
Apache HTTP server 1.3.42 released

From:  Colm MacCarthaigh <colm-AT-apache.org>
To:  announce-AT-apache.org, announce-AT-httpd.apache.org
Subject:  Apache HTTP Server 1.3.42 released (final release of 1.3.x)
Date:  Wed, 3 Feb 2010 00:03:34 +0000


                       Apache HTTP Server 1.3.42 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 1.3.42 of the Apache HTTP
   Server ("Apache"). This release is intended as the final release of
   version 1.3 of the Apache HTTP Server, which has reached end of life
   status.

   There will be no more full releases of Apache HTTP Server 1.3.
   However, critical security updates may be made available from the
   following website:

        http://www.apache.org/dist/httpd/patches/ 
   
   Our thanks go to everyone who has helped make Apache HTTP Server 1.3
   the most successful, and most used, webserver software on the planet!

   This Announcement notes the significant changes in
   1.3.42 as compared to 1.3.41.

   This version of Apache is principally a bug and security fix release.
   The following moderate security flaw has been addressed:

     * CVE-2010-0010 (cve.mitre.org)
       mod_proxy: Prevent chunk-size integer overflow on platforms
       where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.

   Please see the CHANGES_1.3.42 file in this directory for a full list
   of changes for this version.

   Apache 1.3.42 is the final stable release of the Apache 1.3 family. We
   strongly recommend that users of all earlier versions, including 1.3
   family releases, upgrade to the current 2.2 version as soon as possible.
   For information about how to upgrade, please see the documentation:
          
	  http://httpd.apache.org/docs/2.2/upgrading.html


   Apache 1.3.42 is available for download from

           http://httpd.apache.org/download.cgi

   This service utilizes the network of mirrors listed at:

           http://www.apache.org/mirrors/

   Binary distributions may be available for your specific platform from

           http://www.apache.org/dist/httpd/binaries/

   Binaries distributed by the Apache HTTP Server Project are provided as a
   courtesy by individual project contributors. The project makes no
   commitment to release the Apache HTTP Server in binary form for any
   particular platform, nor on any particular schedule.

   IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS
   variants. While the ports to non-Unix platforms (such as Win32, Netware or
   OS2) will function for some applications, Apache 1.3 is not designed for
   these platforms. Apache 2 was designed from the ground up for security,
   stability, or performance issues across all modern operating systems.
   Users of any non-Unix ports are strongly cautioned to move to Apache 2.

   The Apache project no longer distributes non-Unix platform binaries from
   the main download pages for Apache 1.3. If absolutely necessary, a binary
   may be available at http://archive.apache.org/dist/httpd/.

Apache 1.3.42 Major changes

  Security vulnerabilities

   The main security vulnerabilities addressed in 1.3.42 are:

  *) SECURITY: CVE-2010-0010 (cve.mitre.org)
     mod_proxy: Prevent chunk-size integer overflow on platforms
     where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.
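The flaw class named above, a chunk size parsed into a long and then narrowed to an int, is illustrated by the following added C example. It is not mod_proxy's code; the parser, its function names and the chunk_status values are assumptions made for the demonstration, and the unchecked variant is included only to contrast with the range-checked one.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Outcome of parsing the chunk-size line ("1a3f;ext=val\r\n") that opens
 * each chunk of a chunked transfer-coding body. (Constructed for this example.) */
enum chunk_status { CHUNK_OK = 0, CHUNK_TOO_LARGE = -1, CHUNK_BAD_SYNTAX = -2 };

/* Unchecked pattern: strtol() returns a long; storing it in an int is fine
 * on ILP32, where both types are 32 bits wide, but on LP64 a size such as
 * 0x100000000 survives the parse and silently wraps to 0 when narrowed.
 * Kept here only to contrast with the checked parser below. */
int parse_chunk_size_unchecked(const char *line)
{
    return (int)strtol(line, NULL, 16);
}

/* Checked parser: the hex size is range-checked while it is still a long,
 * so the narrowing to int cannot wrap, whatever sizeof(long) is. */
enum chunk_status parse_chunk_size(const char *line, int *out)
{
    char *end;
    long val;

    /* A chunk-size must begin with a hex digit: no sign, blank or "0x". */
    if (!isxdigit((unsigned char)line[0]) ||
        (line[0] == '0' && (line[1] == 'x' || line[1] == 'X')))
        return CHUNK_BAD_SYNTAX;

    errno = 0;
    val = strtol(line, &end, 16);
    if (errno == ERANGE || val < 0)
        return CHUNK_TOO_LARGE;          /* did not even fit in a long */
    if (val > INT_MAX)
        return CHUNK_TOO_LARGE;          /* fits a long, would wrap an int */

    /* Only blanks, a chunk-extension (';...') or the line end may follow. */
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != ';' && *end != '\r' && *end != '\n' && *end != '\0')
        return CHUNK_BAD_SYNTAX;

    *out = (int)val;
    return CHUNK_OK;
}

/* Convenience wrapper: the parsed size, or a negative chunk_status. */
long chunk_size_of(const char *line)
{
    int n = 0;
    enum chunk_status st = parse_chunk_size(line, &n);
    return st == CHUNK_OK ? (long)n : (long)st;
}
```

The result of parse_chunk_size_unchecked() for "100000000" differs by platform (0 on LP64, INT_MAX on ILP32), which is exactly why the check must happen before the narrowing.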

  Bugfixes addressed in 1.3.42 are:

  *) Protect logresolve from mismanaged DNS records that return
     blank/null hostnames. 

-- 
Colm MacCárthaigh



Apache HTTP server 1.3.42 released

Posted Feb 3, 2010 18:26 UTC (Wed) by patrick_g (subscriber, #44470) [Link]

As far as I know OpenBSD use a modified version of Apache 1.3.x. Bullet point in the last version review: "Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support".

If Apache 1.3.42 is the last official release does it means that the OpenBSD devs will have to maintain their fork forever ?

Apache HTTP server 1.3.42 released

Posted Feb 3, 2010 18:37 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link]

They already maintain several forks and it shouldn't be any more of an
additional problem to rebase their patches on whatever latest Apache version
is available if that is deemed necessary

OpenBSD

Posted Feb 3, 2010 22:45 UTC (Wed) by rfunk (subscriber, #4054) [Link]

As I recall, they maintain their own fork at least partly because they don't
like the license that more recent versions of Apache are released under. So
they aren't going to apply their patches to a newer upstream version unless
that license changes to something more to their liking.

OpenBSD

Posted Feb 4, 2010 9:39 UTC (Thu) by epa (subscriber, #39769) [Link]

As I recall, they maintain their own fork at least partly because they don't like the license that more recent versions of Apache are released under.

This is true, and it seems an unfortunate misunderstanding on one side or the other. The Apache developers insist that the new licence is essentially an X11-style permissive licence but with an additional patent grant - so it gives you more rights than the plain X11 licence, which covers copyright only. The OpenBSD developers disagree and perhaps also feel that the licence text is too complex. This could be resolved if the Apache project would dual-license their releases under both 1.0 and 2.0 licences; companies like IBM which worry about software patents could use the new one, and old-school BSD hackers could stay with the old one.

Apache HTTP server 1.3.42 released

Posted Feb 3, 2010 22:51 UTC (Wed) by rfunk (subscriber, #4054) [Link]

I think they already planned to maintain their fork forever, or until they
developed their own replacement.

Apache HTTP server 1.3.42 released

Posted Feb 3, 2010 22:55 UTC (Wed) by maro (subscriber, #34315) [Link]

OpenBSD forked Apache way back because of their hardening changes, but they
stopped incorporating changes from Apache already at version 1.3.29 because
of the license change to the Apache License v2.0. See the "Specific Cases"
on http://www.openbsd.org/policy.html

And yes, this means there are better choices for running web servers with
all the latest and greatest features, or running SpamAssassin (which also
switched to the Apache License v2.0). Where OpenBSD shines is in front of
performance- and feature-oriented systems such as Linux or FreeBSD, because
of its excellent robustness, security and networking capabilities.

Apache HTTP server 1.3.42 released

Posted Feb 3, 2010 19:42 UTC (Wed) by flewellyn (subscriber, #5047) [Link]

Wow, talk about long-term support. Apache 2 first came out (as a final, production release) in 2002. 8 years of supporting an older, obsolete release is quite a commitment in time and energy.

Not to slight other FOSS projects, especially distributions, which have a shorter time to "end-of-life", mind you: 8 years of support for an old, obsolete version of a piece of software may not be appropriate in many cases. I can certainly see how doing so for an entire distribution is much less viable than for a single package, no matter how complex.

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds