Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Apache Software

Apache 2.0.44 Released 198

rbowen writes "The Apache Software Foundation is pleased to announce the release of Apache 2.0.44, which addresses a number of security issues. Download it from your favorite mirror." Rich notes that it fixes some important security problems (under Windows) for the Windows version. Also interesting is that now there truly is a split between a development and regular releases, adopting the Linux kernel model, with 2.1 being the dev Apache tree and 2.0 being the release tree.
This discussion has been archived. No new comments can be posted.

Apache 2.0.44 Released

Comments Filter:
  • I've been noticing that Apache doesn't make news anymore--at least on Slashdot, but to be fair I think it's because Apache is so stable (in the 1.3.x series, especially) people don't even think about it anymore. Good job, Apache Foundation!
  • The biggest security problem with running apache on Windows is Windows. Anyone who uses windows for a server deserves what happens to their server.

    Jason
    ProfQuotes [profquotes.com]
    • Haha.. as if someone running a unpatched Linux box who gets hacked doesn't deserve it. :-)
    • by Anonymous Coward on Tuesday January 21, 2003 @10:25PM (#5132417)
      Try to crack mine then.

      The IP is 207.46.248.109
    • "The biggest security problem with running apache on Windows is Windows. Anyone who uses windows for a server deserves what happens to their server."

      Everybody who generalizes sucks.
      • not sure if this is funny or insightful, damn limitations of slashdot moderation! :D
        • "not sure if this is funny or insightful, damn limitations of slashdot moderation! :D"

          Ha!

          Now that I think about it, I don't know what I'd think if I ran across that. I can tell you, though, that I was gritting my teeth when I wrote that. I'm sick of people making stupid generalizations like that based on some MSPhobia. (damn I wish I could make that rhyme with HomoPhobia.)

      • by rseuhs ( 322520 ) on Wednesday January 22, 2003 @10:46AM (#5135438)
        Everybody who generalizes sucks.

        Your statement is so dumb and stupid, I don't know where to begin debunking it.

        Almost every statement is a generalization.

        "The sky is blue" - but not when it's cloudy or at night.

        "This item costs x$" - but not if you add in taxes, transportation to get to the store.

        "My table is flat" - but not if you take into account the small inperfections on the wodden surface and the tiny tilt it sure has.

        "Windows is a security nightmare" - but not if you spend day and night securing the computer, maintaining virus-scanners and install and test all patches.

        The ability to generalize is a basic ability of a thinking being.

        P.S.: Seriously, why should anybody want to use Windows as a webserver? The only reason I can think of is when you are locked into MS-only technology like ASP which rules out Apache anyway. So why? Just because the computer came with Windows? Because Bill Gates tells you?

        • "Your statement is so dumb and stupid, I don't know where to begin debunking it. "

          You shouldn't have tried debunking it. You missed my point by nearly 100%. Go read the post I was responding to, then read mine again. Maybe it'll become clearer. Somebody else got it, so I know it's not too obscure.

          " Seriously, why should anybody want to use Windows as a webserver? The only reason I can think of is when you are locked into MS-only technology like ASP which rules out Apache anyway. So why? Just because the computer came with Windows? Because Bill Gates tells you?"

          I'd give you reasons, but that'd just invite argument. Instead I'd suggest that if you're asking a question like that, it's because you've been reading Slashdot too long, as opposed to speaking from experience.

          I speak from experience, and I can tell you IIS is not the nightmare people make it out to be. If it were I wouldn't have time to tinker around on Slashdot.
  • Apache (Score:3, Interesting)

    by ObviousGuy ( 578567 ) <ObviousGuy@hotmail.com> on Tuesday January 21, 2003 @10:11PM (#5132338) Homepage Journal
    They both have to do with running the server on 9x or ME.

    Is Apache's security really the problem here?
  • by Anonymous Coward on Tuesday January 21, 2003 @10:12PM (#5132341)
    - Use the mirrors!
    - Why do you guys post every single minor release?
    - Damn, I just loaded 2.0.x! Stop updating the software so fast!
    - I'm still using 1.9.x.
    - I just downloaded it. Now what?

