Apache 2.0.46 Released

The Apache HTTP Server Project writes "Apache 2.0.46 has been released. It's an important security-fix release, fixing both a crash bug [CAN-2003-0245] and a DoS [CAN-2003-0189], so everybody using prior versions of Apache 2.0 should grab a copy from the nearest mirror and upgrade!"

Re:PHP

[noselasd]

You have to ask the developers of PHP on that, as it is a a PHP issue, not apache.

Re:PHP

[Anonymous Coward]

The PHP developers weren't the ones that kept changing the Apache API after it was "stable."

Apache 2 now "plays nice" with PHP & other mod

[dananderson]

Ever since Apache 2.0.42, the Apache 2 developers have grown up :-) and decided to stop changing the API in what's now called the "stable" release series (currently 2.0.x).

What does that mean to you? It means you no longer have to download and recompile, from source, a new version of PHP to fix what Apache broke.

However, with Apache 2, I don't recommend the multi-threading MPM. No big deal if you're using Apache 1, since multi-threading isn't available (with UNIX/Linux at least). The problem isn't Ap

vague changelog

[Imperator]

I wish the announcement would be a bit more specific about the security fixes and who needs them. I don't use mod_dav or a threaded MPM, but do I still need to upgrade?

Re:vague changelog

[cliffwoolley]

but do I still need to upgrade?

Definitely upgrade. Note also that full details of the problem will be released on Friday.

--Cliff Woolley
Apache HTTP Server Project
Apache 2.0.46 Release Management team

Re:vague changelog

[GigsVT]

Why not now? If the problem is fixed, what do you have to hide?

Re:vague changelog

[SpaFF]

Well for one it gives people a chance to upgrade before the "bad guys" know the specifics of what the problem is. That way people can get their servers updated before a DoS attack program is written.

Re:vague changelog

[RubberDuckie]

There is now more information here [securityfocus.com]. It looks like an exploit is possible, though it would be difficult. Better to upgrade now and be safe.

Re:vague changelog

[milosoftware]

Looks to me that you only need to upgrade when either:

You use basic authentication in combination with multi-threading mpm on UNIX AND you're afraid of DOS (authentication after attack will fail for everybody until restart)

You use mod_dav (I haven't got a clue what that mod does) AND don't like to see your server crash after an attack.

Unfortunately..

[SiMac]

The HTTP proxy and several experimental modules don't compile. They're not essential modules for me, but it would be nice if they would work.

Simon

Re:Unfortunately..

[ThomMay]

That's strange - none of the apache hackers that have seen this post can reproduce your problems? Can you submit a bug report or follow up here with more info...

-Thom
Apache committer, Debian developer

Re:Unfortunately..

[SiMac]

Okay, here's another problem, i'm not sure if it's Apache or me. Earlier today, when I looked on my server, I saw this:

16330 root 15 0 6244 6244 2848 S 99.5 1.2 1425m 0 httpd

It used 1425 minutes of processor time, so I guess it's been running for a while. Any ideas what it could be doing?

Re:Unfortunately..

[Jeff Trawick]

That's something to report via http://nagoya.apache.org/bugzilla/

As far as the --enable-proxy-httpd thing... Apache doesn't look for configure options it doesn't understand and instead assumes that they are for apr or apr-util or libtool or expat or anything else that might be configured under the covers.

Re:Unfortunately..

[SiMac]

It turns out it was my fault...i did --enable-proxy-httpd but not --enable-proxy. Perhaps there should be some configure check to stop me from doing this?

Sorry to waste your time.

Re:Unfortunately..

[Jeff Trawick]

Please open a PR at http://nagoya.apache.org/bugzilla/

It apparently doesn't matter how many boxes we build it on, somebody's build is always going to break :(

(if it makes you feel any better/worse, I built 2.0.46's mod_proxy on a bunch of different boxes today... hopefully we can figure out why it won't build on yours)

dang it, more upgrade!

[JDizzy]

I just pulled down all the stuff for my apache2, and 2 days later it time to start all over again. yee-haw!