Slashdot Mirror


Apache 2.0.50 Released

Gruturo writes "The Apache Software Foundation just released version 2.0.50, which, apart from the usual incremental improvements and bug fixes, addresses security vulnerabilities such as CAN-2004-0493 (Memory leak which could lead to resource depletion == DoS) and CAN-2004-0488 (a mod_ssl buffer overflow). Be kind to their servers and use a mirror."

40 comments

  1. Safe to upgrade yet? by Anonymous Coward · · Score: 1, Informative

    I'm still using 1.3.31. php working okay these days? How about php 5?

    1. Re:Safe to upgrade yet? by a.koepke · · Score: 5, Informative

      I am using PHP 5 and it works great. The trick is to compile Apache using the prefork MPM.

      Quote from http://httpd.apache.org/docs-2.0/mod/prefork.html

      This Multi-Processing Module (MPM) implements a non-threaded, pre-forking web server that handles requests in a manner similar to Apache 1.3. It is appropriate for sites that need to avoid threading for compatibility with non-thread-safe libraries. It is also the best MPM for isolating each request, so that a problem with a single request will not affect any other.

      Using Apache 2 in this method will make it work perfectly with PHP.

      --


      (\(\
      (^.^)
      (")")
      *This is the cute bunny virus, please copy this into your sig so it can spread
    2. Re:Safe to upgrade yet? by stoborrobots · · Score: 2, Informative

      PHP+Apache2 is "working OK"...

      Just not well enough to sign off an enterprise solution on...

      Check out these links for more details...
      PHP-Dev Mailing list discussion
      Discussion on PHP buglist
      as well as a more tongue-in-cheek reply...

    3. Re:Safe to upgrade yet? by Fweeky · · Score: 2, Interesting

      A better trick is to compile PHP using the FastCGI SAPI and Apache 2 with the perfectly fine mod_fastcgi. Lets you spread PHP across machines, lets you jail/chroot PHP separate from Apache, lets you run fewer copies of PHP (which also reduces database connections), and lets you change webserver or language with minimal impact on the other.

      And yes, mmcache and friends work fine in FastCGI mode.

    4. Re:Safe to upgrade yet? by Bronster · · Score: 4, Interesting

      just not well enough to sign off an enterprise solution on...

      I wouldn't sign off an enterprise solution on PHP full stop. Vile language.

      So says someone who did some work on Squirrelmail a little while back - man it sucks trying to support all the little incompatibilities and changing defaults and changing configurations everywhere. When you're undoing an automatic quote of variables depending on a guess from some other variables you know you've got "Visual Basic for da interweb" - except with a less stable API.

      That and the separate functions per DB type which caused all+dog to write their own copy of Perl's DBI in PHP before Pear came along.

      It might be an OK language for developing small stand-alone web apps, or a web app which runs on one infrastructure that you control and validate - but it's not a language for writing stuff you can install on any webhost and expect a complex app to keep working across versions.

      *grumble*

    5. Re:Safe to upgrade yet? by kix · · Score: 1

      "...but it's not a language for writing stuff you can install on any webhost and expect a complex app to keep working across versions."

      well I have been doing just that with a quite large app (200 000+ lines of php code) and it has been working out just fine.

      odd, that.

      --
      I am SO cool I can keep meat fresh for a WEEK!!!!
    6. Re:Safe to upgrade yet? by quelrods · · Score: 4, Insightful

      ya except apache 1.3 + php isn't really an enterprise solution to a large web application either. One of the reasons cited above for php not working w/ apache2.0 is a lack of thread safety. In php there isn't any. Also, you can thread sessions all reads and writes lock the session from any further reads or writes until the operation is completed.

      --
      :(){ :|:&};:
    7. Re:Safe to upgrade yet? by Bronster · · Score: 1

      well I have been doing just that with a quite large app (200 000+ lines of php code) and it has been working out just fine.

      How many installations? What sort of app? Do you ever install it on systems where you can't insist that PHP is configured a particular way?

      I agree that 200,000+ lines of code is big.

      I can hardly talk, since I'm working on a fairly large app written in Perl, and it has its fun and games across versions with poorly written 3rd party modules, but at least the core language has been pretty good about keeping compatibility through the entire 5 series.

    8. Re:Safe to upgrade yet? by kix · · Score: 1


      how many?
      admittedly, the number of installations on different servers is not that big - about 15 different servers so far and most of them (about 10 I think) have apache/php configs that we can't control. the number of sites it runs is around 200

      what kind of app?
      everything :) starting from cms/project management/messageboard and ending with ERP and over-the-web visual database forms creation and systems integration. basically it's an application server, or something like it and a huge amount of modules for it that do all kinds of different things.

      the strategy to make this work is relatively simple - assume that the php installation is about 2-3 years old and don't use newer features or else detect if they are available or not and if not, provide a replacement or a work-around. also, the magic quoting and database handling is abstracted away deep into a generic object storage system so that everything "just works".

      it does take a bit of work and being careful, but once you get used to it, it really is awfully fast to develop with it.

