Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Apache 2.0.48 Released

Posted by CowboyNeal on Sat Nov 01, 2003 07:49 PM
from the hitting-the-streets dept.
Software Upgrades Apache
Gruturo writes "Busy week for the Apache software foundation: After 1.3.29, version 2 gets an update as well with 2.0.48, which mainly fixes these two security vulnerabilities. As usual, using a mirror is recommended." The official announcement lists several changes as well.
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Apache 2.0.48 Released 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Apache security documentation (Score:3, Informative)

    by Anonymous Coward on Saturday November 01 2003, @07:53PM (#7368748)

    http://www.cgisecurity.com/webservers/apache/ [cgisecurity.com]

  • RedHat Fedora coming out on Monday will have this? (Score:3, Informative)

    by linuxguy (98493) on Saturday November 01 2003, @07:56PM (#7368765)
    Generally RedHat will not put in new packages at the last minute. But this is a security fix release only and also Fedora is considered more experimental than regular Redhat releases.

  • Time to upgrade my Apple ][ server. (Score:3, Funny)

    by Anonymous Coward on Saturday November 01 2003, @08:01PM (#7368787)
    It will take all November to compile it :( [slashdot.org]

  • Hmmm... (Score:3, Funny)

    by damiam (409504) on Saturday November 01 2003, @08:05PM (#7368807)
    An Apache point release on the front page? Can you say "slow news day"?

    • Re:Hmmm... (Score:4, Funny)

      by spektr (466069) on Saturday November 01 2003, @08:17PM (#7368878)
      An Apache point release on the front page? Can you say "slow news day"?

      It annoys me that I have to download the full dupe at every point release. Can't they post incremental patches for the article and the replies?
    • Can you say "slow news day"?

      I have a speech impediment, you insensitive clod!
    • slaw nows dee ...dammit, I guess I can't

    • Re:Hmmm... (Score:2, Insightful)

      by nr (27070)
      Well its sunday after all. Dont you thinks its even more gnarley that the ninth Linux kernel pre-release (-pre9) made the frontpage, its not even dot release! :) I thinks its good that important open-source software get their spot in the sun, becouse many of us do not follow all projects closely and its nice to have interesting discussions about the software and the project.

  • OMG YES YES YES! (Score:5, Funny)

    by Anonymous Coward on Saturday November 01 2003, @08:08PM (#7368820)
    2.0.48 is released!

    This is the defining moment of my life. I have been continually pressing the "refresh" button since the story about 2.0.47 being released. Now all my hard work has paid off.

    2.0.48 is released at last!

    • One question: (Score:1, Funny)

      by Anonymous Coward
      Do you know if they released 2.0.48 yet?

    • Re:OMG YES YES YES! (Score:4, Funny)

      by Praeluceo (528253) on Saturday November 01 2003, @10:18PM (#7369290) Homepage Journal
      Yeah, and even after refreshing your browswer since July 10th, for the sole purpose of finding this announcement, you -still- couldn't get a first post? That's just pathetic.

      Not only do you need a life, you need to get better at not having one!

  • Logging bug (Score:5, Informative)

    by KalvinB (205500) on Saturday November 01 2003, @08:16PM (#7368869) Homepage
    I used Apache 2.0.47 for all of a day before I decided to never use the 2.0.x line again. Apparently when a partial transfer is requested, Apache 2.0.47 logs the full amount requested. Not what was actually transfered. I ended up showing over 10GB of transfer in a single day on a 256Kbit DSL line. Which if you do the math is only physically capable of about 2.5GB a day.

    I looked at my logs and determined that a couple AOL users were trying to get a rather large file

    aca9bd40.ipt.aol.com 655 6689 1004 310
    acc4e74f.ipt.aol.com 1014 5412 521 148
    ac8bd972.ipt.aol.com 140 1565 534 745

    Requests MB KB Bytes. All that transfer supposedly happened in about a day.

