Apache 2.0.50 Released

← Back to Stories (view on slashdot.org)

Posted by simoniker on Wednesday June 30, 2004 @07:01PM from the incredible-bongo-band dept.

Gruturo writes "The Apache Software Foundation just released version 2.0.50, which, apart from the usual incremental improvements and bug fixes, addresses security vulnerabilities such as CAN-2004-0493 (Memory leak which could lead to resource depletion == DoS) and CAN-2004-0488 (a mod_ssl buffer overflow). Be kind to their servers and use a mirror."

40 comments

Min score:

Reason:

Sort:

Open source: Beyond capitalism? by Anonymous Coward · 2004-06-30 19:21 · Score: -1, Offtopic

The full text of this article from The Economist follows. The original content is subscriber-only; it is reproduced here in the hope and expectation that you will find it useful.
The article does not strictly deal with this most recent release of Apache, but it is mentioned in this article as an example of open source's successes. The rest of the article is certainly worth reading, if only for a well-argued perspective on the strengths and weaknesses of open source.
----
Open source
Beyond capitalism?
Jun 10th 2004
From The Economist print edition
The open-source model can be applied to goods other than software, but it has its limits
THAT "open source" is a good way to make software is beyond question. For those unfamiliar with the term, the open-source model allows many people to collaborate on the development of a piece of software by making its underlying programming instructions, or source code, open to everyone, usually by publishing them on the internet. The resulting program is then given away too: open-source software is shared, not sold. Commercial software vendors, by contrast, jealously guard their source code because only by keeping it secret can they protect their ability to demand money for their products.
[Image]
By far the best-known example of open-source software is Linux, an operating system that is maintained by volunteers around the world, runs on everything from wristwatches to mainframes and now powers one in five of the world's server computers. Open source's other successes include Apache, a piece of software that powers two-thirds of the world's web servers, Sendmail, a program that dispatches most of the world's e-mail, and MySQL, a database program.
Advocates of open source argue that it produces software that is secure, reliable and, of course, cheap. All this is clearly true, despite the fact that open source's opponents--chief among them Microsoft, the world's largest software company--try to deny it. Now many people want to apply the open-source model in many fields other than software. There is already an open-source cola recipe, an open-source encyclopedia and open-source academic journals. The model is also being applied in medical research (see article). Some zealots even argue that the open-source approach represents a new, post-capitalist model of production. Are there no limits to the power of open source?
Of course there are. The model is particularly well suited to information-rich goods, of which software is merely the most obvious example, since it is pure information. The surprisingly good open-source encyclopedia (see Wikipedia.org) is another example. Like software, it is modular, which allows different people to work on different bits. Drugs, too, are information-rich goods, and searching for candidate molecules and performing clinical trials may be amenable to open-source-style distributed collaboration. So far, so good. But building, say, an open-source car is rather more problematic, since information (in the form of design and specifications) constitutes only a minor ingredient: the costs of materials and manufacturing would remain. Until someone invents a "universal replicator" capable of synthesising any object from software specifications, it is hard to see how the open-source model can be applied to manufactured goods.
The model has other limitations as well. It is not clear, for example, that the open-source model can be genuinely innovative--most open-source software merely imitates existing commercial products. Furthermore, the open-source software movement is driven by the desire to dethrone the proprietary software model, embodied by Microsoft. This shared g
Safe to upgrade yet? by Anonymous Coward · 2004-06-30 19:24 · Score: 1, Informative

I'm still using 1.3.31. php working okay these days? How about php 5?
1. Re:Safe to upgrade yet? by a.koepke · 2004-06-30 19:53 · Score: 5, Informative
  
  I am using PHP 5 and works great. The trick is to compile Apache using the prefork MPM.
  
  Quote from http://httpd.apache.org/docs-2.0/mod/prefork.html
  
  This Multi-Processing Module (MPM) implements a non-threaded, pre-forking web server that handles requests in a manner similar to Apache 1.3. It is appropriate for sites that need to avoid threading for compatibility with non-thread-safe libraries. It is also the best MPM for isolating each request, so that a problem with a single request will not affect any other.
  
  Using Apache 2 in this method will make it work perfectly with PHP.
  
  --
  
  (\(\
  (^.^)
  (")")
  *This is the cute bunny virus, please copy this into your sig so it can spread
2. Re:Safe to upgrade yet? by stoborrobots · 2004-06-30 20:04 · Score: 2, Informative
  
  PHP+Apache2 is "working OK"...
  
  Just not well enough to sign off an enterprise solution on...
  
