A vulnerability in the Win32 and OS/2 ports of Apache 1.3 was
reported (PR#7522)
last month, involving requests with an extremely long string
of characters in the Request-URI. Such requests could crash
the server, causing denial of service, but would not allow
unauthorised access to data. A fix was checked in this week
by William Rowe, who also proposed that 1.3.20 be released
soon. This vulnerability does not affect Apache running on
Unix.
Talk of a new 1.3 release prompted some testing of the
current code and it was found that a change made since 1.3.19
had portability problems, which were quickly fixed by Jim
Jagielski. Some issues with the updated
ApacheBench utility were also uncovered.
The APR list has seen a large amount of traffic concerning
the "stackable memory system" which has been contributed to
APR by members of the Samba-TNG team. The code
was checked in, though some group members found the volume of
discussion overwhelming.
The most CVS activity seen recently came in a flurry of over
30 commits in two days, as Ralf Engelschall imported the
source to version 2.8.3 of mod_ssl into the Apache 2.0 CVS
tree and began the process of porting the code to Apache 2.0
and APR.
Two Apache Software Foundation projects have been chosen as
finalists in the 2001
JavaWorld Editors' Choice Awards. Tomcat has been
nominated for the "Most Innovative Java Product", and
Xalan-Java has been selected for the "Best Java-XML
Technology". Winners will be announced in June this year.
Back in 1999, the JServ servlet engine won JavaWorld Readers'
Choice Awards "Best Free Product".
E-Soft have updated their
Apache Module report. This report gives a breakdown of
the popular add-on modules for Apache and gives the
percentage of Apache sites the module is found on. What makes
this report even more interesting is that for each module
there is a complete history of penetration rates spanning
nearly three years.
Meanwhile, their April 2001
secure web server survey found that Apache (and
Apache-based servers) still power over 60% of all secure
sites.
In this section we highlight some of the articles on the web
that are of interest to Apache users.
Information Security Magazine presents an article on
improving Apache and a
case study on companies that swear by (not at) Apache in
its April issue. It starts off by refuting the mindset that
running Apache guarantees security, although it readily admits
that Apache deserves its reputation for being a secure Web
server. Then it provides the steps for installing Apache and
mod_ssl, securing the underlying Linux server,
and testing Web applications for vulnerabilities.
"Setting up Apache with mySQL, Frontpage 2000 Extensions, and
PHP NHF" is a Newbieized Help File (NHF) written
by Dallas Engelken for newbies to get Apache up and running
with Frontpage support in no time at all.
At first glance, it may seem pointless to generate dynamic
PDFs, but John Coggeshall discovers that the PDF features of
PHP can be implemented in all sorts of ways to make Web sites
more efficient. Read about it in
"Creating PDF Files in PHP".