Slashdot Mirror


Apache 2.0.46 Released

The Apache HTTP Server Project writes "Apache 2.0.46 has been released. It's an important security-fix release, fixing both a crash bug [CAN-2003-0245] and a DoS [CAN-2003-0189], so everybody using prior versions of Apache 2.0 should grab a copy from the nearest mirror and upgrade!"

19 comments

  1. PHP by Anonymous Coward · · Score: 0

    Any news on when Apache 2.x will officially be considered to "play nice" with PHP in a production environment?

    1. Re:PHP by noselasd · · Score: 1

      You have to ask the developers of PHP on that, as it is a PHP issue, not Apache.

    2. Re:PHP by Anonymous Coward · · Score: 1, Insightful

      The PHP developers weren't the ones that kept changing the Apache API after it was "stable."

  2. vague changelog by Imperator · · Score: 4, Interesting

    I wish the announcement would be a bit more specific about the security fixes and who needs them. I don't use mod_dav or a threaded MPM, but do I still need to upgrade?

    --

    Gates' Law: Every 18 months, the speed of software halves.
    1. Re:vague changelog by cliffwoolley · · Score: 4, Informative
      "but do I still need to upgrade?"

      Definitely upgrade. Note also that full details of the problem will be released on Friday.

      --Cliff Woolley
      Apache HTTP Server Project
      Apache 2.0.46 Release Management team
    2. Re:vague changelog by GigsVT · · Score: 1

      Why not now? If the problem is fixed, what do you have to hide?

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    3. Re:vague changelog by SpaFF · · Score: 3, Informative

      Well for one it gives people a chance to upgrade before the "bad guys" know the specifics of what the problem is. That way people can get their servers updated before a DoS attack program is written.

      --
      -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
    4. Re:vague changelog by Anonymous Coward · · Score: 0

      So will this affect more than just RedHat 8/9, AIX, and maybe OSX? Just curious about, say, RedHat advanced server and the solaris httpd.

    5. Re:vague changelog by RubberDuckie · · Score: 1

      There is now more information here. It looks like an exploit is possible, though it would be difficult. Better to upgrade now and be safe.

    6. Re:vague changelog by milosoftware · · Score: 1

      Looks to me that you only need to upgrade when either:

      You use basic authentication in combination with multi-threading mpm on UNIX AND you're afraid of DOS (authentication after attack will fail for everybody until restart)

      You use mod_dav (I haven't got a clue what that mod does) AND don't like to see your server crash after an attack.

      --
      Musicians don't die. They just decompose.
  3. Unfortunately.. by SiMac · · Score: 1

    The HTTP proxy and several experimental modules don't compile. They're not essential modules for me, but it would be nice if they would work.

    Simon

    1. Re:Unfortunately.. by ThomMay · · Score: 1

      That's strange - none of the apache hackers that have seen this post can reproduce your problems? Can you submit a bug report or follow up here with more info...

      -Thom
      Apache committer, Debian developer

    2. Re:Unfortunately.. by Jeff+Trawick · · Score: 1

      Please open a PR at http://nagoya.apache.org/bugzilla/

      It apparently doesn't matter how many boxes we build it on, somebody's build is always going to break :(

      (if it makes you feel any better/worse, I built 2.0.46's mod_proxy on a bunch of different boxes today... hopefully we can figure out why it won't build on yours)

    3. Re:Unfortunately.. by SiMac · · Score: 1

      Okay, here's another problem, I'm not sure if it's Apache or me. Earlier today, when I looked on my server, I saw this:

      16330 root 15 0 6244 6244 2848 S 99.5 1.2 1425m 0 httpd

      It used 1425 minutes of processor time, so I guess it's been running for a while. Any ideas what it could be doing?

    4. Re:Unfortunately.. by SiMac · · Score: 2

      It turns out it was my fault... I did --enable-proxy-httpd but not --enable-proxy. Perhaps there should be some configure check to stop me from doing this?

      Sorry to waste your time.

    5. Re:Unfortunately.. by Jeff+Trawick · · Score: 1

      That's something to report via http://nagoya.apache.org/bugzilla/

      As far as the --enable-proxy-httpd thing... Apache doesn't look for configure options it doesn't understand and instead assumes that they are for apr or apr-util or libtool or expat or anything else that might be configured under the covers.

  4. dang it, more upgrade! by JDizzy · · Score: 1

    I just pulled down all the stuff for my apache2, and 2 days later it's time to start all over again. yee-haw!

    --
    It isn't a lie if you believe it.
  5. Apache 2 now "plays nice" with PHP & other mod by dananderson · · Score: 1
    Ever since Apache 2.0.42, the Apache 2 developers have grown up :-) and decided to stop changing the API in what's now called the "stable" release series (currently 2.0.x).

    What does that mean to you? It means you no longer have to download and recompile, from source, a new version of PHP to fix what Apache broke.

    However, with Apache 2, I don't recommend the multi-threading MPM. No big deal if you're using Apache 1, since multi-threading isn't available (with UNIX/Linux at least). The problem isn't Apache or even PHP, but the scores of 3rd-party libraries PHP may hook into (depending on how much stuff you configure in PHP).

    For details on Apache 2 and PHP, see my webpage at http://dan.drydog.com/apache2php.html

  6. Check out this Apache Web Server by Anonymous Coward · · Score: 0

    Just got set up and am looking for someone's (anyone/everyone's) opinion. CLICK HERE or go to http://thunderhacker.dyndns.org