Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apache HTTP Server 1.3.29 Released

Posted by timothy on from the dot-dot-dot-dot dept.

Dan writes "The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 1.3.29 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 1.3.29 as compared to 1.3.28. Release 1.3.29 addresses and fixes a potential security issue CAN-2003-0542 (cve.mitre.org): Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. You can download this release from one of your preferred mirror sites."

36 comments

  1. First? by Anonymous Coward · · Score: -1, Troll

    First post. Muhaha.

  2. Big Changes ? by noselasd · · Score: 3, Insightful

    Where are the big changes ? I see 8 more or less minor bugfixes.

  3. The Apache Section's Motto: by Farley+Mullet · · Score: 4, Funny

    Slashdot's Apache Section: For The Apache Admin Who Just Refuses To Get On The Mailing List.

  4. On the note of that... by FinestLittleSpace · · Score: 2, Funny

    ...I better make the obligatory comment....

    "Cor, at least it's not IIS... we'd be having thousands of bugfixes. Damn M$."

  5. oh fuck by Anonymous Coward · · Score: -1, Offtopic

    I can't believe I just shit my pants at work! I was having a rather nice day, but then for lunch I had the Burrito Gran Culo from the downstairs cafeteria, and I'm bubbling like a fuckin tea kettle.

    So of course, as much as I tried to hold it (I couldn't go to the bathroom because I was too busy coding some SCO/Linux kernel stuff), and I just let go. I can still feel some of the 2nd stage drippings oozing out of my asshole.

    Wait, the black woman in the cube next to me just said "What da fuck is dat funky smell?!".

    Fuck, looks like I better fetch the Times before I go home a finger through the classefied.

    oh, and maybe take a shower.

  6. Thanks by barcodez · · Score: 2, Interesting

    Well I for one appreciate the Apache httpd development team's efforts.

    --

    ----
  7. Why list a commercial web site? by Futurepower(R) · · Score: 3, Insightful


    The Slashdot story said, "... are pleased to announce the release of version 1.3.29 of the Apache HTTP Server ("Apache")."

    However, that link references only a copy of the release info on a commercial bulletin board, BSDForums.org, that has plenty of advertisements.

    The Slashdot story could have said, "... are pleased to announce the release of version 1.3.29 of the Apache HTTP Server ("Apache")", which is the official announcement on the apache.org site.

    1. Re:Why list a commercial web site? by Anonymous Coward · · Score: 0

      Yeah, blame it on slashdot. Maybe you should take it up with the person who actually wrote the post? Maybe this Dan fellow runs (or gets some form of compensation from) BSDForums.org?

    2. Re:Why list a commercial web site? by shrubya · · Score: 1
      copy of the release info on a commercial bulletin board, BSDForums.org

      Notice that the article was submitted by dan@bsdforums.org and you will achieve enlightenment.

      At least he was honest about his affiliation.
    3. Re:Why list a commercial web site? by a.koepke · · Score: 1

      commercial bulletin board, BSDForums.org, that has plenty of advertisements.

      All I see are 3 text links near the top

      NetBSD 1.6 CDs,T-Mobile's Online Store and The Design & Implementation of 4.3 BSD Unix OS.

      Not exactly what I would call plenty of advertisements.

      --


      (\(\
      (^.^)
      (")")
      *This is the cute bunny virus, please copy this into your sig so it can spread
  8. Why Not 2.0? by 4of12 · · Score: 1

    OK, I'll admit not being on the apache mailing list.

    But I'm thinking of installing Apache (and gentoo ) on an unused Athlon box.

    Is there any reason not to install the latest Apache 2.0 instead of the 1.3 series?

    [I ask because, IIRC, early releases of 2.0 didn't support the latest PHP.]

    --
    "Provided by the management for your protection."
    1. Re:Why Not 2.0? by babbage · · Score: 1

      I'm not a PHP guy, so I can't be definitive about that, but the two big areas where Apache 2.0 seems to have been un-finished are PHP and mod_perl support. Random poking around on Google suggests anecdotally that this was true at least as recently as July, according to a random blog hit.

