Apache 1.3.33 Released

harmgsn writes "Following the release of Apache 1.3.32, the Apache Group released Apache 1.3.33 to fix a security flaw in mod_include and in the Content-Length field. The official announcement is available as well as the ChangeLog for the 1.3.x series."

A little overblown

[Stevyn]

After looking at the changelog, is this a topic for the main page? I mean people complain when a minor revision of the Linux kernel or KDE comes out.

Not to say that justifies it, but this is just one bugfix. I hope people maintaining servers running Apache don't rely on Slashdot to inform them of this bug. This seems more an issue for a mailing list.

Re:A little overblown

[Anonymous+Crowhead]

After looking at the changelog [apache.org], is this a topic for the main page?

No kidding. The Apache section is like Ralph Nader. It's always there, it gets about 1% as many comments as any other section, a boring story about it still hits the headlines now and again, but you try to get rid of it and it gets all crazy.

Re:A little overblown

Don't blame me, I voted IIS.

Re:A little overblown

[Neil+Blender]

No kidding. The Apache section is like Ralph Nader. It's always there, it gets about 1% as many comments as any other section, a boring story about it still hits the headlines now and again, but you try to get rid of it and it gets all crazy.

Heh, that reminds me: About 3 or 4 years ago, I was up late fixing some server issue. While I was waiting around I checked Slashdot and saw a story in the Apache section about some Apache conference or party or something that was taking place in Belgium or Norway, I can't remember exactly. It had been up for hours, maybe even days with no comments. So, thinking it would be like taking candy from a baby, I first posted. About a week later, I checked the same story and the only post was my first post. I think that story got archived with that single post.

Re:One small change

[Electroly]

Without that "one small change", someone could own your computer by just sending a specially crafted HTTP response when you hit a website. I personally think anything that can allow "bad people" to get access to your computer without too much difficulty is something that should get fixed. Suit yourself.

Re:How

[pavon]

Sure, no one has found any bugs Knuth's TeX in years. Same for Qmail, and others. You have to know exactly what you are doing before you start - which often means writing a throw away version of the software first to work out the kinks in the design. You have to have a simple clean design, and coding practice - as one of the Unix developers said debuging is 10x harder than writing code, so you you write code as cleverly as you can, you are, by definition, not qualified to debug that code. You have to know upfront how to write secure code, and think about with every function you write - never put this off for later. Then you have to have some one else rigorously read over every line of code to find any mistakes. Lastly you have to systematically test each part of the code individually and together. Then after years of widespread use without any major feature changes you will have weeded out nearly all of the bugs.

Nearly all software that is written leaves out some of these things, choosing to balence getting something done with quality. Some find a better balance than others :)

BTW. The mozilla programs are definately good programmers, but the codebase is certainly not the paragon of clean code. It is huge and unweildy, which is the main reason that Apple chose to build off of KHTML instead of Gecko when they made Safari. The situation has improved over time, but making an existing non-secure program secure, is much harder than doing it (mostly) correct from the start.

I tried to migrate to Apache.

[shaneh0]

During last years jihad on IIS & IE I decided it would be a good idea to migrate the company's web servers to Apache. I decided to start simple and submit a plan to migrate just the department intranet server.

This is the actual response from management. The brain-dead VP that made this truly-enlightened decision first made a name for himself as a VP at a FAUCET COMPANY.

Listen to the faucet kings great idea:

"Shane, Thanks for your proposal. Unfortunately, I cannot approve the change. In fact, I've decided that we need to streamline these things in the future and make sure everyone is on the same page.

From now on, we will only install software on the servers that is at version 2.0 and above. There will be no exceptions to this. It's about security and reliability. Everyone knows you dont buy a car the first model year, why should software be any different. I've never heard of apachee, but if these guys are as good as you say they are enough people will bite to keep them going, and when they come out with the next major realease I think you'll see then that we're better off for waiting for them to really get it right.

thanks for beging on board with this, tom." [my name's shane]

Two years ago this guy won the "visionary of the year" award at the company conference.

Re:I tried to migrate to Apache.

[pchan-]

i would love to have had the chance to respond to this.

you could just download apache, edit the code and bump up the version number. but really, the right solution would have been to inform him that, in fact, there exists an "apachee 3.0". unfortunately, "apachee 3.0" is no longer free, and requires a 500$ yearly site license for under 10 installs (and reasonable fees for more). then you can bump up the version on apache 1.3 and install it on the company's computers. your friend (er, the "apachee foundation") can cash the yearly check for you.

Re:What ever

[myg]

Apache 2 has quite a few good things going for it over Apache 1. First off, it handles multi-threading much better meaning that very heavy workloads require less CPU time[*]

Second, Apache 2 supports things like DAV which mean that to publish information on the web users need less access than with Apache 1 (such as shell accounts or worse FTP, since most ISP's don't think users should use SSH for some odd reason).