    I notified bug-track but apparently such a simple problem (which doesn't exist in the 1.3.x line) isn't worth addressing.

    After all, who actually uses the Apache 2.0.x logs to monitor transfer? Hopefully not any hosting companies because the customers are going to get royally screwed.

    Ben

    • Re:Logging bug (Score:2, Flamebait)

      by Anonymous Coward
      Download the code and fix it yourself. Submit a patch back to Apache. Feel good knowing you both helped a project you use and fixed your own problem.
      • This continues my confusion as chronicled here [slashdot.org].

        Can we get past these comments about "fixing it yourself"? Or is this just the default customer service coming out these days?

        I do thank you for not Karma whoring by posting as AC.
        • Doesn't go over well with business people. I do programming as a profession. However, when the 1.3.x line is flawless it's hard to convince myself it's worth my time to tackle this problem. Considering how many people have downloaded and rely on the 2.0 line, I wonder how many have the skill or motivation to fix such a glaring and simplistic flaw that should never have existed.

          Especially considering someone did take the time to write a logging module that works and Apache still refuses to make it the st

    • Re:Logging bug (Score:5, Informative)

      by portnoy (16520) on Saturday November 01 2003, @10:32PM (#7369340) Homepage
      Um, didn't someone provide a solution [apache.org] to your bug report? (i.e. use the more advanced log module).

      Seems to me that they do see this as a problem worth addressing; they already have a fix.

      • That fix should be standard. Obviously Apache knows about the problem but even when someone fixes it for them (so writting a fix myself as someone else suggested is a worthless pursuit to try to actually fix the problem) they continue to insist on ignoring the problem and linking by default to a known broken module that they refuse to fix. And on top of that, they fail to properly document the workaround.

        Most web-site owners are more interested in running their business than dicking around with source co
  • 10 bucks says my university still doesn't upgrade it's servers from 2.0.40

  • Netcraft stats for Apache (Score:5, Interesting)

    by bhny (97647) <bh@u[ ]net ['sa.' in gap]> on Saturday November 01 2003, @08:31PM (#7368928)

    the new netcraft stats are posted [netcraft.com].

    apache just keeps stealing more market share-

  • Apache 2.0 (Score:3, Interesting)

    by ceswiedler (165311) * <chris@swiedler.org> on Saturday November 01 2003, @09:15PM (#7369072)
    Are people using 2.0 much yet? I remember all of the blowup over how 2.0 didn't really add anything unless you wanted to run it on Windows, and it caused a lot of problems for modules like mod_perl. Is everyone still sticking with 1.3?

    • Re:Apache 2.0 (Score:5, Informative)

      by Spoke (6112) <drees@greenhydrant.com> on Sunday November 02 2003, @02:08AM (#7370018)
      IMO, the best reason to use Apache 2.0 is that with mod_deflate, you can now easily add content encoding compression to an entire website to save bandwidth. Previously with Apache 1.3, you could add in mod_gzip, but mod_gzip wouldn't compress SSL content without some very ugly config hacks including mod_proxy with a substantial performance benefit. 2.0 eliminates this issue.

      I've seen bandwith drop on websites drop from 20-80% depending on how much content is non-compressible (like graphics).
    • Oh yes.
      mod_perl is a real showstopper for me. I'd love to upgrade to Apace2.x but I really need mod_perl to function properly and it isn't ready so I'm sticking with 1.3 for now.

      Does anyone know the status of mod_perl? Should I try to lessen my dependency on it? Is 2.0 worth the upgrade even if I have to rewrite my app?

      .haeger
      • I am using mod_perl 2 (really 1.99_10) in production without any problems. You do have to sort of keep up with the mod_perl mailing list, but it has performed without any problems for me so far.
  • Why are there two branches of Apache? There's the 1.3 and 2.0 lines. I've heard that 1.3 is better than 2.0, so is 2.0 effectivelly a beta? Why are there still new releases of 1.3, why not concentrate on 2.0?
    • The 2.0 line offers new internals and a new module API that's supposedly a lot cleaner and better organized. The biggest internal change of which I'm aware is that Apache now does proper threading, instead of fork()ing--that's why the big improvement on Windows, which is natively threaded, while a smaller improvement on unices.

