous United States, so the coast is clear to say Apache 2.0.45 is released. This version contains two important security fixes and a number of bug fixes. The security fixes affect all platforms and versions of Apache 2.0.x up until this update with some special caveats for the 2.0.45 OS/2 release. It looks like the first security vulnerability addressed in this eighth public release of the Apache 2.0.x series is having its details witheld until April 8th. This is being called "a significant Denial of Service vulnerability" for Apache 2.0.x by the ASF."

Soo... When can NT users use this?

[Eneff]

I mean, when will SSL support be ported for Apache 2?

Last time I tried to compile SSL support from scratch it was a nightmare of errors...

Re:Soo... When can NT users use this?

[rdieter]

when will SSL support be ported for Apache 2?

FYI, SSL support is builtin (apache.org) now.

Re:Soo... When can NT users use this?

[thx2001r]

Well, I've been using Apache 2.0.x Mod_SSL OpenSSL since, Apache 2.0.35, on Windows NT 5 (Win2k). Get a compiler the instructions are available publicly.

The only reason it is not pre-compiled for binary release (win32) with OpenSSL by Apache Group is legal concerns over strong encryption:

"This version is only available at present in a -no_ssl flavor, due to ongoing questions of strong crypto redistribution. When a binary build with mod_ssl compiled in is made available, the -no_ssl flavor will remain as an option for those in jurisdictions that restrict ssl encryption, as well as those T8 prohibited from downloading from the ASF's US-based servers." Source:

Apache 2.0.44 and the latest OpenSSL 0.9.7a were, well, a bit of a challenge to compile, but it's done (and that was mostly to do with OpenSSL 0.9.7a). Now on to 2.0.45!

Re:Soo... When can NT users use this?

[thx2001r]

Update: In Win32, the compiled 2.0.44 mod_ssl.so (DSO) works just fine with the Apache Group 2.0.45 MSI installer package. Just add the DSO, your conf file(s), OpenSSL keys, and you're good to go!

Looks like the API is actually remaining stable (as advertised) at least in Win32, in mod_ssl! Way to go Apache Group!!!

PHP4 with Apache2?

[shagymoe]

Anyone know if it is safe to stick my php4 toe in the Apache2 water? I've heard some bad stories about php4 with Apache2 so I'm sticking with 1.3.27 right now with php4.3.1.

Re:PHP4 with Apache2?

[bodgit]

I've been running PHP 4.2.3 with Apache 2.0.43+ and there haven't been any problems so far. I've kept the PHP options to a minimum to get Horde/Imp working, so there may be some adventurous settings that will still cause problems.

Re:PHP4 with Apache2?

[Malcolm+Scott]

I've been using Apache 2.0.44 with PHP 4.3.1 for a while on a Gentoo-based server, and I've had no problem at all. Works like a treat.

The PHP team needed to do a bit of code tweaking to make PHP fit into the Apache 2 module format (APXS2) - so initially, as you say, PHP support for Apache 2 was very bad/nonexistant. But that work has been completed AFAIK, so any recent PHP version should work fine with Apache 2.

Re:PHP4 with Apache2?

Apache 2.0.44 with PHP 4.3.0 running great on my OpenBSD 3.2 box. I'm sure this new release will fix any problems that most people had with PHP with Apache. Goodluck! :)

Re:PHP4 with Apache2?

[Bobulusman]

I'm running Apache 2.0.44 w/ PHP 4.3.0 on Windows XP Pro and have not had any problems. with it. When I first set it up, I had some random crashes, but that turned out to be my software firewall. Since I've uninstalled it, no problems.

Re:PHP4 with Apache2?

[Mitchell+Mebane]

Actually, yes. mod_php even works quite well. Been running our company web server on Apache2/PHP4/mod_php for a little over a year now, with _zero_ problems. Current setup is Apache 2.0.44/PHP4.3.1/mod_php.

Re:PHP4 with Apache2?

[Gambit-x7x]

It's fine... i have been using php4.x(aip) and Apache2.x for half a year now on multiple OS(RH8, winXP(home), win2k(Server))... works like a charm.... ocazinal problem if you like me DLing the lates versions... the configuration use to be triky but now they got it worked out...

PHP4 with Apache2: YES!

[dananderson]

Most problems seem to be caused by those who use the Apache MT model with thread-unsafe libraries that PHP may link in.

Stick with the classic (Apache 1.x) prefork MPM model and you'll be a lot safer. YMMV.

I have a writeup on using PHP with Apache 2 at http://dan.drydog.com/apache2php.html

When they bring it down

[milosoftware]

Hmm, just a DOS vulnerability.

To upgrade my 2.0.44 box, I'll have to bring it down... So it's better to wait for the first attack and when it stops, upgrade it. It will be down only once then.

Maybe i'll compile the 45 version, and install it automatically when the current httpd exits...

Damnit!

Damnit, are there API changes again? My mod_ssl from 2.0.44 doesn't work, do I have to compile the damn thing all over again? It was SUCH a bitch last time, I'm will not be happy if I have to do it again.

Init: Session Cache is not configured [hint: SSLSessionCache]

What? I have the same config and SSL libs as I did on 2.0.44, everything else is 2.0.45, ARGHHHH!

Re:Damnit!

[thx2001r]

Actually (and an update from previous post),

I used the compiled mod_ssl from 2.0.44 on 2.0.45... this is on the Win2k Apache. In this case, mod_ssl 2.0.44 openssl 0.9.7a win32.

It looks like the modules really DON'T have to be recompiled all the time... hopefully, the vulnerabilities don't extend to the mod_ssl 2.0.44 code as well... sigh.

Re:Damnit!

Of course mod_ssl needs upgrading... you've
paid attention the security bulletins at http://www.openssl.org/ ... right???

Re:Damnit!

[thx2001r]

OpenSSL does not create Mod_SSL... they are not affiliated, as far as I know... ASF creates Mod_SSL for Apache 2.0.x (while www.modssl.org creates the Apache 1.3.x ones).

I assume you are referring to the new versions of OpenSSL released? I do not know for a fact that the OpenSSL release affects Mod_SSL releases, particularly since Mod_SSL for 2.0.x is related to ASF releases of Apache 2.0.x.

Someone please correct me if I'm drastically wrong here regarding Apache 2.0.x and Mod_SSL 2.0.x (and point me to the documentation that proves otherwise).

PHP4 & Apache 2.0.43 not accepting tags

[rorya]

Last I tried, PHP4 (4.3.0 i think it was) on Apache 2.0.43 did not support the XML compliant way of jumping into the PHP interpreter (ie. "", rather than the more common way "?php". Has anyone else noticed this issue?

Apache 2.0.43 & php 4.3.0 not accepting SCRIPT

[rorya]

Last I tried, PHP4 (4.3.0 i think it was) on Apache 2.0.43 did not support the XML compliant way of jumping into the PHP interpreter (ie. "SCRIPT LANGUAGE="PHP", rather than the more common way "?php". Has anyone else noticed this issue?

Apache 2.0.46 is now out!

Get it here!

Oh, and last post.

1.3.27

[packethead]

Does this DOS affect 1.3.27?

No. You're fine. (last post)