Lastly, Apache 2 can run Subversion. So not only can you use DAV to update information without shell access of any kind but you can version that information too.

[*] Why is multi-threading faster than the pre-fork model of Apache 1? Because there is less work to do when context-switching threads. A thread shares the same virtual address space with other threads in the process. Changing virtual address spaces is slow because it requires a TLB flush (as well as one or more extra registers to save). The TLB flush increases memory accesses.

Re:Good thing I use Apache 2

[eobanb]

Personally, I'm waiting for Apache 1.3.37. 0h y34h!!!

Re:What ever

[PhrostyMcByte]

SF.NET just sent out an email a few days ago:

The SourceForge.net team is pleased to announce the long-awaited
upgrade to our project web service. SourceForge.net staff are
currently in the process of completing hardware procurement and
system build-out. The official date for this upgrade has not yet
been set; once our hardware build-out has been completed, the
date will be announced on the SourceForge.net Site Status page.
https://sourceforge.net/docs/A04/

This upgrade consists of a significant hardware upgrade and
Operating System upgrade. Due to the large upgrades involved here,
it may be necessary to upgrade your scripts.

...

New configuration:

Fedora Linux: Fedora Core 2
Linux kernel 2.6.x
GNU libc 2.3.3
Apache 2.0.51
Perl 5.8.3
PHP 4.3.8
Python 2.3.3
Tcl 8.4.5

Apache 2.x is good enough for a large site such as sf.net, it is good enough for others.

Re:I can't figure this release note out

[mrchaotica]

does this effect me?

I don't see how it could, since "effect" is a noun.

I don't want to loose the security battle

Well, better keep that battle tied up then!

[note to mods: With a story this useless, what else could I do but correct usage (I'll leave grammar and capitalization as an exercise for the reader)? I mean come on, the front page for a bugfix?!]

Re:How

[Goonie]

Sure, no one has found any bugs Knuth's TeX in years.

Knuth is a freak of nature who spent eight years writing a program on his own, largely for his own edification and completely free of commercial pressure. Few others have that freakish ability, fewer still get to work on their pet project by themselves for that long before offering it to the world. So there are limits to how many lessons can be drawn from this very unusual example.

Re:What ever

[FireChipmunk]

No one uses Apache 2 in production. I guess all those sites don't have a clue about security.

Re:How

[mcrbids]

Secure code is HARD to write!

Even properly structured, carefully written stuff will contain securiity bugs! It requires attention, more attention, and yet more attention still.

It requires proper layering of the code so that the number of variables to track at any one point is as small as possible.

Spend lots of time on design. Draw flowcharts to cover key areas of your application. kivio is your friend! Consult your flowcharts before you make changes to the program. A well-layed-out flowchart can be worth more than reams of notes in the code.

Above all, structure your code so that the default behavior is secure in the event of a failure.

For example, you've done something stupid, and you're passing unescaped text to the database.

Whoops!

1) Why are you passing text directly to the database? If you communicate with the database with a proper API, you *can't* pass unescaped text to the database.

2) Are you capturing the errors from the database, so that you aren't displaying any obvious sign (to the public) of what's gone wrong?

3) Is the database connection transacted, so that you can return to a known good state?

4) Do you have some kind of error trap or handler so that you can find out exactly what the errors were and fix them in a sane way?

5) Have you tested your code with DELIBERATE bugs so that you know how it will behave in the event of a failure?

The hendling of any errors from that should *NEVER* be made clear to the outside, only that "an error has occured".

The goal is a system designed with multiple layers of protection so that a failure at any point does not result in a security breach! It should fail securely, so that problems result only in error reports, NOT SECURITY HOLES.

Easy to say, damn hard to do...

Re:How

[pairo]

Sure, no one has found any bugs Knuth's TeX in years. Same for Qmail, and others.
Er, wrong. qmail has had a couple of security flaws, and more than a couple of bugs. For a more exhaustive list, Google is your friend.

Re:Apache is awful.

[pairo]

I'm only going to comment on two bits of your post, since I've never used ColdFusion/JRun with Apache (Or at all, for that matter) and cannot address the main issue.

disabled all uneeded services, performance tuned our app

You only did that _after_ you noticed your application is having problems?

Re:Apache is awful.

[LnxAddct]

Wow... did you ever here the cliche of a face so ugly it breaks mirrors... that site is so horrendous it breaks apache. Anyway...your huge community doesn't seem to be all that huge... google uses a modified version of apache, slashdot uses apache, sourceforge.net uses apache, and Amazon.com runs apache... as well as many others. If your having hours of downtime a day you must not be all there in your head. Seriously, go download Fedora Core 2, install it, everything will be set up for you... port your code to php or jsp or whatever if your finding it unstable. Coldfusion is hell and way overrated. If your going to use opensource, go completely open source because thats what it was designed with in mind. But judging from your website, you've got a lot more work to do then just getting a server running properly. Ugh... go buy a book or two, one for servers and one for web design. I'm not trying to troll... I just can't believe what this guy said, never in all my years have I had any trouble with Apache, whereas I also admin an IIS server and its *hell*...but it pays the bills:)
Regards,
Steve

Re:why cant they just release patches?