    • Re:1.3 branch (Score:4, Informative)

      by crisco (4669) on Saturday November 01 2003, @11:53PM (#7369626) Homepage
      AFAIK New releases of 1.3 are bugfixes and security patches. 2.0 has been labeled production ready for over a year.

      The problem isn't Apache itself but the open source modules that help make Apache the most useful webserver out there. Widely used projects like mod_perl and mod_php have only recentlyy released versions of these that work properly with Apache 2 and even these are still labeled betas.

      Additionally, most competent sysadmins won't mess with what isn't broken, so their server farms running 1.3 are going to continue running 1.3 for a while yet.

    • Tell me: For how long has Tomcat been an commercial application server?
      Yea, I know.. ihbt..

    • Re:A step in the right direction (Score:5, Informative)

      by Tim C (15259) on Saturday November 01 2003, @08:07PM (#7368813)
      commercial application servers such as Tomcat

      Tomcat is open source; it's one of the Jakarta projects.

      compared to Oracle's WebSphere

      IBM make WebSphere, not Oracle.

      If Ximian would only release the .NET framework for Solaris

      Microsoft makes the .NET Framework, not Ximian, although Ximian does have a hand in Mono, the open source implementation of the .NET Framework.
    • WebSphere is IBM, not Oracle.
      Tomcat is Apache Foundation and Free(tm).
      LocalDirector is Cisco.
      .NET Framework is Microsoft.

      Besides those minor error and the jibberish the +1 Interesting might be sensible?
    • ISA Server
      huh? Microsoft Internet Security and Acceleration Server? The one all the dweebs put in front of Exchange when management's looking the other way? That's not an application server, it's a proxy/firewall whose chief function is to generate revenue for Microsoft while providing zero real functionality.

      the Apache team outdid themselves by providing a nice API that integrates nicely with most the commercial application servers such as Tomcat...
      How /wierd/ that the httpd team would shoot for functi
    • Debian stable will never update their Apache packages, although they will backport bugfixes. If you want the latest and greatest, use testing or unstable, which has had Apache 2 since the week it was released.
      • although they will backport bugfixes

        Ok, good, I was curious whether or not they were actually distributing security updates, which is why I was starting to worry.
        • Make sure you have security.debian.org [debian.org] in your /etc/apt/sources.list file. If you don't, you won't get security updates until they hit the main repository in a minor release, which can be a while.
    • Can I ask a stupid question, and say

      Why not jsut download it and install it yourself?

    • Re:Debian (Score:4, Interesting)

      by jjohnson (62583) on Sunday November 02 2003, @01:36AM (#7369930) Homepage
      You know, I avoided the RPM of apache when I built my webserver, instead choosing to download it and compile 2.0 from source, and get it working myself. Which I did. Having done it once, I know it pretty well now, and it took me five minutes to go from 2.0.45 to 2.0.48 after seeing this story, having saved my ./configure in an executable file. I ran that, make, make install, copy the conf files and the resin .so, test it, and switch the symbolic link that the sys V script goes to.

      So. Untinstall the deb, download it, compile it, install it, and get it working. It's no harder to configure, and you're free of package tyranny.
      • All this proves is OSS zealots are hypocrites, with double standards.

        Thank you! Now where are my mod points?...

      • When was the last time a virus spread all across the world, shut down networks, etc., by exploiting a bug in Apache?

        Microsoft has VERY LITTLE (compared to Apache) market share, yet it's been actually exploited MUCH MUCH more.

        Another point about Apache is that it's open source (we can search the source and find buffer overflow succeptible code, fix it, etc.,) while with Microsoft or others, once they fix a bug, you have no idea how bad their source code it.

        Also, fixing 2 bugs in this many months is actual

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.