Apache 2.0.48 Released

Gruturo writes "Busy week for the Apache software foundation: After 1.3.29, version 2 gets an update as well with 2.0.48, which mainly fixes these two security vulnerabilities. As usual, using a mirror is recommended." The official announcement lists several changes as well.

Re:American Indians

[haizi_23]

was that funny?

Apache security documentation

[Anonymous Coward]

http://www.cgisecurity.com/webservers/apache/ [cgisecurity.com]

RedHat Fedora coming out on Monday will have this?

[linuxguy]

Generally RedHat will not put in new packages at the last minute. But this is a security fix release only and also Fedora is considered more experimental than regular Redhat releases.

Re:RedHat Fedora coming out on Monday will have th

[Bartlet]

For the pollyannish ...

From:
http://fedora.redhat.com/participate/sche dule/

Schedule
Fedora Core 1 / Cambridge

* July 21 2003 - Test 1 (originally called Beta 1) release
* September 25 2003 - Test 2 release
* October 13 2003 - Test 3 release
* November 3 2003 - General Availability

Re:Debian

[damiam]

Debian stable will never update their Apache packages, although they will backport bugfixes. If you want the latest and greatest, use testing or unstable, which has had Apache 2 since the week it was released.

Re:Debian

[cscx]

although they will backport bugfixes

Ok, good, I was curious whether or not they were actually distributing security updates, which is why I was starting to worry.

Re:Debian

[damiam]

Make sure you have security.debian.org [debian.org] in your /etc/apt/sources.list file. If you don't, you won't get security updates until they hit the main repository in a minor release, which can be a while.

Re:Debian

[PReDiToR]

Can I ask a stupid question, and say

Why not jsut download it and install it yourself?

Re:Debian

[jjohnson]

You know, I avoided the RPM of apache when I built my webserver, instead choosing to download it and compile 2.0 from source, and get it working myself. Which I did. Having done it once, I know it pretty well now, and it took me five minutes to go from 2.0.45 to 2.0.48 after seeing this story, having saved my ./configure in an executable file. I ran that, make, make install, copy the conf files and the resin .so, test it, and switch the symbolic link that the sys V script goes to.

So. Untinstall the deb, download it, compile it, install it, and get it working. It's no harder to configure, and you're free of package tyranny.

Re:Debian

[jjohnson]

Neither did the OP. Nor 2.045, nor 2.0 at all.

Time to upgrade my Apple ][ server.

[Anonymous Coward]

It will take all November to compile it :( [slashdot.org]

Hmmm...

[damiam]

An Apache point release on the front page? Can you say "slow news day"?

Re:Hmmm...

[spektr]

An Apache point release on the front page? Can you say "slow news day"?

It annoys me that I have to download the full dupe at every point release. Can't they post incremental patches for the article and the replies?

Re:Hmmm...

[Ianoo]

Why not use something like ccache [samba.org]? Then you only need to recompile changed files. I think. I don't personally use it...

Re:Hmmm...

[spektr]

I rarely compile slashdot threads. I think CVS access to the article database would suffice.

Re:Hmmm...

[shibbydude]

Mod parent up! I think he was trying to be funny.

Re:Hmmm...

[spektr]

Mod parent up! I think he was trying to be funny.

I tried? Dang. There is no try...
Then better mod me sideways, before my posting makes somebody cry.

Re:Hmmm...

[error502]

Can you say "slow news day"?

I have a speech impediment, you insensitive clod!

Re:Hmmm...

[tenman]

what happened to your JEs? I kinda miss catching up on your laptop, your school schedule, and life with the 'rents...

Left hanging,
TEN

Re:Hmmm...

[Repugnant_Shit]

slaw nows dee ...dammit, I guess I can't

Re:Hmmm...

[nr]

Well its sunday after all. Dont you thinks its even more gnarley that the ninth Linux kernel pre-release (-pre9) made the frontpage, its not even dot release! :) I thinks its good that important open-source software get their spot in the sun, becouse many of us do not follow all projects closely and its nice to have interesting discussions about the software and the project.

OMG YES YES YES!

[Anonymous Coward]

2.0.48 is released!

This is the defining moment of my life. I have been continually pressing the "refresh" button since the story about 2.0.47 being released. Now all my hard work has paid off.

2.0.48 is released at last!

