Slashdot Mirror


Apache 1.3.33 Released

harmgsn writes "Following the release of Apache 1.3.32, the Apache Group released Apache 1.3.33 to fix a security flaw in mod_include and in the Content-Length field. The official announcement is available as well as the ChangeLog for the 1.3.x series."

48 of 227 comments

  1. Good thing I use Apache 2 by brandonp · · Score: 2, Funny

    Been using Apache 2 on Fedora Core for the past few months, so shouldn't have any worries.

    Brandon Petersen
    Get Firefox!

    1. Re:Good thing I use Apache 2 by eobanb · · Score: 3, Funny

      Personally, I'm waiting for Apache 1.3.37. 0h y34h!!!

      --

      Take off every sig. For great justice.

  2. Re:How by Anonymous Coward · · Score: 2, Funny

    Yes, I think there is one, it is called the "Hello World" program.

  3. One small change by jZnat · · Score: 2, Insightful

    So, one small change was made to prevent dumbasses from fucking over the buffer if they use characters not intended in the first place? Not worth it without updating other bugs, sorry to say. Work on the more important yet less known bugs instead!

    --
    'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    1. Re:One small change by Electroly · · Score: 5, Insightful

      Without that "one small change", someone could own your computer by just sending a specially crafted HTTP response when you hit a website. I personally think anything that can allow "bad people" to get access to your computer without too much difficulty is something that should get fixed. Suit yourself.

  4. Re:What ever by mirko · · Score: 2, Informative

    Well, Apache 2 doesn't support all the mods at this moment, for example, it is still impossible to use some auth_tk (not sure about the name) to autologin in our Intranet.

    --
    Trolling using another account since 2005.
  5. A little overblown by Stevyn · · Score: 3, Interesting
    After looking at the changelog, is this a topic for the main page? I mean people complain when a minor revision of the Linux kernel or KDE comes out.

    Not to say that justifies it, but this is just one bugfix. I hope people maintaining servers running Apache don't rely on Slashdot to inform them of this bug. This seems more an issue for a mailing list.

    1. Re:A little overblown by Anonymous Crowhead · · Score: 5, Funny

      After looking at the changelog [apache.org], is this a topic for the main page?

      No kidding. The Apache section is like Ralph Nader. It's always there, it gets about 1% as many comments as any other section, a boring story about it still hits the headlines now and again, but you try to get rid of it and it gets all crazy.

    2. Re:A little overblown by Anonymous Coward · · Score: 4, Funny

      Don't blame me, I voted IIS.

    3. Re:A little overblown by Neil Blender · · Score: 4, Funny

      No kidding. The Apache section is like Ralph Nader. It's always there, it gets about 1% as many comments as any other section, a boring story about it still hits the headlines now and again, but you try to get rid of it and it gets all crazy.

      Heh, that reminds me: About 3 or 4 years ago, I was up late fixing some server issue. While I was waiting around I checked Slashdot and saw a story in the Apache section about some Apache conference or party or something that was taking place in Belgium or Norway, I can't remember exactly. It had been up for hours, maybe even days with no comments. So, thinking it would be like taking candy from a baby, I first posted. About a week later, I checked the same story and the only post was my first post. I think that story got archived with that single post.

    4. Re:A little overblown by Trepidity · · Score: 2, Funny

      God we're geeks :)

      People told me that I shouldn't take the comments on Slashdot seriously because they are inaccurate, but I believe I have evidence to the contrary.

    5. Re:A little overblown by Tony-A · · Score: 2, Funny

      With all the stories on Microsoft exploits, the Slashdot editors are trying to give equal time.

      "mod_include: Fix potential buffer overflow with escaped characters in SSI tag string."
      -- At least it's a different one.

      "Multiple security issues ... that could allow an attacker to compromise a computer running Windows and gain complete control over it."
      -- I thought they fixed that already.

  6. Re:How by pavon · · Score: 5, Insightful

    Sure, no one has found any bugs in Knuth's TeX in years. Same for Qmail, and others. You have to know exactly what you are doing before you start - which often means writing a throw away version of the software first to work out the kinks in the design. You have to have a simple clean design, and coding practice - as one of the Unix developers said debugging is 10x harder than writing code, so if you write code as cleverly as you can, you are, by definition, not qualified to debug that code. You have to know upfront how to write secure code, and think about it with every function you write - never put this off for later. Then you have to have someone else rigorously read over every line of code to find any mistakes. Lastly you have to systematically test each part of the code individually and together. Then after years of widespread use without any major feature changes you will have weeded out nearly all of the bugs.

    Nearly all software that is written leaves out some of these things, choosing to balance getting something done with quality. Some find a better balance than others :)

    BTW. The mozilla programmers are definitely good programmers, but the codebase is certainly not the paragon of clean code. It is huge and unwieldy, which is the main reason that Apple chose to build off of KHTML instead of Gecko when they made Safari. The situation has improved over time, but making an existing non-secure program secure, is much harder than doing it (mostly) correct from the start.

  7. I tried to migrate to Apache. by shaneh0 · · Score: 5, Funny

    During last year's jihad on IIS & IE I decided it would be a good idea to migrate the company's web servers to Apache. I decided to start simple and submit a plan to migrate just the department intranet server.

    This is the actual response from management. The brain-dead VP that made this truly-enlightened decision first made a name for himself as a VP at a FAUCET COMPANY.

    Listen to the faucet king's great idea:

    "Shane, Thanks for your proposal. Unfortunately, I cannot approve the change. In fact, I've decided that we need to streamline these things in the future and make sure everyone is on the same page.

    From now on, we will only install software on the servers that is at version 2.0 and above. There will be no exceptions to this. It's about security and reliability. Everyone knows you dont buy a car the first model year, why should software be any different. I've never heard of apachee, but if these guys are as good as you say they are enough people will bite to keep them going, and when they come out with the next major realease I think you'll see then that we're better off for waiting for them to really get it right.

    thanks for beging on board with this, tom." [my name's shane]

    Two years ago this guy won the "visionary of the year" award at the company conference.

    1. Re:I tried to migrate to Apache. by quillsta · · Score: 2, Interesting

      I was called by the wrong name 8 months into my current job staying in a company flat with the CFO in london (now 2nd Sr. Admin). I feel the v2.0 scenario and it hurts my heart. blessed be (God|Allah|Jeebus|Jehova|Budda|Mr. Dobbs) and blessed be apache 1.3.x.

      jez don't speak as though 2.0 is not primetime, because that is crazy speak -- the configuration files may have new directives and options, but yours is to weigh costs of access/benefit/detriment and deploy accordingly.

      Take time to read and don't be swayed by a jihad. If you are really unsure of what one is google it and you will see it is not what you think

    2. Re:I tried to migrate to Apache. by Vellmont · · Score: 2, Interesting

      The idea is sound enough, we all know of course that no one adheres to any standards with regard to software revisions. Some software goes for years at version 0.x, and a 1.0 release is a really exceptional product. Others (like Microsoft) take at least up to version 3 for the thing to be actually useable.

      Anyway, you should have (or perhaps you did) played his game and announced that Apache 2.0 has been out for more than 2 years. As far as the ridiculous >= 2.0 policy, I'd go the route that software companies know this trick and will inflate version numbers. That way the VP doesn't look like a total moron and can save some face when the policy goes the way of the dodo.

      --
      AccountKiller
    3. Re:I tried to migrate to Apache. by pchan- · · Score: 3, Funny

      i would love to have had the chance to respond to this.

      you could just download apache, edit the code and bump up the version number. but really, the right solution would have been to inform him that, in fact, there exists an "apachee 3.0". unfortunately, "apachee 3.0" is no longer free, and requires a 500$ yearly site license for under 10 installs (and reasonable fees for more). then you can bump up the version on apache 1.3 and install it on the company's computers. your friend (er, the "apachee foundation") can cash the yearly check for you.

    4. Re:I tried to migrate to Apache. by snero3 · · Score: 2, Informative

      Somebody probably has already mentioned this to you but you do know that apache does have a version 2? They are currently maintaining both the version v1 and v2 trees. Just thought I would let you know.

      --
      It said "windows 98 or better" so I installed Linux
  8. Re:What ever by myg · · Score: 5, Informative
    Apache 2 has quite a few good things going for it over Apache 1. First off, it handles multi-threading much better meaning that very heavy workloads require less CPU time[*]

    Second, Apache 2 supports things like DAV which means that to publish information on the web users need less access than with Apache 1 (such as shell accounts or worse FTP, since most ISPs don't think users should use SSH for some odd reason).

    Lastly, Apache 2 can run Subversion. So not only can you use DAV to update information without shell access of any kind but you can version that information too.

    [*] Why is multi-threading faster than the pre-fork model of Apache 1? Because there is less work to do when context-switching threads. A thread shares the same virtual address space with other threads in the process. Changing virtual address spaces is slow because it requires a TLB flush (as well as one or more extra registers to save). The TLB flush increases memory accesses.

  9. Re:What ever by FireChipmunk · · Score: 2, Informative

    FUD.

    mod_deflate does GZIP encoding, and comes with the Apache 2.0 core:
    http://httpd.apache.org/docs-2.0/mod/mod_deflate.html

  10. Re:What ever by PhrostyMcByte · · Score: 4, Informative
    SF.NET just sent out an email a few days ago:

    The SourceForge.net team is pleased to announce the long-awaited
    upgrade to our project web service. SourceForge.net staff are
    currently in the process of completing hardware procurement and
    system build-out. The official date for this upgrade has not yet
    been set; once our hardware build-out has been completed, the
    date will be announced on the SourceForge.net Site Status page.
    https://sourceforge.net/docs/A04/

    This upgrade consists of a significant hardware upgrade and
    Operating System upgrade. Due to the large upgrades involved here,
    it may be necessary to upgrade your scripts.

    ...

    New configuration:

    Fedora Linux: Fedora Core 2
    Linux kernel 2.6.x
    GNU libc 2.3.3
    Apache 2.0.51
    Perl 5.8.3
    PHP 4.3.8
    Python 2.3.3
    Tcl 8.4.5

    Apache 2.x is good enough for a large site such as sf.net, it is good enough for others.
  11. Re:I can't figure this release note out by mrchaotica · · Score: 4, Funny
    does this effect me?
    I don't see how it could, since "effect" is a noun.
    I don't want to loose the security battle
    Well, better keep that battle tied up then!

    [note to mods: With a story this useless, what else could I do but correct usage (I'll leave grammar and capitalization as an exercise for the reader)? I mean come on, the front page for a bugfix?!]
    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  12. Re:How by Goonie · · Score: 5, Informative
    Sure, no one has found any bugs in Knuth's TeX in years.

    Knuth is a freak of nature who spent eight years writing a program on his own, largely for his own edification and completely free of commercial pressure. Few others have that freakish ability, fewer still get to work on their pet project by themselves for that long before offering it to the world. So there are limits to how many lessons can be drawn from this very unusual example.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
  13. Re:What ever by FireChipmunk · · Score: 4, Informative

    No one uses Apache 2 in production. I guess all those sites don't have a clue about security.

  14. Re:How by mcrbids · · Score: 4, Insightful

    Secure code is HARD to write!

    Even properly structured, carefully written stuff will contain security bugs! It requires attention, more attention, and yet more attention still.

    It requires proper layering of the code so that the number of variables to track at any one point is as small as possible.

    Spend lots of time on design. Draw flowcharts to cover key areas of your application. kivio is your friend! Consult your flowcharts before you make changes to the program. A well-laid-out flowchart can be worth more than reams of notes in the code.

    Above all, structure your code so that the default behavior is secure in the event of a failure.

    For example, you've done something stupid, and you're passing unescaped text to the database.

    Whoops!

    1) Why are you passing text directly to the database? If you communicate with the database with a proper API, you *can't* pass unescaped text to the database.

    2) Are you capturing the errors from the database, so that you aren't displaying any obvious sign (to the public) of what's gone wrong?

    3) Is the database connection transacted, so that you can return to a known good state?

    4) Do you have some kind of error trap or handler so that you can find out exactly what the errors were and fix them in a sane way?

    5) Have you tested your code with DELIBERATE bugs so that you know how it will behave in the event of a failure?

    The handling of any errors from that should *NEVER* be made clear to the outside, only that "an error has occurred".

    The goal is a system designed with multiple layers of protection so that a failure at any point does not result in a security breach! It should fail securely, so that problems result only in error reports, NOT SECURITY HOLES.

    Easy to say, damn hard to do...

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  15. Re:How by pairo · · Score: 3, Informative

    Sure, no one has found any bugs in Knuth's TeX in years. Same for Qmail, and others.
    Er, wrong. qmail has had a couple of security flaws, and more than a couple of bugs. For a more exhaustive list, Google is your friend.

  16. Mod_ssl? by mcrbids · · Score: 2, Informative

    It doesn't appear that mod_ssl 1.3.33-NNN is available yet. I can't update until this is done, or all my ssl sites break.

    ugh...

    and I'd just started rolling out 1.3.32!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  17. Re:Apache is awful. by pairo · · Score: 3, Funny

    I'm only going to comment on two bits of your post, since I've never used ColdFusion/JRun with Apache (Or at all, for that matter) and cannot address the main issue.

    disabled all unneeded services, performance tuned our app

    You only did that _after_ you noticed your application is having problems?

  18. As opposed to . . . by WinterpegCanuck · · Score: 2, Funny
    Following the release of Apache 1.3.32

    what, it would follow 1.3.34?

  19. why cant they just release patches? by xot · · Score: 2, Insightful

    Do they have to keep releasing a new version every time a bug or security flaw comes up?
    Why not just release patches for the bugs and just update the patch tree??

    --
    Lord of the Binges.
    1. Re:why cant they just release patches? by pairo · · Score: 4, Informative

      Because it makes it easy to keep track of whether you're vulnerable or not. Because it makes it obvious something important changed. Because it allows them to release a couple of other patches as well.

    2. Re:why cant they just release patches? by pairo · · Score: 2, Informative

      You can easily turn that off.

  20. Re:I can't figure this release note out by value_added · · Score: 2, Insightful

    "I don't see how it could, since "effect" is a noun."

    Good try (and moderately funny) but no cigar. The word "effect" can be used as a noun *or* a transitive verb in which case the meaning can be read as "to bring about." That, too, would be moderately funny, for an entirely different reason.

    The word "affect," on the other hand, is most commonly used as an intransitive verb, though its usage as a noun still exists (e.g. "affectation").

    [Web-link-as-pseudo-authoritative-citation omitted.]

  21. Re:Apache is awful. by LnxAddct · · Score: 4, Interesting

    Wow... did you ever hear the cliche of a face so ugly it breaks mirrors... that site is so horrendous it breaks apache. Anyway...your huge community doesn't seem to be all that huge... google uses a modified version of apache, slashdot uses apache, sourceforge.net uses apache, and Amazon.com runs apache... as well as many others. If you're having hours of downtime a day you must not be all there in your head. Seriously, go download Fedora Core 2, install it, everything will be set up for you... port your code to php or jsp or whatever if you're finding it unstable. Coldfusion is hell and way overrated. If you're going to use opensource, go completely open source because that's what it was designed with in mind. But judging from your website, you've got a lot more work to do than just getting a server running properly. Ugh... go buy a book or two, one for servers and one for web design. I'm not trying to troll... I just can't believe what this guy said, never in all my years have I had any trouble with Apache, whereas I also admin an IIS server and it's *hell*...but it pays the bills:)
    Regards,
    Steve

  22. No... by Goonie · · Score: 4, Insightful
    So Knuth is the only open source developer to write his own code and that's freakish?

    That's not what I meant at all. What I meant by the comment that Knuth is a "freak" was that Knuth is a freakishly talented individual. And, yes, Knuth's situation is pretty unique, even for open source developers. Not only does he have tenure (that means they can't sack him), because of his reputation he's able to spend his time doing pretty much whatever he wants to do free of the restrictions on ordinary academics, like that little thing, "teaching", or sweating over whether he's going to get published. So he could hack away at TeX as and when the mood took him, without any pressure from his boss to actually produce anything, or any users badgering him for a new release, or figuring out how the other developers had screwed up, or trying to implement broken bits of the standard (because there *was* no standard).

    They are *not* the typical circumstances under which most developers have to work.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
    1. Re:No... by martin_b1sh0p · · Score: 3, Interesting

      Apparently his code does have bugs from time to time:

      From http://www.tug.org/whatis.html
      Donald Knuth, a professor of computer science at Stanford University and the author of numerous books on computer science and the TeX composition system, rewards the first finder of each typo or computer program bug with a check based on the source and the age of the bug. Since his books go into numerous editions, he does have a chance to correct errors. Typos and other errors in books typically yield $2.56 each once a book is in print (pre-publication "bounty-hunter" photocopy editions are priced at $.25 per), and program bugs rise by powers of 2 each year from $1.28 or so to a maximum of $327.68. Knuth's name is so valued that very few of his checks - even the largest ones - are actually cashed, but instead framed. (Barbara Beeton states that her small collection has been worth far more in bragging rights than any equivalent cash in hand. She's also somewhat biased, being Knuth's official entomologist for the TeX system, but informal surveys of past check recipients have shown that this holds overwhelmingly for nearly everyone but starving students.) This probably won't be true for just anyone, but the relatively small expense can yield a very worthwhile improvement in accuracy.

  23. Try phpBB by Anonymous Coward · · Score: 2, Informative

    I'll have to chime in and join the speculation that the problem lies with CF. I didn't even know CF would run under Apache.

    Try installing phpBB, it's free, and moderately pretty by default. The only hitch would be migrating your existing user accounts. If you have their passwords in plaintext, just examine phpBB's registration code, and write a script to insert your existing users into phpBB's database.

    I have phpBB running on a site with about 8,000 users that gets 1500+ posts a day. Works great and it's free!

  24. Re:How by Chexum · · Score: 2, Informative
    ...more than a couple bugs...

    Many of the "bugs" listed above are arguable, and frequently disputed by qmail users and opponents. That is, many of them could not be a reason to single-handedly strike down qmail itself.

    As an example.. From the above document:

    All the contents of this document refer to qmail-1.03.
    4.3. Bandwidth hogging (violates RFC-2821 SHOULD clause)

    So.. qmail 1.03 was released in June 1998, RFC 2128 was released in April 2001. I'm inclined to say that calling this a "violation" is not that fair. Even more so if you consider that it might have been included in the RFC *in response* to qmail's behaviour by *ahem* some lobbyists. In contrast, qmail's behaviour was explicitly chosen by its author, and he directs anyone who claims this is "hogging", that they should "measure, not speculate" of the implications of the behaviour. What did he get?

    And, allow me to say, in my opinion, a "SHOULD" clause is not violated if the "full implications" are "understood and carefully weighed", which has apparently happened.

    So, what I meant is, the picture is not so clear, you should not believe anything you hear or say on the internet... Not even about qmail.

    --
    "Ten years from now, they could do it in a few seconds." -- The Racketeer of the Hellfire Club, 1993, Phrack 42
  25. Content-Length in mod_proxy by morten poulsen · · Score: 4, Informative

    It is worth noting that the Content-Length security problem is in mod_proxy, not in the main daemon.

    See CAN-2004-0492 for details.

  26. Re:How by gbjbaanb · · Score: 2, Insightful

    nothing to do with complexity really, your old 8086 was never connected to the internet as we know it, and security was more a case of choosing a password that wasn't 'password'.

    Today, I had a new linux server installed for me, and before I even told my customer his mail address, he had spam sent to it, and the server was subject to 2 attacks that BFD detected.

    Your old apps probably had all those security flaws in them, just nobody was interested in looking for them.

  27. In other news.... by abdulwahid · · Score: 4, Funny

    Kernel developers today released the eagerly awaited linux kernel 1.2.14. Everyone should update to this latest version as soon as possible to make use of the security fixes that this update provides.

    --
    perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10);'
  28. Re:I can't figure this release note out by Scarblac · · Score: 2, Funny

    Security effects ALL of us.

    ITYM the other way around - it's LACK of secure (safe) sex that effects all of us.

    --
    I believe posters are recognized by their sig. So I made one.
  29. Re:What ever by bustersnyvel · · Score: 4, Informative

    www.apache.org - Apache 2:
    HTTP/1.1 200 OK
    Date: Fri, 29 Oct 2004 09:17:14 GMT
    Server: Apache/2.0.52 (Unix) ....

    www.redhat.com - Unknown apache version:
    HTTP/1.1 200 OK
    Date: Fri, 29 Oct 2004 09:18:05 GMT
    Server: Apache ...

    www.cnn.com - Unknown apache version:
    HTTP/1.1 200 OK
    Date: Fri, 29 Oct 2004 09:18:45 GMT
    Server: Apache

    www.cnet.com - Apache 2:
    HTTP/1.1 200 OK
    Date: Fri, 29 Oct 2004 09:19:08 GMT
    Server: Apache/2.0

    www.bbc.co.uk - Apache 2:
    HTTP/1.1 200 OK
    Date: Fri, 29 Oct 2004 09:19:38 GMT
    Server: Apache/2.0.51 (Unix)

    us2.php.net - Apache 2:
    HTTP/1.1 200 OK
    Date: Fri, 29 Oct 2004 09:20:01 GMT
    Server: Apache/2.0.46 (Unix) mod_perl/1.99_09 Perl/v5.8.0 mod_ssl/2.0.46 OpenSSL/0.9.6g DAV/2 FrontPage/5.0.2.2634 PHP/4.3.2 mod_gzip/2.0.26.1a

    I guess a lot of people use Apache 2!

  30. Back to /. roots? by FudgePackinJesus · · Score: 4, Insightful

    I really hope that, with this post, this is a hint of things to come at /.

    I really think that the overall feel of slashdot has changed and not necessarily for the better. I'd really like to see kernel releases, Gnome & KDE flamewars, Quickies, obscure language write-ups and everything else that made /. special in the past make it to the front page again. Instead we're getting game reviews, movie reviews and politics. Sounds more like a mainstream news source now, doesn't it?

    The buzz of the open source world fell flat the last couple of years. I really hope it wasn't because of the market crash and that the core of the excitement wasn't the dream of cashing out by installing linux everywhere.

    Open source, I think most people still don't realize, is the source of true power in speech in this day and age. If it wasn't for projects like Linux, Apache, MySQL, PHP/Perl/Python, etc. the web would be dominated by large corporations who would be the only ones capable of paying the large sums of cash for web-service software that would have no doubt been the most expensive software out if not for the free-as-in-beer-speech competition. Open source bestowed the average man a voice in the newest of media channels.

    I truly hope the energy & excitement due to that fact never leaves... especially here on Slashdot. The editors shouldn't let the tagline "News for Nerds. Stuff that matters." limit the vibe /. gave off before because, at the end of the day, that's all it is. A tagline.

    1. Re:Back to /. roots? by 74nova · · Score: 2, Funny
      I'd really like to see ... Gnome & KDE flamewars
      there aren't gnome and kde flame wars anymore because we kde zealots won.

      easy there boys, it's a joke
      --
      use your turn signal! you people act like it's divulging information to the enemy
  31. Future thought by SirLestat · · Score: 5, Funny

    I can't wait for release 1.3.37

  32. Re:How by DrSkwid · · Score: 2, Insightful

    Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.

    -- Brian W. Kernighan

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  33. Re:How by mcrbids · · Score: 2, Insightful
    "Why are you passing text directly to the database". Um... because the API to a SQL database is SQL which is... text?

    Ahem...

    Here's an example of BAD YOU-ARE-SO-OWNED CODE ...
    // request values are concatenated straight into the SQL string
    $sql="SELECT * FROM userdb WHERE login='".$_REQUEST['login']."' AND password='".$_REQUEST['password']."'";
    $res=mysql_query($sql, $conn);
    Here's an example of MUCH BETTER CODE...
    $DB=New Database();
    $DB->SetQuery("SELECT * FROM userdb WHERE login='@login' AND password='@password'");
    $DB->Set('login', $_REQUEST['login']);
    $DB->Set('password', $_REQUEST['password']);
    if (!$res=$DB->Query())
        return Error("Sorry. There was an error while processing your request");
    Notice that the values being passed thru to the database are not being sent directly (there's that word, maybe you missed it?) to the database. This way, you can't (easily) make the mistake of not escaping the value before it's passed to the database - that's handled by object $DB.

    Ratboy.
    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
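
The fail-secure checklist from comment 14 and the bound-parameter approach from comment 33, as an added example that is not code from the thread: it uses PHP's PDO prepared statements in place of the poster's own `Database` wrapper. The in-memory SQLite database, the `audit` table, the `pwhash` column, the sample account and the function names are assumptions constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example; table layout and sample account are constructed.
const GENERIC_ERROR = 'Sorry. There was an error while processing your request';
const AUDIT_SQL = 'INSERT INTO audit (login, outcome) VALUES (:login, :outcome)';

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Every database error becomes an exception, so none passes silently.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE userdb (login TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');
    $db->exec('CREATE TABLE audit (login TEXT, outcome TEXT)');
    $ins = $db->prepare('INSERT INTO userdb (login, pwhash) VALUES (:login, :pwhash)');
    $ins->execute([
        ':login'  => 'alice',
        ':pwhash' => password_hash('correct horse', PASSWORD_DEFAULT),
    ]);
    return $db;
}

// $auditSql is a parameter only so that a deliberately broken statement can
// be injected by the test run below (checklist point 5).
function login(PDO $db, string $login, string $password, string $auditSql = AUDIT_SQL): array
{
    try {
        $db->beginTransaction();                    // point 3: known good state
        $sel = $db->prepare('SELECT pwhash FROM userdb WHERE login = :login');
        $sel->execute([':login' => $login]);        // point 1: bound, never spliced
        $hash = $sel->fetchColumn();                // false when no row matches
        $ok = is_string($hash) && password_verify($password, $hash);

        $audit = $db->prepare($auditSql);
        $audit->execute([':login' => $login, ':outcome' => $ok ? 'success' : 'failure']);
        $db->commit();
        return ['ok' => $ok, 'message' => $ok ? 'Welcome' : 'Invalid login or password'];
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();                        // discard the partial work
        }
        error_log('login failed: ' . $e->getMessage());      // point 4: detail for operators
        return ['ok' => false, 'message' => GENERIC_ERROR];  // point 2: nothing leaks out
    }
}

$db = open_db();
$cases = [
    'valid credentials' => ['alice', 'correct horse', AUDIT_SQL],
    'quote characters'  => ["alice' OR '1'='1", "x' OR '1'='1", AUDIT_SQL],
    'deliberate bug'    => ['alice', 'correct horse',
        'INSERT INTO no_such_table (login, outcome) VALUES (:login, :outcome)'],
];
foreach ($cases as $name => [$login, $password, $auditSql]) {
    $r = login($db, $login, $password, $auditSql);
    printf("%-18s ok=%s message=%s\n", $name, var_export($r['ok'], true), $r['message']);
}
// Only the two runs that committed leave an audit row; the broken run rolled back.
printf("audit rows: %d\n", $db->query('SELECT COUNT(*) FROM audit')->fetchColumn());
```

The deliberately broken run denies the login even though the password is correct, which is the fail-closed behaviour the checklist asks for.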