Apache 1.3.33 Released

harmgsn writes "Following the release of Apache 1.3.32, the Apache Group released Apache 1.3.33 to fix a security flaw in mod_include and in the Content-Length field. The official announcement is available as well as the ChangeLog for the 1.3.x series."

Re:What ever

[myg]

Apache 2 has quite a few good things going for it over Apache 1. First off, it handles multi-threading much better meaning that very heavy workloads require less CPU time[*]

Second, Apache 2 supports things like DAV which mean that to publish information on the web users need less access than with Apache 1 (such as shell accounts or worse FTP, since most ISP's don't think users should use SSH for some odd reason).

Lastly, Apache 2 can run Subversion. So not only can you use DAV to update information without shell access of any kind but you can version that information too.

[*] Why is multi-threading faster than the pre-fork model of Apache 1? Because there is less work to do when context-switching threads. A thread shares the same virtual address space with other threads in the process. Changing virtual address spaces is slow because it requires a TLB flush (as well as one or more extra registers to save). The TLB flush increases memory accesses.

Re:What ever

[PhrostyMcByte]

SF.NET just sent out an email a few days ago:

The SourceForge.net team is pleased to announce the long-awaited
upgrade to our project web service. SourceForge.net staff are
currently in the process of completing hardware procurement and
system build-out. The official date for this upgrade has not yet
been set; once our hardware build-out has been completed, the
date will be announced on the SourceForge.net Site Status page.
https://sourceforge.net/docs/A04/

This upgrade consists of a significant hardware upgrade and
Operating System upgrade. Due to the large upgrades involved here,
it may be necessary to upgrade your scripts.

...

New configuration:

Fedora Linux: Fedora Core 2
Linux kernel 2.6.x
GNU libc 2.3.3
Apache 2.0.51
Perl 5.8.3
PHP 4.3.8
Python 2.3.3
Tcl 8.4.5

Apache 2.x is good enough for a large site such as sf.net, it is good enough for others.

Re:How

[Goonie]

Sure, no one has found any bugs Knuth's TeX in years.

Knuth is a freak of nature who spent eight years writing a program on his own, largely for his own edification and completely free of commercial pressure. Few others have that freakish ability, fewer still get to work on their pet project by themselves for that long before offering it to the world. So there are limits to how many lessons can be drawn from this very unusual example.

Re:What ever

[FireChipmunk]

No one uses Apache 2 in production. I guess all those sites don't have a clue about security.

Re:why cant they just release patches?

[pairo]

Because it makes it easy to keep track of wether you're vulnerable or not. Because it makes it obvious something important changed. Because it allows them to release a couple of other patches as well.

Content-Length in mod_proxy

[morten+poulsen]

It is worth noting that the Content-Length security problem is in mod_proxy, not in the main daemon.

See CAN-2004-0492 for details.

Re:What ever

[bustersnyvel]

www.apache.org - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:17:14 GMT
Server: Apache/2.0.52 (Unix) ....

www.redhat.com - Unknown apache version:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:18:05 GMT
Server: Apache ...

www.cnn.com - Unknown apache version:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:18:45 GMT
Server: Apache

www.cnet.com - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:19:08 GMT
Server: Apache/2.0

www.bbc.co.uk - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:19:38 GMT
Server: Apache/2.0.51 (Unix)

us2.php.net - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:20:01 GMT
Server: Apache/2.0.46 (Unix) mod_perl/1.99_09 Perl/v5.8.0 mod_ssl/2.0.46 OpenSSL/0.9.6g DAV/2 FrontPage/5.0.2.2634 PHP/4.3.2 mod_gzip/2.0.26.1a

I guess a lot of people use Apache 2!