One question:

[Anonymous Coward]

Do you know if they released 2.0.48 yet?

Re:OMG YES YES YES!

[Praeluceo]

Yeah, and even after refreshing your browswer since July 10th, for the sole purpose of finding this announcement, you -still- couldn't get a first post? That's just pathetic.

Not only do you need a life, you need to get better at not having one!

Logging bug

[KalvinB]

I used Apache 2.0.47 for all of a day before I decided to never use the 2.0.x line again. Apparently when a partial transfer is requested, Apache 2.0.47 logs the full amount requested. Not what was actually transfered. I ended up showing over 10GB of transfer in a single day on a 256Kbit DSL line. Which if you do the math is only physically capable of about 2.5GB a day.

I looked at my logs and determined that a couple AOL users were trying to get a rather large file

aca9bd40.ipt.aol.com 655 6689 1004 310
acc4e74f.ipt.aol.com 1014 5412 521 148
ac8bd972.ipt.aol.com 140 1565 534 745

Requests MB KB Bytes. All that transfer supposedly happened in about a day.

I notified bug-track but apparently such a simple problem (which doesn't exist in the 1.3.x line) isn't worth addressing.

After all, who actually uses the Apache 2.0.x logs to monitor transfer? Hopefully not any hosting companies because the customers are going to get royally screwed.

Ben

Re:Logging bug

[Anonymous Coward]

Download the code and fix it yourself. Submit a patch back to Apache. Feel good knowing you both helped a project you use and fixed your own problem.

Re:Logging bug

[bruthasj]

This continues my confusion as chronicled here [slashdot.org].

Can we get past these comments about "fixing it yourself"? Or is this just the default customer service coming out these days?

I do thank you for not Karma whoring by posting as AC.

"Fix it yourself"

[KalvinB]

Doesn't go over well with business people. I do programming as a profession. However, when the 1.3.x line is flawless it's hard to convince myself it's worth my time to tackle this problem. Considering how many people have downloaded and rely on the 2.0 line, I wonder how many have the skill or motivation to fix such a glaring and simplistic flaw that should never have existed.

Especially considering someone did take the time to write a logging module that works and Apache still refuses to make it the st

wow

[Anonymous Coward]

Wow, Apache should put a line in their license to disallow you from using it.

I do programming as a profession

Oooh. Am I supposed to bow to your mightiness? Frankly, you've already swept me off my feet.

By telling me to "fix it myself" he was basically telling everyone to ignore the fact that Apache is ignoring already existing fixes and needlessly reinvent the wheel themselves.

No, actually, he was basically telling you to fix it yourself, no need to read into it. If you're such a programming professiona

Re:Logging bug

[portnoy]

Um, didn't someone provide a solution [apache.org] to your bug report? (i.e. use the more advanced log module).

Seems to me that they do see this as a problem worth addressing; they already have a fix.

Workaround, not a fix

[KalvinB]

That fix should be standard. Obviously Apache knows about the problem but even when someone fixes it for them (so writting a fix myself as someone else suggested is a worthless pursuit to try to actually fix the problem) they continue to insist on ignoring the problem and linking by default to a known broken module that they refuse to fix. And on top of that, they fail to properly document the workaround.

Most web-site owners are more interested in running their business than dicking around with source co

Re:Workaround, not a fix

[Hard_Code]

Frankly, all of the Apache projects I've interacted with seem really insular :/

Re:In other words, yet another OSS bug?

[vigilology]

You don't pay for the oxygen you're breathing, do you?

10 bucks

[jeffkjo1]

10 bucks says my university still doesn't upgrade it's servers from 2.0.40

Netcraft stats for Apache

[bhny]

the new netcraft stats are posted [netcraft.com].

apache just keeps stealing more market share-

Re:Netcraft stats for Apache

[Feztaa]

I love that graph.

At no point in history has Apache ever had less marketshare than Microsoft's webserver. :)

Re:Netcraft stats for Apache

[Anonymous Coward]

These are not OS stats...they are server stats. If a machine is running Apache on Windows, it gets counted as Apache. If a Windows/IIS server is behind some kind of elaborate proxy setup which is under another OS, it will be counted as IIS, although some impossible combinations like Linux/IIS or Solaris/IIS may result.

If it is not serving web pages at all, it shouldn't be counted, and it won't be.

