Apache 1.3.33 Released
harmgsn writes "Following the release of Apache 1.3.32, the Apache Group released Apache 1.3.33 to fix a security flaw in mod_include and in the Content-Length field. The official announcement is available as well as the ChangeLog for the 1.3.x series."
How (Score:1, Insightful)
Re:How (Score:2, Funny)
Re:How (Score:1, Funny)
BUGGY!
Re:How (Score:5, Insightful)
Nearly all software that is written leaves out some of these things, choosing to balance getting something done with quality. Some find a better balance than others.
BTW. The mozilla programmers are definitely good programmers, but the codebase is certainly not the paragon of clean code. It is huge and unwieldy, which is the main reason that Apple chose to build off of KHTML instead of Gecko when they made Safari. The situation has improved over time, but making an existing non-secure program secure is much harder than doing it (mostly) correct from the start.
Re:How (Score:5, Informative)
Knuth is a freak of nature who spent eight years writing a program on his own, largely for his own edification and completely free of commercial pressure. Few others have that freakish ability, fewer still get to work on their pet project by themselves for that long before offering it to the world. So there are limits to how many lessons can be drawn from this very unusual example.
No... (Score:5, Insightful)
That's not what I meant at all. What I meant by the comment that Knuth is a "freak" was that Knuth is a freakishly talented individual. And, yes, Knuth's situation is pretty unique, even for open source developers. Not only does he have tenure (that means they can't sack him), because of his reputation he's able to spend his time doing pretty much whatever he wants to do, free of the restrictions on ordinary academics, like that little thing, "teaching", or sweating over whether he's going to get published. So he could hack away at TeX as and when the mood took him, without any pressure from his boss to actually produce anything, or any users badgering him for a new release, or figuring out how the other developers had screwed up, or trying to implement broken bits of the standard (because there *was* no standard).
They are *not* the typical circumstances under which most developers have to work.
Re:No... (Score:3, Interesting)
From http://www.tug.org/whatis.html
Donald Knuth, a professor of computer science at Stanford University and the author of numerous books on computer science and the TeX composition system, rewards the first finder of each typo or computer program bug with a check based on the source and the age of the bug. Since his books go into numerous editions, he does have a chance to correct errors. Typos and other errors in books typically yield $2.56 each once a
No. (Score:2)
A possible exception exists for programs written by Knuth.
What is freakish is that Knuth is the only person with the ability and determination and discipline required to write a program without bugs.
Me, I'd find some other term than "freakish", like phenomenal, but the critical distinction is the same.
Re:How (Score:5, Insightful)
Even properly structured, carefully written stuff will contain security bugs! It requires attention, more attention, and yet more attention still.
It requires proper layering of the code so that the number of variables to track at any one point is as small as possible.
Spend lots of time on design. Draw flowcharts to cover key areas of your application. kivio is your friend! [koffice.org] Consult your flowcharts before you make changes to the program. A well-laid-out flowchart can be worth more than reams of notes in the code.
Above all, structure your code so that the default behavior is secure in the event of a failure.
For example, you've done something stupid, and you're passing unescaped text to the database.
Whoops!
1) Why are you passing text directly to the database? If you communicate with the database with a proper API, you *can't* pass unescaped text to the database.
2) Are you capturing the errors from the database, so that you aren't displaying any obvious sign (to the public) of what's gone wrong?
3) Is the database connection transacted, so that you can return to a known good state?
4) Do you have some kind of error trap or handler so that you can find out exactly what the errors were and fix them in a sane way?
5) Have you tested your code with DELIBERATE bugs so that you know how it will behave in the event of a failure?
The handling of any errors from that should *NEVER* be made clear to the outside, only that "an error has occurred".
The goal is a system designed with multiple layers of protection so that a failure at any point does not result in a security breach! It should fail securely, so that problems result only in error reports, NOT SECURITY HOLES.
Easy to say, damn hard to do...
Re:How (Score:2)
Re:How (Score:2)
"Why are you passing text directly to the database". Um... because the API to a SQL database is SQL which is... text?
You have eliminated the use of PHP (since if the interpreter fails, where is the error reported?) *and* SQL (because the API is text based) in your web page development. Yes, I agree that would tend to increase security, but at what cost? Are you trying to eliminate your own job?
Ratboy.
Re:How (Score:3, Insightful)
Ahem...
Here's an example of BAD YOU-ARE-SO-OWNED CODE
Here's an example of MUCH BETTER CODE...
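The two comments above (the five-point fail-secure checklist and the "bad code / better code" contrast) are illustrated by the following added example, which is not code from either poster or from the Apache project. It uses Python's built-in sqlite3 with an in-memory database so it runs offline; the table layout, the `transfer` routine, the `PublicError` type and all sample inputs are constructed for this illustration. It shows the concatenated-text query the checklist warns against next to the layered version: values passed through the API, a transaction that rolls back to a known good state, the real cause logged internally, and only a fixed "an error has occurred" message reaching the outside.

```python
"""Added example: fail-secure database access, vulnerable vs. layered form."""
import logging
import sqlite3
from typing import List

log = logging.getLogger("app.db")


def fresh_db() -> sqlite3.Connection:
    """Constructed sample schema: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    conn.commit()
    return conn


# --- the "you-are-so-owned" shape: untrusted text pasted into the statement ---
def balance_unsafe(conn: sqlite3.Connection, name: str) -> List[int]:
    # Deliberately vulnerable: the caller's string becomes part of the SQL,
    # so a quote in it changes the query's meaning (or breaks the statement).
    cur = conn.execute(f"SELECT balance FROM users WHERE name = '{name}'")
    return [row[0] for row in cur.fetchall()]


# --- the layered shape ---
class PublicError(Exception):
    """The only thing the outside ever sees: a fixed, detail-free message."""

    def __init__(self) -> None:
        super().__init__("an error has occurred")


def balance_safe(conn: sqlite3.Connection, name: str) -> List[int]:
    # Layer 1: the API carries the value separately from the statement, so
    # the text cannot alter the query no matter what it contains.
    cur = conn.execute("SELECT balance FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Move funds atomically; on any failure roll back and report generically."""
    try:
        if amount <= 0:
            raise ValueError("non-positive amount")
        # Layer 3: the connection as context manager commits on success and
        # rolls back on any exception, returning to a known good state.
        with conn:
            conn.execute("UPDATE users SET balance = balance - ? WHERE name = ?", (amount, src))
            conn.execute("UPDATE users SET balance = balance + ? WHERE name = ?", (amount, dst))
            row = conn.execute("SELECT balance FROM users WHERE name = ?", (src,)).fetchone()
            if row is None:
                raise LookupError("unknown source account")
            if row[0] < 0:
                raise RuntimeError("insufficient funds")
        return True
    except Exception as exc:
        # Layers 2 and 4: the exact cause goes to the internal log for the
        # operator; the caller gets only the generic message.
        log.error("transfer %s->%s of %s failed: %r", src, dst, amount, exc)
        raise PublicError() from None


if __name__ == "__main__":
    db = fresh_db()
    print(balance_unsafe(db, "' OR '1'='1"))   # both balances leak out
    print(balance_safe(db, "' OR '1'='1"))     # [] : no such user
    print(transfer(db, "alice", "bob", 30))    # True
    try:
        transfer(db, "alice", "bob", 500)      # rolled back, generic error
    except PublicError as e:
        print(e, balance_safe(db, "alice"), balance_safe(db, "bob"))
```

Point 5 of the checklist (test with deliberate failures) is what the insufficient-funds and unknown-account cases exercise: the first UPDATE has already run when the check fails, and the rollback is what leaves the balances unchanged.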
Re:How (Score:2)
You'd know, I guess. ;)
Re:How (Score:3, Informative)
Er, wrong. qmail has had a couple of security flaws, and more than a couple of bugs [uni-dortmund.de]. For a more exhaustive list, Google [google.com] is your friend.
Re:How (Score:3, Informative)
Many of the "bugs" listed above are arguable, and frequently disputed by qmail users and opponents. That is, many of them could not be a reason to single-handedly strike down qmail itself.
As an example.. From the above document:
So.. qmail 1.03 was released in June 1998, RFC 2128 was released in April 2001. I'm inclined to say that calling this a "violation" i
Re:How (Score:3, Insightful)
-- Brian W. Kernighan
Re:How (Score:1)
Then again, apps are much more complicated nowadays.
On the other hand, the wide reach of the internet allows for easy patching, which can lead to sloppy coding since updates are too easy to acquire.
Re:How (Score:3, Insightful)
Today, I had a new linux server installed for me, and before I even told my customer his mail address, he had spam sent to it, and the server was subject to 2 attacks that BFD detected.
Your old apps probably had all those security flaws in them, just nobody was interested in looking for them.
Re:How (Score:2)
A relative of mine worked with a guy who wrote a program to do a single thing: Terminate itself.
(They were doing OS programming and this was actually a useful thing to have in that context.)
That's it. The simplest possible program you could write. It was a single assembly instruction. So the guy started bragging about how he'd written the only bug-free program, ever.
Well.. the gods did not look kindly upon that hubris. It turned out he'd forgotten something. He'd forgotten to
Re:How (Score:2)
function hello(){ print "Hello, World!"; }
Though most frosh comp sci majors still seem to screw it up.
Re:How (Score:1)
Ah, but mkdir has had bugs in the past. I can't remember exactly, but at one time mkdir had a race condition problem affecting ownership and permissions (akin to not using transactions in sql). I think it has had other bugs as well.
Good thing I use Apache 2 (Score:2, Funny)
Brandon Petersen
Get Firefox! [spreadfirefox.com]
Re:Good thing I use Apache 2 (Score:3, Funny)
Re:Good thing I use Apache 2 (Score:2)
Giggidy giggidy!
One small change (Score:2, Insightful)
Re:One small change (Score:5, Insightful)
A little overblown (Score:4, Interesting)
Not to say that justifies it, but this is just one bugfix. I hope people maintaining servers running Apache don't rely on Slashdot to inform them of this bug. This seems more an issue for a mailing list.
Re:A little overblown (Score:5, Funny)
No kidding. The Apache section is like Ralph Nader. It's always there, it gets about 1% as many comments as any other section, a boring story about it still hits the headlines now and again, but you try to get rid of it and it gets all crazy.
Re:A little overblown (Score:4, Funny)
Re:A little overblown (Score:1)
I'm not saying Apache isn't important at all, but important as Science, Developers, AskSlashdot, Apple? I don't think so.
Re:A little overblown (Score:2)
Re:A little overblown (Score:2)
Re:A little overblown (Score:4, Funny)
Heh, that reminds me: About 3 or 4 years ago, I was up late fixing some server issue. While I was waiting around I checked Slashdot and saw a story in the Apache section about some Apache conference or party or something that was taking place in Belgium or Norway, I can't remember exactly. It had been up for hours, maybe even days with no comments. So, thinking it would be like taking candy from a baby, I first posted. About a week later, I checked the same story and the only post was my first post. I think that story got archived with that single post.
Re:A little overblown (Score:3, Funny)
People told me that I shouldn't take the comments on Slashdot seriously because they are inaccurate, but I believe I have evidence to the contrary.
Re:A little overblown (Score:2)
Re:A little overblown (Score:3, Funny)
"mod_include: Fix potential buffer overflow with escaped characters in SSI tag string."
-- At least it's a different one.
"Multiple security issues
-- I thought they fixed that already.
I tried to migrate to Apache. (Score:5, Funny)
This is the actual response from management. The brain-dead VP that made this truly-enlightened decision first made a name for himself as a VP at a FAUCET COMPANY.
Listen to the faucet king's great idea:
"Shane, Thanks for your proposal. Unfortunately, I cannot approve the change. In fact, I've decided that we need to streamline these things in the future and make sure everyone is on the same page.
From now on, we will only install software on the servers that is at version 2.0 and above. There will be no exceptions to this. It's about security and reliability. Everyone knows you don't buy a car the first model year; why should software be any different? I've never heard of apachee, but if these guys are as good as you say they are, enough people will bite to keep them going, and when they come out with the next major release I think you'll see then that we're better off for waiting for them to really get it right.
thanks for being on board with this, tom." [my name's shane]
Two years ago this guy won the "visionary of the year" award at the company conference.
Re:I tried to migrate to Apache. (Score:2)
Re:I tried to migrate to Apache. (Score:2, Interesting)
jeez, don't speak as though 2.0 is not primetime, because that is crazy speak -- the configuration files may have new directives and options, but yours is to weigh costs of access/benefit/detriment and deploy accordingly.
Take time to read and don't be s
Re:I tried to migrate to Apache. (Score:2)
Out of interest, how did you respond?
Re:I tried to migrate to Apache. (Score:3, Interesting)
Anyway, you should have (or perhaps you did) play his game and announce that Apache 2.0 has been out for more than 2 years. As far as the ridiculous >= 2.0 policy, I'd go the route that software com
Re:I tried to migrate to Apache. (Score:4, Funny)
you could just download apache, edit the code and bump up the version number. but really, the right solution would have been to inform him that, in fact, there exists an "apachee 3.0". unfortunately, "apachee 3.0" is no longer free, and requires a $500 yearly site license for under 10 installs (and reasonable fees for more). then you can bump up the version on apache 1.3 and install it on the company's computers. your friend (er, the "apachee foundation") can cash the yearly check for you.
Re:I tried to migrate to Apache. (Score:2)
Re:I tried to migrate to Apache. (Score:2)
Re:I tried to migrate to Apache. (Score:2, Informative)
Somebody probably has already mentioned this to you but you do know that apache does have a version 2? They are currently maintaining both the version v1 and v2 trees. Just thought I would let you know.
Windows 3.1 anyone? (Score:2)
Hmm.. let this guy install Windows 3.1 on the servers (apparently that *is* > 2.0)
Hmm.. I wonder if Knuth did a good thing by freezing TeX at 3.14 (or was it 3.14.15...)
Re:I tried to migrate to Apache. (Score:2)
Ohh, it's quite amazing how many Dilbert Style managers are out there, take him along to a dogbert re-education class
Re:I tried to migrate to Apache. (Score:2)
You poor bastard... you work for the Federal Government... Come inside, we'll give you a nice bowl of soup and let you talk to a chaplain of whatever belief system you follow. Yes, we do have an atheist chaplain. He's kind of an odd one, but a good sort.
You must be so cold. Come, come inside.
Advice. (Score:2)
Mod_ssl? (Score:3, Informative)
ugh...
and I'd just started rolling out 1.3.32!
Re:Mod_ssl? (Score:2)
I'm sure you're right, but that number bump would be enough to make mod_ssl-2.8.21-1.3.32 not install without fuss.
As opposed to . . . (Score:2, Funny)
what, it would follow 1.3.34?
Re:As opposed to . . . (Score:2)
Think how 2.4 follows 2.2 kernels?
Re:As opposed to . . . (Score:2)
why cant they just release patches? (Score:3, Insightful)
Why not just release patches for the bugs and just update the patch tree??
Re:why cant they just release patches? (Score:4, Informative)
Re:why cant they just release patches? (Score:2)
T'was around the time of the great OpenSSL vulnerabilities... As a lowly admin, my job was to update all the broken things to keep our servers up. So I did, using RH rpms. Of course, $BOSS didn't realize that RH (at least at the time. Never EVER touched it again after leaving that job) bac
Re:why cant they just release patches? (Score:2)
It also makes it easy to track for everyone who sends a HEAD request to your server, because Apache dutifully reports its version in the Server: header with default settings.
Re:why cant they just release patches? (Score:2, Informative)
Re:why cant they just release patches? (Score:2)
"Wait a minute, is version 4.07-SP2 with hotfixes 78302, 78748, and 79391 now safe from exploit 17293-B or not?"
The thought alone gives me the shivers.
Content-Length in mod_proxy (Score:4, Informative)
See CAN-2004-0492 [mitre.org] for details.
In other news.... (Score:5, Funny)
Kernel developers today released the eagerly awaited linux kernel 1.2.14. Everyone should update to this latest version as soon as possible to make use of the security fixes that this update provides.
Back to /. roots? (Score:4, Insightful)
I really think that overall feel of slashdot has changed and not necessarily for the better. I'd really like to see kernel releases, Gnome & KDE flamewars, Quickies, obscure language write-ups and everything else that made
The buzz of the open source world fell flat the last couple of years. I really hope it wasn't because of the market crash and that the core of the excitement wasn't the dream of cashing out by installing linux everywhere.
Open source, I think most people still don't realize, is the source of true power in speech in this day and age. If it wasn't for projects like Linux, Apache, MySQL, PHP/Perl/Python, etc. the web would be dominated by large corporations who would be the only ones capable of paying the large sums of cash for web-service software that would have no doubt been the most expensive software out there if not for the free-as-in-beer-speech competition. Open source bestowed on the average man a voice in the newest of media channels.
I truly hope the energy & excitement due to that fact never leaves... especially here on Slashdot. The editors shouldn't let the tagline "News for Nerds. Stuff that matters." limit the vibe
Re:Back to /. roots? (Score:3, Funny)
easy there boys, its a joke
Re:Back to /. roots? (Score:2)
This used to be a nice "tip of the iceberg" place- it's where I got my feet wet with regards to linux. While the front page content is more buzzword/ad/blog centric than I care for, hey- there's filtering.
Fuck, I don't even know if Katz still posts columns or not. I got so sick of that shit that he's the only thing I locked out of my FP prefs.
So
Future thought (Score:5, Funny)
Re:What ever (Score:2, Informative)
Re:What ever (Score:1)
Also, has anyone else noticed that slashdot itself is still 1.3.29?
Re:What ever (Score:3, Informative)
mod_deflate does GZIP encoding, and comes with the Apache 2.0 core:
http://httpd.apache.org/docs-2.0/mod/mod_deflate.
Re:What ever (Score:1)
Re:What ever (Score:1)
Hence why it's default now on a grand many distros...and many many others...
(Chances of you being right about it being more of a security risk? Depends on your view, namely the time it's been out vs. the time apache1 has been out. But hey, why not at least post proof with your post compared to just stating such things blind
Re:What ever (Score:5, Informative)
Second, Apache 2 supports things like DAV, which means that to publish information on the web users need less access than with Apache 1 (such as shell accounts or, worse, FTP, since most ISPs don't think users should use SSH for some odd reason).
Lastly, Apache 2 can run Subversion [tigris.org]. So not only can you use DAV to update information without shell access of any kind but you can version that information too.
[*] Why is multi-threading faster than the pre-fork model of Apache 1? Because there is less work to do when context-switching threads. A thread shares the same virtual address space with other threads in the process. Changing virtual address spaces is slow because it requires a TLB flush (as well as one or more extra registers to save). The TLB flush increases memory accesses.
Re:What ever (Score:2)
-prator
Re:What ever (Score:2)
I'm not 100% sure but I suspect it isn't really all that supported anymore.
Re:What ever (Score:2)
Well that's hard given that apache-1.3.x doesn't use threading at all. Of course all the Linux distributions still ship with the "old" pre-fork method, because it's just as fast on Linux ... and much safer, reliable and compatible.
Doing a task switch, even without a TLB flush, is
Re:What ever (Score:2)
The down-side to threads is, as some posters have pointed out that a few modules (PHP comes to mind) aren't thread safe. I don't really use PHP nor do I like the language enough to bother with it.
But of the things I do use they all seem to
Re:What ever (Score:5, Informative)
Apache 2.x is good enough for a large site such as sf.net; it is good enough for others.
Re:What ever (Score:1)
Re:What ever (Score:5, Informative)
Riddle me this then? (Score:2, Funny)
Netcraft's "What's That Site Running?" report on www.force-elite.com [netcraft.com]
I'm assuming by your nick here that you're Chip, of course.
Re:Riddle me this then? (Score:1, Informative)
Every site I linked to was running APACHE 2.0.
Re:What ever (Score:2)
Re:What ever (Score:4, Informative)
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:17:14 GMT
Server: Apache/2.0.52 (Unix)
www.redhat.com - Unknown apache version:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:18:05 GMT
Server: Apache
www.cnn.com - Unknown apache version:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:18:45 GMT
Server: Apache
www.cnet.com - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:19:08 GMT
Server: Apache/2.0
www.bbc.co.uk - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:19:38 GMT
Server: Apache/2.0.51 (Unix)
us2.php.net - Apache 2:
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2004 09:20:01 GMT
Server: Apache/2.0.46 (Unix) mod_perl/1.99_09 Perl/v5.8.0 mod_ssl/2.0.46 OpenSSL/0.9.6g DAV/2 FrontPage/5.0.2.2634 PHP/4.3.2 mod_gzip/2.0.26.1a
I guess a lot of people use Apache 2!
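The responses pasted above, together with the earlier remark that a default Apache reports its version in the Server: header to anyone sending a HEAD request, are the input for this added example. It is not code from the thread or from the Apache project: it splits a raw response head into header lines, extracts the Server: value, strips the parenthesised comment, and records which hosts disclose a product version and which extra module versions ride along. The `SAMPLES` dict is a constructed copy of five of the pasted responses; the `ServerInfo` record and the audit functions are this example's own.

```python
"""Added example: audit Server: headers in raw HTTP response heads for version disclosure."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed copies of responses pasted in the thread (CRLF line endings,
# blank line terminating the head, no body because they answer HEAD).
SAMPLES: Dict[str, str] = {
    "www.redhat.com": "HTTP/1.1 200 OK\r\nDate: Fri, 29 Oct 2004 09:18:05 GMT\r\nServer: Apache\r\n\r\n",
    "www.cnn.com": "HTTP/1.1 200 OK\r\nDate: Fri, 29 Oct 2004 09:18:45 GMT\r\nServer: Apache\r\n\r\n",
    "www.cnet.com": "HTTP/1.1 200 OK\r\nDate: Fri, 29 Oct 2004 09:19:08 GMT\r\nServer: Apache/2.0\r\n\r\n",
    "www.bbc.co.uk": "HTTP/1.1 200 OK\r\nDate: Fri, 29 Oct 2004 09:19:38 GMT\r\nServer: Apache/2.0.51 (Unix)\r\n\r\n",
    "us2.php.net": (
        "HTTP/1.1 200 OK\r\nDate: Fri, 29 Oct 2004 09:20:01 GMT\r\n"
        "Server: Apache/2.0.46 (Unix) mod_perl/1.99_09 Perl/v5.8.0 mod_ssl/2.0.46 "
        "OpenSSL/0.9.6g DAV/2 FrontPage/5.0.2.2634 PHP/4.3.2 mod_gzip/2.0.26.1a\r\n\r\n"
    ),
}


class ServerInfo(NamedTuple):
    product: Optional[str]   # first product token, e.g. "Apache"
    version: Optional[str]   # its version if disclosed, else None
    disclosed: bool          # True when any version number is visible
    extras: List[str]        # remaining product/version tokens (modules, libraries)


def server_header(raw: str) -> Optional[str]:
    """Return the Server: header value from a raw response head, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def parse_server(value: Optional[str]) -> ServerInfo:
    """Split 'Product/version (comment) Module/version ...' into a ServerInfo."""
    if not value:
        return ServerInfo(None, None, False, [])
    # Drop parenthesised comments such as "(Unix)"; they carry no version.
    tokens = re.sub(r"\([^)]*\)", "", value).split()
    if not tokens:
        return ServerInfo(None, None, False, [])
    product, _, version = tokens[0].partition("/")
    extras = tokens[1:]
    disclosed = bool(version) or any("/" in t for t in extras)
    return ServerInfo(product, version or None, disclosed, extras)


def audit(samples: Dict[str, str]) -> Dict[str, ServerInfo]:
    """Classify every sampled host."""
    return {host: parse_server(server_header(raw)) for host, raw in samples.items()}


def disclosing_hosts(samples: Dict[str, str]) -> List[str]:
    """Hosts whose Server: header exposes at least one version number."""
    return sorted(h for h, info in audit(samples).items() if info.disclosed)


if __name__ == "__main__":
    for host, info in audit(SAMPLES).items():
        print(f"{host:16} product={info.product} version={info.version} "
              f"disclosed={info.disclosed} extras={len(info.extras)}")
```

Of the five sampled hosts, three disclose a version and two answer with a bare "Apache". On the server side that bare form is what Apache's `ServerTokens Prod` directive produces; it does not make an unpatched build any safer, but it stops the header from advertising exactly which release is running, which is the tracking concern the earlier comment raises.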
Re:What ever (Score:2)
Re:What ever (Score:2)
Re:I can't figure this release note out (Score:1, Interesting)
That said, that only pertains to the operating system and accompanying binaries. It does not cover Apache. If there is a bug in Apache that allows
Re:I can't figure this release note out (Score:1)
How about this [debian.org], or this [mplayerhq.hu] then?
No distribution is inherently more secure than another, a Debian Woody machine will be as easily compromised as any other distribution, if the admin is incompetent. (And, no, I'm not saying all machines are compromised because of incompetent admins)
Re:I can't figure this release note out (Score:5, Funny)
[note to mods: With a story this useless, what else could I do but correct usage (I'll leave grammar and capitalization as an exercise for the reader)? I mean come on, the front page for a bugfix?!]
Re:I can't figure this release note out (Score:3, Insightful)
Good try (and moderately funny) but no cigar. The word "effect" can be used as a noun *or* a transitive verb in which case the meaning can be read as "to bring about." That, too, would be moderately funny, for an entirely different reason.
The word "affect," on the other hand, is most commonly used as an intransitive verb, though its usage as a noun still exists (e.g. "affectation").
[Web-link-as-pseudo-authoritative-citation omitted.]
Re:I can't figure this release note out (Score:3, Funny)
Security effects ALL of us.
ITYM the other way around - it's LACK of secure (safe) sex that effects all of us.
Re:Apache is awful. (Score:2)
Maybe you should go back to IIS. You should not run a web server you can't get working. Leave apache for other people.
Re:Apache is awful. (Score:2)
Apache under windows is JustBadIdea if you ask me.
Re:Apache is awful. (Score:3, Funny)
disabled all unneeded services, performance tuned our app
You only did that _after_ you noticed your application is having problems?
Re:Apache is awful. (Score:4, Interesting)
Regards,
Steve
On and off topic (Score:1)
. . . and speaking of poor websites, one of our old customers (I had to try and answer his question in a professional way as to why people weren't coming to his website) designing-websites.com [designing-websites.com] although he has
Re:Apache is awful. (Score:1)
Unfortunately, despite your best attempts to slander the apache software, it looks more like pebkac [userfriendly.org]
Re:Apache is awful. (Score:2)
Running Apache on Windows isn't necessarily evil either. It's good for Windows shops or when using another OS would make the learning curve incredibly steep.
I use Apache/Win for my CGI SOAP services. While they are internal servers, they still get a moderate load. And I've never had a minute of trouble with Apache.
I'm also using Apache/XP/Firebird on my laptop to learn PHP. Which will eventually be moved to my Apache/Debian/Fir
Re:Apache is awful. (Score:2)
Try phpBB (Score:2, Informative)
Try installing phpBB, it's free, and moderately pretty by default. The only hitch would be migrating your existing user accounts. If you have their passwords in plaintext, just examine phpBB's registration code, and write a script to insert your existing users into phpBB's database.
I have phpBB running on a site with about 8,000 users that gets 1500+ posts a day. Works great and it's
Re:apache 1-3-31 on debian testing (Score:2)
I suppose that the apache_1.3.31-7 package will soon hit the repository with this bug fixed