Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Software Apache

Apache 1.3.33 Released 227

harmgsn writes "Following the release of Apache 1.3.32, the Apache Group released Apache 1.3.33 to fix a security flaw in mod_include and in the Content-Length field. The official announcement is available as well as the ChangeLog for the 1.3.x series."
This discussion has been archived. No new comments can be posted.

Apache 1.3.33 Released

Comments Filter:
  • How (Score:1, Insightful)

    by igzat ( 817053 )
    Will there ever be software released that doesn't have flaws or bugs, or is that just utterly impossible? Even the Mozilla foundation has vulnerability and bug problems, and they have some of the best coders out there.
    • Re:How (Score:2, Funny)

      by Anonymous Coward
      Yes, I think there is one, it is called the "Hello World" program.
      • Re:How (Score:1, Funny)

        by Anonymous Coward
        Did you check the return value of the printf call?

        BUGGY!
    • Re:How (Score:5, Insightful)

      by pavon ( 30274 ) on Friday October 29, 2004 @12:43AM (#10660738)
      Sure, no one has found any bugs Knuth's TeX in years. Same for Qmail, and others. You have to know exactly what you are doing before you start - which often means writing a throw away version of the software first to work out the kinks in the design. You have to have a simple clean design, and coding practice - as one of the Unix developers said debuging is 10x harder than writing code, so you you write code as cleverly as you can, you are, by definition, not qualified to debug that code. You have to know upfront how to write secure code, and think about with every function you write - never put this off for later. Then you have to have some one else rigorously read over every line of code to find any mistakes. Lastly you have to systematically test each part of the code individually and together. Then after years of widespread use without any major feature changes you will have weeded out nearly all of the bugs.

      Nearly all software that is written leaves out some of these things, choosing to balence getting something done with quality. Some find a better balance than others :)

      BTW. The mozilla programs are definately good programmers, but the codebase is certainly not the paragon of clean code. It is huge and unweildy, which is the main reason that Apple chose to build off of KHTML instead of Gecko when they made Safari. The situation has improved over time, but making an existing non-secure program secure, is much harder than doing it (mostly) correct from the start.
      • Re:How (Score:5, Informative)

        by Goonie ( 8651 ) * <robert,merkel&benambra,org> on Friday October 29, 2004 @01:01AM (#10660827) Homepage
        Sure, no one has found any bugs Knuth's TeX in years.

        Knuth is a freak of nature who spent eight years writing a program on his own, largely for his own edification and completely free of commercial pressure. Few others have that freakish ability, fewer still get to work on their pet project by themselves for that long before offering it to the world. So there are limits to how many lessons can be drawn from this very unusual example.

      • Re:How (Score:5, Insightful)

        by mcrbids ( 148650 ) on Friday October 29, 2004 @01:14AM (#10660871) Journal
        Secure code is HARD to write!

        Even properly structured, carefully written stuff will contain securiity bugs! It requires attention, more attention, and yet more attention still.

        It requires proper layering of the code so that the number of variables to track at any one point is as small as possible.

        Spend lots of time on design. Draw flowcharts to cover key areas of your application. kivio is your friend! [koffice.org] Consult your flowcharts before you make changes to the program. A well-layed-out flowchart can be worth more than reams of notes in the code.

        Above all, structure your code so that the default behavior is secure in the event of a failure.

        For example, you've done something stupid, and you're passing unescaped text to the database.

        Whoops!

        1) Why are you passing text directly to the database? If you communicate with the database with a proper API, you *can't* pass unescaped text to the database.

        2) Are you capturing the errors from the database, so that you aren't displaying any obvious sign (to the public) of what's gone wrong?

        3) Is the database connection transacted, so that you can return to a known good state?

        4) Do you have some kind of error trap or handler so that you can find out exactly what the errors were and fix them in a sane way?

        5) Have you tested your code with DELIBERATE bugs so that you know how it will behave in the event of a failure?

        The hendling of any errors from that should *NEVER* be made clear to the outside, only that "an error has occured".

        The goal is a system designed with multiple layers of protection so that a failure at any point does not result in a security breach! It should fail securely, so that problems result only in error reports, NOT SECURITY HOLES.

        Easy to say, damn hard to do...
        • by Pxtl ( 151020 )
          First and foremost: don't use the C standard library. glib or C++ standard lib. C standard library is security suicide.
        • "*NEVER* be made clear to the outside"? What *is* the "outside" when providing toolkit software?

          "Why are you passing text directly to the database". Um... because the API to a SQL database is SQL which is... text?

          You have eliminated the use of PHP (since if the interpreter fails, where is the error reported?) *and* SQL (because the API is text based) in your web page developement. Yes, I agree that would tend to increase security, but at what cost? Are you trying to eliminate your own job?

          Ratboy.
          • Re:How (Score:3, Insightful)

            by mcrbids ( 148650 )
            "Why are you passing text directly to the database". Um... because the API to a SQL database is SQL which is... text?

            Ahem...

            Here's an example of BAD YOU-ARE-SO-OWNED CODE ...

            $sql="SELECT * FROM userdb WHERE login='".$_REQUEST['login']."' AND password='".$_REQUEST['password'].'";
            $res=mysql_ query($conn, $sql);

            Here's an example of MUCH BETTER CODE...

            $DB=New Database();
            $DB->SetQuery("SELECT * FROM userdb WHERE login='@login' AND password='@password'");
            $DB->Set('login', $_REQUEST['login']);
            $DB-

        • "Even properly structured, carefully written stuff will contain securiity bugs!"

          You'd know, I guess. ;)

      • Re:How (Score:3, Informative)

        by pairo ( 519657 )
        Sure, no one has found any bugs Knuth's TeX in years. Same for Qmail, and others.
        Er, wrong. qmail has had a couple of security flaws, and more than a couple of bugs [uni-dortmund.de]. For a more exhaustive list, Google [google.com] is your friend.
        • Re:How (Score:3, Informative)

          by Chexum ( 1498 )

          ...more than a couple

          bugs [uni-dortmund.de]...

          Many of the "bugs" listed above are arguable, and frequently disputed by qmail users and opponents. That is, many of them could not be a reason to single-handedly strike down qmail itself.

          As an example.. From the above document:

          All the contents of this document refer to qmail-1.03.

          4.3. Bandwidth hogging (violates RFC-2821 SHOULD clause)

          So.. qmail 1.03 was released in June 1998, RFC 2128 was released in April 2001. I'm inclined to say that calling this a "violation" i

      • Re:How (Score:3, Insightful)

        by DrSkwid ( 118965 )
        Debugging is twice as hard as writing the code in the first place. Therefore,if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.

        -- Brian W. Kernighan

    • by vawlk ( 14842 )
      I am just reminded about how many apps that I used to run on my old 8086 that never needed patching. Same with old console games...they always seemed to just work.

      Then again, apps are much more complicated nowadays.

      On the other hand, the wide reach of the internet allows for easy patching which can lead to sloppy coding since updates are too easy to aquire.
      • Re:How (Score:3, Insightful)

        by gbjbaanb ( 229885 )
        nothing to do with complexity really, your old 8086 was never connected to the internet as we know it, and security was more a case of choosing a password that wasn't 'password'.

        Today, I had a new linux server installed for me, and before I even told my customer his mail address, he had spam sent to it, and the server was subject to 2 attacks that BFD detected.

        Your old apps probably had all those security flaws in them, just nobody was interested in looking for them.
    • Nope. All software has bugs.

      A relative of mine worked with a guy who wrote a program to do a single thing: Terminate itself.
      (They were doing OS programming and this was actually a useful thing to have in that context.)

      That's it. The simplest possible program you could write. It was a single assembly instruction. So the guy started bragging about how he'd written the only bug-free program, ever.

      Well.. the gods did not look kindly upon that hubris. It turned out he'd forgotten something. He'd forgotten to
    • Here's one:
      function hello(){ print "Hello, World!"; }

      Though most frosh comp sci majors still seem to screw it up.

  • Been using Apache 2 on Fedora Core for the past few months, so shouldn't have any worries.

    Brandon Petersen
    Get Firefox! [spreadfirefox.com]
  • One small change (Score:2, Insightful)

    by jZnat ( 793348 )
    So, one small change was made to prevent dumbasses from fucking over the buffer if they use characters not intended in the first place? Not worth it without updating other bugs, sorry to say. Work on the more important yet less known bugs instead!
    • by Electroly ( 708000 ) on Friday October 29, 2004 @12:31AM (#10660688)
      Without that "one small change", someone could own your computer by just sending a specially crafted HTTP response when you hit a website. I personally think anything that can allow "bad people" to get access to your computer without too much difficulty is something that should get fixed. Suit yourself.
  • A little overblown (Score:4, Interesting)

    by Stevyn ( 691306 ) on Friday October 29, 2004 @12:26AM (#10660667)
    After looking at the changelog [apache.org], is this a topic for the main page? I mean people complain when a minor revision of the Linux kernel or KDE comes out.

