Apache 2.0.52 Released

roly writes "Not long after 2.0.51 was released, Apache 2.0.52 has come out. It's primarily a bugfix release, fixing one security flaw that was introduced in 2.0.51. See the release announcement, and the changelog. Download it from a mirror."

Category

[Anonymous Coward]

Shouldn't this be in the Apache section as well as the IT section?

Apache 2.0.52 fixes 2.0.51 security regression

[dananderson]

As I noted in the Apache 2.0.51 notice in /. [slashdot.org], this Apache 2.0.52 fixes a security regression from 2.0.51. You can also apply a 4-line patch to 2.0.51. Apache 2.0.52 works fine for me in production (been using it since yesterday on 2 systems).

Re:Apache 2.0.52 fixes 2.0.51 security regression

[Anonymous Coward]

Makes me wonder. Do holes in the 1.3.x line not get discovered anymore because everyone is busy with 2.0.x?

I'm running 1.3.x still and not sure whether to be glad it's not affected or worried it might be affected but noone notices.

Re:Apache 2.0.52 fixes 2.0.51 security regression

[Orbital Sander]

Do holes in the 1.3.x line not get discovered anymore because everyone is busy with 2.0.x?

Many folks still run 1.3, and holes in that version tend to get fixed.

Re:Apache 2.0.52 fixes 2.0.51 security regression

[roly]

I still use 1.3.xx, as do many others. There was a hole found in 1.3.31 and older version to do with a buffer overflow in htpasswd that has been fixed in 1.3.32-dev. Proof that holes are still fixed.

http://www.computec.ch/projekte/atk/plugins/plugin slist/Apache%20prior%201.3.32%20htpasswd%20buffer% 20overflow.plugin.html [computec.ch]

Apache security documentation

[Anonymous Coward]

http://www.cgisecurity.com/webservers/apache/ [cgisecurity.com]

patch vs. upgrade

[uid100]

It's nice to see that you can easily patch an existing 2.0.51 installation, but if you are in an environment where there are any regular security audits they may ding you for a 2.0.51 installation even though it's been patched.

Overall, great job by the Apache team and those that support them!

Re:patch vs. upgrade

[Medievalist]

Yeah, you need to do extra paperwork in such situations, so it might be less work to just up-rev.

I frequently hack infrastructure software (like sendmail, bind and apache) to report incorrect version numbers, because that way the crackers always start out by trying attacks that don't work and are easily detected.

Every time I see some buffoon trying an old sendmail trick I blackhole their IP at the edge router. I hope to eventually set up a tarpit and mire the losers in that, but for now I just discard th

question - slightly offtopic

[virtualone]

there is a feature i am missing for apache 2.x:

can i throttle to montly amount of traffic per virtual site?

there was a mod in apache 1.x but i know none for 2.x