Apache 2.0.53 Released, Fixes 2 Security Problems

CGIsecurity.com writes "Two security issues have been addressed in Apache's 2.0.53 build. The entire Apache announcement can be found here."

From the changelog:

[molo]

*) SECURITY: CAN-2004-0942 (cve.mitre.org)
Fix for memory consumption DoS in handling of MIME folded request
headers. [Joe Orton]

*) SECURITY: CAN-2004-0885 (cve.mitre.org)
mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
bypassed during an SSL renegotiation. PR 31505.
[Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]

Re:is it time for 2.0.x over 1.3.x?

[Hank+Reardon]

The answer is...

It depends.

What are you going to do with it? What modules are you going to run? Have the modules been ported from Apache 1.3 to Apache 2.x yet? Are you going to use mod_perl? Unix or NT?

If you're looking at a PHP/Apache solution, ignore the "PHP doesn't work with Apache 2" screaming; most times it's only half right. If you want to run PHP on Apache 2, make sure you use the Prefork model instead of threads. The problem PHP has is most of the add-on libraries aren't thread-safe - the prefork MPM works like Apache 1.3's process model and you'll be OK.

If you're using mod_perl for a production system, you'll probably want to wait a couple of months until MP2 stabalizes.

As for pitfalls, the only big ones I've run into was trying to run mod_perl on Apache 2 and finding that I had to rewrite most of the handlers to use the new module layout and trying to run PHP under a threaded model.

Re:is it time for 2.0.x over 1.3.x?

[wizbit]

Wow, for someone trying to dispel FUD, you're sure dispensing an impressive amount of your own.

You can run PHP4 just fine on Apache 2. The problem is NOT, as you say, directly with PHP, but with the libraries that are typically linked/compiled in when building PHP (mcrypt, imap, mysql, etc) that are not multi-thread safe. PHP will have the same problems (though it will run just fine with the prefork MPM) until the module authors get the code cleaned up, or you'll end up building a barebones PHP interpreter.

The 1.3 series is multi-process, which doesn't work terribly well on Windows. Apache2 brings far better Windows support, but either should run just fine on a Linux machine. Use whichever you're more familiar with.

Re:is it time for 2.0.x over 1.3.x?

[Matt+Perry]

Correction, PHP with Apache's threading module isn't recommended. PHP and any add-ons works great with the Apache 2.x prefork module. Prefork makes Apache work just like 1.3.

Re:is it time for 2.0.x over 1.3.x?

[FireChipmunk]

No, infact, mod_python is only actively developed for Apache 2.0. They don't even support the version for 1.3 anymore.

Re:is it time for 2.0.x over 1.3.x?

[panic911]

I realize the php folks don't suggest using it with Apache 2.0, but honestly I've used PHP4 and PHP5 on it for years with not one problem (in Linux and Windows). I always stay current with apache2 and install it as the php.net site suggests. It works great.

Re:is it time for 2.0.x over 1.3.x?

[newker]

i would prefer staying to 1.3xx unless otherwise a newely discovered major security bug is discovered in it. apache version 2 seems not 100% compatible with hosting control panels like cpanel. so definitely its not yet time to upgrade