      You're certainly welcome to try it -- bug testers are always welcome for any open source project -- but last I heard the conventional wisdom was still to avoid Apache2 for any site that needs stable mod_perl or PHP support. I understand that they both work, more or less, but people still seem to have problems with stability.

      On the other hand, for other areas, Apache2 is supposed to be wonderful. I've heard reports of web server pool load tests that suggested that a tier of Apache2 servers could handle a load equivalent to something like 4 or 5 times as many Apache 1.3 servers. YMMV of course, but apparently there are real benefits to Apache2 for those that are in a position to take advantage of it.

      --
      DO NOT LEAVE IT IS NOT REAL
    2. Re:Why Not 2.0? by AShocka · · Score: 1

      As far as I know the problem isn't so much with Apache2 but with the changing API and modules because they haven't been rewritten /debugged to the specs of A2 to take advantage of it's architecture. Apache 2: Improvements Are Obvious, But Upgrade Choices Aren't

    3. Re:Why Not 2.0? by dsb3 · · Score: 1

      FWIW I have a server feeding over 1 million hits per day with Apache 2.0 and PHP.

      No stability problems here, yet ... (knock on wood)

      --

      Slashdot? Oh, I just read it for the articles.
    4. Re:Why Not 2.0? by mrt300 · · Score: 1

      PHP has been solidified for a few months with Apache 2.0.x. As far as mod_perl goes, they've been slow (6 months between releases) to even put out pre-releases. I can't say I blame them. There's been so much hype around the development of Perl 6 (more specifically, the Perl 6 runtime), that the mod_perl guys have to be wondering about their product's expected lifetime.

      FWIW, I've used the mod_perl 1.99 dev code without any issue on a server that handles a significant load of authentication. While doing that, even basic mod_perl functionality was shifting. I tend to think that the mod_perl slowdown isn't due to Apache's APIs, but due to their own.

    5. Re:Why Not 2.0? by cpghost · · Score: 1

      mod_throttle and other non-core modules are normally only available to the 1.3.x series (for now).

      Another reason is laziness: If the average admin can't find a package/port/... for an apache 2.x module in their favorite Linux distro or BSD ports collection, they'll normally go for 1.3.x, instead of porting the module to 2.x.

      --
      cpghost at Cordula's Web.
    6. Re:Why Not 2.0? by Anonymous Coward · · Score: 0

      FWIW -- used on of the experimental modules in Apache2 mod_auth_ldap.

      Stable isn't something I would use to describe it.

      I've had much better succes with other GPL ldap mod's for Apache2.

      Here's hoping that problem gets solved.

  9. Apache HTTP Server 2.0.48 is also out by jimjag · · Score: 3, Informative

    Released at the same time was 2.0.48.

  10. Apache security documentation by Anonymous Coward · · Score: 0


    http://cgisecurity.com/webservers/apache/

  11. what about 2.0.48? by bluethundr · · Score: 2, Informative


    In related news, the 2.48 version of apache was also released. Was this a slashdot moment, as well? Did I miss a memo? I'm assuming I have. I recently read the O'Reilly book on this topic and two things seemed clear. 1) That the authors of the book really preferred the 1.3.x series of httpd to the 2.x series and that 2) BSD is the way to be for Apache (though Linux is an "okay" substitute.) Which really surprised me because threading in Linux is better than BSD.

    So my questions are: If they are updating the 2.x series why are they *also* updating the 1.3.x series? Isn't the idea that 2.x will supplant/replace the earlier series? What do you get out of using the older version that you don't with the newer? Other than the ability to work with a tool that's more familiar to you becasue you've been using it for so long...Wouldn't the technological advantages of using the newer version outwiegh the inconvenience of yet another learning curve?

