Cloud Testing Blog » Apache

Apache HTTP Server 2.3.5-alpha

Matt Rees - Cloud Testing — Thu, 28 Jan 2010 22:28:17 +0000

The Apache Software Foundation and the Apache HTTP Server Project have announced the release of version 2.3.5-alpha of the Apache HTTP Server. This version of Apache is principally an alpha release to test new technology and features that are incompatible or too large for the stable 2.2.x branch. This alpha release should not be presumed to be compatible with binaries built against any prior or future version.

Apache HTTP Server 2.3.5-alpha is available for download from: http://httpd.apache.org/download.cgi

Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.3 please see: http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.3 file, linked from the download page, for a full list of changes.

This release includes the Apache Portable Runtime (APR) version 1.4.2 and APR-Util version 1.3.9 in a separate -deps tarball. The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.3, and require minimal or no source code changes.

Apache/mod_ssl vulnerability and mitigation

Phil Smith - Cloud Testing — Sat, 07 Nov 2009 09:51:13 +0000

The following announcement has just been made to the announce mailing list:

Apache httpd is affected by CVE-2009-3555[1] (The SSL Injection or MiM attack[2]).

The Apache httpd webserver relies on OpenSSL for the implementation of the SSL/TLS protocol.

We strongly urge you to upgrade to OpenSSL 0.9.8l; and to be prepared to deploy OpenSSL 0.9.8m as it becomes available[3].

Note that these are for short term and mid-term mitigation only; the long term solution may well require a modification of the SSL and/or

TLS protocols[4].

For those who are not able to upgrade OpenSSL swiftly and/or for those who need detailed logging – we recommend that you roll out

this patch[5]:

http://www.apache.org/dist/httpd/patches/

apply_to_2.2.14 CVE-2009-3555-2.2.patch

sha1: 28cd58f3758f1add39417333825b9d854f4f5f43

as soon as possible. This is a partial fix in lieu of the protocol issues being addressed and further changes to OpenSSL. Like the

OpenSSL 0.9.8l stopgap measure this patch rejects in-session renegotiation.

If you are unable to patch and unable to roll our a newer version of OpenSSL, and you rely on Client Side Authentication with Certificates

then we recommend that you 1) ensure that you limit your configuration to a single ‘SSLClient require’ on VirtualHost/Sever level and 2)

remove all other (re)negotiation/require directives. However this does NOT fully protect you – it just curtails authentication in this

specific setting.

Apache HTTP Server 2.2.13

Matt Rees - Cloud Testing — Mon, 10 Aug 2009 15:36:43 +0000

An updated version of the Apache 2.2 web server has been released. It is primarily a security and bug fix release. It also bundles version 1.3.8 of the APR Library version 1.3.9 of the APR Utility Library, which addresses a security concern that may be triggered by some 3rd party modules.

All users are encouraged to upgrade to this version.

For full details see the Apache HTTP Server website at http://httpd.apache.org/

If you need to check your websites, why not give Cloud Testing a try – http://www.cloudtesting.com/, we offer a Functional Testing Service, Cross Browser Testing Service and a Website Archiving Service.