RealTime IT News

Fast Point Upgrade For Apache 1.3.x

A week after releasing a new version of its Apache 1.3.x Web Server, the Apache Software Foundation (ASF) has released a new point upgrade.

According to the 1.3.33 changelog, the new point version includes a fix for CAN-2004-0940, which is a bug in the mod_include module. Essentially it's a potential buffer overflow that could allow local users who can create SSI documents to execute arbitrary code and trigger a length calculation error.

"Essentially, a 'we-need-to-fix-this-now bug' was discovered after the roll and announcement of 1.3.32," Ken Coar, Apache Software Foundation board member, told internetnews.com. "Once rolled, we don't re-roll, so the version advanced."

The ASF announcement for Apache 1.3.33 noted that version "1.3.32 was not formally released." (However, the 1.3.32 release was available on Apache mirrors for download last week.)

The point release (between 1.3.32 and 1.3.33) within about a week is one of the fastest in recent memory for the Apache 1.3.x Web Server, which is considered among the most widespread Web servers in use.

The fastest point release, however, remains the roughly 24-hour gap between the 1.3.25 and 1.3.26 releases on June 17 and 18, 2002.

"There have been times in the past when the version has jumped by more than one, but yes, I think times when the intervening versions were released are rare," Coar said.

"No-one likes to release stuff with bugs in it, even if they're documented," he explained. "However, the 'release early and often' and 'many eyes' aspects are philosophically in conflict with perfectionism. Perfectionism is typically an individual trait; the open methodology is a communal one."

The apache.org announcement states that "We consider Apache 1.3.33 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible."

However, a random search through the Internet shows a wide range of Apache Web server point releases in use.

"If I were just an end-user, how I felt about pervasiveness would depend on the purpose for which I was using the web. If I'm doing e-commerce, I'll want my vendors to be secure. That won't translate into 'I want them to run x'," Coar explained.

Apache is the dominant Web server in use across the Internet. According to Coar, though, dominance was never really the aim of Apache.

"Our focus is on building good software, largely out of the pride in a job well done," Coar said. "What people do with it is up to them. I think many if not most of the developers would still be working on Apache even if it had only a tiny marketshare."