Apache 2.4.57 Released

[sparek]

Apache 2.5.57 has been released which should fix the issue as described in the thread at

Apache HTTP Server - 2.4.56 Released

It looks like Apache HTTP Server 2.4.56 has been released with two vulnerability fixes (CVE-2023-27522 and CVE-2023-25690). Hopefully we can see this pushed into DirectAdmin/CustomBuild soon :). Apache HTTP Server 2.4.56 Changelog

forum.directadmin.com

This is also a good example of the damning that happens because of the DirectAdmin and CustomBuild integration.

Currently the latest DirectAdmin v1.648 is littered with bugs and other abnormalities:

DirectAdmin v1.648 has been released

Hi everyone! We are happy to announce the release of DirectAdmin 1.648. Key new features are - DB manager (easy way to see what DB is doing and to terminate unwanted queries), improvements in sub-domain document root handling, updates to cPanel import tool, and some more. Full release change...

forum.directadmin.com

I'm personally avoiding v1.648 until all of these issues get ironed out.

But presumably I won't be eligible for Apache 2.4.57 until I upgrade to DirectAdmin v1.648.

This is not to complain about all of the issues in DirectAdmin v1.648 - those types of things are going to happen as updates are presented to more and more users. It's the fact that CustomBuild on DirectAdmin v1.647 presumably won't get any updates until I update to DirectAdmin v1.648. And if they do decide to push this Apache update out on DirectAdmin v1.647 then what was the point of integrating the two together anyway?

I know I've been a hard critic of the integration of DirectAdmin and CustomBuild. But it's scenarios like this that is why I have this stance. Constructive criticism can be very valuable and it's not my intention to be overly critical or juvenile in my criticism. Being able to lay out why I believe a direction is wrong is valuable in building a company or project. If you surround yourself with "yes" men you're not going to get the benefit of different perspectives.

 

[BillyS]

But presumably I won't be eligible for Apache 2.4.57 until I upgrade to DirectAdmin v1.648.

I don't think DA thought through this new approach to delivering software through CustomBuild. If what is happening was intentional, then they put their development ahead of their customers. The easy way around this problem is to deploy hot fixes to alpha beta, stable and current versions of DA. Like you, I was avoiding 1.648 because of the bugs but was "forced" to upgrade from 1.647 because they didn't take the time to push a hotfix to that version.

The most concerning part for me is the large number of bugs in recent version. They are basically pushing beta versions to customers, calling it current and having customer debug on their behalf.

Perhaps DA should start a bug bounty program?

 

[sparek]

The issues with 1.648 - and the same thing happened with 1.647 - is again all about perspective.

I know from experience, you can write something and test it out yourself, but until it's put out there for the masses, you're not going to uncover all of the "bugs" or "issues".

So from that point of view, I can kind of reason with the DirectAdmin development team on these issues. On the other hand however, it seems that there are a lot of these types of issues with each release - and that is kind of concerning. To their credit though, they do seem to fix the issues rather quickly. It's just by the time they fix that issue another issue has been raised. Eventually it all settles down.

In fact - the whole issue with Apache 2.4.56 and Apache 2.4.57 illustrates that this happens to other products. Apache didn't realize there was an issue with their changes involving mod_rewrite in 2.4.56 until it was released to the masses. But at the same time, MOST Apache releases don't experience major issues soon after they are released.

If I were to make a broad suggestion - I might suggest different paid tiers of the same product. Pretend for a moment, and for the sake of this argument to make it easier to understand, that v1.648 was released as "Alpha". A someone or company that purchases an "Alpha" license for say $10/mo would be the only ones that have access to this release right now. A released called "Beta" would be had for $20/mo. After a period of time Alpha gets pushed to Beta. A release called "Stable" would be had for $30/mo. After a period of time Beta would get pushed to Stable. Another words, there's an incentive for someone to be the guinea pig for a release.

Ultimately however, it depends on how many people/companies are willing to be that guinea pig - and just how technical savvy and how much they're actually using the product. Someone that's hosting a few friends and family members website is probably not going to have the since of urgency to find and explore bugs as a professional web hosting company. If that someone just sees the $10/mo Alpha as a cheap control panel and never contributes any issue insight - then he's not really helping.

Also how would keep someone on "Alpha" from just not upgrading until the next Alpha reaches Stable?

So logistically I don't have all the inner workings ironed out. And the idea just may not be feasible at all. BUT... if you want real people to find real issues with your product - you have to give them an incentive to do so. Right now, the incentive is in reverse. There's NO incentive for me as a professional web hosting company to update to a new version of DirectAdmin the minute it is released. The incentive for me is to wait until a lot or most of the bugs have been squashed out.

Tying CustomBuild stack application updates into the DirectAdmin core sets a dangerous precedent. As others have stated - I'm not the only one that's waiting things out on DirectAdmin v1.648. While the issues fixed in Apache 2.4.57 may not be exactly security related - if they had been, we would all be stuck. Risk the security implications of an older Apache version or experience the issues still being found in DirectAdmin v1.648?

I do realize that in order to utilize CustomBuild the server should have a valid license. And while there MAY be instances where the DirectAdmin core needs to insure that certain stack applications accept certain configurations, but I think those instances are few and far between. I don't think there are any configuration changes between Apache 2.4.56 and Apache 2.4.57 that is tied to the DirectAdmin core. As far as library linking, if the DirectAdmin core needs a specific library or library version, then that should be installed or linked to within the DirectAdmin update itself. The DirectAdmin core should be self-contained. If the DirectAdmin core is depending on libraries from CustomBuild - then it's not self-contained.

These are my reasons for not liking the integration of CustomBuild and DirectAdmin core. I hope the takeaway here is that my reasons are understandable. Like I said, constructive criticism can be a powerful tool and if you're in any industry long enough you learn to value input that doesn't always reflect your own reasons.