Re:Netcraft stats for Apache

[CapeBretonBarbarian]

...and what about all those *internel* windows servers running IIS that aren't visible to Netcraft. They're never counted in the stats. Nor are our internal servers running apache. Worrying about internal servers is pointless. You'll never know for sure.

Apache 2.0

[ceswiedler]

Are people using 2.0 much yet? I remember all of the blowup over how 2.0 didn't really add anything unless you wanted to run it on Windows, and it caused a lot of problems for modules like mod_perl. Is everyone still sticking with 1.3?

Re:Apache 2.0

[Anonymous Coward]

2.0 does have numerous features and enhancements over 1.3 but didn't offer significant performance advantages over 1.3 on Linux and most Unix platforms . And as far as "problems" go, 2.0 had a completely new module system so modules had to be redesigned for 2.0, not really a problem with the modules. Just taken awhile to redesign them. Most Linux distros have moved to 2.0 which is what people really have been waiting for.

Re:Apache 2.0

[Anonymous Coward]

Apache2 runs quite well with mod_perl and just about everything else under win32.

Check out http://www.devside.net

Re:Apache 2.0

[Spoke]

IMO, the best reason to use Apache 2.0 is that with mod_deflate, you can now easily add content encoding compression to an entire website to save bandwidth. Previously with Apache 1.3, you could add in mod_gzip, but mod_gzip wouldn't compress SSL content without some very ugly config hacks including mod_proxy with a substantial performance benefit. 2.0 eliminates this issue.

I've seen bandwith drop on websites drop from 20-80% depending on how much content is non-compressible (like graphics).

Re:Apache 2.0

[haeger]

Oh yes.
mod_perl is a real showstopper for me. I'd love to upgrade to Apace2.x but I really need mod_perl to function properly and it isn't ready so I'm sticking with 1.3 for now.

Does anyone know the status of mod_perl? Should I try to lessen my dependency on it? Is 2.0 worth the upgrade even if I have to rewrite my app?

.haeger

Re:Apache 2.0

[Corporate Gadfly]

I am using mod_perl 2 (really 1.99_10) in production without any problems. You do have to sort of keep up with the mod_perl mailing list, but it has performed without any problems for me so far.

Re:Apache 2.0

[sffubs]

I'm using it very happily - tbh I can't tell much difference between 2.x and 1.x, except that I can use mod-xslt [sourceforge.net] on 2.x

--sffubs

Excellent for mod_python 3.0.3 and Solaris

[milosoftware]

Saving lots of memory: Just run in 'worker' mode, and have only one system wide Python Interpreter. Also makes sharing DB connections and so much easier since you can just keep lots of globals around.

And that's on Solaris, where worker isn't default.

Oh, and mod_deflate is nice too.

Old news

[mrt300]

See this [slashdot.org].

This version was released the same day as 1.3.29 earlier in the week, Wednesday, I believe. Perhaps future posters would consider combining this news into one post.

1.3 branch

[amembleton]

Why are there two branches of Apache? There's the 1.3 and 2.0 lines. I've heard that 1.3 is better than 2.0, so is 2.0 effectivelly a beta? Why are there still new releases of 1.3, why not concentrate on 2.0?

Re:1.3 branch

[jjohnson]

The 2.0 line offers new internals and a new module API that's supposedly a lot cleaner and better organized. The biggest internal change of which I'm aware is that Apache now does proper threading, instead of fork()ing--that's why the big improvement on Windows, which is natively threaded, while a smaller improvement on unices.

Re:1.3 branch

[crisco]

AFAIK New releases of 1.3 are bugfixes and security patches. 2.0 has been labeled production ready for over a year.

The problem isn't Apache itself but the open source modules that help make Apache the most useful webserver out there. Widely used projects like mod_perl and mod_php have only recentlyy released versions of these that work properly with Apache 2 and even these are still labeled betas.

Additionally, most competent sysadmins won't mess with what isn't broken, so their server farms running 1.3 are going to continue running 1.3 for a while yet.

Re:1.3 branch

[Spoke]

As long as you stick with the pre-forked MPM of Apache2, you really shouldn't have any problems with add-on modules like mod_perl and mod_php. Problems only arise when using one of the threaded MPMs.

