Apache 1.3.33 Released
harmgsn writes "Following the release of Apache 1.3.32, the Apache Group released Apache 1.3.33 to fix a security flaw in mod_include and in the Content-Length field. The official announcement is available as well as the ChangeLog for the 1.3.x series."
Well, Apache 2 doesn't support all the mods at this moment, for example, it is still impossible to use some auth_tk (not sure about the name) to autologin in our Intranet.
Trolling using another account since 2005.
Second, Apache 2 supports things like DAV, which means that to publish information on the web users need less access than with Apache 1 (such as shell accounts or worse FTP, since most ISPs don't think users should use SSH for some odd reason).
Lastly, Apache 2 can run Subversion. So not only can you use DAV to update information without shell access of any kind but you can version that information too.
[*] Why is multi-threading faster than the pre-fork model of Apache 1? Because there is less work to do when context-switching threads. A thread shares the same virtual address space with other threads in the process. Changing virtual address spaces is slow because it requires a TLB flush (as well as one or more extra registers to save). The TLB flush increases memory accesses.
FUD.
mod_deflate does GZIP encoding, and comes with the Apache 2.0 core:
http://httpd.apache.org/docs-2.0/mod/mod_deflate.
Apache 2.x is good enough for a large site such as sf.net, it is good enough for others.
Knuth is a freak of nature who spent eight years writing a program on his own, largely for his own edification and completely free of commercial pressure. Few others have that freakish ability, fewer still get to work on their pet project by themselves for that long before offering it to the world. So there are limits to how many lessons can be drawn from this very unusual example.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
No one uses Apache 2 in production. I guess all those sites don't have a clue about security.
Sure, no one has found any bugs in Knuth's TeX in years. Same for Qmail, and others.
Er, wrong. qmail has had a couple of security flaws, and more than a couple of bugs. For a more exhaustive list, Google is your friend.
It doesn't appear that mod_ssl 1.3.33-NNN is available yet. I can't update until this is done, or all my ssl sites break.
ugh...
and I'd just started rolling out 1.3.32!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I think you missed the point.
Every site I linked to was running APACHE 2.0.
Because it makes it easy to keep track of whether you're vulnerable or not. Because it makes it obvious something important changed. Because it allows them to release a couple of other patches as well.
Somebody probably has already mentioned this to you but you do know that apache does have a version 2? They are currently maintaining both the version v1 and v2 trees. Just thought I would let you know.
It said "windows 98 or better" so I installed Linux
I'll have to chime in and join the speculation that the problem lies with CF. I didn't even know CF would run under Apache.
Try installing phpBB, it's free, and moderately pretty by default. The only hitch would be migrating your existing user accounts. If you have their passwords in plaintext, just examine phpBB's registration code, and write a script to insert your existing users into phpBB's database.
I have phpBB running on a site with about 8,000 users that gets 1500+ posts a day. Works great and it's free!
Many of the "bugs" listed above are arguable, and frequently disputed by qmail users and opponents. That is, many of them could not be a reason to single-handedly strike down qmail itself.
As an example.. From the above document:
So.. qmail 1.03 was released in June 1998, RFC 2128 was released in April 2001. I'm inclined to say that calling this a "violation" is not that fair. Even more so if you consider that it might have been included in the RFC *in response* to qmail's behaviour by *ahem* some lobbyists. In contrast, qmail's behaviour was explicitly chosen by its author, and he directs anyone who claims this is "hogging", that they should "measure, not speculate" of the implications of the behaviour. What did he get?
And, allow me to say, in my opinion, a "SHOULD" clause is not violated if the "full implications" are "understood and carefully weighed", which has apparently happened.
So, what I meant is, the picture is not so clear, you should not believe anything you hear or say on the internet... Not even about qmail.
"Ten years from now, they could do it in a few seconds." -- The Racketeer of the Hellfire Club, 1993, Phrack 42
It is worth noting that the Content-Length security problem is in mod_proxy, not in the main daemon.
See CAN-2004-0492 for details.
www.apache.org - Apache 2: ....
...
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:17:14 GMT
Server: Apache/2.0.52 (Unix)
www.redhat.com - Unknown apache version:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:18:05 GMT
Server: Apache
www.cnn.com - Unknown apache version:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:18:45 GMT
Server: Apache
www.cnet.com - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:19:08 GMT
Server: Apache/2.0
www.bbc.co.uk - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:19:38 GMT
Server: Apache/2.0.51 (Unix)
us2.php.net - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:20:01 GMT
Server: Apache/2.0.46 (Unix) mod_perl/1.99_09 Perl/v5.8.0 mod_ssl/2.0.46 OpenSSL/0.9.6g DAV/2 FrontPage/5.0.2.2634 PHP/4.3.2 mod_gzip/2.0.26.1a
I guess a lot of people use Apache 2!
You can easily turn that off.