Apache 2.0.45 Released

← Back to Stories (view on slashdot.org)

Posted by michael on Wednesday April 2, 2003 @01:38AM from the better-than-okra dept.

thx2001r writes "Well, it's no longer April 1st across the contiguous United States, so the coast is clear to say Apache 2.0.45 is released. This version contains two important security fixes and a number of bug fixes. The security fixes affect all platforms and versions of Apache 2.0.x up until this update with some special caveats for the 2.0.45 OS/2 release. It looks like the first security vulnerability addressed in this eighth public release of the Apache 2.0.x series is having its details witheld until April 8th. This is being called "a significant Denial of Service vulnerability" for Apache 2.0.x by the ASF."

16 of 35 comments (clear)

Min score:

Reason:

Sort:

Soo... When can NT users use this? by Eneff · 2003-04-02 03:49 · Score: 2, Interesting

I mean, when will SSL support be ported for Apache 2?

Last time I tried to compile SSL support from scratch it was a nightmare of errors...
1. Re:Soo... When can NT users use this? by rdieter · 2003-04-02 04:08 · Score: 5, Informative
  
  when will SSL support be ported for Apache 2?
  FYI, SSL support is builtin (apache.org) now.
2. Re:Soo... When can NT users use this? by thx2001r · 2003-04-02 06:59 · Score: 5, Informative
  
  Well, I've been using Apache 2.0.x Mod_SSL OpenSSL since, Apache 2.0.35, on Windows NT 5 (Win2k). Get a compiler the instructions are available publicly.
  
  The only reason it is not pre-compiled for binary release (win32) with OpenSSL by Apache Group is legal concerns over strong encryption:
  
  "This version is only available at present in a -no_ssl flavor, due to ongoing questions of strong crypto redistribution. When a binary build with mod_ssl compiled in is made available, the -no_ssl flavor will remain as an option for those in jurisdictions that restrict ssl encryption, as well as those T8 prohibited from downloading from the ASF's US-based servers." Source:
  
  Apache 2.0.44 and the latest OpenSSL 0.9.7a were, well, a bit of a challenge to compile, but it's done (and that was mostly to do with OpenSSL 0.9.7a). Now on to 2.0.45!
  
  --
  -Joe
  If we're all god's children, what's so special about Jesus? - Jimmy Carr
3. Re:Soo... When can NT users use this? by thx2001r · 2003-04-06 12:42 · Score: 2, Interesting
  
  Update: In Win32, the compiled 2.0.44 mod_ssl.so (DSO) works just fine with the Apache Group 2.0.45 MSI installer package. Just add the DSO, your conf file(s), OpenSSL keys, and you're good to go!
  
  Looks like the API is actually remaining stable (as advertised) at least in Win32, in mod_ssl! Way to go Apache Group!!!
  
  --
  -Joe
  If we're all god's children, what's so special about Jesus? - Jimmy Carr
PHP4 with Apache2? by shagymoe · 2003-04-02 06:51 · Score: 2, Interesting

Anyone know if it is safe to stick my php4 toe in the Apache2 water? I've heard some bad stories about php4 with Apache2 so I'm sticking with 1.3.27 right now with php4.3.1.
1. Re:PHP4 with Apache2? by bodgit · 2003-04-02 07:04 · Score: 4, Informative
  
  I've been running PHP 4.2.3 with Apache 2.0.43+ and there haven't been any problems so far. I've kept the PHP options to a minimum to get Horde/Imp working, so there may be some adventurous settings that will still cause problems.
2. Re:PHP4 with Apache2? by Malcolm+Scott · 2003-04-02 07:45 · Score: 4, Informative
  
  I've been using Apache 2.0.44 with PHP 4.3.1 for a while on a Gentoo-based server, and I've had no problem at all. Works like a treat.
  
