Discussion on the development list became tense this week as the
2.0.25 release appeared to be going the way of 2.0.24, which would
make it the seventh tarball not to get through testing since the
last public release. Recent problems have been with the
mod_mime and mod_include modules. There was some
debate as to whether the new release strategy was working; Roy
Fielding, who proposed the strategy, pointed out that:
"the reason 2.0 doesn't have a good beta release is because
it simply has not been ready for beta release -- the big fixes we have
been making lately have vastly improved it over what it was two months
ago."

Since its conception in July, the Apache HTTP Test project has been
playing an increasingly important part in the progression of the 2.0
code.

The test project comprises a pair of programs: Flood, a
profile-driven load tester, and Perl Framework, a
regression testing kit. Flood can be used for stress testing HTTP and SSL
servers, and uses an XML-based configuration language. The Perl code is
based on the mod_perl test harness, and has
over 1500 tests at time of writing.

Jim Jagielski has been working on back-porting the
AcceptMutex directive from 2.0 to 1.3. This directive
allows run-time configuration of the mutex
type used for accept serialization, currently a compile-time only
setting in 1.3. Since different types of mutex have different
performance characteristics on different platforms, this directive
will allow administrators to tune their Apache server more easily.

RUS-CERT has discovered a vulnerability that affects several third-party
Apache authentication modules that use SQL databases to store
authentication information. An external attacker can make use of this
vulnerability to obtain arbitrary data from your server.
The modules known to be affected include:
- AuthPG
- mod_auth_mysql
- mod_auth_oracle
- mod_auth_pgsql
- mod_auth_pgsql_sys
If you are using one of these modules, or any other module to authenticate
against a SQL database, read the full advisory and update your module.

According to this document,
IBM have incorporated Apache 2.0 into their
iSeries web server product line. One of the team at IBM commented
to the development list that although the product internally used an
alpha version of Apache, 2.0.18,
their product is "not 'beta' but fully supported" and that they
are "working on getting stuff back into the original code base."

In this section we highlight some of the articles on the web that are of
interest to Apache users.

O'Reilly ONLamp.com brings you the latest information about filters
for Apache 2.0 in Ryan Bloom's column. This article is just an
introduction to the subject, covering some of the basic concepts of
filtered I/O (the ability for one module to modify the output of
an earlier module), listing three standard filters included in the basic
Apache distribution, and explaining what filter types are. According to
Ryan, developers have improved the interface over the past few releases so
that the complex task of writing filters becomes easier.

It's an overall thumbs up to the "Apache Desktop Reference" from Sys
Admin magazine in this short book
review by Elizabeth Zinkann. You'll need to scroll all the way down to
read it. She describes it as a superbly written, well-organized, humorous,
informative, insightful, extraordinary, essential, and indispensable guide
to the Apache Web Server. What's more, you can read the whole book
online.

In the wake of the Code Red worm, Joe "Zonker" Brockmeier warns Unix and
Linux administrators running the Apache Web Server not to let their guard
down in this tongue-in-cheek but apt piece entitled "Thinking
about Security". I'm sure many of you will find his advice on how to
stop your boss from embarrassing himself useful.