Slashdot Mirror


Apache 1.3.33 Released

harmgsn writes "Following the release of Apache 1.3.32, the Apache Group released Apache 1.3.33 to fix a security flaw in mod_include and in the Content-Length field. The official announcement is available as well as the ChangeLog for the 1.3.x series."

14 of 227 comments

  1. How by igzat · · Score: 1, Insightful

    Will there ever be software released that doesn't have flaws or bugs, or is that just utterly impossible? Even the Mozilla foundation has vulnerability and bug problems, and they have some of the best coders out there.

    1. Re:How by pavon · · Score: 5, Insightful

      Sure, no one has found any bugs in Knuth's TeX in years. Same for Qmail, and others. You have to know exactly what you are doing before you start - which often means writing a throw away version of the software first to work out the kinks in the design. You have to have a simple clean design, and coding practice - as one of the Unix developers said debugging is 10x harder than writing code, so if you write code as cleverly as you can, you are, by definition, not qualified to debug that code. You have to know upfront how to write secure code, and think about with every function you write - never put this off for later. Then you have to have someone else rigorously read over every line of code to find any mistakes. Lastly you have to systematically test each part of the code individually and together. Then after years of widespread use without any major feature changes you will have weeded out nearly all of the bugs.

      Nearly all software that is written leaves out some of these things, choosing to balance getting something done with quality. Some find a better balance than others :)

      BTW. The mozilla programs are definitely good programmers, but the codebase is certainly not the paragon of clean code. It is huge and unwieldy, which is the main reason that Apple chose to build off of KHTML instead of Gecko when they made Safari. The situation has improved over time, but making an existing non-secure program secure, is much harder than doing it (mostly) correct from the start.

    2. Re:How by mcrbids · · Score: 4, Insightful

      Secure code is HARD to write!

      Even properly structured, carefully written stuff will contain security bugs! It requires attention, more attention, and yet more attention still.

      It requires proper layering of the code so that the number of variables to track at any one point is as small as possible.

      Spend lots of time on design. Draw flowcharts to cover key areas of your application. kivio is your friend! Consult your flowcharts before you make changes to the program. A well-laid-out flowchart can be worth more than reams of notes in the code.

      Above all, structure your code so that the default behavior is secure in the event of a failure.

      For example, you've done something stupid, and you're passing unescaped text to the database.

      Whoops!

      1) Why are you passing text directly to the database? If you communicate with the database with a proper API, you *can't* pass unescaped text to the database.

      2) Are you capturing the errors from the database, so that you aren't displaying any obvious sign (to the public) of what's gone wrong?

      3) Is the database connection transacted, so that you can return to a known good state?

      4) Do you have some kind of error trap or handler so that you can find out exactly what the errors were and fix them in a sane way?

      5) Have you tested your code with DELIBERATE bugs so that you know how it will behave in the event of a failure?

      The handling of any errors from that should *NEVER* be made clear to the outside, only that "an error has occurred".

      The goal is a system designed with multiple layers of protection so that a failure at any point does not result in a security breach! It should fail securely, so that problems result only in error reports, NOT SECURITY HOLES.

      Easy to say, damn hard to do...

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    3. Re:How by gbjbaanb · · Score: 2, Insightful

      Nothing to do with complexity really, your old 8086 was never connected to the internet as we know it, and security was more a case of choosing a password that wasn't 'password'.

      Today, I had a new linux server installed for me, and before I even told my customer his mail address, he had spam sent to it, and the server was subject to 2 attacks that BFD detected.

      Your old apps probably had all those security flaws in them, just nobody was interested in looking for them.

    4. Re:How by DrSkwid · · Score: 2, Insightful

      Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.

      -- Brian W. Kernighan

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    5. Re:How by mcrbids · · Score: 2, Insightful

      "Why are you passing text directly to the database". Um... because the API to a SQL database is SQL which is... text?

      Ahem...

      Here's an example of BAD YOU-ARE-SO-OWNED CODE ...
      $sql="SELECT * FROM userdb WHERE login='".$_REQUEST['login']."' AND password='".$_REQUEST['password']."'";
      $res=mysql_query($sql, $conn);
      Here's an example of MUCH BETTER CODE...
      $DB=New Database();
      $DB->SetQuery("SELECT * FROM userdb WHERE login='@login' AND password='@password'");
      $DB->Set('login', $_REQUEST['login']);
      $DB->Set('password', $_REQUEST['password']);
      if (!$res=$DB->Query())
      return Error("Sorry. There was an error while processing your request");
      Notice that the values being passed thru to the database are not being sent directly (there's that word, maybe you missed it?) to the database. This way, you can't (easily) make the mistake of not escaping the value before it's passed to the database - that's handled by object $DB.

      Ratboy.
      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
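The two patterns mcrbids contrasts above, together with the fail-secure checklist from his earlier comment (trap the database error internally, show the outside only a generic message, keep the work in a transaction so a failure rolls back), as an added example in Python with sqlite3. This is not code from the thread or from the Apache project: the userdb table, its rows and the error message are constructed for the example, and the function names are my own. The point it makes beyond the PHP snippets is that the concatenated form already breaks on ordinary input containing a quote, while the bound form treats the same input as plain data.

```python
import logging
import sqlite3

log = logging.getLogger("app")

# The only text the outside world ever sees when the database layer fails.
GENERIC_ERROR = "Sorry. There was an error while processing your request"


def make_db():
    """Constructed sample data: an in-memory stand-in for the 'userdb' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userdb (login TEXT, password TEXT)")
    conn.execute("INSERT INTO userdb VALUES ('alice', 'correct horse')")
    conn.execute("INSERT INTO userdb VALUES ('obrien', \"d'oh\")")
    conn.commit()
    return conn


def find_user_concat(conn, login, password):
    """The thread's BAD pattern: request text spliced straight into the SQL.
    Any quote character in the input becomes part of the statement, so a
    password like d'oh already produces a syntax error."""
    sql = ("SELECT login FROM userdb WHERE login='" + login
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()


def find_user_bound(conn, login, password):
    """The MUCH BETTER pattern: placeholders are filled in by the driver, so
    the values are never parsed as SQL, whatever characters they contain."""
    sql = "SELECT login FROM userdb WHERE login=? AND password=?"
    return conn.execute(sql, (login, password)).fetchall()


def handle_login(conn, login, password, lookup=find_user_bound):
    """Fail-secure wrapper around either lookup: detail goes to the internal
    log, the caller only ever gets success or the generic message, and the
    connection's context manager rolls back any partial work on an error."""
    try:
        with conn:  # commits on success, rolls back if an exception escapes
            rows = lookup(conn, login, password)
    except sqlite3.Error as exc:
        # Full detail stays on the server side, for the developer to fix.
        log.error("login lookup failed for %r: %s", login, exc)
        return {"ok": False, "message": GENERIC_ERROR}
    return {"ok": bool(rows), "message": "welcome" if rows else "invalid login"}


if __name__ == "__main__":
    db = make_db()
    # Same input through both paths: the bound form finds the user, the
    # concatenated form fails and the caller sees only the generic message.
    print(handle_login(db, "obrien", "d'oh"))
    print(handle_login(db, "obrien", "d'oh", lookup=find_user_concat))
```

Running the block shows the concatenated lookup reporting the generic error for a perfectly legitimate password, which is the cheapest way to test point 5 of the checklist (deliberately feed the code input it was not written for) before anyone hostile does it for you.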
  2. One small change by jZnat · · Score: 2, Insightful

    So, one small change was made to prevent dumbasses from fucking over the buffer if they use characters not intended in the first place? Not worth it without updating other bugs, sorry to say. Work on the more important yet less known bugs instead!

    --
    'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    1. Re:One small change by Electroly · · Score: 5, Insightful

      Without that "one small change", someone could own your computer by just sending a specially crafted HTTP response when you hit a website. I personally think anything that can allow "bad people" to get access to your computer without too much difficulty is something that should get fixed. Suit yourself.

  3. why cant they just release patches? by xot · · Score: 2, Insightful

    Do they have to keep releasing a new version everytime a bug or security flaw comes up?
    Why not just release patches for the bugs and just update the patch tree??

    --
    Lord of the Binges.
  4. Re:I can't figure this release note out by value_added · · Score: 2, Insightful

    "I don't see how it could, since "effect" is a noun."

    Good try (and moderately funny) but no cigar. The word "effect" can be used as a noun *or* a transitive verb in which case the meaning can be read as "to bring about." That, too, would be moderately funny, for an entirely different reason.

    The word "affect," on the other hand, is most commonly used as an intransitive verb, though its usage as a noun still exists (e.g. "affectation").

    [Web-link-as-pseudo-authoritative-citation omitted.]

  5. No... by Goonie · · Score: 4, Insightful

    So Knuth is the only open source developer to write his own code and that's freakish?

    That's not what I meant at all. What I meant was by the comment that Knuth is a "freak" that Knuth is a freakishly talented individual. And, yes, Knuth's situation is pretty unique, even for open source developers. Not only does he have tenure (that means they can't sack him), because of his reputation he's able to spend his time doing pretty much whatever he wants to do free of the restrictions on ordinary academics, like that little thing, "teaching", or sweating over whether he's going to get published. So he could hack away at TeX as and when the mood took him, without any pressure from his boss to actually produce anything, or any users badgering him for a new release, or figuring out how the other developers had screwed up, or trying to implement broken bits of the standard (because there *was* no standard).

    They are *not* the typical circumstances under which most developers have to work.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
  6. Re:What ever by Anonymous Coward · · Score: 1, Insightful

    How is that FUD? Inaccurate maybe. But the functionality is there, if only by a different name.

  7. Parent deserves insightful. by Anonymous Coward · · Score: 1, Insightful

    It's both sad and funny, but I'm (a VP) finding the exact same trouble, with a CEO not understanding of any software without commercial support. No problem - I've got underemployed friends who know postgresql, and sure enough by re-labeling it XYZ-corp-postgresql and a contract to update when upgrades come out, and to forward requests between the company to&from developers on the mailinglist when/if other problems occur, everyone was happy.

    Nothing sneaky was done - the CEO still knows it's open source - but now he has a phone number to call and can drag someone to his office.

    Rather than laugh, I'd say go for it. If your friend owns a suit and prints a nice business card it could be win/win for everyone.

  8. Back to /. roots? by FudgePackinJesus · · Score: 4, Insightful

    I really hope that, with this post, this is a hint of things to come at /.

    I really think that overall feel of slashdot has changed and not necessarily for the better. I'd really like to see kernel releases, Gnome & KDE flamewars, Quickies, obscure language write-ups and everything else that made /. special in the past make it to the front page again. Instead we're getting game reviews, movie reviews and politics. Sounds more like a mainstream news source now, doesn't it?

    The buzz of the open source world fell flat the last couple of years. I really hope it wasn't because of the market crash and that the core of the excitement wasn't the dream of cashing out by installing linux everywhere.

    Open source, I think most people still don't realize, is the source of true power in speech in this day and age. If it wasn't for projects like Linux, Apache, MySQL, PHP/Perl/Python, etc. the web would be dominated by large corporations who would be the only ones capable of paying the large sums of cash for web-service software that would have no doubt been that most expensive software out if not for the free-as-in-beer-speech competition. Open source bestowed the average man a voice in the newest of media channels.

    I truly hope the energy & excitement due to that fact never leaves... especially here on Slashdot. The editors shouldn't let the tagline "News for Nerds. Stuff that matters." limit the vibe /. gave off before because, at the end of the day, that's all it is. A tagline.