Apache 1.3.33 Released
harmgsn writes "Following the release of Apache 1.3.32, the Apache Group released Apache 1.3.33 to fix a security flaw in mod_include and in the Content-Length field. The official announcement is available as well as the ChangeLog for the 1.3.x series."
Will there ever be software released that doesn't have flaws or bugs, or is that just utterly impossible? Even the Mozilla foundation has vulnerability and bug problems, and they have some of the best coders out there.
Free Desk
Been using Apache 2 on Fedora Core for the past few months, so shouldn't have any worries.
Brandon Petersen
Get Firefox!
So, one small change was made to prevent dumbasses from fucking over the buffer if they use characters not intended in the first place? Not worth it without updating other bugs, sorry to say. Work on the more important yet less known bugs instead!
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
Well, Apache 2 doesn't support all the mods at this moment; for example, it is still impossible to use some auth_tk (not sure about the name) to autologin in our Intranet.
Trolling using another account since 2005.
Not to say that justifies it, but this is just one bugfix. I hope people maintaining servers running Apache don't rely on Slashdot to inform them of this bug. This seems more an issue for a mailing list.
If you are running Debian Stable, then you are relying on the most solid version of Linux thus far. The Debian team does not spend time working on adding new features to the platform, so all efforts are instead diverted to bug fixing. In Stable, the likelihood of an 0wn4ge is slim to none, in other words. At least much less than in the other Debian versions.
That said, that only pertains to the operating system and accompanying binaries. It does not cover Apache. If there is a bug in Apache that allows the takeover of a system, a hacker could theoretically exploit that hole and cause damage to your system.
However! The damage that is possible via a hack such as this is limited to the permission level at which Apache is running. If it is running as root, well, your whole system is exposed. OTOH, if you have Apache locked down with no permissions whatsoever, the likely damage to your system is minimized.
Don't forget that mod_gzip is not fully supported in Apache 2.X.
Also, has anyone else noticed that slashdot itself is still 1.3.29?
After searching a bit, I can't find the netcraft page that lists which apache version (1 or 2) the % of sites are using...but for some reason I remember apache2 being actually *used*.
Hence why it's default now on a grand many distros...and many many others...
(Chances of you being right about it being more of a security risk? Depends on your view, namely the time it's been out vs. the time apache1 has been out. But hey, why not at least post proof with your post compared to just stating such things blindly?)
During last year's jihad on IIS & IE I decided it would be a good idea to migrate the company's web servers to Apache. I decided to start simple and submit a plan to migrate just the department intranet server.
This is the actual response from management. The brain-dead VP that made this truly-enlightened decision first made a name for himself as a VP at a FAUCET COMPANY.
Listen to the faucet king's great idea:
"Shane, Thanks for your proposal. Unfortunately, I cannot approve the change. In fact, I've decided that we need to streamline these things in the future and make sure everyone is on the same page.
From now on, we will only install software on the servers that is at version 2.0 and above. There will be no exceptions to this. It's about security and reliability. Everyone knows you don't buy a car the first model year, why should software be any different. I've never heard of apachee, but if these guys are as good as you say they are enough people will bite to keep them going, and when they come out with the next major release I think you'll see then that we're better off for waiting for them to really get it right.
thanks for being on board with this, tom." [my name's shane]
Two years ago this guy won the "visionary of the year" award at the company conference.
Second, Apache 2 supports things like DAV which mean that to publish information on the web users need less access than with Apache 1 (such as shell accounts or worse FTP, since most ISPs don't think users should use SSH for some odd reason).
Lastly, Apache 2 can run Subversion. So not only can you use DAV to update information without shell access of any kind but you can version that information too.
[*] Why is multi-threading faster than the pre-fork model of Apache 1? Because there is less work to do when context-switching threads. A thread shares the same virtual address space with other threads in the process. Changing virtual address spaces is slow because it requires a TLB flush (as well as one or more extra registers to save). The TLB flush increases memory accesses.
FUD.
mod_deflate does GZIP encoding, and comes with the Apache 2.0 core:
http://httpd.apache.org/docs-2.0/mod/mod_deflate.html
Apache 2.x is good enough for a large site such as sf.net, it is good enough for others.
[note to mods: With a story this useless, what else could I do but correct usage (I'll leave grammar and capitalization as an exercise for the reader)? I mean come on, the front page for a bugfix?!]
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
I'm assuming you're not trolling, so would you mind elaborating a bit?
No one uses Apache 2 in production. I guess all those sites don't have a clue about security.
Why is your server running 2.0, then?
Netcraft's "What's That Site Running?" report on www.force-elite.com
I'm assuming by your nick here that you're Chip, of course.
You forgot one.
I support the Center for Consumer Freedom
I can't but help noticing you made a typo. Your entire message should be spelled ``FUD''.
In Stable, the likelihood of an 0wn4ge is slim to none, in other words.
How about this, or this then?
No distribution is inherently more secure than another, a Debian Woody machine will be as easily compromised as any other distribution, if the admin is incompetent. (And, no, I'm not saying all machines are compromised because of incompetent admins)
Wow cold fusion and jrun? People still use those? Are they running as modules or a CGI?
Maybe you should go back to IIS. You should not run a web server you can't get working. Leave apache for other people.
evil is as evil does
It doesn't appear that mod_ssl 1.3.33-NNN is available yet. I can't update until this is done, or all my ssl sites break.
ugh...
and I'd just started rolling out 1.3.32!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I'm only going to comment on two bits of your post, since I've never used ColdFusion/JRun with Apache (Or at all, for that matter) and cannot address the main issue.
disabled all unneeded services, performance tuned our app
You only did that _after_ you noticed your application is having problems?
what, it would follow 1.3.34?
Do they have to keep releasing a new version every time a bug or security flaw comes up?
Why not just release patches for the bugs and just update the patch tree??
Lord of the Binges.
Cough.
"I don't see how it could, since "effect" is a noun."
Good try (and moderately funny) but no cigar. The word "effect" can be used as a noun *or* a transitive verb in which case the meaning can be read as "to bring about." That, too, would be moderately funny, for an entirely different reason.
The word "affect," on the other hand, is most commonly used as an intransitive verb, though its usage as a noun still exists (e.g. "affectation").
[Web-link-as-pseudo-authoritative-citation omitted.]
Wow... did you ever hear the cliché of a face so ugly it breaks mirrors... that site is so horrendous it breaks apache. Anyway... your huge community doesn't seem to be all that huge... google uses a modified version of apache, slashdot uses apache, sourceforge.net uses apache, and Amazon.com runs apache... as well as many others. If you're having hours of downtime a day you must not be all there in your head. Seriously, go download Fedora Core 2, install it, everything will be set up for you... port your code to php or jsp or whatever if you're finding it unstable. Coldfusion is hell and way overrated. If you're going to use opensource, go completely open source because that's what it was designed with in mind. But judging from your website, you've got a lot more work to do than just getting a server running properly. Ugh... go buy a book or two, one for servers and one for web design. I'm not trying to troll... I just can't believe what this guy said, never in all my years have I had any trouble with Apache, whereas I also admin an IIS server and it's *hell*... but it pays the bills:)
Regards,
Steve
Unfortunately, despite your best attempts to slander the apache software, it looks more like PEBKAC
That's not what I meant at all. What I meant was by the comment that Knuth is a "freak" that Knuth is a freakishly talented individual. And, yes, Knuth's situation is pretty unique, even for open source developers. Not only does he have tenure (that means they can't sack him), because of his reputation he's able to spend his time doing pretty much whatever he wants to do free of the restrictions on ordinary academics, like that little thing, "teaching", or sweating over whether he's going to get published. So he could hack away at TeX as and when the mood took him, without any pressure from his boss to actually produce anything, or any users badgering him for a new release, or figuring out how the other developers had screwed up, or trying to implement broken bits of the standard (because there *was* no standard).
They are *not* the typical circumstances under which most developers have to work.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
. . . and speaking of poor websites, one of our old customers (I had to try and answer his question in a professional way as to why people weren't coming to his website) designing-websites.com although he has gotten a lot better than what it was before
Well, http://mplayerhq.hu/pipermail/mplayer-dev-eng/2003-December/022821.html is just one of the usual rants of mplayer against Debian. If you go further in this thread, you will find
http://mplayerhq.hu/pipermail/mplayer-dev-eng/2003-December/022877.html and http://mplayerhq.hu/pipermail/mplayer-dev-eng/2003-December/022879.html, which show that the admin didn't have a clue how his server was compromised (it must be the kernel and/or Debian, because he is a perfect admin, or what?).
Yeah, Apache is more secure
No Shit Sherlock
and open source,
That's immaterial
but it isn't as good for enterprise as IIS is.
Bull. I'd finger either poor coding by your developers or poor administration of Apache/Coldfusion. Or maybe you were trying to run Apache on Windows which is not a good idea.
Apache is more difficult but it's not that much more difficult. There are even web administration tools that make life easier.
My first Apache config script worked ok but I had to do a bit of digging around on the net before I got all of the info I needed. M$ had a bad habit of making stuff appear easy by making lots of default choices for you that you might not make if you were given the informed choice.
What are you listening to? (http://megamanic.blogetery.com/)
> From now on, we will only install software on the servers that is at version 2.0 and above
Hmm.. let this guy install Windows 3.1 on the servers (apparently that *is* > 2.0)
Hmm.. maybe I wonder if Knuth did a good thing by freezing TeX at 3.14 (or was it 3.14.15...)
Quidquid latine dictum sit, altum videtur
Apparently those visions included lots of shifting colors...
People will pass up steak once a week, for crap every day.
I'll have to chime in and join the speculation that the problem lies with CF. I didn't even know CF would run under Apache.
Try installing phpBB, it's free, and moderately pretty by default. The only hitch would be migrating your existing user accounts. If you have their passwords in plaintext, just examine phpBB's registration code, and write a script to insert your existing users into phpBB's database.
I have phpBB running on a site with about 8,000 users that gets 1500+ posts a day. Works great and it's free!
How is that FUD? Inaccurate maybe. But the functionality is there, if only by a different name.
Nothing sneaky was done - the CEO still knows it's open source - but now he has a phone number to call and can drag someone to his office.
Rather than laugh, I'd say go for it. If your friend owns a suit and prints a nice business card it could be win/win for everyone.
It is worth noting that the Content-Length security problem is in mod_proxy, not in the main daemon.
See CAN-2004-0492 for details.
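Since the Content-Length problem above sits in the proxy path, the defensive lesson is to parse that header strictly before using the number to size anything. The following is an added illustration, not Apache's or mod_proxy's code; MAX_CONTENT_LENGTH is a hypothetical policy limit.

```c
/* Added example (not Apache's code): strict parsing of a Content-Length
 * header value, the check a reverse proxy must make before it trusts the
 * number to size a buffer or an allocation. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Largest body we are willing to buffer; hypothetical policy value. */
#define MAX_CONTENT_LENGTH (64L * 1024 * 1024)

/* Returns 0 and stores the length on success; -1 if the value is not a
 * plain non-negative decimal integer within bounds. Rejects what a naive
 * atoi() silently accepts: a leading '-' or '+', an empty value, trailing
 * garbage, and digit strings that overflow the target type. */
int parse_content_length(const char *value, long *out)
{
    if (value == NULL || out == NULL)
        return -1;

    /* HTTP allows optional whitespace around the field value. */
    while (*value == ' ' || *value == '\t')
        value++;

    const char *p = value;
    if (*p == '\0' || !isdigit((unsigned char)*p))
        return -1;          /* empty, signed, or non-numeric */

    long n = 0;
    for (; isdigit((unsigned char)*p); p++) {
        int d = *p - '0';
        if (n > (LONG_MAX - d) / 10)
            return -1;      /* n * 10 + d would overflow (and could wrap negative) */
        n = n * 10 + d;
    }

    /* Only trailing whitespace may follow the digits. */
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p != '\0')
        return -1;

    if (n > MAX_CONTENT_LENGTH)
        return -1;          /* valid number, but larger than policy allows */

    *out = n;
    return 0;
}

/* Convenience wrapper: the parsed length, or -1 when the value is rejected. */
long content_length_or_reject(const char *value)
{
    long n;
    return parse_content_length(value, &n) == 0 ? n : -1;
}

int main(void)
{
    /* Constructed sample header values, good and bad. */
    const char *samples[] = { "1234", " 42 ", "-1", "+5", "", "12abc",
                              "99999999999999999999999", "67108865" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-25s -> %ld\n", samples[i], content_length_or_reject(samples[i]));
    return 0;
}
```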
Kernel developers today released the eagerly awaited linux kernel 1.2.14. Everyone should update to this latest version as soon as possible to make use of the security fixes that this update provides.
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10);'
Security effects ALL of us.
ITYM the other way around - it's LACK of secure (safe) sex that effects all of us.
I believe posters are recognized by their sig. So I made one.
www.apache.org - Apache 2: ....
...
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:17:14 GMT
Server: Apache/2.0.52 (Unix)
www.redhat.com - Unknown apache version:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:18:05 GMT
Server: Apache
www.cnn.com - Unknown apache version:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:18:45 GMT
Server: Apache
www.cnet.com - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:19:08 GMT
Server: Apache/2.0
www.bbc.co.uk - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:19:38 GMT
Server: Apache/2.0.51 (Unix)
us2.php.net - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:20:01 GMT
Server: Apache/2.0.46 (Unix) mod_perl/1.99_09 Perl/v5.8.0 mod_ssl/2.0.46 OpenSSL/0.9.6g DAV/2 FrontPage/5.0.2.2634 PHP/4.3.2 mod_gzip/2.0.26.1a
I guess a lot of people use Apache 2!
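Doing the survey above by hand does not scale to a fleet you administer; as an added example (not code from the post), here is a small classifier over captured response heads. The samples are the post's own headers plus one constructed 1.3 response; the enum names are mine.

```c
/* Added example: classify the Server: header of captured HTTP response
 * heads into Apache 1.3, Apache 2, Apache with the version hidden, or
 * not Apache. Useful for checking what your own servers announce. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

enum server_class {
    SRV_NOT_APACHE = 0,
    SRV_APACHE_HIDDEN,  /* "Server: Apache" with no version (ServerTokens Prod) */
    SRV_APACHE_1,
    SRV_APACHE_2,
    SRV_APACHE_OTHER    /* Apache with some other major version */
};

/* Find the Server header (case-insensitive name, LF or CRLF line ends)
 * and copy its trimmed value into buf. Returns 1 if found, else 0. */
int extract_server_header(const char *response, char *buf, size_t buflen)
{
    const char *line = response;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= 7 && strncasecmp(line, "Server:", 7) == 0) {
            const char *v = line + 7, *end = line + len;
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            while (end > v && (end[-1] == '\r' || end[-1] == ' ')) end--;
            size_t n = (size_t)(end - v);
            if (n >= buflen) n = buflen - 1;
            memcpy(buf, v, n);
            buf[n] = '\0';
            return 1;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

enum server_class classify_response(const char *response)
{
    char server[256];
    if (!extract_server_header(response, server, sizeof server))
        return SRV_NOT_APACHE;
    if (strncasecmp(server, "Apache", 6) != 0)
        return SRV_NOT_APACHE;
    if (server[6] != '/')
        return SRV_APACHE_HIDDEN;   /* "Apache" alone, version withheld */
    /* Version follows the slash: "2.0.52 (Unix)", "1.3.29", or just "2.0". */
    if (strncmp(server + 7, "1.3", 3) == 0)
        return SRV_APACHE_1;
    if (server[7] == '2' && (server[8] == '.' || server[8] == '\0' || server[8] == ' '))
        return SRV_APACHE_2;
    return SRV_APACHE_OTHER;
}

/* Samples: two response heads quoted in the post, one constructed. */
static const char *const SAMPLE_PHP_NET =
    "HTTP/1.1 200 OK\r\nDate: Fri, 29 Oct 2004 09:20:01 GMT\r\n"
    "Server: Apache/2.0.46 (Unix) mod_perl/1.99_09 Perl/v5.8.0\r\n\r\n";
static const char *const SAMPLE_REDHAT =
    "HTTP/1.1 200 OK\nDate: Fri, 29 Oct 2004 09:18:05 GMT\nServer: Apache\n\n";
static const char *const SAMPLE_CONSTRUCTED_13 =   /* constructed, not captured */
    "HTTP/1.1 200 OK\r\nServer: Apache/1.3.29 (Unix)\r\n\r\n";

int main(void)
{
    printf("php.net: %d, redhat: %d, constructed 1.3: %d\n",
           classify_response(SAMPLE_PHP_NET), classify_response(SAMPLE_REDHAT),
           classify_response(SAMPLE_CONSTRUCTED_13));
    return 0;
}
```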
I should know, this is my post. In hindsight, maybe I should've actually explained what I meant by those two examples.
The first, the one about the Debian machines being compromised, was to show nothing is unbreakable (even though the Debian people made some mistakes in configuring those machines, they're far from being responsible for that).
The second, the MPlayer one was to show that a clueless admin (Okay, I know I shouldn't call the MPlayer people names based on a single experience, but that's the impression I got from that thread.) matters more than the distribution he or she uses.
Debian people prefer to fix the bugs without updating to new upstream version whenever possible.
I suppose that apache_1.3.31-7 package would soon hit the repository and it would have this bug fixed
That doesn't mean the security patches are not applied.
Don't forget that even Debian Stable is using Apache 1.3.26 yet the security updates are backported to that version by the glorious debian community shortly after the announcements from Apache foundation.
When I was taking my A-levels, I helped out in my school's remedial studies unit. On the walls in there were a set of colourful cartoon posters drawing attention to commonly-mixed-up words.
One was of a stereotypical 50kg weakling in a gym, about to lift a set of weights and saying "Will this affect me?" And the answer from his muscle-bound colleague was "Look at the effect it had on me!"
Another one was a kid with an untied shoe, and a teacher calling after her, "Your lace is loose! You might lose a shoe!" At the time, I never thought that was particularly relevant; since around my particular neck of the woods, "lose" {as in "I don't care if the Rams don't win, just as long as Forest lose"} is often pronounced so as to rhyme with "nose".
Je fume. Tu fumes. Nous fûmes!
I'm using mod_dav with Apache 1.
-prator
I really hope that, with this post, this is a hint of things to come at /.
I really think that the overall feel of slashdot has changed and not necessarily for the better. I'd really like to see kernel releases, Gnome & KDE flamewars, Quickies, obscure language write-ups and everything else that made /. special in the past make it to the front page again. Instead we're getting game reviews, movie reviews and politics. Sounds more like a mainstream news source now, doesn't it?
The buzz of the open source world fell flat the last couple of years. I really hope it wasn't because of the market crash and that the core of the excitement wasn't the dream of cashing out by installing linux everywhere.
Open source, I think most people still don't realize, is the source of true power in speech in this day and age. If it wasn't for projects like Linux, Apache, MySQL, PHP/Perl/Python, etc. the web would be dominated by large corporations who would be the only ones capable of paying the large sums of cash for web-service software that would have no doubt been the most expensive software out if not for the free-as-in-beer-speech competition. Open source bestowed the average man a voice in the newest of media channels.
I truly hope the energy & excitement due to that fact never leaves... especially here on Slashdot. The editors shouldn't let the tagline "News for Nerds. Stuff that matters." limit the vibe /. gave off before because, at the end of the day, that's all it is. A tagline.
I can't wait for release 1.3.37
qmail has bugs, just no bugs that affect security. But they are bugs nonetheless.
One bug is to do with insufficient checking of a counter, so it wraps at 2GB. The worst case here is that the program crashes, I believe. I don't think it is exploitable.
Another bug is a crash on parsing a slightly weird .qmail file. I can't remember the exact details of that.
Then there are various other things that you could consider bugs. qmail doesn't comply with the current Internet standards. If you restrict bugs to mean "doesn't function as originally designed", then these are not bugs. But I think they would be considered bugs by most people, since they affect qmail's interaction with other mail software.
They're running as Apache modules obviously. But even then we're still being crushed under the weight of our load.
Hmm, I can't seem to find the updated windows version.
Change is certain; progress is not obligatory.
Yes, Árpi is actually quite incompetent at times. Btw as far as I remember the incident it was a remote kernel exploit, nothing to do with Debian... it could have been any other linux box running the same version of kernel...
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Yes, but what they claimed (And, amazingly enough, they were right) was that the attacker needed to gain local access first, by exploiting a service. Nevertheless, claiming that Debian was to blame was a bit off.
That's weird... why on earth would a remote exploit require local access? That's why it is remote, no local access is required.
The kernel exploit they (And _YOU_) are referring to is a _LOCAL_ exploit, it's the one that affected Debian.
And, by re-reading your post (Yeah, I know. But I'm trying to get drunk here, ya know!), I see you were wrong from the start. See above.
I'm not trying to troll, but many people make this mistake. Next time you think about migrating to a product, visit the product's website to research what the latest production release is and look at a product roadmap to see if it would be worthwhile to wait until a newer version becomes available. Then after you have done all of the research, you can present your findings to your higher-ups in a manner that allows them to make an informed choice. That works wonders.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Why is multi-threading faster than the pre-fork model of Apache 1? Because there is less work to do when context-switching threads. A thread shares the same virtual address space with other threads in the process. Changing virtual address spaces is slow because it requires a TLB flush (as well as one or more extra registers to save).
Not every architecture requires a hardware TLB flush. Some of them (like ia64, I think) maintain a tag called ASID (Address Space IDentifier) so TLB entries can be shared by different processes which share memory pages. Anyway, I always thought that the real performance and scalability benefit between using processes or threads was on task creation and destruction and not on task switching. I'm not saying that a TLB flush on a context switch is negligible but by itself it probably is not so important. Could you give any pointers on this?
Ah, so that's why sites that use the Sourceforge web service have been so slow lately.
8-)
Apache1 or apache2? Windows or Unix?
Apache under windows is JustBadIdea if you ask me.
I'm not 100% sure but I suspect it isn't really all that supported anymore.
The down-side to threads is, as some posters have pointed out that a few modules (PHP comes to mind) aren't thread safe. I don't really use PHP nor do I like the language enough to bother with it.
But of the things I do use they all seem to be very happy with threads. And for Win32 users the threading model is pretty much their only model.
Well that's hard given that apache-1.3.x doesn't use threading at all. Of course all the Linux distributions still ship with the "old" pre-fork method, because it's just as fast on Linux ... and much safer, reliable and compatible.
Doing a task switch, even without a TLB flush, is still much slower than not doing a task switch at all. Using two servers, apache for dynamic content and a fast one for static content, is fairly common ... and much faster than apache 2.0.x.
And you are sacrificing a huge amount of reliability for that small TLB "improvement", then of course you have to take into account the extra locking needed in the threaded app. and the SMP cache invalidation traffic when you alter hot objects etc. Of course I'm sure you've measured all this ... not.
ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
Or maybe you were trying to run Apache on Windows which is not a good idea.
Running Apache on Windows isn't necessarily evil either. It's good for Windows shops or when using another OS would make the learning curve incredibly steep.
I use Apache/Win for my CGI SOAP services. While they are internal servers, they still get a moderate load. And I've never had a minute of trouble with Apache.
I'm also using Apache/XP/Firebird on my laptop to learn PHP. Which will eventually be moved to my Apache/Debian/Firebird server.
It is amazing what you can accomplish if you do not care who gets the credit. -- Harry Truman
http://www.cgisecurity.com/webservers/apache
Believe me, if I started murdering people, there would be none of you left.
I think it has been out long enough to bang out the bugs. Even though 1.3.x is still being patched I think A2 is ready for prime time. We're close to implementing it in our shop in a production environment.
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
Do the following:
As a rule, any program of reasonable complexity has bugs.
A possible exception exists for programs written by Knuth.
What is freakish is that Knuth is the only person with the ability and determination and discipline required to write a program without bugs.
Me, I'd find some other term than "freakish", like phenomenal, but the critical distinction is the same.
I just could not notice having become troll for that comment. Oh well, whatever you want guys. Thing is, I'm using Apache 1 and 2 versions on some linux and windows machines, some out on the web, some for local development, whatever. There are also some folks I know, who run linux and windows servers for db and web serving, 1&2 apache's mixed. But every committed one of them (which I am not, not having an admin job, and I wouldn't ever want one) never considered exposing an A2 server out to the large scale public (just remember A2 and PHP thread problems, module migration problems - maybe these are not such a problem anymore, the shadows still lurk). Call them (or me) freaking FUD spreaders, it's just our way.
So we're the bad guys, stupid guys, whatever (like I care), and we're not worth talking about Apache, we poor schmucks. But you guys, who raise A2 into the clouds of Olympus, you rock, 'cause you know the truth.
For the typo: well, that's still just me.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Why Firebird? I've used it enough to still call it "Interbastard". I would have thought PostgreSQL would have been a better choice but give me a month until I've had it running a while on my home server then I'll tell you what name I've come up with for it ;)
I wouldn't mind Postgresql, but it has a very annoying feature that I can't tolerate. Let me preface this by saying I work with a lot of legacy MS-SQL TransactSQL. MS-SQL can be configured (default) to NOT be case sensitive in any way, shape, or form. If I create a table called MyTable, I can address it any way I like and I will get results. Same goes for fields. The only effect is that if I do a straight dump of a result set, my fields will be called DailySales, not dailysales or DAILYSALES. So I don't have to reformat them for the users. Now, a lot of this legacy SQL and table structures took that into account.
If I try to use that with Postgresql, I have to put "every statement" inside "double quotes" so it doesn't "lowercase every freaking field and table". Case sensitivity is fine, but evaluate statements as I enter them. If they insist on lowercasing everything I don't put in quotes, lowercase the SQL server side of the comparison too.
MySQL isn't an option for me. What good is a database server that doesn't return errors on validation failures? But I can live with Firebird now that they have the super server. It, or FlameRobin/IBAccess, lowercases all of my table and field names, but I can live with that.
And yeah, in the past I wasn't all that impressed with Interbase either. I've always used ClientDatasets to avoid it until recently. My complaint has always been a lack of decent tools and its bizarre desire to expect the client to know the location of its GDB files.
does anybody know off hand how long they will continue to support apache 1.x
Get your torrents...
omg I got first post!
Hello world