RealTime IT News

Apache Server Upgrade Tightens Security

Looking to keep Web pages rolling along, the Apache Software Foundation has released the latest upgrade to its HTTP server.

The open source foundation responsible for the development of the Apache HTTP Server said version 2.0.49 is available for download and principally serves as a bug-fix release. The latest version is compatible with modules compiled for 2.0.42 and later.

"For us this was just a regular release, nothing reactionary about it," Sander Striker, a director of the Apache Software Foundation (ASF), told internetnews.com. "Of course we do take security issues into account, but . . . we would have had a release anyway."

The Apache 2.0.49 change log notes a large number of bug fixes and security enhancements. In particular, this release fixes three previously identified security vulnerabilities on certain platforms: CAN-2004-0174, which may allow a DoS attack; CAN-2003-0020, which is a potential terminal emulator vulnerability; and CAN-2004-0113, which is a potential "mod_ssl" memory leak that could permit a DoS attack.

The Apache HTTP Server 1.3.x branch, currently at version 1.3.29, was not updated at this time. The first official public release (0.6.2) of the Apache server was in April 1995. Since April 1996, according to Netcraft statistics, Apache has remained the dominant Web server, beating back numerous challengers over the years, including Microsoft's IIS (Internet Information Server).

"It means that these particular bugs were not present in the latest 1.3 version (1.3.29)," Apache Software Foundation member Rich Bowen told internetnews.com. "I'm not making a sweeping comment to say that 1.3 or 2.0 is 'more secure' because that would be inaccurate."
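For an administrator taking inventory, the practical question raised by the two preceding paragraphs is whether a given httpd instance is on the 2.0.x branch below 2.0.49 (and so lacks the three fixes), whether it is the 1.3.29 release the ASF says was not affected, and whether existing compiled modules will still load after the upgrade (the article's 2.0.42 floor). The following is an added example written for this page, not code from the Apache project or from the article; the version banners it parses are constructed sample strings, and the function names are the author's own.

```python
import re

# Release named in the article as carrying the fixes for CAN-2004-0174,
# CAN-2003-0020 and CAN-2004-0113 on the 2.0.x branch.
FIXED_2_0 = (2, 0, 49)

# Per the article, modules compiled for 2.0.42 and later stay compatible with 2.0.49.
MODULE_ABI_FLOOR = (2, 0, 42)

# 1.3 release the article quotes Bowen as saying did not contain these bugs.
KNOWN_CLEAN_1_3 = (1, 3, 29)

# Constructed sample banners (not captured from any real host). The first two
# look like `httpd -v` output; the rest like HTTP `Server:` response headers.
SAMPLE_BANNERS = [
    "Server version: Apache/2.0.48",
    "Server version: Apache/2.0.49",
    "Server: Apache/2.0.49 (Unix) mod_ssl/2.0.49 OpenSSL/0.9.7c",
    "Server: Apache/1.3.29 (Unix)",
    "Server: Apache/1.3.27 (Unix)",
    "Server: Apache",  # version suppressed, e.g. by `ServerTokens Prod`
]

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor, patch) from a banner, or None if no version is exposed."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def assess(banner):
    """Classify a banner against what the article states about 2.0.49 and 1.3.29.

    Returns one of: 'unknown', 'affected', 'fixed', 'not-affected', 'unverified'.
    Only the facts on the page are encoded; anything else is reported as unverified.
    """
    version = parse_version(banner)
    if version is None:
        # A hidden version is not evidence of patching; check the package or `httpd -v` instead.
        return "unknown"
    if version[:2] == (2, 0):
        return "fixed" if version >= FIXED_2_0 else "affected"
    if version == KNOWN_CLEAN_1_3:
        return "not-affected"
    # Other 1.3.x (or any other branch): the article makes no statement about them.
    return "unverified"


def module_compatible(compiled_for):
    """True if a module compiled for `compiled_for` should load under 2.0.49 (article's 2.0.42 floor)."""
    return compiled_for[:2] == (2, 0) and MODULE_ABI_FLOOR <= compiled_for <= FIXED_2_0


def summarize(banners):
    """Map each banner to its assessment, for a quick inventory report."""
    return {banner: assess(banner) for banner in banners}


if __name__ == "__main__":
    for banner, verdict in summarize(SAMPLE_BANNERS).items():
        print(f"{verdict:13} <- {banner}")
    for compiled_for in [(2, 0, 40), (2, 0, 42), (2, 0, 48)]:
        print(f"module compiled for {'.'.join(map(str, compiled_for))}: "
              f"{'compatible' if module_compatible(compiled_for) else 'rebuild needed'}")
```

The "unknown" verdict matters in practice: a banner with the version stripped tells you nothing about patch level either way, so the check should fall back to the package manager or `httpd -v` on the host rather than treating silence as safe.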

Developers on the Apache 1.3.x branch have recently been discussing the next 1.3.x release, version 1.3.30, on the development mailing list. Striker said, "The 1.3 release cycle will probably start this week. But don't hold it against me if it doesn't."

Apache 2.0.49 is the eleventh public release on the 2.x branch of the HTTP server. Apache 2.x development began in earnest in 1998, and the Apache Software Foundation has been using Apache 2.x to run apache.org since December 2000. The first production-ready version of Apache 2.x was released in April 2002. When the production version, Apache 2.0.35, was released, the Apache Software Foundation wrote: "We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade."

Despite the Apache Software Foundation's encouragement to upgrade, however, the 1.3.x branch remains the dominant Web server across the Internet at large.

"'If it ain't broke, don't fix it' is in many a sysadmin's book," Striker said. "1.3.x works for a lot of places and continues to keep working."

He went on to say that he expects 2.0.x to be the usual choice for new installations, and that it is the default Web server for Red Hat's products. Raleigh, N.C.-based Red Hat shifted to 2.0.x with Red Hat Linux 8 and, for Red Hat Enterprise Linux, at version 3.

Bowen also noted that another perceived barrier to Apache 2.0.x adoption is integration with PHP, the popular Web scripting language.

"There is a perception that mod_php 'doesn't work properly' on 2.x, so people are reluctant to move," he told internetnews.com. "Also, a number of popular third party modules have not been ported yet."

The official PHP project documentation actually states clearly: "Do not use Apache 2.0 and PHP in a production environment neither on Unix nor on Windows."

Bowen disagrees with the PHP documentation, however, noting that actual users report running PHP with Apache 2.0.x without problems.

"I tend to put more weight on the experience than on the line on a Web site," he said.