Slashdot Mirror


Apache 1.3.33 Released

harmgsn writes "Following the release of Apache 1.3.32, the Apache Group released Apache 1.3.33 to fix a security flaw in mod_include and in the Content-Length field. The official announcement is available as well as the ChangeLog for the 1.3.x series."

6 of 227 comments

  1. A little overblown by Stevyn · Score: 3, Interesting
    After looking at the changelog, is this a topic for the main page? I mean people complain when a minor revision of the Linux kernel or KDE comes out.

    Not to say that justifies it, but this is just one bugfix. I hope people maintaining servers running Apache don't rely on Slashdot to inform them of this bug. This seems more an issue for a mailing list.

  2. Re:I can't figure this release note out by Anonymous Coward · Score: 1, Interesting

    If you are running Debian Stable, then you are relying on the most solid version of Linux thus far. The Debian team does not spend time working on adding new features to the platform, so all efforts are instead diverted to bug fixing. In Stable, the likelihood of an 0wn4ge is slim to none, in other words. At least much less than in the other Debian versions.

    That said, that only pertains to the operating system and accompanying binaries. It does not cover Apache. If there is a bug in Apache that allows the takeover of a system, a hacker could theoretically exploit that hole and cause damage to your system.

    However! The damage that is possible via a hack such as this is limited to the permission level at which Apache is running. If it is running as root, well, your whole system is exposed. OTOH, if you have Apache locked down with no permissions whatsoever, the likely damage to your system is minimized.

  3. Re:I tried to migrate to Apache. by quillsta · Score: 2, Interesting

    I was called by the wrong name 8 months into my current job staying in a company flat with the CFO in London (now 2nd Sr. Admin). I feel the v2.0 scenario and it hurts my heart. blessed be (God|Allah|Jeebus|Jehova|Budda|Mr. Dobbs) and blessed be apache 1.3.x.

    jez don't speak as though 2.0 is not primetime, because that is crazy speak -- the configuration files may have new directives and options, but yours is to weigh costs of access/benefit/detriment and deploy accordingly.

    Take time to read and don't be swayed by a jihad. If you are really unsure of what one is, google it and you will see it is not what you think.

  4. Re:I tried to migrate to Apache. by Vellmont · Score: 2, Interesting

    The idea is sound enough, we all know of course that no one adheres to any standards with regard to software revisions. Some software goes for years at version 0.x, and a 1.0 release is a really exceptional product. Others (like Microsoft) take at least up to version 3 for the thing to be actually useable.

    Anyway, you should have (or perhaps you did) play his game and announce that Apache 2.0 has been out for more than 2 years. As far as the ridiculous >= 2.0 policy, I'd go the route that software companies know this trick and will inflate version numbers. That way the VP doesn't look like a total moron and can save some face when the policy goes the way of the dodo.

    --
    AccountKiller
  5. Re:Apache is awful. by LnxAddct · Score: 4, Interesting

    Wow... did you ever hear the cliche of a face so ugly it breaks mirrors... that site is so horrendous it breaks apache. Anyway...your huge community doesn't seem to be all that huge... google uses a modified version of apache, slashdot uses apache, sourceforge.net uses apache, and Amazon.com runs apache... as well as many others. If you're having hours of downtime a day you must not be all there in your head. Seriously, go download Fedora Core 2, install it, everything will be set up for you... port your code to php or jsp or whatever if you're finding it unstable. Coldfusion is hell and way overrated. If you're going to use opensource, go completely open source because that's what it was designed with in mind. But judging from your website, you've got a lot more work to do than just getting a server running properly. Ugh... go buy a book or two, one for servers and one for web design. I'm not trying to troll... I just can't believe what this guy said, never in all my years have I had any trouble with Apache, whereas I also admin an IIS server and it's *hell*...but it pays the bills:)
    Regards,
    Steve

  6. Re:No... by martin_b1sh0p · Score: 3, Interesting

    Apparently his code does have bugs from time to time:

    From http://www.tug.org/whatis.html
    Donald Knuth, a professor of computer science at Stanford University and the author of numerous books on computer science and the TeX composition system, rewards the first finder of each typo or computer program bug with a check based on the source and the age of the bug. Since his books go into numerous editions, he does have a chance to correct errors. Typos and other errors in books typically yield $2.56 each once a book is in print (pre-publication "bounty-hunter" photocopy editions are priced at $.25 per), and program bugs rise by powers of 2 each year from $1.28 or so to a maximum of $327.68. Knuth's name is so valued that very few of his checks - even the largest ones - are actually cashed, but instead framed. (Barbara Beeton states that her small collection has been worth far more in bragging rights than any equivalent cash in hand. She's also somewhat biased, being Knuth's official entomologist for the TeX system, but informal surveys of past check recipients have shown that this holds overwhelmingly for nearly everyone but starving students.) This probably won't be true for just anyone, but the relatively small expense can yield a very worthwhile improvement in accuracy.