[pairo]

Because it makes it easy to keep track of wether you're vulnerable or not. Because it makes it obvious something important changed. Because it allows them to release a couple of other patches as well.

No...

[Goonie]

So Knuth is the only open source developer to write his own code and thats freakish?

That's not what I meant at all. What I meant was by the comment that Knuth is a "freak" that Knuth is a freakishly talented individual. And, yes, Knuth's situation is pretty unique, even for open source developers. Not only does he have tenure (that means they can't sack him), because of his reputation he's able to spend his time doing pretty much whatever he wants to do free of the restrictions on ordinary academics, like that little thing, "teaching", or sweating over whether he's going to get published. So he could hack away at TeX as and when the mood took him, without any pressure from his boss to actually produce anything, or any users badgering him for a new release, or figuring out how the other developers had screwed up, or trying to implement broken bits of the standard (because there *was* no standard).

They are *not* the typical circumstances under which most developers have to work.

Re:No...

[martin_b1sh0p]

Apparently his code does have bugs from time to time:

From http://www.tug.org/whatis.html
Donald Knuth, a professor of computer science at Stanford University and the author of numerous books on computer science and the TeX composition system, rewards the first finder of each typo or computer program bug with a check based on the source and the age of the bug. Since his books go into numerous editions, he does have a chance to correct errors. Typos and other errors in books typically yield $2.56 each once a book is in print (pre-publication "bounty-hunter" photocopy editions are priced at $.25 per), and program bugs rise by powers of 2 each year from $1.28 or so to a maximum of $327.68. Knuth's name is so valued that very few of his checks - even the largest ones - are actually cashed, but instead framed. (Barbara Beeton states that her small collection has been worth far more in bragging rights than any equivalent cash in hand. She's also somewhat biased, being Knuth's official entomologist for the TeX system, but informal surveys of past check recipients have shown that this holds overwhelmingly for nearly everyone but starving students.) This probably won't be true for just anyone, but the relatively small expense can yield a very worthwhile improvement in accuracy.

Content-Length in mod_proxy

[morten+poulsen]

It is worth noting that the Content-Length security problem is in mod_proxy, not in the main daemon.

See CAN-2004-0492 for details.

In other news....

[abdulwahid]

Kernel developers today released the eagerly awaited linux kernel 1.2.14. Everyone should update to this latest version as soon as possible to make use of the security fixes that this update provides.

Re:What ever

[bustersnyvel]

www.apache.org - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:17:14 GMT
Server: Apache/2.0.52 (Unix) ....

www.redhat.com - Unknown apache version:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:18:05 GMT
Server: Apache ...

www.cnn.com - Unknown apache version:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:18:45 GMT
Server: Apache

www.cnet.com - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:19:08 GMT
Server: Apache/2.0

www.bbc.co.uk - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:19:38 GMT
Server: Apache/2.0.51 (Unix)

us2.php.net - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:20:01 GMT
Server: Apache/2.0.46 (Unix) mod_perl/1.99_09 Perl/v5.8.0 mod_ssl/2.0.46 OpenSSL/0.9.6g DAV/2 FrontPage/5.0.2.2634 PHP/4.3.2 mod_gzip/2.0.26.1a

I guess a lot of people use Apache 2!

Back to /. roots?

[FudgePackinJesus]

I really hope that, with this post, this is a hint of things to come at /.

I really think that overall feel of slashdot has changed and not necessarily for the better. I'd really like to see kernel releases, Gnome & KDE flamewars, Quickies, obscure language write-ups and everything else that made /. special in the past make it to the front page again. Instead we're getting game reviews, movie reviews and politics. Sounds more like a mainstream news source now, doesn't it?

The buzz of the open source world fell flat the last couple of years. I really hope it wasn't because of the market crash and that the core of the excitement wasn't the dream of cashing out by installing linux everywhere.

Open source, I think most people still don't realize, is the source of true power in speech in this day and age. If it wasn't for projects like Linux, Apache, MySQL, PHP/Perl/Python, etc. the web would be dominated by large corporations who would be the only ones capable of paying the large sums of cash for web-service software that would have no doubt been that most expensive software out if not for the free-as-in-beer-speech competition. Open source bestowed the average man a voice in the newest of media channels.

I truely hope the energy & excitement due to that fact never leaves... especially here on Slashdot. The editors shouldn't let the tagline "News for Nerds. Stuff that matters." limit the vibe /. gave off before because, at the end of the day, that's all it is. A tagline.

Future thought

[SirLestat]

I can't wait for release 1.3.37