Slashdot Mirror


Apache 2.0.52 Released

roly writes "Not long after 2.0.51 was released, Apache 2.0.52 has come out. It's primarily a bugfix release, fixing one security flaw that was introduced in 2.0.51. See the release announcement, and the changelog. Download it from a mirror."

16 comments

  1. Category by Anonymous Coward · · Score: 1, Insightful

    Shouldn't this be in the Apache section as well as the IT section?

  2. Apache 2.0.52 fixes 2.0.51 security regression by dananderson · · Score: 3, Informative

    As I noted in the Apache 2.0.51 notice in /., this Apache 2.0.52 fixes a security regression from 2.0.51. You can also apply a 4-line patch to 2.0.51. Apache 2.0.52 works fine for me in production (been using it since yesterday on 2 systems).

    1. Re:Apache 2.0.52 fixes 2.0.51 security regression by Anonymous Coward · · Score: 2, Insightful

      Makes me wonder. Do holes in the 1.3.x line not get discovered anymore because everyone is busy with 2.0.x?

      I'm running 1.3.x still and not sure whether to be glad it's not affected or worried it might be affected but no one notices.

    2. Re:Apache 2.0.52 fixes 2.0.51 security regression by Anonymous Coward · · Score: 0

      you mean "so far, it doesn't crash in one day and counting" :)

    3. Re:Apache 2.0.52 fixes 2.0.51 security regression by Orbital+Sander · · Score: 3, Informative

      Do holes in the 1.3.x line not get discovered anymore because everyone is busy with 2.0.x?

      Many folks still run 1.3, and holes in that version tend to get fixed.

    4. Re:Apache 2.0.52 fixes 2.0.51 security regression by roly · · Score: 2, Informative

      I still use 1.3.xx, as do many others. There was a hole found in 1.3.31 and older versions to do with a buffer overflow in htpasswd that has been fixed in 1.3.32-dev. Proof that holes are still fixed.

      http://www.computec.ch/projekte/atk/plugins/pluginslist/Apache%20prior%201.3.32%20htpasswd%20buffer%20overflow.plugin.html

      --
      "With Microsoft, you get Windows. With Linux, you get the full house" - unknown

    5. Re:Apache 2.0.52 fixes 2.0.51 security regression by Anonymous Coward · · Score: 0

      Apache 2.0.52 works fine for me in production (been using it since yesterday on 2 systems).

      Wow, that's some serious uptime in production... 1 day, whoa man! Is your system uptime that high too; please don't say 2 days or I'll cream myself!

    6. Re:Apache 2.0.52 fixes 2.0.51 security regression by Anonymous Coward · · Score: 0

      Have any of the issues concerning PHP been solved? I have tried digging through the source in my off time to see if I can find the issue, but so far, it seems even PHP 5 has its issues with Apache 2.0.x.

  3. Apache security documentation by Anonymous Coward · · Score: 3, Informative

  4. patch vs. upgrade by uid100 · · Score: 1

    It's nice to see that you can easily patch an existing 2.0.51 installation, but if you are in an environment where there are any regular security audits they may ding you for a 2.0.51 installation even though it's been patched.

    Overall, great job by the Apache team and those that support them!

    --
    ...yup...

    1. Re:patch vs. upgrade by Medievalist · · Score: 3, Interesting

      Yeah, you need to do extra paperwork in such situations, so it might be less work to just up-rev.

      I frequently hack infrastructure software (like sendmail, bind and apache) to report incorrect version numbers, because that way the crackers always start out by trying attacks that don't work and are easily detected.

      Every time I see some buffoon trying an old sendmail trick I blackhole their IP at the edge router. I hope to eventually set up a tarpit and mire the losers in that, but for now I just discard their packets.

      I have to have all this documented because the auditors always telnet to port 25 and write down whatever they see, so they get all excited and think they've found a security hole... it's funny to watch their faces when I produce the documentation of the real versions of the software, and they realize they've been had!

  5. question - slightly offtopic by virtualone · · Score: 1

    there is a feature i am missing for apache 2.x:

    can i throttle to monthly amount of traffic per virtual site?

    there was a mod in apache 1.x but i know none for 2.x

    --
    Only morons moderate based on a sig.

  6. too many security issues? by Anonymous Coward · · Score: 0

    The apache 2 webserver has had frequent updates because of security issues...I'd expect that for a .0 release, but apache2 is already quite old. Plus...this was a security bug introduced in 2.0.51...which is sad. It looks like apache is not the stone wall it used to be :(

  7. More on it by Anonymous Coward · · Score: 0

    uber.name/ross