Slashdot Mirror


Apache 2.0.52 Released

roly writes "Not long after 2.0.51 was released, Apache 2.0.52 has come out. It's primarily a bugfix release, fixing one security flaw that was introduced in 2.0.51. See the release announcement, and the changelog. Download it from a mirror."

6 of 16 comments

  1. Apache 2.0.52 fixes 2.0.51 security regression by dananderson · · Score: 3, Informative

    As I noted in the Apache 2.0.51 notice in /., this Apache 2.0.52 fixes a security regression from 2.0.51. You can also apply a 4-line patch to 2.0.51. Apache 2.0.52 works fine for me in production (been using it since yesterday on 2 systems).

    1. Re:Apache 2.0.52 fixes 2.0.51 security regression by Anonymous Coward · · Score: 2, Insightful

      Makes me wonder. Do holes in the 1.3.x line not get discovered anymore because everyone is busy with 2.0.x?

      I'm running 1.3.x still and not sure whether to be glad it's not affected or worried it might be affected but no one notices.

    2. Re:Apache 2.0.52 fixes 2.0.51 security regression by Orbital Sander · · Score: 3, Informative

      Do holes in the 1.3.x line not get discovered anymore because everyone is busy with 2.0.x?

      Many folks still run 1.3, and holes in that version tend to get fixed.

    3. Re:Apache 2.0.52 fixes 2.0.51 security regression by roly · · Score: 2, Informative

      I still use 1.3.xx, as do many others. There was a hole found in 1.3.31 and older versions to do with a buffer overflow in htpasswd that has been fixed in 1.3.32-dev. Proof that holes are still fixed.

      http://www.computec.ch/projekte/atk/plugins/pluginslist/Apache%20prior%201.3.32%20htpasswd%20buffer%20overflow.plugin.html

      --
      "With Microsoft, you get Windows. With Linux, you get the full house" - unknown
  2. Apache security documentation by Anonymous Coward · · Score: 3, Informative
  3. Re:patch vs. upgrade by Medievalist · · Score: 3, Interesting

    Yeah, you need to do extra paperwork in such situations, so it might be less work to just up-rev.

    I frequently hack infrastructure software (like sendmail, bind and apache) to report incorrect version numbers, because that way the crackers always start out by trying attacks that don't work and are easily detected.

    Every time I see some buffoon trying an old sendmail trick I blackhole their IP at the edge router. I hope to eventually set up a tarpit and mire the losers in that, but for now I just discard their packets.

    I have to have all this documented because the auditors always telnet to port 25 and write down whatever they see, so they get all excited and think they've found a security hole... it's funny to watch their faces when I produce the documentation of the real versions of the software, and they realize they've been had!