    Not to say that justifies it, but this is just one bugfix. I hope people maintaining servers running Apache don't rely on Slashdot to inform them of this bug. This seems more an issue for a mailing list.

    • by Anonymous Crowhead ( 577505 ) on Friday October 29, 2004 @12:34AM (#10660701)
      After looking at the changelog [apache.org], is this a topic for the main page?

      No kidding. The Apache section is like Ralph Nader. It's always there, it gets about 1% as many comments as any other section, a boring story about it still hits the headlines now and again, but you try to get rid of it and it gets all crazy.
      • by Anonymous Coward on Friday October 29, 2004 @12:40AM (#10660730)
        Don't blame me, I voted IIS.
      • Yeah was this one of the original sections or something? Couldn't this just be thrown into IT? After all, it's IT people who would be interested in subject matter like this.

        I'm not saying Apache isn't important at all, but important as Science, Developers, AskSlashdot, Apple? I don't think so.
      • by Neil Blender ( 555885 ) <neilblender@gmail.com> on Friday October 29, 2004 @01:14AM (#10660872)
        No kidding. The Apache section is like Ralph Nader. It's always there, it gets about 1% as many comments as any other section, a boring story about it still hits the headlines now and again, but you try to get rid of it and it gets all crazy.

        Heh, that reminds me: About 3 or 4 years ago, I was up late fixing some server issue. While I was waiting around I checked Slashdot and saw a story in the Apache section about some Apache conference or party or something that was taking place in Belgium or Norway, I can't remember exactly. It had been up for hours, maybe even days with no comments. So, thinking it would be like taking candy from a baby, I first posted. About a week later, I checked the same story and the only post was my first post. I think that story got archived with that single post.
    • Apache 1.3 is a well established product, with over 65% of the market share [netcraft.com]. It is important that security flaws are quickly found, fixed and patched everywhere, to avoid possible exploits (esp. worms) from spreading and choking the net. I'm sure you can think of good examples of why this is good practice ;-)
    • With all the stories on Microsoft exploits, the Slashdot editors are trying to give equal time.

      "mod_include: Fix potential buffer overflow with escaped characters in SSI tag string."
      -- At least it's a different one.

      "Multiple security issues ... that could allow an attacker to compromise a computer running Windows and gain complete control over it."
      -- I thought they fixed that already.

  • by shaneh0 ( 624603 ) on Friday October 29, 2004 @12:47AM (#10660761)
    During last years jihad on IIS & IE I decided it would be a good idea to migrate the company's web servers to Apache. I decided to start simple and submit a plan to migrate just the department intranet server.

    This is the actual response from management. The brain-dead VP that made this truly-enlightened decision first made a name for himself as a VP at a FAUCET COMPANY.

    Listen to the faucet kings great idea:

    "Shane, Thanks for your proposal. Unfortunately, I cannot approve the change. In fact, I've decided that we need to streamline these things in the future and make sure everyone is on the same page.

    From now on, we will only install software on the servers that is at version 2.0 and above. There will be no exceptions to this. It's about security and reliability. Everyone knows you dont buy a car the first model year, why should software be any different. I've never heard of apachee, but if these guys are as good as you say they are enough people will bite to keep them going, and when they come out with the next major realease I think you'll see then that we're better off for waiting for them to really get it right.

    thanks for beging on board with this, tom." [my name's shane]

    Two years ago this guy won the "visionary of the year" award at the company conference.
    • Luckily, there is an Apache 2.0!
    • I was called by the wrong name 8 months into my current job staying in a company flat with the CFO in london (now 2nd Sr. Admin). I feel the v2.0 scenario and it hurts my heart. blessed be (God|Allah|Jeebus|Jehova|Budda|Mr. Dobbs) and blessed be apache 1.3.x.

      jez don't speak as though 2.0 is not primetime, because that is crazy speak -- the configuration files may have new directives and options, but yours is to weigh costs of access/benefit/detriment and deploy accordingly.

      Take time to read and don't be s
    • Out of interest, how did you respond?

    • The idea is sound enough, we all know of course that no one adheres to any standards with regard to software revisions. Some software goes for years at version 0.x, and a 1.0 release is a really exceptional product. Others (like Microsoft) take at least up to version 3 for the thing to be actually useable.

