Apache in need of update

turtel
Grafter
Posts: 29
Registered: 01-09-2007

Apache in need of update

The Apache service running on the CGI cluster, according to phpinfo(), is 1.3.9. This is well out of date and, I believe, has several security flaws.

Quote

This version of Apache is principally a security and bug fix release. Of particular note is that 1.3.27 addresses and fixes the issues noted in CAN-2002-0839 (mitre.org), CAN-2002-0840 (mitre.org) and CAN-2002-0843 (mitre.org).


Taken from apache.org, so there is at least 1, or is that 3, errors fixed in the latest release.

Apache 2 would be much better. It works nicely with PHP 4.3.
8 REPLIES
N/A

Apache in need of update

There are also major security bugs in version 2. At least most of the bugs in ver 1.3 have been identified and resolved with patches.

I would welcome an upgrade, although I am not sure what benefits Plusnet users would see.

Darren.
turtel
Grafter
Posts: 29
Registered: 01-09-2007

Apache in need of update

Updating to version 2, in my experience, will yield a big performance gain, which would be nice, even on the new CGI cluster...

In terms of bugs fixed, that's what the difference between Apache 1.3.9 and 1.3.28 is: 1.3.28 contains the fixes for the 1.3 code tree.
N/A

Apache in need of update

1.3.9 is a very stable tree of Apache.

Unless there are security issues, or major resource improvements, of updating to a version within the current tree, I see no reason to move versions.

This holds true for most service providers out there. They wait until a tree is proven to be stable, which is always the best way, never to delve in feet first, only to come out the other side worse for wear.

Apache 2 just isn't ready as a production code base. Once complete, it would prove excellent in a load based production system.

As they say, why fix what isn't broke.

1.3.27 provides no features over 1.3.9.
Ianwild
Grafter
Posts: 3,835
Registered: 05-04-2007

Apache in need of update

Just to echo that, it is company policy that we will not install any version of software which is not in full production release - When you're hosting 50,000 websites you have to be a bit careful with things like this!

Regards,
turtel
Grafter
Posts: 29
Registered: 01-09-2007

Apache in need of update

I'm happy for +net to stick with Apache 1.3.x until 2.0 is production, it's the most stable beta I've ever seen, but anyway.

No, my main point was that the current version on the new CGI platform is 1.3.9, which is out of date. The whole point about version 1.3.27 is it is a bug-fixing/security fix for all Apache 1.3 releases. So in response to the earlier point, I agree, if it ain't broke don't fix it, but according to the developers 1.3.9 is broke.
N/A

Apache in need of update

According to developers IPv4 is broke, that's why they made IPv6.

However, why are we still dishing out IPv4 connections as standard, without so much as a tunnel on top?

The reality is, just because there is a newer version out, it doesn't mean it is better.

Most companies operate by choosing a stable release, and applying patches, to rule out any issues that could arise.

IE, making it a cross between 1.3.9 and a higher version.

You will find as many resource hunting changes made in the 1.3 tree. Many of these can cause security issues in other parts of the code.

Do you know how long it takes to perform a code audit?

I seriously hope +net do not install server software like Apache without these audits.

These can take months to complete, especially with limited resources.
N/A

Apache in need of update

I've just noticed that the standard Plusnet server for user webpages runs Apache 1.3.26, so Plusnet obviously think it is stable and useable, so why is the CGI server still running 1.3.9?

As far as I understand it, it should have nothing to do with PHP or any other extra service provided on the CGI server, as they either run independently using invocations or are run as Apache modules, which work the same in versions 1.3.9 and 1.3.26!
N/A

Apache in need of update

Both invocations and modules are as you say.

However, they both use Apache APIs to provide system execution and interaction, which doesn't take place while serving static content.

I still haven't seen a reason to shift from 1.3.9 yet.

1.3.9 is regarded as a stable tree of Apache, and out of the 13 machines (other than +net) I have access to, they are running 1.3.9 or below.

Did you ever consider +net may be using custom modifications?

Many providers do. So in addition to a normal code audit, you have to perform patch porting, and then a code audit on that too. In some cases, the modifications are not always possible with new trees.