Apache 2.0.53 Released, Fixes 2 Security Problems

CGIsecurity.com writes "Two security issues have been addressed in Apache's 2.0.53 build. The entire Apache announcement can be found here."

From the changelog:

[molo]

*) SECURITY: CAN-2004-0942 (cve.mitre.org)
Fix for memory consumption DoS in handling of MIME folded request
headers. [Joe Orton]

*) SECURITY: CAN-2004-0885 (cve.mitre.org)
mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
bypassed during an SSL renegotiation. PR 31505.
[Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]

Re:Go Troll, go!

[Anonymous Coward]

C'mon troll, at least cite the actual study [tinyurl.com] when you post!

An Anonymous Coward on Slashdot talking about trolling has posted an anonymized tinyurl link supposedly linking to some study about IIS being better than Apache. Hmmm... Sounds reasonable. *click*

Warning

You have followed a TinyURL that goes to an image with distasteful nudity.

If you still wish to continue to that site, please follow this link:

http://www.redcoat.net/pics/tubgirl.jpg [redcoat.net]

Hmmm... Distasteful nudity? It must be some mistake. I am l

Re:Go Troll, go!

[mboverload]

Ok, now WTF WAS THAT?!?!

is it time for 2.0.x over 1.3.x?

[Tumbleweed]

Okay, I'm about to set up my first webserver in about 10 years, and I've got an 'ask slashdot' here - should I install 1.3.x or 2.0.x? I don't care about what most hosting companies are providing, but what are the pitfalls of going with 2.0.x over 1.3.x, and vice-versa?

Re:is it time for 2.0.x over 1.3.x?

[Matt Perry]

Correction, PHP with Apache's threading module isn't recommended. PHP and any add-ons works great with the Apache 2.x prefork module. Prefork makes Apache work just like 1.3.

Re:is it time for 2.0.x over 1.3.x?

[panic911]

I realize the php folks don't suggest using it with Apache 2.0, but honestly I've used PHP4 and PHP5 on it for years with not one problem (in Linux and Windows). I always stay current with apache2 and install it as the php.net site suggests. It works great.

Re:is it time for 2.0.x over 1.3.x?

[Hank Reardon]

The answer is...

It depends.

What are you going to do with it? What modules are you going to run? Have the modules been ported from Apache 1.3 to Apache 2.x yet? Are you going to use mod_perl? Unix or NT?

If you're looking at a PHP/Apache solution, ignore the "PHP doesn't work with Apache 2" screaming; most times it's only half right. If you want to run PHP on Apache 2, make sure you use the Prefork model instead of threads. The problem PHP has is most of the add-on libraries aren't thread-safe - the prefor

Re:is it time for 2.0.x over 1.3.x?

[Quattro Vezina]

I'd recommend 2.x. I'm using it myself, and it's fine.

That FUD you hear about Apache2 not working with PHP is just that, FUD. The only problem lies with the worker multi-process module (and it's because PHP was coded in a braindead fashion--it's not Apache's fault). Use the prefork MPM instead and you'll be fine. Also, from what I understand, PHP5 has resolved those issues.

Re:is it time for 2.0.x over 1.3.x?

[wizbit]

Wow, for someone trying to dispel FUD, you're sure dispensing an impressive amount of your own.

You can run PHP4 just fine on Apache 2. The problem is NOT, as you say, directly with PHP, but with the libraries that are typically linked/compiled in when building PHP (mcrypt, imap, mysql, etc) that are not multi-thread safe. PHP will have the same problems (though it will run just fine with the prefork MPM) until the module authors get the code cleaned up, or you'll end up building a barebones PHP interpreter.

The 1.3 series is multi-process, which doesn't work terribly well on Windows. Apache2 brings far better Windows support, but either should run just fine on a Linux machine. Use whichever you're more familiar with.

Re:is it time for 2.0.x over 1.3.x?

[Tumbleweed]

I wasn't planning on PHP, but Python - any problems with Apache 2 on that front?

Re:is it time for 2.0.x over 1.3.x?

[FireChipmunk]

No, infact, mod_python [modpython.org] is only actively developed for Apache 2.0. They don't even support the version for 1.3 anymore.

Re:is it time for 2.0.x over 1.3.x?

[Tumbleweed]

Decision made. :)

Thanks for the info, everyone.

Re:is it time for 2.0.x over 1.3.x?

[Chmarr]

I've been playing around with mod_fastcgi myself. Gives you the same advantages as mod_python, but it guarantees to be running in a different process space, which I quite like. There's pure-python client implementations available.

You'd need to use mod_python if you were intending fiddling with the apache internals, though, but for simple web apps, mod_fastcgi works great.

Re:is it time for 2.0.x over 1.3.x?

[molnarcs]

Yeah, php works just fine with apache2 (for me at least) - and I using threading (not prefork) - which is double no-no according to rumours. See here [netcraft.com] (lately not shown b/c firewall servertoken settings, but php is there, well, and healthy).

Re:is it time for 2.0.x over 1.3.x?

[TheLink]

More bugs/security issues?

Re:is it time for 2.0.x over 1.3.x?

[newker]

i would prefer staying to 1.3xx unless otherwise a newely discovered major security bug is discovered in it. apache version 2 seems not 100% compatible with hosting control panels like cpanel. so definitely its not yet time to upgrade

Ebuild?

[Mad Merlin]

Anybody know when the ebuild will be out? Checked packages.gentoo.org already but I don't see it there yet.

Why Don't Slashdotters Have more interest

[osewa77]

.. In topics like this one? Because, apparently, security is so boring.