Slashdot Mirror


Apache 2.0.53 Released, Fixes 2 Security Problems

CGIsecurity.com writes "Two security issues have been addressed in Apache's 2.0.53 build. The entire Apache announcement can be found here."

32 comments

  1. From the changelog: by molo · · Score: 4, Informative
    *) SECURITY: CAN-2004-0942 (cve.mitre.org)
    Fix for memory consumption DoS in handling of MIME folded request
    headers. [Joe Orton]

    *) SECURITY: CAN-2004-0885 (cve.mitre.org)
    mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
    bypassed during an SSL renegotiation. PR 31505.
    [Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]
    --
    Using your sig line to advertise for friends is lame.
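The first changelog entry above concerns memory consumption when handling folded (continuation-line) request headers. As an added illustration that is not Apache's code and not a reconstruction of the actual bug, the following Python parser unfolds continuation lines while counting every physical line and every appended byte against a limit, so a request built from a large number of continuation lines is rejected instead of accumulated; `SAMPLE`, `flood()` and the two limit constants are constructed for this example.

```python
# Constructed sample request head with one folded header value (a continuation
# line starts with SP or HTAB, the "obs-fold" syntax of HTTP/1.x).
SAMPLE = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Long: part one\r\n"
    b" part two\r\n"
    b"\tpart three\r\n"
    b"\r\n"
)

MAX_HEADER_LINES = 100   # physical lines, continuation lines included (chosen here)
MAX_FIELD_BYTES = 8192   # size of one unfolded field value (chosen here)


class HeaderLimitExceeded(ValueError):
    """Raised when a request exceeds the configured header limits."""


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a request, unfolding continuation lines.

    The line count is checked before any value is built, and the unfolded
    length of the current field is checked after every line, so memory use is
    bounded by the limits rather than by whatever the client sends."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")[1:]          # drop the request line
    if len(lines) > MAX_HEADER_LINES:
        raise HeaderLimitExceeded("too many header lines")
    headers = {}
    current = None
    for line in lines:
        if line[:1] in (b" ", b"\t"):        # continuation of the previous field
            if current is None:
                raise ValueError("continuation line before any header")
            headers[current] += b" " + line.strip()
        else:
            name, colon, value = line.partition(b":")
            if not colon:
                raise ValueError("malformed header line")
            current = name.strip().lower().decode("ascii")
            headers[current] = value.strip()  # later duplicates replace earlier ones
        if len(headers[current]) > MAX_FIELD_BYTES:
            raise HeaderLimitExceeded(f"field {current!r} exceeds {MAX_FIELD_BYTES} bytes")
    return headers


def flood(n: int) -> bytes:
    """Constructed request with n continuation lines, used to exercise the limits."""
    return b"GET / HTTP/1.1\r\nHost: h\r\nX: a\r\n" + b" b\r\n" * n + b"\r\n"
```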
  2. is it time for 2.0.x over 1.3.x? by Tumbleweed · · Score: 1

    Okay, I'm about to set up my first webserver in about 10 years, and I've got an 'ask slashdot' here - should I install 1.3.x or 2.0.x? I don't care about what most hosting companies are providing, but what are the pitfalls of going with 2.0.x over 1.3.x, and vice-versa?

    1. Re:is it time for 2.0.x over 1.3.x? by Anonymous Coward · · Score: 0

      If you want to use PHP I suggest using 1.3 as PHP running on 2.x isn't suggested by either vendor.

    2. Re:is it time for 2.0.x over 1.3.x? by Hank+Reardon · · Score: 2, Informative

      The answer is...

      It depends.

      What are you going to do with it? What modules are you going to run? Have the modules been ported from Apache 1.3 to Apache 2.x yet? Are you going to use mod_perl? Unix or NT?

      If you're looking at a PHP/Apache solution, ignore the "PHP doesn't work with Apache 2" screaming; most times it's only half right. If you want to run PHP on Apache 2, make sure you use the Prefork model instead of threads. The problem PHP has is most of the add-on libraries aren't thread-safe - the prefork MPM works like Apache 1.3's process model and you'll be OK.

      If you're using mod_perl for a production system, you'll probably want to wait a couple of months until MP2 stabilizes.

      As for pitfalls, the only big ones I've run into were trying to run mod_perl on Apache 2 and finding that I had to rewrite most of the handlers to use the new module layout, and trying to run PHP under a threaded model.

      --
      There's so little difference between politics and jihad lately...
    3. Re:is it time for 2.0.x over 1.3.x? by Quattro+Vezina · · Score: 1

      I'd recommend 2.x. I'm using it myself, and it's fine.

      That FUD you hear about Apache2 not working with PHP is just that, FUD. The only problem lies with the worker multi-process module (and it's because PHP was coded in a braindead fashion--it's not Apache's fault). Use the prefork MPM instead and you'll be fine. Also, from what I understand, PHP5 has resolved those issues.

      --
      I support the Center for Consumer Freedom
    4. Re:is it time for 2.0.x over 1.3.x? by wizbit · · Score: 3, Informative

      Wow, for someone trying to dispel FUD, you're sure dispensing an impressive amount of your own.

      You can run PHP4 just fine on Apache 2. The problem is NOT, as you say, directly with PHP, but with the libraries that are typically linked/compiled in when building PHP (mcrypt, imap, mysql, etc) that are not multi-thread safe. PHP will have the same problems (though it will run just fine with the prefork MPM) until the module authors get the code cleaned up, or you'll end up building a barebones PHP interpreter.

      The 1.3 series is multi-process, which doesn't work terribly well on Windows. Apache2 brings far better Windows support, but either should run just fine on a Linux machine. Use whichever you're more familiar with.

    5. Re:is it time for 2.0.x over 1.3.x? by Tumbleweed · · Score: 1

      I wasn't planning on PHP, but Python - any problems with Apache 2 on that front?

    6. Re:is it time for 2.0.x over 1.3.x? by Matt+Perry · · Score: 4, Informative

      Correction, PHP with Apache's threading module isn't recommended. PHP and any add-ons work great with the Apache 2.x prefork module. Prefork makes Apache work just like 1.3.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    7. Re:is it time for 2.0.x over 1.3.x? by FireChipmunk · · Score: 4, Informative

      No, in fact, mod_python is only actively developed for Apache 2.0. They don't even support the version for 1.3 anymore.

    8. Re:is it time for 2.0.x over 1.3.x? by Tumbleweed · · Score: 1

      Decision made. :)

      Thanks for the info, everyone.

    9. Re:is it time for 2.0.x over 1.3.x? by TheLink · · Score: 1

      More bugs/security issues?

      --
    10. Re:is it time for 2.0.x over 1.3.x? by molnarcs · · Score: 1

      Yeah, php works just fine with apache2 (for me at least) - and I'm using threading (not prefork) - which is a double no-no according to rumours. See here (lately not shown b/c firewall servertoken settings, but php is there, well, and healthy).

    11. Re:is it time for 2.0.x over 1.3.x? by panic911 · · Score: 3, Informative

      I realize the php folks don't suggest using it with Apache 2.0, but honestly I've used PHP4 and PHP5 on it for years with not one problem (in Linux and Windows). I always stay current with apache2 and install it as the php.net site suggests. It works great.

    12. Re:is it time for 2.0.x over 1.3.x? by newker · · Score: 2, Informative

      I would prefer staying with 1.3.x unless a major security bug is newly discovered in it. Apache version 2 seems not 100% compatible with hosting control panels like cpanel. So it's definitely not yet time to upgrade.

      --
      anything is made affordable...
    13. Re:is it time for 2.0.x over 1.3.x? by Chmarr · · Score: 1

      I've been playing around with mod_fastcgi myself. Gives you the same advantages as mod_python, but it guarantees to be running in a different process space, which I quite like. There are pure-python client implementations available.

      You'd need to use mod_python if you were intending to fiddle with the apache internals, though, but for simple web apps, mod_fastcgi works great.

    14. Re:is it time for 2.0.x over 1.3.x? by Anonymous Coward · · Score: 0

      who the fuck cares about cpanel?

  3. Re:Go Troll, go! by Anonymous Coward · · Score: 3, Funny

    C'mon troll, at least cite the actual study when you post!

    An Anonymous Coward on Slashdot talking about trolling has posted an anonymized tinyurl link supposedly linking to some study about IIS being better than Apache. Hmmm... Sounds reasonable. *click*

    Warning

    You have followed a TinyURL that goes to an image with distasteful nudity.

    If you still wish to continue to that site, please follow this link:

    http://www.redcoat.net/pics/tubgirl.jpg


    Hmmm... Distasteful nudity? It must be some mistake. I am looking for a web server usage report. I think I will follow that link anyway, maybe the warning is wrong. *click*

    OH DEAR GOD!!! WARNING!! DON'T CLICK PARENT LINK! MOD PARENT DOWN! DOWN! DON'T CLICK!!!!!!1

  4. No way! by Anonymous Coward · · Score: 0

    The current version of 1.3.x is 1.3.33. Only 4 more updates to get to 1.3.37. Then we'll all be 1337!

  5. Re:Two Whole Security Violations? by Anonymous Coward · · Score: 0

    Hey dipshit, read his italicised text.

  6. Ebuild? by Mad+Merlin · · Score: 1

    Anybody know when the ebuild will be out? Checked packages.gentoo.org already but I don't see it there yet.

    1. Re:Ebuild? by Anonymous Coward · · Score: 0

      According to Bug 81267, security fixes have been applied to apache ebuilds 2.0.52-r1 and up.

    2. Re:Ebuild? by Anonymous Coward · · Score: 0

      Yeah, but are all those bug fixes in there too?

  7. Re:Go Troll, go! by mboverload · · Score: 1

    Ok, now WTF WAS THAT?!?!

  8. The first rule of "Linux Security Problems": by Anonymous Coward · · Score: 0

    The first rule of "Linux Security Problems":
    THERE ARE NO LINUX SECURITY PROBLEMS. EVER

    The second rule of "Linux Security Problems":
    THERE ARE NO LINUX SECURITY PROBLEMS. EVER

  9. Stick with IIS by Anonymous Coward · · Score: 0

    Apache is shit and reminds me of some filthy nasty indian. Open source has been proven to be inferior and it's nothing but a security nightmare.

  10. Why Don't Slashdotters Have more interest by osewa77 · · Score: 1

    .. In topics like this one? Because, apparently, security is so boring.