  Check out these links for more details...
  PHP-Dev Mailing list discussion
  Discussion on PHP buglist
  as well as a more tongue-in-cheek reply...
  
  --
  "Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
3. Re:Safe to upgrade yet? by Fweeky · 2004-06-30 23:18 · Score: 2, Interesting
  
  A better trick is to compile PHP using the FastCGI SAPI and Apache 2 with the perfectly fine mod_fastcgi. Lets you spread PHP across machines, lets you jail/chroot PHP seperate from Apache, lets you run fewer copies of PHP (which also reduces database connections), and lets you change webserver or language with minimal impact on the other.
  
  And yes, mmcache and friends work fine in FastCGI mode.
4. Re:Safe to upgrade yet? by Bronster · 2004-07-01 02:44 · Score: 4, Interesting
  
  just not well enough to sign off an enterprise solution on...
  
  I wouldn't sign off an enterprise solution on PHP full stop. Vile language.
  
  So says someone who did some work on Squirrelmail a little while back - man it sucks trying to support all the little incompatibilities and changing defaults and changing configurations everywhere. When you're undoing an automatic quote of variables depending on a guess from some other variables you know you've got "Visual Basic for da interweb" - except with a less stable API.
  
  That and the separate functions per DB type which caused all+dog to write their own copy of Perl's DBI in PHP before Pear came along.
  
  It might be an OK language for developping small stand-alone web apps, or a web app which runs on one infrastructure that you control and validate - but it's not a language for writing stuff you can install on any webhost and expect a complex app to keep working across versions.
  
  *grumble*
5. Re:Safe to upgrade yet? by kix · 2004-07-01 04:09 · Score: 1
  
  "...but it's not a language for writing stuff you can install on any webhost and expect a complex app to keep working across versions."
  
  well I have been doing just that with a quite large app (200 000+ lines of php code) and it has been working out just fine.
  
  odd, that.
  
  --
  I am SO cool I can keep meat fresh for a WEEK!!!!
6. Re:Safe to upgrade yet? by quelrods · 2004-07-01 08:57 · Score: 4, Insightful
  
  ya except apache 1.3 + php isn't really an enterprise solution to a large web application either. One of the reasons cited above for php not working w/ apache2.0 is a lack of thread safety. In php there isn't any. Also, you can thread sessions all reads and writes lock the session from any further reads or writes until the operation is completed.
  
  --
  :(){ :|:&};:
7. Re:Safe to upgrade yet? by Bronster · 2004-07-01 08:59 · Score: 1
  
  well I have been doing just that with a quite large app (200 000+ lines of php code) and it has been working out just fine.
  
  How many installations? What sort of app? Do you ever install it on systems where you can't insist that PHP is configured a particular way?
  
  I agree that 200,000+ lines of code is big.
  
  I can hardly talk, since I'm working on a fairly large app written in Perl, and it has its fun and games across versions with poorly written 3rd party modules, but at least the core language has been pretty good about keeping compatibility through the entire 5 series.
8. Re:Safe to upgrade yet? by kix · 2004-07-01 09:59 · Score: 1
  
  how many?
  admittedly, the number of installations on different servers is not that big - about 15 different servers so far and most of them (about 10 I think) have apache/php configs that we can't control. the number of sites it runs is around 200
  
  what kind of app?
  everything :) starting from cms/project management/messageboard and ending with ERP and over-the-web visual database forms creation and systems integration. basically it's an application server, or something like it and a huge amount of modules for it that do all kinds of different things.
  
  the strategy to make this work is relatively simple - assume that the php installation is about 2-3 years old and don't use newer features or else detect if they are available or not and if not, provide a replacement or a work-around. also, the magic quoting and database handling is abstracted away deep into a generic object storage system so that everything "just works".
  
  it does take a bit of work and being careful, but once you get used to it, it really is awfully fast to develop with it.
  
  --
  I am SO cool I can keep meat fresh for a WEEK!!!!
9. Re:Safe to upgrade yet? by Bronster · 2004-07-01 10:29 · Score: 1
  
  Yep, and there's a fair bit of that in any language unfortunately. I guess if it's a big enough app the abstracting is really important.
  
  We suffer from not enough abstraction in some ways.
10. Re:Safe to upgrade yet? by stoborrobots · 2004-07-01 17:16 · Score: 1
  
  Yep... you're right... no large enterprise systems would be run on PHP...
  
  Be careful what you imply... the PHP core IS thread-safe... the only unknown is the large number of external libraries which PHP uses... The issues are not seen in non-threaded implementations... Forked processes do not hit the thread-safety issues, so any library is safe there...
  
