Apache 2.0.48 Released

Gruturo writes "Busy week for the Apache software foundation: After 1.3.29, version 2 gets an update as well with 2.0.48, which mainly fixes these two security vulnerabilities. As usual, using a mirror is recommended." The official announcement lists several changes as well.

Apache security documentation

http://www.cgisecurity.com/webservers/apache/

Re:A step in the right direction

[Karamchand]

Tell me: For how long has Tomcat been an commercial application server?
Yea, I know.. ihbt..

RedHat Fedora coming out on Monday will have this?

[linuxguy]

Generally RedHat will not put in new packages at the last minute. But this is a security fix release only and also Fedora is considered more experimental than regular Redhat releases.

Time to upgrade my Apple ][ server.

It will take all November to compile it :(

Re:Debian

[damiam]

Debian stable will never update their Apache packages, although they will backport bugfixes. If you want the latest and greatest, use testing or unstable, which has had Apache 2 since the week it was released.

Hmmm...

[damiam]

An Apache point release on the front page? Can you say "slow news day"?

Re:Hmmm...

[spektr]

An Apache point release on the front page? Can you say "slow news day"?

It annoys me that I have to download the full dupe at every point release. Can't they post incremental patches for the article and the replies?

Re:Hmmm...

[Ianoo]

Why not use something like ccache? Then you only need to recompile changed files. I think. I don't personally use it...

Re:Hmmm...

[spektr]

I rarely compile slashdot threads. I think CVS access to the article database would suffice.

Re:Hmmm...

[shibbydude]

Mod parent up! I think he was trying to be funny.

Re:Hmmm...

[error502]

Can you say "slow news day"?

I have a speech impediment, you insensitive clod!

Re:Hmmm...

[spektr]

Mod parent up! I think he was trying to be funny.

I tried? Dang. There is no try...
Then better mod me sideways, before my posting makes somebody cry.

Re:Hmmm...

[Repugnant_Shit]

slaw nows dee ...dammit, I guess I can't

Re:Hmmm...

[nr]

Well its sunday after all. Dont you thinks its even more gnarley that the ninth Linux kernel pre-release (-pre9) made the frontpage, its not even dot release! :) I thinks its good that important open-source software get their spot in the sun, becouse many of us do not follow all projects closely and its nice to have interesting discussions about the software and the project.

Re:A step in the right direction

[Tim+C]

commercial application servers such as Tomcat

Tomcat is open source; it's one of the Jakarta projects.

compared to Oracle's WebSphere

IBM make WebSphere, not Oracle.

If Ximian would only release the .NET framework for Solaris

Microsoft makes the .NET Framework, not Ximian, although Ximian does have a hand in Mono, the open source implementation of the .NET Framework.

Re:A step in the right direction

[zaphod.nu]

WebSphere is IBM, not Oracle.
Tomcat is Apache Foundation and Free(tm).
LocalDirector is Cisco.
.NET Framework is Microsoft.

Besides those minor error and the jibberish the +1 Interesting might be sensible?

OMG YES YES YES!

2.0.48 is released!

This is the defining moment of my life. I have been continually pressing the "refresh" button since the story about 2.0.47 being released. Now all my hard work has paid off.

2.0.48 is released at last!

Re:OMG YES YES YES!

[Praeluceo]

Yeah, and even after refreshing your browswer since July 10th, for the sole purpose of finding this announcement, you -still- couldn't get a first post? That's just pathetic.

Not only do you need a life, you need to get better at not having one!

Re:Debian

[PReDiToR]

Can I ask a stupid question, and say

Why not jsut download it and install it yourself?

Re:Debian

[damiam]

Make sure you have security.debian.org in your /etc/apt/sources.list file. If you don't, you won't get security updates until they hit the main repository in a minor release, which can be a while.

Logging bug

[KalvinB]

I used Apache 2.0.47 for all of a day before I decided to never use the 2.0.x line again. Apparently when a partial transfer is requested, Apache 2.0.47 logs the full amount requested. Not what was actually transfered. I ended up showing over 10GB of transfer in a single day on a 256Kbit DSL line. Which if you do the math is only physically capable of about 2.5GB a day.

I looked at my logs and determined that a couple AOL users were trying to get a rather large file

aca9bd40.ipt.aol.com 655 6689 1004 310
acc4e74f.ipt.aol.com 1014 5412 521 148
ac8bd972.ipt.aol.com 140 1565 534 745

Requests MB KB Bytes. All that transfer supposedly happened in about a day.