      --
      I am SO cool I can keep meat fresh for a WEEK!!!!
    9. Re:Safe to upgrade yet? by Bronster · · Score: 1

      Yep, and there's a fair bit of that in any language unfortunately. I guess if it's a big enough app the abstracting is really important.

      We suffer from not enough abstraction in some ways.

    10. Re:Safe to upgrade yet? by stoborrobots · · Score: 1

      Yep... you're right... no large enterprise systems would be run on PHP...

      Be careful what you imply... the PHP core IS thread-safe... the only unknown is the large number of external libraries which PHP uses... The issues are not seen in non-threaded implementations... Forked processes do not hit the thread-safety issues, so any library is safe there...

      I'm not sure what you mean by "Also, you can thread sessions all reads and writes lock the session from any further reads or writes until the operation is completed." or how it relates to the issue at hand...

    11. Re:Safe to upgrade yet? by FuzzyBad-Mofo · · Score: 1

      Oh yeah?

    12. Re:Safe to upgrade yet? by Bronster · · Score: 1

      Yeah, thanks for carefully reading what I wrote. You'll notice that Yahoo is running its apps on basically one or at most a few carefully controlled environments - not trying to build something that installs in lots of different versions of PHP on lots of different architectures.

      Thanks for playing though.

    13. Re:Safe to upgrade yet? by WoodstockJeff · · Score: 1

      I think there is a problem with definitions here. "Enterprise" doesn't mean the same thing as "deployed on hundreds of different systems world-wide".

      If I'm doing something for a large company (dozens of servers), there is going to be some form of configuration management involved to keep those servers consistent amongst themselves. Therefore, "all the little incompatibilities" aren't the factor they are in something like Squirrelmail or phpMyAdmin, where you can't control what Joe Sixpack has installed on his server.

    14. Re:Safe to upgrade yet? by Anonymous Coward · · Score: 0

      Idiot mod, that isn't flamebait. There were some issues with PHP initially. oh well I guess this will get modded flamebait too :)

    15. Re:Safe to upgrade yet? by FictionPimp · · Score: 1

      Depends what you think a line of code is.

      // is this a line of code
      if( $A == $b){ print("is this a line of code"); }

      /* is this one line of code

      or two */

      if(!$A) {
      print("how many lines of code is this");
      }

      just a thought. I have used php for large projects, just nothing that I didn't control the install environment on, so I really can't comment on that. Although I bet my project had at least 20,000 lines of comments.

  2. I choose security by Anonymous Coward · · Score: 3, Funny


    For security I wouldn't use anything where the source is open.

    I recommend Microsoft(r) Internet Information Services for server software (compiled with GS switch, so it's double secure compared to other products) and Microsoft(r) Internet Explorer for client (my favorite site MSN.com looks great in it).

    1. Re:I choose security by nacturation · · Score: 1

      I recommend Microsoft(r) Internet Information Services for server software...

      The problem with Microsoft products is that those bastards invariably sneak in improvements along with bug fixes. This version of Apache, on the other hand, er... uh... never mind. Hey! What's that over there? [exits stage left]

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    2. Re:I choose security by xbuzz · · Score: 1

      Thanks Bill!

  3. Hold yer horses... by Anonymous Coward · · Score: 4, Interesting

    Ok, so Apache2 has been around forever now. The big hoopla was the threading module instead of prefork. However, you can't really use the threading model with PHP or mod_perl due to 3rd party libs not being thread safe.

    So is there really any point in using apache2 at all?

    Beyond maybe a cache/proxy role?

    1. Re:Hold yer horses... by afay · · Score: 4, Informative

      Well, here is a list of new features. Whether or not those features are worth the upgrade hassle is up to you.

      --
      Best slashdot comment
    2. Re:Hold yer horses... by FuzzyBad-Mofo · · Score: 1

      Who needs 3rd party libs with PHP? Not me, and a substantial part of my paying job is working with Linux/Apache/MySQL/PHP.

    3. Re:Hold yer horses... by guacamole · · Score: 1

      In addition to that, when I tried it, the "cgid" daemon (which is required for starting CGI scripts when apache is using worker mpm) would die once in a while disabling all CGI scripts on the server. I wonder if they have fixed that bug by now.

  4. Mod parent up as funny? by tod_miller · · Score: 0

    I laughed.