  I'm not sure what you mean by "Also, you can thread sessions all reads and writes lock the session from any further reads or writes until the operation is completed." or how it relates to the issue at hand...
  
  --
  "Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
11. Re:Safe to upgrade yet? by FuzzyBad-Mofo · 2004-07-06 16:47 · Score: 1
  
  Oh yeah?
12. Re:Safe to upgrade yet? by Bronster · 2004-07-07 01:06 · Score: 1
  
  Yeah, thanks for carefully reading what I wrote. You'll notice that Yahoo is running its apps on basically one or at most a few carefully controlled environments - not trying to build something that installs in lots of different versions of PHP on lots of different architectures.
  
  Thanks for playing though.
13. Re:Safe to upgrade yet? by WoodstockJeff · 2004-07-07 03:55 · Score: 1
  
  I think there is a problem with definitions here. "Enterprise" doesn't mean the same thing as "deployed on hundreds of different systems world-wide".
  If I'm doing something for a large company (dozens of servers), there is going to be some form of configuration management involved to keep those servers consistent amongst themselves. Therefore, "all the little incompatibilities" aren't the factor they are in something like Squirrelmail or phpMyAdmin, where you can't control what Joe Sixpack has installed on his server.
14. Re:Safe to upgrade yet? by Anonymous Coward · 2004-07-08 06:38 · Score: 0
  
  Idiot mod, that isn't flamebait. There were some issues with PHP initially. oh well I guess this will get modded flamebait too :)
15. Re:Safe to upgrade yet? by FictionPimp · 2004-07-13 09:16 · Score: 1
  
  Depends what you think a line of code is. // is this a line of code if( $A == $b){ print("is this a line of code") } /* is this one line of code or two */ if(!$A) { print("how many lines of code is this"); } just a thought. I have used php for large projects, just nothing that I didn't control the install envoirment on, so I really cant comment on that. Although I bet my project had at least 20,000 lines of comments.
I choose security by Anonymous Coward · 2004-06-30 19:25 · Score: 3, Funny

For security I wouldn't use anything where the source is open.

I recommend Microsoft(r) Internet Information Services for server software (compiled with GS switch, so it's double secure compared to other products) and Microsoft(r) Internet Explorer for client (my favorite site MSN.com looks great in it).
1. Re:I choose security by nacturation · 2004-07-01 22:21 · Score: 1
  
  I recommend Microsoft(r) Internet Information Services for server software...
  
  The problem with Microsoft products is that those bastards invariably sneak in improvements along with bug fixes. This version of Apache, on the other hand, er... uh... never mind. Hey! What's that over there? [exits stage left]
  
  --
  Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
2. Re:I choose security by xbuzz · 2004-07-14 12:05 · Score: 1
  
  Thanks Bill!
Hold yer horses... by Anonymous Coward · 2004-06-30 20:29 · Score: 4, Interesting

Ok, so Apache2 has been around forever now. The big hoopla was the threading module instead of prefork. However, you can't really use the threading model with PHP or mod_perl due to 3rd party libs not being thread safe.

So is there really any point in using apache2 at all?

Beyond maybe a cache/proxy role?
1. Re:Hold yer horses... by afay · 2004-06-30 21:23 · Score: 4, Informative
  
  Well, here is a list of new features. Whether or not those features are worth the upgrade hassle is up to you.
  
  --
  Best slashdot comment
2. Re:Hold yer horses... by FuzzyBad-Mofo · 2004-07-06 16:44 · Score: 1
  
  Who needs 3rd party libs with PHP? Not me, and a substantial part of my paying job is working with Linux/Apache/MySQL/PHP.
3. Re:Hold yer horses... by guacamole · 2004-07-15 12:01 · Score: 1
  
  In addition to that, when I tried it, the "cgid" daemon (which is required for starting CGI scripts when apache is using worker mpm) would die once in a while disabling all CGI scripts on the server. I wonder if they have fixed that bug by now.
Mod parent up as funny? by tod_miller · 2004-06-30 21:40 · Score: 0

I laughed.

--
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
mod_mono by Anonymous Coward · 2004-06-30 23:54 · Score: 0

although i think it works in apache 1.3.x now, mod_mono was a deciding factor for me to switch to the 2.0 series. and for that, it has been working great...
A couple of responses by redwoodtree · 2004-07-01 06:52 · Score: 5, Informative

First of all, to the people who wonder what's so great about Apache 2.x you should take some time to understand that Apache 2 is a completely new way of thinking about the HTTP server paradigm. Apache 2.x is now no longer simply an HTTP server but a protocol server that can serve anything you can write, FTP, SMTP whatever. In fact Apache 2.x FTP server has been darn stable.

