
Thread: Apache 2.2.3 Released

  1. #1
    Join Date
    Oct 2003
    Location
    Calgary, AB
    Posts
    696

    Apache 2.2.3 Released

    The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.2.3 of the Apache HTTP Server ("Apache").

    This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed:

    CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
    mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
    and 2.2 since 2.2.0.

    Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.

    This flaw does not affect a default installation of Apache HTTP Server.
    Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

    * The RewriteRule allows the attacker to control the initial part of the
    rewritten URL (for example if the substitution URL starts with $1)
    * The RewriteRule flags do NOT include any of the following flags:
    Forbidden (F), Gone (G), or NoEscape (NE).

    Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.

    The Apache HTTP Server project recommends that all users who have built Apache from source apply the patch or upgrade to the latest level and rebuild. Providers of Apache-based web servers in pre-compiled form will be able to determine if this vulnerability applies to their builds. That determination has no bearing on any other builds of Apache HTTP Server, and Apache HTTP Server users are urged to exercise caution and apply patches or upgrade unless they have specific instructions from the provider of their web server. Statements from vendors can be obtained from the US-CERT vulnerability note for this issue at:

    http://www.kb.cert.org/vuls/id/395412

    The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability.

    We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

    Apache HTTP Server 2.2.3 is available for download from:

    http://httpd.apache.org/download.cgi

    Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:

    http://httpd.apache.org/docs/2.2/new_features_2_2.html

    Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes.

    Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available with this security fix. See the appropriate CHANGES from the url above.
    The Apache HTTP Project developers strongly encourage all users to migrate to Apache 2.2, as only limited maintenance is performed on these legacy versions.

    This release includes the Apache Portable Runtime (APR) version 1.2.7 bundled with the tar and zip distributions. The APR libraries libapr, libaprutil, and (on Win32) libapriconv must all be updated to ensure binary compatibility and address many known platform bugs.

    This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, but no substantial reworking should be necessary.

    http://svn.apache.org/repos/asf/http...2.x/VERSIONING

    When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs, you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
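
The two RewriteRule characteristics listed in the announcement above can be checked against a server's own configuration before and after upgrading. The script below is an added example, not part of the announcement or of any post in this thread; the function names `audit_rewrite_rules` and `write_sample_conf` are hypothetical and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: list RewriteRule directives that match both characteristics
# the announcement gives for CVE-2006-3747. Heuristic only: arguments are split
# on whitespace, so quoted arguments containing spaces are not handled.

audit_rewrite_rules() {   # usage: audit_rewrite_rules FILE...
    awk '
    /^[ \t]*#/ { next }                          # comment line
    tolower($1) != "rewriterule" { next }        # other directives, blank lines
    {
        subst = $3
        sub(/^"/, "", subst)                     # tolerate a quoted substitution
        # Characteristic 1: substitution starts with a backreference ($0-$9),
        # so the client controls the initial part of the rewritten URL.
        if (subst !~ /^\$[0-9]/) next
        # Characteristic 2: none of F, G or NE appears in the flag list.
        flags = toupper($4)
        gsub(/\[/, "", flags); gsub(/\]/, "", flags)
        n = split(flags, f, ",")
        exempt = 0
        for (i = 1; i <= n; i++) {
            sub(/=.*/, "", f[i])                 # "R=301" -> "R"
            if (f[i] ~ /^(F|FORBIDDEN|G|GONE|NE|NOESCAPE)$/) exempt = 1
        }
        if (!exempt) print FILENAME ":" FNR ": " $0
    }' "$@"
}

write_sample_conf() {     # constructed sample rules, not taken from the thread
    cat > "$1" <<'EOF'
RewriteEngine On
RewriteRule ^/proxy/(.*)$ $1 [L]
RewriteRule ^/go/(.*)$ $1 [NE,L]
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
RewriteRule ^/raw/(.*)$ $1
#RewriteRule ^/off/(.*)$ $1 [L]
RewriteRule ^/gone/(.*)$ $1 [G]
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_rewrite_rules "$sample"    # reports lines 2 and 5 of the sample
rm -f "$sample"
```

Run it over the main configuration file, any included vhost files and any .htaccess files; a reported rule is a candidate for review, and whether a given build is actually affected still depends on how it was compiled, as the announcement notes.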

  2. #2
    Join Date
    Mar 2005
    Location
    Kingdom of Bahrain
    Posts
    961
    Thanks, update done


    Wael

  3. #3
    Join Date
    Jun 2006
    Posts
    152
    Wael, are you running live with the new Apache on your server?
    Had any problems?

    I see they have a 2.0.59 now, wonder if DA will update their customapache for that.
    Last edited by felosi; 07-29-2006 at 03:40 AM.

  4. #4
    Join Date
    Mar 2005
    Location
    Kingdom of Bahrain
    Posts
    961
    DA works fine with Apache 2.0.x and 2.2.x and is stable.
    How to update from 2.0.x to 2.2.3:
    Code:
    cd /usr/local/directadmin/customapache
    rm -fr build
    wget http://files.directadmin.com/services/customapache/build
    chmod 755 build
    ./build update
    ./build clean
    ./build update_data_ap2
    perl -pi -e 's/2.0.58/2.2.3/' build
    wget http://www.reverse.net/pub/apache/httpd/httpd-2.2.3.tar.gz
    ./build apache_2
    ./build php_ap2 n
    ./build zend
    /sbin/service httpd restart
    and
    Code:
    ./build mod_frontpage_ap2
    does not support Apache 2.2.x. I did not use it before with Apache 1.3.x & 2.0.x for security reasons.

    Update your server via yum before updating Apache.
    Note: it is easy to go back to Apache 2.0.x or 1.3.x if you don't want Apache 2.2.x.


    Wael

  5. #5
    Join Date
    Jun 2006
    Posts
    152
    I did this to get the latest 2.0.59, everything works OK so far. It's supposed to have fixed some exploits in mod_rewrite, so I updated right away.

    cd /usr/local/directadmin/customapache
    rm -fr build
    wget http://files.directadmin.com/service...omapache/build
    chmod 755 build
    ./build update
    ./build clean
    ./build update_data_ap2
    perl -pi -e 's/2.0.58/2.0.59/' build
    wget http://apache.mirrors.versehost.com/...-2.0.59.tar.gz
    ./build apache_2
    ./build php_ap2 n
    ./build zend
    /sbin/service httpd restart

  6. #6
    Join Date
    Mar 2005
    Location
    Kingdom of Bahrain
    Posts
    961
    Originally posted by felosi
    I did this to get the latest 2.0.59, everything works OK so far. It's supposed to have fixed some exploits in mod_rewrite, so I updated right away.

    cd /usr/local/directadmin/customapache
    rm -fr build
    wget http://files.directadmin.com/service...omapache/build
    chmod 755 build
    ./build update
    ./build clean
    ./build update_data_ap2
    perl -pi -e 's/2.0.58/2.0.59/' build
    wget http://apache.mirrors.versehost.com/...-2.0.59.tar.gz
    ./build apache_2
    ./build php_ap2 y
    ./build zend
    /sbin/service httpd restart
    fine 100%

  7. #7
    Join Date
    Aug 2004
    Location
    uk
    Posts
    1,584
    I have Apache 2.2.2 running on a FreeBSD 6.1 server and it gives httpready errors; Apache also keeps stopping responding, staying in a locked state. This was fine on 6.1-RC and went bad after the server was upgraded to 6.1-RELEASE. I haven't yet tried 2.0 on the server, so I don't know if Apache 2.2 is the problem, and will try this new version to see if there is any difference.

  8. #8
    Join Date
    Nov 2004
    Posts
    24
    Hi Wael,
    Have you noticed any performance improvement going from 2.0.x to 2.2.x? And is it still necessary to run "./build update_data_ap2" going from 2.0.x to 2.2.3?

  9. #9
    Join Date
    Nov 2005
    Location
    USA
    Posts
    231
    front page support?

  10. #10
    Join Date
    Mar 2005
    Location
    Kingdom of Bahrain
    Posts
    961
    Originally posted by rpan
    Hi Wael,
    Have you noticed any performance improvement going from 2.0.x to 2.2.x? And is it still necessary to run "./build update_data_ap2" going from 2.0.x to 2.2.3?
    You can use ./build update_data_ap2 to rebuild Apache, just set what ver. you want.


    Wael

  11. #11
    Join Date
    Mar 2005
    Location
    Kingdom of Bahrain
    Posts
    961
    Originally posted by bigboy
    front page support?
    Still not supported.

    Wael

  12. #12
    Join Date
    Jan 2006
    Location
    Arnhem, The Netherlands
    Posts
    107
    Code:
    checking for APR version 1.2.0 or later... no
    configure: error: APR version 1.2.0 or later is required
    
    *** There was an error while trying to configure Apache 2. Check the configure.apache_2 file
    Probably I need to manually compile APR then, right?

    Also found: http://httpd.apache.org/docs/2.2/install.html

    Where can I disable FP-extensions? Because it tries to patch before compiling.
    Last edited by Pascal; 08-17-2006 at 08:18 AM.

  13. #13
    Join Date
    Jan 2006
    Location
    Arnhem, The Netherlands
    Posts
    107

    Update APR

    Right, finally I have it installed... even the Apache install manual failed too. This is the way, especially if you have APR < 1:

    Code:
    wget http://apache.mirrors.webazilla.nl/apr/apr-1.2.7.tar.gz
    wget http://apache.mirrors.webazilla.nl/apr/apr-util-1.2.7.tar.gz
    tar zxf apr-1.2.7.tar.gz
    tar zxf apr-util-1.2.7.tar.gz
    cd apr-1.2.7
    ./configure --prefix=/usr/local/apr-httpd/
    make
    make install
    cd ..
    cd apr-util-1.2.7
    ./configure --prefix=/usr/local/apr-util-httpd/ --with-apr=/usr/local/apr-httpd/
    make
    make install
    cd ..
    Now update the configure script (configure.apache_2) and add:
    Code:
            --with-apr=/usr/local/apr-httpd/ \
            --with-apr-util=/usr/local/apr-util-httpd/ \
    I disabled FP extensions too. Edit "build" and find doApache2() and comment
    Code:
            echo "Patching with $FP_PATCH_AP2"
            patch -p0 < ../$FP_PATCH_AP2

  14. #14
    Join Date
    Jan 2006
    Location
    Arnhem, The Netherlands
    Posts
    107
    Although I couldn't get PHP 5.1.5 to work :X

    It was bitching about Perl and mod_proxy etc...

  15. #15
    Join Date
    Aug 2004
    Location
    uk
    Posts
    1,584
    Apache 2.2.3 doesn't install as smoothly as 2.0 and 1.3 with the APR; when doing mod_perl I had to manually specify the APR location.

  16. #16
    Join Date
    Mar 2005
    Location
    USA, Texas
    Posts
    273
    Well, I got it installed now but it killed SSH three times. I have not had it do that before until now.

    It would die right after starting to compile PHP 5.1.6, but on the fourth try it worked fine.

    This is a CentOS 4.3 system and I was running PHP 5.1.6 and Apache 2.0.59 before I started the upgrade to Apache 2.2.3

    Now I hope Apache quits restarting so much which happened after upgrading to 2.0.59 from 1.3.x.
    Do not feed the cows.

  17. #17
    Join Date
    Sep 2005
    Posts
    135
    DamnSkippy, try using screen when you recompile Apache and PHP.

    yum install screen

    then just add screen to the front of the build commands.

    i.e. screen ./build apache_2

    Use Ctrl + A & D to detach and let it run in the background.

    screen -list will show you any active screens and screen -r <screen name> to reattach to an active screen.

    I believe it stops SSH crashing.

    Thanks,
    Grant

  18. #18
    Join Date
    Mar 2005
    Location
    USA, Texas
    Posts
    273
    I thought about that but if you have an active login to the admin section of the DA server you can restart SSH.

    However if it does actually stop SSH from crashing that would be a better way to do it.

    What I am unsure of is if the compile sequence actually finishes when SSH dies or if it causes the compile to die also.
    Do not feed the cows.

  19. #19
    Join Date
    Sep 2005
    Posts
    135
    It causes compile to die also I believe.

  20. #20
    Join Date
    Sep 2005
    Posts
    90
    screen works, it fixed my problem and make sure you do

    ./build mod_perl_ap2

    otherwise it will say that perl is garbled. lol!