    Ad nauseum.
  • by aspjunkie ( 265714 ) on Tuesday January 21, 2003 @10:15PM (#5132360) Homepage
    "Rich notes that it fixes some important security problems (under Windows) for the Windows version"

    I fixed that server security problem a long time ago...I just moved my Windows server from underneath the window to the rack beside the window.

  • by webword ( 82711 ) on Tuesday January 21, 2003 @10:19PM (#5132382) Homepage
    I don't deal much with Apache. But, I decided to take a look at the download page to get a feel for its usability. What struck me the most was that there seem to be two important versions:

    1. "Apache 2.0.44 is the best available version"
    2. "Apache 1.3.27 is also available"

    Now, don't get me wrong. I know enough to know that keeping around previous versions can be a Good Thing. However, as an outsider, this is confusing. Also, if you care to know, the entire section on verifying the integrity of the files was confusing.

    Yes, I understand, I'm not the target audience. But, it still makes me frustrated to know that the Apache download site is mysterious. Just for giggles, take a look at the Windows NT Server download page [microsoft.com]. It ain't perfect, but at least you don't have to work about file integrity...
    • by rollthelosindice ( 635783 ) on Tuesday January 21, 2003 @10:29PM (#5132449) Homepage
      The 2.x and 1.x releases are VERY DIFFERENT. and mod_perl, for 1, hasn't released a stable release for the 2.x tree, so using the good old 1.3.27 is what you need to do.

      This may be an issue of not being able to see the forest from the trees, and everyone that knows apache, knows what version they need for their server, so may not be the best bet for noobs.

      But then again they may want all noobs to download the 2.x version, so the use of "best available" might be their marketing.

      • Indeed...if you're a newbie to web server administration, you don't want to learn by just going out there and downloading the software and installing it. That's where we get incorrectly configured sites and security holes. The best way to learn is to get a feel for the software hands-on using a server that you can mess around with under the eye of a trained administrator. Once you've figured out the basics of security and efficiency, then you can be ready to install the software on your own, and you'll know which one meets your needs the most.
    • by MoThugz ( 560556 ) on Tuesday January 21, 2003 @10:31PM (#5132454) Homepage
      All this is answered here [apache.org]...

      Apache 2.0... has new features built into it, however, it is still relatively new. And some bugs are still lying around here and there. I reverted to 1.3 because of serious bugs in the PHP module (in version 2.0.1x, .14? .15?, can't remember exactly).

      Apache 1.3... is "old", but has built a solid userbase because of this age factor. It is also proven reliable and stable code.

      • by JebusIsLord ( 566856 ) on Tuesday January 21, 2003 @10:49PM (#5132572)
        php 4.3.0 is running slick on my 2.0.43 apache install.
        • Yes. It Runs per se. But if you go into php bug database and apache2 related bugs [php.net] and look into #17868 [php.net] you will know the reason.

          Atleast, this is the case for me not to migrate our production environment since machines im managing are based on ssi based templates and i there is shitload of rewriting unless this wont get fixed.

      • by PacketMaster ( 65250 ) on Tuesday January 21, 2003 @11:00PM (#5132630) Homepage
        Apache 2.0... has new features built into it, however, it is still relatively new. And some bugs are still lying around here and there. I reverted to 1.3 because of serious bugs in the PHP module (in version 2.0.1x, .14? .15?, can't remember exactly).


        I was quite excited with 2.0.43 but ended up back at 1.3.27 because PHP 4.2.3 (haven't tried 4.3.0 yet) made Apache unstable, specifically when calling an 'apachectl restart' which made my pager go off due to the server segfaulting at 4am during logrotate. In my testing, it was PHP that caused this instability.

        Also, with 2.0.43 I couldn't get it to build with anything but the OpenSSL package, which on my box was 0.9.6b (hole!) but I couldn't get it for the life of me to look at an alternate install of 0.9.6h.

        2.0.44 will perhaps fix these problems.
    • I followed your link and kept looking for an IIS download. I followed several links and still could not find an IIS download. I also could not find a download for NT server so I don't know why it's called the NT server download page.

      So where is the IIS download and how do I make sure it hasn't been messed with.
    • What's important to note here is that far from all extensions which are being developed for Apache are in a production stable state on the 2.x platform. One every good example is PHP, which just recently with the 4.3-version was announced to be stable on the Unix-version. Windows webservers serving PHP should still use the 1.3.x-branch a little while.