Besides the threaded model and the above paradigm shift, there is also the great improvements in the build system, the API and IPv6 support. You can read all about it here: New Features 2.0 . Do yourself a favor and start learning Apache 2.x now, you will not regret it down the line.

Finally, I believe that with the 2.0.50 release the contributors have solved some of the most serious bugs and have delivered one of the most stable releases of Apache to date. Of course time will tell if there are significant bugs, I wouldn't go upgrading your production environment tomorrow. But the folks there have worked really hard on the big bugs and I have to give them a big thank you.

The full change list is here: Changes 2.0.50 . They have fixed a very serious stderr bug, several annoying ldap bugs, addressed various other security and performance issues and generally done a great job.

Way to go folks. Thank you!!!
1. Re:A couple of responses by Feztaa · 2004-07-01 08:55 · Score: 2, Funny
  
  So what you're saying is that Apache 2.x is the emacs of web servers? ;)
2. Re:A couple of responses by Anonymous Coward · 2004-07-01 15:06 · Score: 0
  
  If Apache ever forms a cheerleading squad, I think you should definately try out.
3. Re:A couple of responses by redwoodtree · 2004-07-01 15:47 · Score: 1
  
  Hey , Apache has been very good to me and my friends. It's made my entire career. And I'm proud to have contributed what little I've been able to.
4. Re:A couple of responses by PhrostyMcByte · 2004-07-02 07:15 · Score: 1
  
  First of all, to the people who wonder what's so great about Apache 2.x you should take some time to understand that Apache 2 is a completely new way of thinking about the HTTP server paradigm. Apache 2.x is now no longer simply an HTTP server but a protocol server that can serve anything you can write, FTP, SMTP whatever. In fact Apache 2.x FTP server has been darn stable.
  
  IIS was already like this. You can host any number of protocols and services with it. In fact it already ships with FTP and SMTP services (though I don't think they are enabled by default).
5. Re:A couple of responses by redwoodtree · 2004-07-02 07:56 · Score: 1
  
  That's true, but try doing some of the more complex proxing/redirecting/tunneling with IIS. I've managed farms of dozens of apache servers all serving a combined several thousand hits per second to application servers running tomcat. IIS was never able to keep up with that type of traffic. But if you prefer IIS , more power to you.
6. Re:A couple of responses by FireChipmunk · 2004-07-02 20:07 · Score: 1
  
  Which FTP server for Apache are you using?
  
  mod_ftpd works great as an FTP server for Apache..
7. Re:A couple of responses by Anonymous Coward · 2004-07-14 06:08 · Score: 0
  
  I was thinking exactly the same thing, and it's one of the reasons I hate IIS/Exchange. Microsoft seems to be floundering around trying to figure out if they want things modular or centralized. Personally I like having separate servers doing things like smtp, and pop3, etc. I don't think I'd have a problem with the centralized idea if it wasn't that IIS/Exchange was ungodly bloated.
8. Re:A couple of responses by guacamole · 2004-07-15 12:09 · Score: 1
  
  I haven't had problems with libtool and apache but I have had all kinds of problems with libtool when compiling other software like PHP. It works well perhaps when you're compiling something on a Linux box which has all the libraries in the LSB compliant places and such but try using it on say HP or Solaris system that has some libraries in non-standard locations.
Obligitory... by Anonymous Coward · 2004-07-01 09:55 · Score: 1, Funny

Apache2 is a great OS, now it just needs a good web server.
Well, it's another Apache2 release... by Quattro+Vezina · 2004-07-01 13:40 · Score: 1

Cue the FUD about PHP being broken under Apache2...

*sigh*

--
I support the Center for Consumer Freedom
Subversion doesn't support Apache 1.x by Anonymous Coward · 2004-07-02 01:47 · Score: 0

If you want to host subversion repositories using Apache, you need Apache 2.x.

Of course, subversion doesn't REQUIRE Apache at all if you use the provided svnserve but I recommend the Apache+Subversion combo because it leverages all the network/authentication features in Apache.

http://subversion.tigris.org/
PHP support under Apache 2 is broken! by Anonymous Coward · 2004-07-08 08:45 · Score: 0

Why they hell would anyone use Apache 2, when PHP support is completely broken, like what 2 YEARS after Apache 2 was released?
Multprocess vs. multithreaded by Not+The+Real+Me · 2004-07-11 10:38 · Score: 1

Does anyone know at which point multithreaded Apache (2.0) is better than multiprocess Apache(1.3)? I'm still using 1.3.x with PHP 4.3.x