I notified bug-track but apparently such a simple problem (which doesn't exist in the 1.3.x line) isn't worth addressing.

After all, who actually uses the Apache 2.0.x logs to monitor transfer? Hopefully not any hosting companies because the customers are going to get royally screwed.

Ben

Re:Logging bug

Download the code and fix it yourself. Submit a patch back to Apache. Feel good knowing you both helped a project you use and fixed your own problem.

Re:Logging bug

[portnoy]

Um, didn't someone provide a solution to your bug report? (i.e. use the more advanced log module).

Seems to me that they do see this as a problem worth addressing; they already have a fix.

Re:Logging bug

[bruthasj]

This continues my confusion as chronicled here.

Can we get past these comments about "fixing it yourself"? Or is this just the default customer service coming out these days?

I do thank you for not Karma whoring by posting as AC.

Link above logs you out

[fred87]

Just thought i'd say - the link is a logout link

Re:In other words, yet another OSS bug?

[vigilology]

You don't pay for the oxygen you're breathing, do you?

One question:

Do you know if they released 2.0.48 yet?

Netcraft stats for Apache

[bhny]

the new netcraft stats are posted.

apache just keeps stealing more market share-

Re:Netcraft stats for Apache

[Feztaa]

I love that graph.

At no point in history has Apache ever had less marketshare than Microsoft's webserver. :)

Re:Netcraft stats for Apache

These are not OS stats...they are server stats. If a machine is running Apache on Windows, it gets counted as Apache. If a Windows/IIS server is behind some kind of elaborate proxy setup which is under another OS, it will be counted as IIS, although some impossible combinations like Linux/IIS or Solaris/IIS may result.

If it is not serving web pages at all, it shouldn't be counted, and it won't be.

Re:Netcraft stats for Apache

[CapeBretonBarbarian]

...and what about all those *internel* windows servers running IIS that aren't visible to Netcraft. They're never counted in the stats. Nor are our internal servers running apache. Worrying about internal servers is pointless. You'll never know for sure.

Re:If it "works", why did it need a patch?

[shibbydude]

All this proves is OSS zealots are hypocrites, with double standards.

Thank you! Now where are my mod points?...

Re:American Indians

[haizi_23]

was that funny?

Re:Cock-smoking?

[tds67]

...to pay your $1499 licensing fee you cock-smoking teabaggers.

Yah, as if anyone's going to let you take a lighter to their cock...sheesh...

Re:Don't forget...

[shibbydude]

Stop the fucking SCO jokes!!! It's over.

Re:A step in the right direction

[morelife]

ISA Server
huh? Microsoft Internet Security and Acceleration Server? The one all the dweebs put in front of Exchange when management's looking the other way? That's not an application server, it's a proxy/firewall whose chief function is to generate revenue for Microsoft while providing zero real functionality.

the Apache team outdid themselves by providing a nice API that integrates nicely with most the commercial application servers such as Tomcat...
How /wierd/ that the httpd team would shoot for functionality with another product from the Apache
Group..

DBAs find the performance lacking compared to Oracle's WebSphere
And they are right: Oracle's Websphere is pretty slow - it doesn't freekin' exist so it doesn't run very fast AT ALL.

If Ximian would only release the .NET framework for Solaris we would definately be able to unleash some more serious functionality
Looks like you and the team switch development and delivery platforms every 7 to 10 days. It seems like those Ximian people go out of their way to slow progress. BASTARDS!

definately
Most everyone is definitely using a more recent version of definitely, which is nice. You can download it at www.m-w.com on the Internet.

Re:Yay

[mentin]

What works? All I see is two security bugs fixed.

If the fixes were from Microsoft, the /. would have an article "Two More Critical Windows Flaws".

But it is open source, so we get "Apache 2.0.48 Released".

So does it proof anything except double standard on /.?

Re:RedHat Fedora coming out on Monday will have th

[Bartlet]

For the pollyannish ...

From:
http://fedora.redhat.com/participate/sche dule/

Schedule
Fedora Core 1 / Cambridge

* July 21 2003 - Test 1 (originally called Beta 1) release
* September 25 2003 - Test 2 release
* October 13 2003 - Test 3 release
* November 3 2003 - General Availability

Apache 2.0

[ceswiedler]

Are people using 2.0 much yet? I remember all of the blowup over how 2.0 didn't really add anything unless you wanted to run it on Windows, and it caused a lot of problems for modules like mod_perl. Is everyone still sticking with 1.3?

Re:Apache 2.0

2.0 does have numerous features and enhancements over 1.3 but didn't offer significant performance advantages over 1.3 on Linux and most Unix platforms . And as far as "problems" go, 2.0 had a completely new module system so modules had to be redesigned for 2.0, not really a problem with the modules. Just taken awhile to redesign them. Most Linux distros have moved to 2.0 which is what people really have been waiting for.

Re:Apache 2.0

Apache2 runs quite well with mod_perl and just about everything else under win32.

Check out http://www.devside.net

Re:Apache 2.0

[Spoke]

IMO, the best reason to use Apache 2.0 is that with mod_deflate, you can now easily add content encoding compression to an entire website to save bandwidth. Previously with Apache 1.3, you could add in mod_gzip, but mod_gzip wouldn't compress SSL content without some very ugly config hacks including mod_proxy with a substantial performance benefit. 2.0 eliminates this issue.

I've seen bandwith drop on websites drop from 20-80% depending on how much content is non-compressible (like graphics).

Re:Apache 2.0

[haeger]

Oh yes.
mod_perl is a real showstopper for me. I'd love to upgrade to Apace2.x but I really need mod_perl to function properly and it isn't ready so I'm sticking with 1.3 for now.

Does anyone know the status of mod_perl? Should I try to lessen my dependency on it? Is 2.0 worth the upgrade even if I have to rewrite my app?

.haeger

Re:Apache 2.0

[Corporate+Gadfly]

I am using mod_perl 2 (really 1.99_10) in production without any problems. You do have to sort of keep up with the mod_perl mailing list, but it has performed without any problems for me so far.

Re:Apache 2.0

[sffubs]

I'm using it very happily - tbh I can't tell much difference between 2.x and 1.x, except that I can use mod-xslt on 2.x

--sffubs

Re:Nope

[morelife]

I just read the link you posted to the "webmin" comment.

Although my heart goes out to the original poster, bless his soul, it's the moderators I'm worried about. Everyone who moderated that post either Interesting or Informative should have their testicles removed to ensure that the disease goes no further. Actually I think Ashcroft's working on a USA PATRIOT Act improvement addressing this very issue. That way we wouldn't need a warrant. Just go in, castrate, ask questions later.

Old news

[mrt300]

See this.

This version was released the same day as 1.3.29 earlier in the week, Wednesday, I believe. Perhaps future posters would consider combining this news into one post.

Re:What??!

[FxChiP]

... why'd you post as an AC?

1.3 branch

[amembleton]

Why are there two branches of Apache? There's the 1.3 and 2.0 lines. I've heard that 1.3 is better than 2.0, so is 2.0 effectivelly a beta? Why are there still new releases of 1.3, why not concentrate on 2.0?

Re:1.3 branch

[jjohnson]

The 2.0 line offers new internals and a new module API that's supposedly a lot cleaner and better organized. The biggest internal change of which I'm aware is that Apache now does proper threading, instead of fork()ing--that's why the big improvement on Windows, which is natively threaded, while a smaller improvement on unices.

Re:1.3 branch

[crisco]

AFAIK New releases of 1.3 are bugfixes and security patches. 2.0 has been labeled production ready for over a year.

The problem isn't Apache itself but the open source modules that help make Apache the most useful webserver out there. Widely used projects like mod_perl and mod_php have only recentlyy released versions of these that work properly with Apache 2 and even these are still labeled betas.

Additionally, most competent sysadmins won't mess with what isn't broken, so their server farms running 1.3 are going to continue running 1.3 for a while yet.

Re:1.3 branch

[Spoke]

As long as you stick with the pre-forked MPM of Apache2, you really shouldn't have any problems with add-on modules like mod_perl and mod_php. Problems only arise when using one of the threaded MPMs.

Re:What??!

[DAldredge]

I didn't and I don't.

side note. I love this type m keyboard!!!

Re:MOD PARENT DOWN: REDUNDANT AND A TROLL

[morelife]

If some of the ideas in the post you linked struck a nerve with you, and it sounds like they might have, why don't you log in under a real name and say what's on your mind?

Better than ever before

[a5cii]

Apache 2.0.48 works extremely well on windows 2000 there are no problems such as hanging during shutdown for me anymore one qualm i have is that the configuration could be made a bit easier using a web based interface like the one which abyss web server from www.aprelium.com has i look forward to a long and happy life with apache MC

Workaround, not a fix

[KalvinB]

That fix should be standard. Obviously Apache knows about the problem but even when someone fixes it for them (so writting a fix myself as someone else suggested is a worthless pursuit to try to actually fix the problem) they continue to insist on ignoring the problem and linking by default to a known broken module that they refuse to fix. And on top of that, they fail to properly document the workaround.