Better than ever before

[a5cii]

Apache 2.0.48 works extremely well on windows 2000 there are no problems such as hanging during shutdown for me anymore one qualm i have is that the configuration could be made a bit easier using a web based interface like the one which abyss web server from www.aprelium.com has i look forward to a long and happy life with apache MC

Re:[OT] I need help...

[togofspookware]

How is this flamebait? Seriously, if what this poor bloke says is true, then his roommate deserves at least *one million* punches-in-the-face.

(link for the humour impaired [homestarrunner.com])

Re:A step in the right direction

[Karamchand]

Tell me: For how long has Tomcat been an commercial application server?
Yea, I know.. ihbt..

Re:A step in the right direction

[Tim C]

commercial application servers such as Tomcat

Tomcat is open source; it's one of the Jakarta projects.

compared to Oracle's WebSphere

IBM make WebSphere, not Oracle.

If Ximian would only release the .NET framework for Solaris

Microsoft makes the .NET Framework, not Ximian, although Ximian does have a hand in Mono, the open source implementation of the .NET Framework.

Re:A step in the right direction

[zaphod.nu]

WebSphere is IBM, not Oracle.
Tomcat is Apache Foundation and Free(tm).
LocalDirector is Cisco.
.NET Framework is Microsoft.

Besides those minor error and the jibberish the +1 Interesting might be sensible?

Re:Nope

[morelife]

I just read the link you posted to the "webmin" comment.

Although my heart goes out to the original poster, bless his soul, it's the moderators I'm worried about. Everyone who moderated that post either Interesting or Informative should have their testicles removed to ensure that the disease goes no further. Actually I think Ashcroft's working on a USA PATRIOT Act improvement addressing this very issue. That way we wouldn't need a warrant. Just go in, castrate, ask questions later.

Re:A step in the right direction

[morelife]

ISA Server
huh? Microsoft Internet Security and Acceleration Server? The one all the dweebs put in front of Exchange when management's looking the other way? That's not an application server, it's a proxy/firewall whose chief function is to generate revenue for Microsoft while providing zero real functionality.

the Apache team outdid themselves by providing a nice API that integrates nicely with most the commercial application servers such as Tomcat...
How /wierd/ that the httpd team would shoot for functi

Re:MOD PARENT DOWN: REDUNDANT AND A TROLL

[morelife]

If some of the ideas in the post you linked struck a nerve with you, and it sounds like they might have, why don't you log in under a real name and say what's on your mind?

Re:MOD PARENT DOWN: REDUNDANT AND A TROLL

[morelife]

Ahhhh. Maybe because you're an editor here...

Re:A step in the right direction

[DAldredge]

The quality of both the mods and /. itself continues its downhill slide. And it is piciking up pace!

Re:What??!

[FxChiP]

... why'd you post as an AC?

Re:What??!

[DAldredge]

I didn't and I don't.

side note. I love this type m keyboard!!!

Re:If it "works", why did it need a patch?

[shibbydude]

All this proves is OSS zealots are hypocrites, with double standards.

Thank you! Now where are my mod points?...

Re:If it "works", why did it need a patch?

[Prof.Phreak]

When was the last time a virus spread all across the world, shut down networks, etc., by exploiting a bug in Apache?

Microsoft has VERY LITTLE (compared to Apache) market share, yet it's been actually exploited MUCH MUCH more.

Another point about Apache is that it's open source (we can search the source and find buffer overflow succeptible code, fix it, etc.,) while with Microsoft or others, once they fix a bug, you have no idea how bad their source code it.

Also, fixing 2 bugs in this many months is actual

Re:Yay

[mentin]

What works? All I see is two security bugs fixed.

If the fixes were from Microsoft, the /. would have an article "Two More Critical Windows Flaws".

But it is open source, so we get "Apache 2.0.48 Released".

So does it proof anything except double standard on /.?

Re:Yay

[Anonymous Coward]

When Windows Service Packs come out, you get a "Windows Service Pack released" header.

Link above logs you out

[fred87]

Just thought i'd say - the link is a logout link

Re:Cock-smoking?

[tds67]

...to pay your $1499 licensing fee you cock-smoking teabaggers.

Yah, as if anyone's going to let you take a lighter to their cock...sheesh...

Re:Don't forget...

[shibbydude]

Stop the fucking SCO jokes!!! It's over.