    --
    Quod scripsi, scripsi.
    1. Re:what about 2.0.48? by WoodstockJeff · · Score: 2, Informative
      I don't think it is the learning curve, per se... I made the change-over to 2.x with few problems, other than some security issues that are outside of apache's control (Mandrake 9.x won't allow apache to run CGI without as-yet-unfound configuration changes).

      The main problem is that some things written for apache 1.x do not work under 2.x, or have significant problems. PHP was one of them; other modules have been problematic, too. Once PHP ran acceptably, we switched...

    2. Re:what about 2.0.48? by PowerBert · · Score: 2, Informative

      1.3.x isn't being updated. It's in bug fix mode, which means only bugs and security problems are fixed no active development is being done. I think one of the main reason for sticking with 1.3.x for now is that mod_perl for 2.0 isn't considered stable yet. We find it breaks a lot of our mod_perl server management stuff too. 2.0 hasn't been out that long really. How many people out there still run Windows NT4?

    3. Re:what about 2.0.48? by mysticalreaper · · Score: 4, Insightful

      If they are updating the 2.x series why are they *also* updating the 1.3.x series? Isn't the idea that 2.x will supplant/replace the earlier series? What do you get out of using the older version that you don't with the newer?

      Here, my friend is the beauty of open source. If you want to keep using apache 1.3 (as many are), you can. There's no such thing as a forced upgrade. What version of the software you use is entirely up to you. 2.0 is supposed to be an improvement over 1.3 (and it is), but it's not supposed to 'supplant' 1.3. Just like the Linux kernel 2.4 didn't 'supplant' 2.2, though it WAS an improvement.

      As long as there are interested people in the 1.3 series, bugfixes will come in, and holes will be patched. And that's why it's still being updated. Heck, even the 2.0 kernel is actively maintained. The canges are very slow, but if there's an obvious fix, it will be put in.

      So basically, it's up to you to decide which version to run. And that's exactly the idea, that you have choice and freedom with your software.

    4. Re:what about 2.0.48? by morelife · · Score: 1

      The main reason I can see is mod_perl.

      As another person said, it's not supported (yet).

      Understatement... try compiling it in ... it just doesn't work. v2.x is a rewrite. Still a baby and has to pay its dues in the field for a while :)

    5. Re:what about 2.0.48? by 8282now · · Score: 2, Informative

      I'm sure you've seen for yourself but the reason for the dual development track is that not all 1.3x modules have been migrated to the new 2.x platform.
      There are still a number of very popular modules that still require the use of the 1.3x code. So instead of "orphaning" those poor souls dependent (?) on the 1.3x modules, (as mentioned by another poster) the open source world allows for and supports multiple versions to exist.

      Just my two cents...

  12. What took so long by PowerBert · · Score: 0, Troll

    I posted this to /. 24 hours ago.
    Right after openpkg.org made their security alert on bugtrack.
    The new code was released very very quickly and was available about 20 hours ago.
    For some reason the apache front page has only just been updated.
    It seems to take longer to announce a new version than to build one.

  13. webserver written in Postscript! by satanami69 · · Score: 3, Funny

    Why bother with Apache when you can get the power of PS-HTTPD

    PS-HTTPD is a HTTP-server written in Postscript. It can handle the main task of a webserver, serving data.

    --
    I really hate Dan Patrick.
    1. Re:webserver written in Postscript! by bofkentucky · · Score: 1

      Thats the best laugh I've had in a year, thanks

      --
      09f911029d74e35bd84156c5635688c0
    2. Re:webserver written in Postscript! by fred87 · · Score: 1

      This is great :) thanks for the laugh

  14. money-making scheme by Futurepower(R) · · Score: 1


    So it was a money-making scheme for Dan?

    Why don't Slashdot editors catch this kind of thing?

    1. Re:money-making scheme by Phil+John · · Score: 1

      Oh come on, you can't be serious? Do you think that they make any profit from the site? I bet the adverts are just there so that Dan doesn't have to cover the cost of hosting out of his own pocket.