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
  5. mod_mono by Anonymous Coward · · Score: 0

    although i think it works in apache 1.3.x now, mod_mono was a deciding factor for me to switch to the 2.0 series. and for that, it has been working great...

  6. A couple of responses by redwoodtree · · Score: 5, Informative

    First of all, to the people who wonder what's so great about Apache 2.x you should take some time to understand that Apache 2 is a completely new way of thinking about the HTTP server paradigm. Apache 2.x is now no longer simply an HTTP server but a protocol server that can serve anything you can write, FTP, SMTP whatever. In fact Apache 2.x FTP server has been darn stable.

    Besides the threaded model and the above paradigm shift, there are also the great improvements in the build system, the API and IPv6 support. You can read all about it here: New Features 2.0. Do yourself a favor and start learning Apache 2.x now, you will not regret it down the line.

    Finally, I believe that with the 2.0.50 release the contributors have solved some of the most serious bugs and have delivered one of the most stable releases of Apache to date. Of course time will tell if there are significant bugs, I wouldn't go upgrading your production environment tomorrow. But the folks there have worked really hard on the big bugs and I have to give them a big thank you.

    The full change list is here: Changes 2.0.50. They have fixed a very serious stderr bug, several annoying ldap bugs, addressed various other security and performance issues and generally done a great job.

    Way to go folks. Thank you!!!

    1. Re:A couple of responses by Feztaa · · Score: 2, Funny

      So what you're saying is that Apache 2.x is the emacs of web servers? ;)

    2. Re:A couple of responses by Anonymous Coward · · Score: 0

      If Apache ever forms a cheerleading squad, I think you should definitely try out.

    3. Re:A couple of responses by redwoodtree · · Score: 1

      Hey, Apache has been very good to me and my friends. It's made my entire career. And I'm proud to have contributed what little I've been able to.

    4. Re:A couple of responses by PhrostyMcByte · · Score: 1

      First of all, to the people who wonder what's so great about Apache 2.x you should take some time to understand that Apache 2 is a completely new way of thinking about the HTTP server paradigm. Apache 2.x is now no longer simply an HTTP server but a protocol server that can serve anything you can write, FTP, SMTP whatever. In fact Apache 2.x FTP server has been darn stable.

      IIS was already like this. You can host any number of protocols and services with it. In fact it already ships with FTP and SMTP services (though I don't think they are enabled by default).

    5. Re:A couple of responses by redwoodtree · · Score: 1

      That's true, but try doing some of the more complex proxying/redirecting/tunneling with IIS. I've managed farms of dozens of apache servers all serving a combined several thousand hits per second to application servers running tomcat. IIS was never able to keep up with that type of traffic. But if you prefer IIS, more power to you.

    6. Re:A couple of responses by FireChipmunk · · Score: 1

      Which FTP server for Apache are you using?

      mod_ftpd works great as an FTP server for Apache..

    7. Re:A couple of responses by Anonymous Coward · · Score: 0

      I was thinking exactly the same thing, and it's one of the reasons I hate IIS/Exchange. Microsoft seems to be floundering around trying to figure out if they want things modular or centralized. Personally I like having separate servers doing things like smtp, and pop3, etc. I don't think I'd have a problem with the centralized idea if it wasn't that IIS/Exchange was ungodly bloated.

    8. Re:A couple of responses by guacamole · · Score: 1

      I haven't had problems with libtool and apache but I have had all kinds of problems with libtool when compiling other software like PHP. It works well perhaps when you're compiling something on a Linux box which has all the libraries in the LSB compliant places and such but try using it on say HP or Solaris system that has some libraries in non-standard locations.

  7. Obligatory... by Anonymous Coward · · Score: 1, Funny

    Apache2 is a great OS, now it just needs a good web server.

  8. Well, it's another Apache2 release... by Quattro Vezina · · Score: 1

    Cue the FUD about PHP being broken under Apache2...

    *sigh*

    --
    I support the Center for Consumer Freedom
  9. Subversion doesn't support Apache 1.x by Anonymous Coward · · Score: 0

    If you want to host subversion repositories using Apache, you need Apache 2.x.

    Of course, subversion doesn't REQUIRE Apache at all if you use the provided svnserve but I recommend the Apache+Subversion combo because it leverages all the network/authentication features in Apache.

    http://subversion.tigris.org/

  10. PHP support under Apache 2 is broken! by Anonymous Coward · · Score: 0

    Why the hell would anyone use Apache 2, when PHP support is completely broken, like what 2 YEARS after Apache 2 was released?

  11. Multiprocess vs. multithreaded by Not The Real Me · · Score: 1

    Does anyone know at which point multithreaded Apache (2.0) is better than multiprocess Apache (1.3)? I'm still using 1.3.x with PHP 4.3.x