  The PHP team needed to do a bit of code tweaking to make PHP fit into the Apache 2 module format (APXS2) - so initially, as you say, PHP support for Apache 2 was very bad/nonexistant. But that work has been completed AFAIK, so any recent PHP version should work fine with Apache 2.
3. Re:PHP4 with Apache2? by Bobulusman · 2003-04-03 05:05 · Score: 1
  
  I'm running Apache 2.0.44 w/ PHP 4.3.0 on Windows XP Pro and have not had any problems. with it. When I first set it up, I had some random crashes, but that turned out to be my software firewall. Since I've uninstalled it, no problems.
  
  --
  Cogito ergo sum in Slashdot.
4. Re:PHP4 with Apache2? by Mitchell+Mebane · 2003-04-03 05:56 · Score: 1
  
  Actually, yes. mod_php even works quite well. Been running our company web server on Apache2/PHP4/mod_php for a little over a year now, with _zero_ problems. Current setup is Apache 2.0.44/PHP4.3.1/mod_php.
  
  --
  
  The roots of education are bitter, but the fruit is sweet.
  --Aristotle
5. Re:PHP4 with Apache2? by Gambit-x7x · 2003-04-04 04:04 · Score: 1
  
  It's fine... i have been using php4.x(aip) and Apache2.x for half a year now on multiple OS(RH8, winXP(home), win2k(Server))... works like a charm.... ocazinal problem if you like me DLing the lates versions... the configuration use to be triky but now they got it worked out...
  
  --
  Who controls the information, controls the world...
PHP4 with Apache2: YES! by dananderson · 2003-04-02 07:17 · Score: 3, Informative

Most problems seem to be caused by those who use the Apache MT model with thread-unsafe libraries that PHP may link in.
Stick with the classic (Apache 1.x) prefork MPM model and you'll be a lot safer. YMMV.
I have a writeup on using PHP with Apache 2 at http://dan.drydog.com/apache2php.html
When they bring it down by milosoftware · 2003-04-03 19:23 · Score: 1

Hmm, just a DOS vulnerability.

To upgrade my 2.0.44 box, I'll have to bring it down... So it's better to wait for the first attack and when it stops, upgrade it. It will be down only once then.

Maybe i'll compile the 45 version, and install it automatically when the current httpd exits...

--
Musicians don't die. They just decompose.
PHP4 & Apache 2.0.43 not accepting tags by rorya · 2003-04-05 09:56 · Score: 1

Last I tried, PHP4 (4.3.0 i think it was) on Apache 2.0.43 did not support the XML compliant way of jumping into the PHP interpreter (ie. "", rather than the more common way "?php". Has anyone else noticed this issue?
Apache 2.0.43 & php 4.3.0 not accepting SCRIPT by rorya · 2003-04-06 07:36 · Score: 1

Last I tried, PHP4 (4.3.0 i think it was) on Apache 2.0.43 did not support the XML compliant way of jumping into the PHP interpreter (ie. "SCRIPT LANGUAGE="PHP", rather than the more common way "?php". Has anyone else noticed this issue?
Re:Damnit! by thx2001r · 2003-04-06 12:33 · Score: 1

Actually (and an update from previous post),

I used the compiled mod_ssl from 2.0.44 on 2.0.45... this is on the Win2k Apache. In this case, mod_ssl 2.0.44 openssl 0.9.7a win32.

It looks like the modules really DON'T have to be recompiled all the time... hopefully, the vulnerabilities don't extend to the mod_ssl 2.0.44 code as well... sigh.

--
-Joe
If we're all god's children, what's so special about Jesus? - Jimmy Carr
Re:Damnit! by thx2001r · 2003-04-11 10:35 · Score: 1

OpenSSL does not create Mod_SSL... they are not affiliated, as far as I know... ASF creates Mod_SSL for Apache 2.0.x (while www.modssl.org creates the Apache 1.3.x ones).

I assume you are referring to the new versions of OpenSSL released? I do not know for a fact that the OpenSSL release affects Mod_SSL releases, particularly since Mod_SSL for 2.0.x is related to ASF releases of Apache 2.0.x.

Someone please correct me if I'm drastically wrong here regarding Apache 2.0.x and Mod_SSL 2.0.x (and point me to the documentation that proves otherwise).

--
-Joe
If we're all god's children, what's so special about Jesus? - Jimmy Carr