      --
      I am NaN
  15. This is important because it is security relaited by aaron_pet · · Score: 1

    If you have a web server... You don't want to get hacked... and you have to know about the patches to fix em.

    That is what slashdot is doing. It is highly important.

    Granted, they could just put it on the side... but hey! slash code is configurable!

    You can choose what types of news you want to read!
    Just log in and visit your preferences page... and make it so you don't see the apache news!

    --
    Please use [ informative / summarizing ] SUBJECT LINES
    Flame me here
  16. Apache Problems by Anonymous Coward · · Score: -1, Flamebait

    don't want to start a holy war here, but what is the deal with you Apache fanatics? I've been sitting here at my freelance gig in front of a Apache box (a P4 2.4 w/1024 Megs of RAM, on an Qwest OC3) for about 20 minutes now while it attempts to copy a 17 Meg file from one directory on the hard drive to another user. 20 minutes. At home, on my Pentium Pro 200 running NT 4/IIS 4 (On a dual T1, no less!), which by all standards should be a lot slower than this Apache box, the same operation would take about 2 minutes. If that.
    In addition, during this file transfer, PHP will not work. And everything else has ground to a halt. Even mod_perl is straining to keep up as I type this.

    I won't bore you with the laundry list of other problems that I've encountered while working on various Apache machines, but suffice it to say there have been many, not the least of which is I've never seen a Apache box that has run faster than its Windows counterpart, despite the Apache machines faster chip architecture. My 486/66 cable modem router with 8 megs of ram runs faster than this 2400 mhz machine at times. From a productivity standpoint, I don't get how people can claim that Apache is a "superior" server.

    Apache addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a Apache over other faster, cheaper, more stable httpd daemons.

    1. Re:Apache Problems by fred87 · · Score: 1

      /me remembers seeing this word-for-word in a thread yesterday with the word Apache swapped for Linux...

  17. It is a breach of trust. by Futurepower(R) · · Score: 1


    9 ads on the page.

    It is a breach of trust. The original page was available; why not link to that? If that is okay, what is next; will mirrors insert ads?

    The money apparently does NOT go to help BSD, but goes to a private company; is that true?

    Ads are good, in the right circumstances. Sneakiness is never good.

  18. Netcraft has confirmed: Apache is dying by Anonymous Coward · · Score: -1, Troll
    It is now official - Netcraft has confirmed: Apache is dying

    Yet another crippling bombshell hit the beleaguered Apache community when recently IDC confirmed that Apache accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that Apache has lost more market share, this news serves to reinforce what we've known all along. Apache is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.

    You don't need to be a Kreskin to predict Apache's future. The hand writing is on the wall: Apache faces a bleak future. In fact there won't be any future at all for Apache because Apache is dying. Things are looking very bad for Apache. As many of us are already aware, Apache continues to lose market share. Red ink flows like a river of blood. FreeApache is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeApache developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeApache is dying.

    Let's keep to the facts and look at the numbers.

    OpenApache leader Theo states that there are 7000 users of OpenApache. How many users of NetApache are there? Let's see. The number of OpenApache versus NetApache posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetApache users. Apache/OS posts on Usenet are about half of the volume of NetApache posts. Therefore there are about 700 users of Apache/OS. A recent article put FreeApache at about 80 percent of the Apache market. Therefore there are (7000+1400+700)*4 = 36400 FreeApache users. This is consistent with the number of FreeApache Usenet posts.

    Due to the troubles of Walnut Creek, abysmal sales and so on, FreeApache went out of business and was taken over by ApacheI who sell another troubled OS. Now ApacheI is also dead, its corpse turned over to yet another charnel house.

    All major surveys show that Apache has steadily declined in market share. Apache is very sick and its long term survival prospects are very dim. If Apache is to survive at all it will be among OS hobbyist dabblers. Apache continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, Apache is dead.

    Fact: Apache is dead