Apache Server Tightens Security With Upgrade

By Sean Michael Kerner
Posted Mar 23, 2004


Looking to keep Web pages rolling along, the Apache Software Foundation late Friday upgraded its HTTP server. The latest release of the open source HTTP server contains a collection of bug fixes to prevent denial of service attacks.

The open source foundation responsible for Apache development said version 2.0.49 is available for download and is primarily a bug fix release. The latest version is compatible with modules compiled for 2.0.42 and later.

"For us this was just a regular release, nothing reactionary about it," Sander Striker, a director of the Apache Software Foundation (ASF), told internetnews.com. "Of course we do take security issues into account, but ... we would have had a release anyway."

The Apache 2.0.49 change log notes a large number of bug fixes and security enhancements. In particular, this release fixes three previously identified security vulnerabilities on certain platforms: CAN-2004-0174, which may allow a denial of service attack; CAN-2003-0020, which is a potential terminal emulator vulnerability; and CAN-2004-0113, which is a potential "mod_ssl" memory leak exploit that could permit a denial of service attack.

The Apache HTTP Server 1.3.x distribution, currently at version 1.3.29, was not updated at this time.

"It means that these particular bugs were not present in the latest 1.3 version (1.3.29)," Apache Software Foundation member Rich Bowen told internetnews.com. "I'm not making a sweeping comment to say that 1.3 or 2.0 is 'more secure' because that would be inaccurate."

Developers on the Apache 1.3.x branch have recently been discussing the next 1.3.x release, version 1.3.30, on the development mailing list. Striker said, "The 1.3 release cycle will probably start this week. But don't hold it against me if it doesn't."

Apache 2.0.49 is the 11th public release on the 2.x branch of the HTTP server. Apache 2.x development began in earnest in 1998. The Apache Software Foundation has been using Apache 2.x to run apache.org since December 2000, and the first production-ready version of Apache 2.x was released in April 2002.

When the production version, Apache 2.0.35, was released, the Apache Software Foundation wrote, "We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade."

Despite the Apache Software Foundation's encouragement that users upgrade, the 1.3.x branch remains the dominant Web server across the Internet at large.

"'If it ain't broke, don't fix it' is in many a sysadmin's book," Striker said. "1.3.x works for a lot of places and continues to keep working."

He went on to note that he expects 2.0.x to be considered for new installations, and it's the default Web server for Red Hat's products. Red Hat shifted to 2.0.x with Red Hat Linux 8 and with Red Hat Enterprise Linux at version 3.

Bowen also noted another perceived barrier to Apache 2.0.x adoption: integration with PHP, the popular Web scripting language.

"There is a perception that mod_php 'doesn't work properly' on 2.x, so people are reluctant to move," he told internetnews.com. "Also, a number of popular third-party modules have not been ported yet."

The official PHP project documentation states plainly, "Do not use Apache 2.0 and PHP in a production environment neither on Unix nor on Windows."

Bowen disagrees with the PHP documentation, however, noting that actual users report using PHP with Apache 2.0.x without problems.

"I tend to put more weight on the experience than on the line on a Web site," he said.

This article was originally posted on internetnews.com.