Most web-site owners are more interested in running their business than dicking around with source code. Even if they knew how to even begin looking for the problem spot. I opted to revert back to 1.3.x since it's solid.

This reflects very poorly on Apache in regards to their attitude about bugs. Especially considering this shouldn't have been broken from the first 2.0 release.

"We know about it, but we don't care to fix our default logging module" is pretty sad.

It's nice to know a workaround exists but when something as simple as logging can't get an official fix it does very little to instill confidence in the product.

Maybe I'll give 2.0 another try later with my personal server but the server my business runs on will be sticking with 1.3. It works great and so I can just focus on running the business and writting source code for a job instead of reinventing fixes for a wheel that's been known to be broken for a very long time.

Ben

Re:Workaround, not a fix

[Hard_Code]

Frankly, all of the Apache projects I've interacted with seem really insular :/

"Fix it yourself"

[KalvinB]

Doesn't go over well with business people. I do programming as a profession. However, when the 1.3.x line is flawless it's hard to convince myself it's worth my time to tackle this problem. Considering how many people have downloaded and rely on the 2.0 line, I wonder how many have the skill or motivation to fix such a glaring and simplistic flaw that should never have existed.

Especially considering someone did take the time to write a logging module that works and Apache still refuses to make it the standard, insisting instead to link to the default, "approved," known to be broken one.

By telling me to "fix it myself" he was basically telling everyone to ignore the fact that Apache is ignoring already existing fixes and needlessly reinvent the wheel themselves.

I'd actually be happier not knowing the fix existed. Apache's actions would make more sense (and be more acceptible) because I could pretend it was a complicated issue still in progress.

Ben

wow

Wow, Apache should put a line in their license to disallow you from using it.

I do programming as a profession

Oooh. Am I supposed to bow to your mightiness? Frankly, you've already swept me off my feet.

By telling me to "fix it myself" he was basically telling everyone to ignore the fact that Apache is ignoring already existing fixes and needlessly reinvent the wheel themselves.

No, actually, he was basically telling you to fix it yourself, no need to read into it. If you're such a programming professional, it should be trivial to fix. Apache isn't someone you pay for something to work. It, like all other OSS projects, only get better when people get off their butt and fix problems. However, I'd rather have it stay broken and get fixed by someone decent than for it to grudgingly get fixed by as it's obvious you are a leech on open source's inner thigh.

Re:Debian

[jjohnson]

You know, I avoided the RPM of apache when I built my webserver, instead choosing to download it and compile 2.0 from source, and get it working myself. Which I did. Having done it once, I know it pretty well now, and it took me five minutes to go from 2.0.45 to 2.0.48 after seeing this story, having saved my ./configure in an executable file. I ran that, make, make install, copy the conf files and the resin .so, test it, and switch the symbolic link that the sys V script goes to.

So. Untinstall the deb, download it, compile it, install it, and get it working. It's no harder to configure, and you're free of package tyranny.

Re:[OT] I need help...

[togofspookware]

How is this flamebait? Seriously, if what this poor bloke says is true, then his roommate deserves at least *one million* punches-in-the-face.

(link for the humour impaired)

Re:If it "works", why did it need a patch?

[Prof.Phreak]

When was the last time a virus spread all across the world, shut down networks, etc., by exploiting a bug in Apache?

Microsoft has VERY LITTLE (compared to Apache) market share, yet it's been actually exploited MUCH MUCH more.

Another point about Apache is that it's open source (we can search the source and find buffer overflow succeptible code, fix it, etc.,) while with Microsoft or others, once they fix a bug, you have no idea how bad their source code it.

Also, fixing 2 bugs in this many months is actually pretty good. I think my XP box got like 50 or so 'critical updates' just this summer from windowsupdate.

Re:Yay

When Windows Service Packs come out, you get a "Windows Service Pack released" header.

Re:Debian

[jjohnson]

Neither did the OP. Nor 2.045, nor 2.0 at all.

Excellent for mod_python 3.0.3 and Solaris

[milosoftware]

Saving lots of memory: Just run in 'worker' mode, and have only one system wide Python Interpreter. Also makes sharing DB connections and so much easier since you can just keep lots of globals around.

And that's on Solaris, where worker isn't default.

Oh, and mod_deflate is nice too.

Re:MOD PARENT DOWN: REDUNDANT AND A TROLL

[morelife]

Ahhhh. Maybe because you're an editor here...