      As the download-page [php.net] on php.net [php.net] announces: "PHP 4.3.0 zip package [php.net] [5,811Kb] - 27 December 2002 (CGI binary plus server API versions for Apache, Apache2 (experimental)"
  • ...and how have your experiences with it been?

    No one I know has found a compelling reason to switch from Apache 1.
    • by Sir Spank-o-tron ( 18193 ) on Tuesday January 21, 2003 @10:26PM (#5132427) Homepage
      Heck, we'd use it....
      If mod_perl 2.0 was released....

      • Agreed. Here at netmar, we can't justify moving to Apache 2 until mod_perl is released in a configuration that works with apache2. Preferably without hours of trying to compile with various options against various gcc's.
        It would be nice if tomcat didn't require a priest, a monk, and a shaman to install, too.

      • Just yesterday I tried and tried to get mod_perl working with RedHat 8.0 (which uses Apache2).

        # rpm -q httpd mod_perl
        httpd-2.0.40-11
        mod_perl-1.99_05-3

        One problem was that it didn't start with the current
        directory set so my use's didn't work. Anyone had any luck with RH8.0?
    • by jonabbey ( 2498 ) <jonabbey@ganymeta.org> on Tuesday January 21, 2003 @10:29PM (#5132450) Homepage

      We do on several of our servers. The main reason is that it's much, much easier to build an Apache server with SSL support on Apache 2 than it is on Apache 1.x, particularly if you're adding additional modules on top.

    • we built and maintain www.babiesfirstchoice.com

      Ssl works fine on it too : )
    • I tried and failed to install Apache 2.x over 1.3 on my Mandrake 9.0 box. Am I that stupid, or is this really that hard?

      First one to tell me to go to the Apache forum sites gets a swift kick...that's like going to the dump to look for an old magazine. Far too much material to wade thru...I've tried, so don't get smart :)
    • My organization has been using a few apache 2 installs, for serving static content and proxying requests for the mod_perl and tomcat servers. We started using it 6-8 months ago, and have had zero problems.
  • Hrmph. (Score:1, Redundant)

    by cjpez ( 148000 )
    I really dislike that version numbering system. I know it makes development version numbering much easier, etc, but damn. I don't know. To me, a 2.5.35 release should be *better* than a 2.4.20 release (speaking in terms of kernel development now), as opposed to being a bunch of ones and zeroes that don't even include a working IDE driver (to be fair, I'm not sure when in the 2.5 series IDE finally stabilized; I just pulled a number out of the air). But whatever. Just picking some nits...
    • Re:Hrmph. (Score:2, Insightful)

      I think you're getting feature-rich and better confused. Normally newer releases have more in them, but this does not always equal better. For something to be better, stability, ease of use, speed, and so on are also factors. If version numbers told you which release was better, then they would likely change and be much more confusing in general.

      Perhaps what you were thinking of is the fact that the last number in the version is generally a statement of which release is better. This is generally true, since the last number is the revision number and is usually only incremented for bug fixes.
    • I really dislike that version numbering system. I know it makes development version numbering much easier, etc, but damn. I don't know. To me, a 2.5.35 release should be *better* than a 2.4.20 release

      I assume you're talking about the Linux numbering system where an odd/even minor version indicates developer/stable releases? Apache doesn't even use that system. The previous stable version is 1.3.x.

  • Long Overdue. Hopefully more news to come.

  • Anybody out there been using Apache 2.x and PHP enough to call it stable in their environment?

    Other than huge threading improvements, are there any compelling reasons to switch from 1.3.x to 2.x right now?

    • I'm using Apache 2.x w/ PHP and MySQL in an intranet work environment for a medium scale documentation creation/archiving service. No problems yet (after a mere 6 months of decent usage), but no real compelling reasons to upgrade if you don't need to.

      What I want to know is what exactly are the current showstoppers that are keeping everyone away from 2.x? Does everyone know something I don't?
    • i was using it for a while on a, ahem, "heavily loaded server" with limited ram, and it choked (load of ~50, all 64 megs of ram used, around 256megs of swap used). at the time, about a month ago, i had the newest php with the newest apache. The 64 megs of ram could have been the problem, but when i downgraded to the newest apache version 1 i didn't have a problem. the load problem disappeared, and the swap was almost unused. I eventually got more ram and all is well now, however with apache 1.

