Apache HTTP Server 2.4.58 (CVE fixes) (apache.org)
72 points by neustradamus on Oct 19, 2023 | hide | past | favorite | 42 comments



Thanks! Macroexpanded:

HTTP/2 Rapid Reset: deconstructing the record-breaking attack - https://news.ycombinator.com/item?id=37831004 - Oct 2023 (23 comments)

HTTP/2 zero-day vulnerability results in record-breaking DDoS attacks - https://news.ycombinator.com/item?id=37830998 - Oct 2023 (71 comments)

The novel HTTP/2 'Rapid Reset' DDoS attack - https://news.ycombinator.com/item?id=37830987 - Oct 2023 (106 comments)


"The early Apache server was a big hit, but we all knew that the codebase needed a general overhaul and redesign."

From the README of the apache_1.3.0 distribution (April 1998) https://archive.apache.org/dist/httpd/

Love this project. It changed the world and it still goes strong. The closest to "forever software"?


Up there with gcc and OpenSSH.




A Patchy Server has come such a long way.


Surprising to see stuff like this included in a patch release:

    core: Updated conf/mime.types:
     - .js moved from 'application/javascript' to 'text/javascript'
That’s probably going to break something for somebody.
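The way to find out what a mime.types update will break before deploying it is to diff the mappings rather than the raw file. The following is an added example, not code from the Apache project or from anyone in this thread: it parses two constructed excerpts in the conf/mime.types format (media type followed by its extensions, `#` comments) and reports every extension whose type changed, using the .js move from the changelog as the sample change. The excerpts, and the `mjs` entry in the "after" version, are constructed for illustration.

```python
"""Report changed extension -> media type mappings between two mime.types files.

Added example, not from Apache httpd or the HN thread. The two excerpts
below are constructed in the conf/mime.types format to show the 2.4.58
change where .js moved from application/javascript to text/javascript.
"""
from typing import Dict, Optional, Tuple

# Constructed excerpt in the format of conf/mime.types before the change.
OLD_MIME_TYPES = """\
# This file maps Internet media types to unique file extension(s).
application/javascript\t\t\tjs
application/json\t\t\tjson
text/css\t\t\t\tcss
text/html\t\t\t\thtml htm
"""

# Constructed excerpt after the change (.js now text/javascript; the mjs
# entry is an assumption for illustration, not taken from the changelog).
NEW_MIME_TYPES = """\
# This file maps Internet media types to unique file extension(s).
application/json\t\t\tjson
text/css\t\t\t\tcss
text/html\t\t\t\thtml htm
text/javascript\t\t\t\tjs mjs
"""


def parse_mime_types(text: str) -> Dict[str, str]:
    """Return {extension: media_type} for an Apache-style mime.types document.

    Each data line is '<type> <ext> [<ext> ...]'; '#' starts a comment and
    blank lines are ignored. Extensions are lower-cased, and the last line
    to claim an extension wins, so a later entry overrides an earlier one.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        media_type, extensions = fields[0], fields[1:]
        for ext in extensions:
            mapping[ext.lower()] = media_type
    return mapping


def diff_mime_types(old_text: str, new_text: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {ext: (old_type, new_type)} for every extension that was added,
    removed, or re-typed between the two files; unchanged extensions are omitted."""
    old, new = parse_mime_types(old_text), parse_mime_types(new_text)
    changes: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for ext in sorted(set(old) | set(new)):
        if old.get(ext) != new.get(ext):
            changes[ext] = (old.get(ext), new.get(ext))
    return changes


if __name__ == "__main__":
    # Run against real files by reading them in place of the constructed strings.
    for ext, (before, after) in diff_mime_types(OLD_MIME_TYPES, NEW_MIME_TYPES).items():
        print(f".{ext}: {before} -> {after}")
```

Run it against the shipped mime.types from the current and the new release, and grep the output for the extensions your CSP, `AddType`, or client code keys on; an extension that shows up with a new type is the one that will "break something for somebody".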


Is HTTP/2 just too complex for a mere mortal to implement?


No, but QUIC definitely falls in the overly complicated category, spanning multiple, large RFCs.

This attack is just about failing to enforce the negotiated parameters during the start phase of the connection.
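For readers who want to see what "enforcing the negotiated parameters" looks like on the detection side, here is an added example that is not code from Apache httpd or from the commenter. It runs over a constructed HTTP/2 frame trace and applies a per-connection budget for streams that are opened and then reset within a few milliseconds, the pattern behind the Rapid Reset advisories linked at the top of the thread. The trace format (`<seconds> <conn-id> <frame-type> <stream-id>`), the connection ids, the 50 ms "rapid" cutoff, and the budget of 20 resets per second are all assumptions chosen for illustration.

```python
"""Flag HTTP/2 connections that open and immediately reset streams in bulk.

Added example, not code from Apache httpd or the HN thread. It processes a
constructed client-to-server frame trace and applies a per-connection
budget of "rapid" resets (RST_STREAM arriving shortly after the HEADERS
that opened the stream). Log format and thresholds are assumptions.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple


def build_trace() -> List[str]:
    """Return constructed trace lines: '<seconds> <conn-id> <frame-type> <stream-id>'.

    conn-1 behaves like a normal browser (one cancelled request, 70 ms after
    opening it); conn-2 opens and resets 50 streams within about 100 ms.
    Frames for each connection are already in time order, which the
    detector relies on.
    """
    lines = [
        "0.000 conn-1 HEADERS 1",
        "0.050 conn-1 HEADERS 3",
        "0.120 conn-1 RST_STREAM 3",
        "0.400 conn-1 HEADERS 5",
    ]
    for i in range(50):
        stream = 2 * i + 1          # client-initiated streams are odd-numbered
        t = i * 0.002
        lines.append(f"{t:.3f} conn-2 HEADERS {stream}")
        lines.append(f"{t + 0.001:.3f} conn-2 RST_STREAM {stream}")
    return lines


def parse_frame(line: str) -> Tuple[float, str, str, int]:
    ts, conn, frame, stream = line.split()
    return float(ts), conn, frame, int(stream)


def find_abusive_connections(lines: List[str], window_s: float = 1.0,
                             rapid_s: float = 0.05, max_resets: int = 20) -> Dict[str, int]:
    """Return {conn_id: peak rapid resets seen in any window} for every
    connection that exceeded max_resets rapid resets within window_s seconds.

    A reset counts as rapid only if it arrives within rapid_s of the HEADERS
    frame that opened the same stream, so ordinary cancellations of slow
    responses are not penalised.
    """
    opened_at: Dict[Tuple[str, int], float] = {}
    recent: Dict[str, deque] = defaultdict(deque)   # conn -> rapid-reset timestamps in window
    flagged: Dict[str, int] = {}
    for line in lines:
        ts, conn, frame, stream = parse_frame(line)
        if frame == "HEADERS":
            opened_at[(conn, stream)] = ts
            continue
        if frame != "RST_STREAM":
            continue
        start = opened_at.pop((conn, stream), None)
        if start is None or ts - start > rapid_s:
            continue                                 # not a rapid reset
        window = recent[conn]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()                         # slide the window forward
        if len(window) > max_resets:
            flagged[conn] = max(flagged.get(conn, 0), len(window))
    return flagged


if __name__ == "__main__":
    for conn, peak in find_abusive_connections(build_trace()).items():
        print(f"{conn}: {peak} rapid resets within one window, close connection")
```

In a real server this check sits next to the SETTINGS_MAX_CONCURRENT_STREAMS accounting, because the whole point of the attack is that a reset frees the concurrency slot before the server has done the work it just started; the budget here caps how often a single connection may pull that trick regardless of the advertised limit.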


Wait till you see the TCP RFCs…


I guess it helps that TCP is usually covered to some extent in an undergrad course, and also that it's unencrypted.


I don't think this has too much to do with the spec and more about discovering and preventing DoS vectors.


Also HAProxy managed to predict and mitigate this issue 5 years ago.


Sounds like the OAuth2 spec.


Well have you seen oauth1? So much trouble to be able to support non-secure HTTP.


I'm on a project where OAuth 2.0 will be implemented. Please send help.


[flagged]


To be a bit less vitriolic than other comments.

The link is to a plain text file.

The indentation is formatting to give a clear delineation between various sections, such as each feature/fix/item of the changelog, which makes it easier to read than a run-on blob of text with no clear markers.

You see this same indentation with un/ordered lists in HTML or word documents.


What's wrong with that? I find it convenient to read with less.


Well, for one, on a mobile screen I can understand the difference between line wraps and new lines.


To make it look the same everywhere.


Because they keep rules you obviously don’t understand and know


I'm surprised people still actively use it and it seems on par with nginx, at least according to https://www.netcraft.com/blog/january-2023-web-server-survey...


Why surprised? It's rock solid, stable, fast, and does pretty much everything you need, and nothing is hidden behind premium tiers, unlike nginx where they leave bugs and awful behaviour in the open source version that aren't in the premium ones (e.g. nginx used to only resolve hostname entries on start-up, https://forum.nginx.org/read.php?2,215830,215832#msg-215832, so if you used a hostname in proxy_pass, and the DNS changed, oops sorry. Actual honouring of DNS TTLs used to be a premium only feature)


I love apache as much as anyone, cut my teeth with it and still work with it plenty.

It doesn’t strike me as odd to question its fit for people who have more experience with containers. If there’s a reverse proxy in the front, one may just need business logic in the back.


>If there’s a reverse proxy in the front, one may just need business logic in the back.

I'm trying to imagine what that haircut would look like


Full disclosure: I haven't cut my hair in a while. It may be influencing my architecture decisions at this point.


Walk into your nearest Hot Topic.


I am actively trying to remove apache from a large chunk of projects mainly because at this point it is being used as a poor reverse proxy and not a web server which is its core competency.


Actually, its reverse proxy implementation is quite capable and performant.


I run all my microservices and web sites in containers behind Apache. It's not required to use any specific reverse proxy; nginx is Russian made, like Jetbrains' products, so Google pushes them and that's why under-educated millennials assume nginx is the only reverse proxy on Earth.


Why do you believe Google "pushes" Russian software? That seems odd.


I guess referring to conspiracy theories is one way of evaluating software.


I'm surprised you're surprised. It's a good web server.


I'm surprised HN hasn't added a feature where if you start a comment with "I'm surprised" it asks you to tick a box to confirm that you're really sure you're contributing to the discussion.


I've found the experience when people are explicitly requested to never do this (feign surprise) to be excellent; for example, Recurse Center: https://www.recurse.com/manual#sub-sec-social-rules


Usually when I’m surprised about something, I realize that I am uninformed or out of touch.


I am strongly in favor of this. I would also like HN to implement a warning that your comment may be extremely uninteresting if it starts out with, "Unfortunately..." or, "Can we all just agree that..."


Also some of the snide comments beginning with “lol” and “I didn’t ask you”.


It's still in most distros' default repos, unlike things like caddy, and also supports features like mod_ldap out of the box without enterprise, like nginx. If you just need a simple web server, potentially with some auth even for static files, it's a no-brainer default for internal projects.


I wonder what "other" is and how it suddenly shot up while Apache was suddenly going down.


I agree after all Node.js is Bad Ass Rockstar Tech https://www.youtube.com/watch?v=bzkRVzciAZg&t=1s