      Anyway, you should have (or perhaps you did) play his game and announce that Apache 2.0 has been out for more than 2 years. As far as the ridiculous >= 2.0 policy, I'd go the route that software com
      • by pchan- ( 118053 ) on Friday October 29, 2004 @01:54AM (#10660998) Journal
        i would love to have had the chance to respond to this.

        you could just download apache, edit the code and bump up the version number. but really, the right solution would have been to inform him that, in fact, there exists an "apachee 3.0". unfortunately, "apachee 3.0" is no longer free, and requires a 500$ yearly site license for under 10 installs (and reasonable fees for more). then you can bump up the version on apache 1.3 and install it on the company's computers. your friend (er, the "apachee foundation") can cash the yearly check for you.
    • No, you don't buy a car the first model year (1.0). That's why you wait for Car 1.1 or higher. Waiting until the new model (2.0) is out is just plain stupid. :)
    • Somebody probably has already mentioned this to you but you do know that apache does have a version 2? They are currently maintaining both the version v1 and v2 trees. Just thought I would let you know.

    • > From now on, we will only install software on the servers that is at version 2.0 and above

      Hmm.. let this guy install Windows 3.1 on the servers (apparently that *is* > 2.0)

      Hmm.. maybe I wonder if Knuth did a good thing by freezing TeX at 3.14 (or was it 3.14.15...)
    • *rolls around on the floor laugning*

      Ohh, it's quite amazing how many Dilbert Style managers are out there, take him along to a dogbert re-education class :)
  • Mod_ssl? (Score:3, Informative)

    by mcrbids ( 148650 ) on Friday October 29, 2004 @01:53AM (#10660995) Journal
    It doesn't appear that mod_ssl 1.3.33-NNN is available yet. I can't update until this is done, or all my ssl sites break.

    ugh...

    and I'd just started rolling out 1.3.32!
  • Following the release of Apache 1.3.32

    what, it would follow 1.3.34?

  • by xot ( 663131 ) <fragiledeathNO@SPAMgmail.com> on Friday October 29, 2004 @01:59AM (#10661020) Journal
    Do they have to keep releasing a new version everytime a bug or security flaw comes up?
    Why not just release patches for the bugs and just update the patch tree??
  • by morten poulsen ( 220629 ) on Friday October 29, 2004 @03:37AM (#10661274) Homepage
    It is worth noting that the Content-Length security problem is in mod_proxy, not in the main daemon.

    See CAN-2004-0492 [mitre.org] for details.
  • by abdulwahid ( 214915 ) on Friday October 29, 2004 @03:49AM (#10661303) Homepage

    Kernel developers today released the eagerly awaited linux kernel 1.2.14. Everyone should update to this latest version as soon as possible to make use of the security fixes that this update provides.

  • Back to /. roots? (Score:4, Insightful)

    by FudgePackinJesus ( 444734 ) on Friday October 29, 2004 @06:59AM (#10661837)
    I really hope that, with this post, this is a hint of things to come at /.

    I really think that overall feel of slashdot has changed and not necessarily for the better. I'd really like to see kernel releases, Gnome & KDE flamewars, Quickies, obscure language write-ups and everything else that made /. special in the past make it to the front page again. Instead we're getting game reviews, movie reviews and politics. Sounds more like a mainstream news source now, doesn't it?

    The buzz of the open source world fell flat the last couple of years. I really hope it wasn't because of the market crash and that the core of the excitement wasn't the dream of cashing out by installing linux everywhere.

    Open source, I think most people still don't realize, is the source of true power in speech in this day and age. If it wasn't for projects like Linux, Apache, MySQL, PHP/Perl/Python, etc. the web would be dominated by large corporations who would be the only ones capable of paying the large sums of cash for web-service software that would have no doubt been that most expensive software out if not for the free-as-in-beer-speech competition. Open source bestowed the average man a voice in the newest of media channels.

    I truely hope the energy & excitement due to that fact never leaves... especially here on Slashdot. The editors shouldn't let the tagline "News for Nerds. Stuff that matters." limit the vibe /. gave off before because, at the end of the day, that's all it is. A tagline.
    • I'd really like to see ... Gnome & KDE flamewars
      there arent gnome and kde flame wars anymore because we kde zealots won.


      easy there boys, its a joke
    • Don't forget the DOOD CHECK OUT MY SCHWEET BLOG ENTRY posts. Or the ads-masquerading-as-posts posts.

      This used to be a nice "tip of the iceberg" place- it's where I got my feet wet with regards to linux. While the front page content is more buzzword/ad/blog centric than I care for, hey- there's filtering.

      Fuck, I don't even know if Katz still posts columns or not. I got so sick of that shit that he's the only thing I locked out of my FP prefs.

      So /. is getting better with age in at least one respect.
  • by SirLestat ( 452396 ) on Friday October 29, 2004 @07:12AM (#10661884)
    I can't wait for release 1.3.37

There is very little future in being right when your boss is wrong.

Working...