      I would stick with version 1 unless there's something in apache2 that you absolutely need.
    • For me it is merely a case of "if it ain't broke, don't fix it". I just haven't found a good reason to switch yet. Bug fixes and security patches keep on coming out for 1.3.x, and performance hasn't been an issue for me yet. (not that 2.x is supposed to fix everyone's performance woes)
    • I was just talking to another sysadmin today who has 4 sites running apache 2.x and PHP. From what I could gather, everything was running perfectly (at least for his needs). Granted it's second hand information, but I was surprised myself. So I guess there are quite a few people using it.
      • by Anonymous Coward

        So I guess there are quite a few people using it.

        You have a buddy that runs Apache2 so all the sudden quite a few people must be using it? What kind of clusterfart extrapolation is that?

        • Well, my friendly troll, if you want to get mathematical about it, the point is that there are what, thousands, tens of thousands of webmasters out there? What is the probability that I just happen to know the only one who is running PHP and Apache 2.0? Like next to nothing. Especially when we consider that both Apache and PHP are very popular technologies. So, if I bump into one sysadmin who is running Apache 2.0 and PHP, then there is a greater probability that a "few" sysadmins are using rather than just the one I met. Consequently, my statement is reasonable and you are just an Anonymous Troll.
    • by dananderson ( 1880 ) on Tuesday January 21, 2003 @11:44PM (#5132834) Homepage
      I have a mini-howto on Apache 2.x and PHP 4 at http://dan.drydog.com/apache2php.html [drydog.com] As for the new 2.0.x stable series--that's great news. What it means is "no more recompiling modules between minor releases."
  • by kruetz ( 642175 ) on Tuesday January 21, 2003 @10:27PM (#5132433) Journal
    Unfortunately, they still haven't been able to solve the issues with SSL under windows, so the windows release comes without SSL. The effect of this can range from none (lots of sites don't use SSL) to the typical IT-Manager complaint "but we NEED SSL". Unfortunately, what they don't realise is that staying with IIS is not the solution.

    However, I do know of one company (whom my friend's father works for) that decided not to use Apache because they wanted 2.0.?? (because it was the latest release, so there was no way they would consider 1.x) but couldn't live without SSL. Of course they're using IIS on an unpatched WinNT4 box ...

    What Apache needs to become the server of choice in companies like this is an education campaign. If you work at such a company, please tell the people in charge of this stuff about Apache, IIS and general security/stability issues under Windows. Mind you, Apache is still the #1 server around, so it is debatable whether this is a necessary step. But for the sake of secure, stable websites that don't leave your site open wider than a $2 hooker (ie, as wide open as the RIAA) please spread the word about Apache.

    And Apache/SSL guys, I'm sure you're working on the issue, so best of luck solving it!
    • I don't know about anyone else, but when ever the topic of SSL comes up, I recommend hardware acceleration. Software SSL creates too much load and stress and impacts stability. People should realize the best performance for SSL is hardware acceleration.
      • But can you provide any info/benchmark that suggests hardware SSL acceleration actaully worth the money? Recently, some of my colleagues evaluated several accelerator boards and they are all expensive and disappointing (in performance).

        In fact, as reported in an ApacheCon 2000 paper [geoffthorpe.net], an Athlon 600 can outperform most of the SSL accelerator boards. And that is with 1/3 of the cost. So, I usually recommend my friends/colleagues to set up a seperate Apache box to do the SSL and then reverse-proxy requests to the real web server.

        But SSL accelerator boards do have an advantage when considering key management.

    • by Kenneth Stephen ( 1950 ) on Tuesday January 21, 2003 @11:13PM (#5132708) Journal

      If you are willing to use a non-free solution like IIS, then a non-free product based upon Apache that provides SSL should be attractive to you. I am referring to IHS (IBM HTTP Server) which is a value added (to Apache) product from IBM.

