Apache 2.0.44 Released

rbowen writes "The Apache Software Foundation is pleased to announce the release of Apache 2.0.44, which addresses a number of security issues. Download it from your favorite mirror." Rich notes that it fixes some important security problems (under Windows) for the Windows version. Also interesting is that now there truly is a split between a development and regular releases, adopting the Linux kernel model, with 2.1 being the dev Apache tree and 2.0 being the release tree.

First /. Apache article since Dec 2

[rjamestaylor]

I've been noticing that Apache doesn't make news anymore--at least on Slashdot, but to be fair I think it's because Apache is so stable (in the 1.3.x series, especially) people don't even think about it anymore. Good job, Apache Foundation!

Outsider Perspective

[webword]

I don't deal much with Apache. But, I decided to take a look at the download page to get a feel for its usability. What struck me the most was that there seem to be two important versions:

1. "Apache 2.0.44 is the best available version"
2. "Apache 1.3.27 is also available"

Now, don't get me wrong. I know enough to know that keeping around previous versions can be a Good Thing. However, as an outsider, this is confusing. Also, if you care to know, the entire section on verifying the integrity of the files was confusing.

Yes, I understand, I'm not the target audience. But, it still makes me frustrated to know that the Apache download site is mysterious. Just for giggles, take a look at the Windows NT Server download page [microsoft.com]. It ain't perfect, but at least you don't have to work about file integrity...

Re:Who's using Apache 2?

[Sir Spank-o-tron]

Heck, we'd use it....
If mod_perl 2.0 was released....

Still no SSL for Windows

[kruetz]

Unfortunately, they still haven't been able to solve the issues with SSL under windows, so the windows release comes without SSL. The effect of this can range from none (lots of sites don't use SSL) to the typical IT-Manager complaint "but we NEED SSL". Unfortunately, what they don't realise is that staying with IIS is not the solution.

However, I do know of one company (whom my friend's father works for) that decided not to use Apache because they wanted 2.0.?? (because it was the latest release, so there was no way they would consider 1.x) but couldn't live without SSL. Of course they're using IIS on an unpatched WinNT4 box ...

What Apache needs to become the server of choice in companies like this is an education campaign. If you work at such a company, please tell the people in charge of this stuff about Apache, IIS and general security/stability issues under Windows. Mind you, Apache is still the #1 server around, so it is debatable whether this is a necessary step. But for the sake of secure, stable websites that don't leave your site open wider than a $2 hooker (ie, as wide open as the RIAA) please spread the word about Apache.

And Apache/SSL guys, I'm sure you're working on the issue, so best of luck solving it!

Re:First /. Apache article since Dec 2

[Anonvmous Coward]

"I've been noticing that Apache doesn't make news anymore--at least on Slashdot..."

That's because it hasn't had a minute version change!

still unsure

[carpe_noctem]

I've used apache 2.0, and it's great and all, but I ain't switching over until the PHP folks say that the PHP-apache-2 module is good to go.

Re:Apache 2.x and PHP

[venom600]

For me it is merely a case of "if it ain't broke, don't fix it". I just haven't found a good reason to switch yet. Bug fixes and security patches keep on coming out for 1.3.x, and performance hasn't been an issue for me yet. (not that 2.x is supposed to fix everyone's performance woes)

Re:Hrmph.

[DetrimentalFiend]

I think you're getting feature-rich and better confused. Normally newer releases have more in them, but this does not always equal better. For something to be better, stability, ease of use, speed, and so on are also factors. If version numbers told you which release was better, then they would likely change and be much more confusing in general.

Perhaps what you were thinking of is the fact that the last number in the version is generally a statement of which release is better. This is generally true, since the last number is the revision number and is usually only incremented for bug fixes.

Re:Stuff

[fussman]

Um... you've been gravely misinformed. Microsoft DOESN'T work fine. Really. As a netadmin/webmaster myself, I shouldn't have to worry about BSODs, frozen boxes, vulnerabilities and the like. With M$, I would have to worry about that all the time, rather than when a security patch is out (you know, the ones that don't replace your config when you implement them?). The truth of the matter is, I NEED APACHE.

Re:First /. Apache article since Dec 2

[Anonymous Coward]

Either that or people are waiting until you can reliably use Perl and PHP with it...

MS works fine, you just don't know how to use it

[KalvinB]

You're a pretty crappy admin then.

I run Apache 1.3.26 on Windows 2K and have been for the past 2 years. The only time a BSOD happened was when the HD cable came loose from all the heating and cooling. I had my server running 100% for 46 days and only rebooted because I was trying out some new SMTP (not MS) software which turned out to be complete and utter crap and a wasted reboot. It's now been going again for 15 days without a single issue. I've never had a Windows issue. On average I do a reboot once a month for software updates or whatever but never because I have to.

If your Windows machine has issues it's because your hardware is crap or you've loaded crappy software/drivers on it. I have 4 Win2K machines of various configurations that never have issues.

If you have security issues it's because you havn't clued into the fact that MS doesn't include much of a firewall. I have no security issues because I have an excellent hardware solution. There are plenty of excellent software solutions like ZoneAlarm.

If you're actually a netadmin/webmaster worth their salt I'm wondering why in the world you'd have security issues with any OS. Are you plugging the line directly into the computer? And if so, what do you expect? I wouldn't put Linux right on the wire either.

IIS has known exploits and if you're actually worth your salt you'd know how to prevent them from being used. If you NEED APACHE then you probably have no idea how to deal with and correct security issues. I like Apache because it's simple and effective.

On topic, I'll care about Apache 2.whatever when PHP is no longer broken. Apache 1.3.x is kinda the old reliable. Until 2.x can match it, there's no real burning need to upgrade.

Ben