    • MOD PARENT DOWN (Score:4, Informative)

      by Anonymous Coward on Tuesday January 21, 2003 @11:56PM (#5132888)
      There are no issues with SSL and Apache for windows. Apache(binary) for win32 does not come compiled with SSL due to some confusion with strong crypto laws. You can compile Apache with SSL integrated by downloading the source and using VC++. And IIRC, there is already a binary in the contrib dir on openssl.org.
    • by Mr Bill ( 21249 ) on Wednesday January 22, 2003 @12:08AM (#5132932)
      I'd wait to upgrade, because it looks like version 2.0.45 will be out early next week. There are a couple of silly problems that were introduced into this release that need to be fixed.

      http://marc.theaimsgroup.com/?l=apache-httpd-dev &m =104321038630487&w=2

      IANAAD (I am not an Apache developer), so don't kill me if I'm wrong, but that's what I read from the mailing list...
    • by thx2001r ( 635969 ) on Wednesday January 22, 2003 @12:47AM (#5133083) Homepage

      Actually, the issues they have under Windows are legal and nothing else. In fact, it works just great (if you don't believe me, compile Apache with SSL under Windows (you'll need Visual C++ 5 and up)... Apache Software Foundation even gives you detailed instructions on how to do it! [apache.org])!

      Since Apache 2.0.x is the first version of Apache for Windows that is largely considered a Production release they are debating the legal issues of releasing a BINARY version of Apache 2.0.x for Win32 compiled with OpenSSL libraries. This is especially the case since they are not SELLING the software to do it, so they can not really control who would use it. They will figure something out, but in the meantime, do not release it in their binaries.

      As a matter of fact, Apache 2.0.4x Win32 can easily be setup to use OpenSSL and ModSSL! This is thoroughly explained at this web site [raibledesigns.com]. It even explains to you where to get binary distributions of it (not directly from Apache as discussed above).

      In fact, on a single Pentium II or III with Win2k (even workstation) you have plenty of horsepower to use SSL and Apache 2.0.x. I would like to mention a couple of things, I use it in an academic environment and it has been running stable and secure for almost half a year now.

      It has a commercial SSL certificate on it. Apache 2.0.x on Win32 is quite a bit tricky to get your private key and public certificate to work if it is PEM encoded. If it is not PEM encoded, it is a snap! That right there is one thing that can save you hours of head banging on wall! Make sure your key and certificate after you've received them are not PEM encoded for less aggravation. You can always run them through (at least the cert) OpenSSL to remove the encoding.

      Also, your certificate chain must be put together the right way, but you should get instructions for that from your certificate authority.

      I agree, Apache on Win32 is a much better choice than IIS. IIS can be a relatively secure product if administered properly. There are, of course, numerous security holes that have been publicized, and it should be mentioned that most were left open by the administrators who should have known better. They got IIS to work and didn't bother with security! Most of the reasons to NOT use IIS are the fact that you need at least NT Server 4, 5, 6, etc. (the workstation version of IIS is too limited for production usage) and the steep licensing that costs, and the fact that it has much more features than 99.9% of websites will need!

      Apache, on the other hand, gives you a relatively secure environment from the get-go that makes you ADD the features you need. After working with Apache it should become apparent that this is clearly the way to go. Intelligent administration of servers can really make almost any modern OS relatively secure. Perhaps if Apache on Win32 catches on it may encite people to port more great open source server software to natively run on Win32 as Apache does (does not use Cygwin... though you CAN of couse, use the Cygwin version of Apache which won't perform as well as the Native Win32 version does). Plus, Apache can run just fine on NT workstation (saving plenty of money on the NT server licenses)!

      Interestingly enough, Apache Win32 in our setup outperforms other departments at our institution using IIS on Win32! Perhaps benchmarks in this area should be publicized a bit more!

    • I'm running it without any problems.
      http://uptime.netcraft.com/up/graph?mode_u=off&mod e_w=on&site=kalos.ath.cx&submit=Examine

      to be exact. =)
  • ...that Mandrake Linux ships with Apache 1.3.27 and that RedHat ships with Apache 2.0.something. However, RedHat users have reported PHP compatiility problems, especially PHP 4. There have also been issues with SQL and Apache 2.0. I wonder if 2.0.44 fixes these issues.
  • still unsure (Score:5, Insightful)

    by carpe_noctem ( 457178 ) on Tuesday January 21, 2003 @10:39PM (#5132510) Homepage Journal
    I've used apache 2.0, and it's great and all, but I ain't switching over until the PHP folks say that the PHP-apache-2 module is good to go.
  • by the_real_tigga ( 568488 ) <nephros@nOspAm.users.sourceforge.net> on Tuesday January 21, 2003 @11:18PM (#5132730) Journal
    from the post: it fixes some important security problems (under Windows) for the Windows version.

    I wonder... does this mean there are some security problems left in the Windows Version under OSes other than Windows?
  • I tried it the other day on Win XP, it seems so slugish... not the system itself (hardware wise)... Anyone else experience this?
  • by caferace ( 442 ) on Wednesday January 22, 2003 @01:21AM (#5133190) Homepage
    ...You'll need this patch [apache.org]. A bit of a glitch, now solved.
  • Security issues? (Score:2, Informative)

    by WildPony ( 632523 )
    Use Pound. [apsis.ch]

    Reverse Proxy/load balancer, Http/Https, very small, tight code, minimises security risks. No matter what web server you're using, this should solve most of your security problems.

  • Well, I did not know that it was officially named "The linux kernel model". Or maybe it was just that the slashdot people have a need to get the word "linux" to as many news headers as possible. Don't tell me you haven't noticed?
  • Anybody has perchild_mpm working ok? I've seen in the announcement that some perchild_mpm problems had been fixed but looking at the sources I guess that it's still in the experimental zone.
  • Be careful upgrading (Score:3, Informative)

    by Karamchand ( 607798 ) on Wednesday January 22, 2003 @07:48AM (#5134246)
    Be careful with upgrading to 2.0.44 for some people report big problems with the new version. See this [google.com] and this [google.com] thread on google groups for reference.

    Cheers!
  • Apache and PHP (Score:2, Informative)

    by indyracing ( 640777 )
    I think it is time for the Foundation to maybe ramp up the development of the PHP module. 2.x has been out for quite awhile now, but there has not been any mass changing probably due to this fact. I have tried 2.x but couldn't get PHP to be stable enough for production so I had to go back to 1.x. Given the fact that PHP usage is still growing by leaps and bounds, you'd think Apache would want to really highlight the performance of 2.x by getting on the ball.
  • by blaqsun ( 643717 ) on Wednesday January 22, 2003 @09:33AM (#5134856)
    This is excellent news for Windows users who wish to run Apache 2 from their systems. For ages, it seems, Apache 2 had a security issue under Windows XP that would not allow it to run properly under the OS. Only users wh ohad registered with Microsfot online could download the special patches that fixed these problems.

    Now Apache 2 has worked around these issues while also improving security. Halleluia, I say. I can get rid of my old Linux server now and cannabalize the spare parts to augment my current XP server.
  • by Malcolm Scott ( 567157 ) on Wednesday January 22, 2003 @10:39AM (#5135378) Homepage
    I spent all last night getting Apache 2.0.43 installed with PHP & SSL, in parallel with Apache 1.3.27 (and repeatedly running into what turned out to be a weird Gentoo Portage bug). And now I'm going to have to do it all again! <Sigh>

    /me dissolves due to lack of sleep and excessive time spent in front of a blinking cursor...

    Hopefully I'll be able to work around that Gentoo bug a bit quicker next time, now I know where it's lurking in wait to catch me out :-)
  • by EXTomar ( 78739 ) on Wednesday January 22, 2003 @10:39AM (#5135385)
    Of course your regular maintance should include backups but I'm not talking about that. If you "play" with not so mature software for your production environment then you ARE asking for trouble.

    I have been playing with Apache 2.0 line for a while and it most assuredly does not have the stability of the 1.3 line. Each release does get a little better.

    What I end up doing is keeping a 2.0 and 1.3 server compiled with modules and configuration necessary. If it turns out that the 2.0 has a devistating problem or fails to work then then 1.3 is ready to go. The code bases aren't that large and although the configurations do differ they are managable.

    I recommend anyone who wants to try out Apache 2.0 but can't tolerate disruptions to maintain two configured servers.
  • If you install Apache 2.x under Windows, make sure you also install ZoneAlarm 3.5.x (or don't install ZA at all); previous versions of ZoneAlarm had some bugs that caused Apache 2.x to stop responding (and even crash occasionally).

    RMN
    ~~~

Successful and fortunate crime is called virtue. - Seneca

Working...