Apache Week

Issue 182, 14th January 2000

Copyright 1996-2005
Red Hat, Inc.

Apache Status

Apache Site: www.apache.org
Release: 1.3.9 (Released 20th August 1999)
Beta: None

Apache 1.3.9 is the current stable release. Users of Apache 1.3.6 and earlier on Unix systems should upgrade to this version. Users of Apache on Windows can now upgrade to Apache 1.3.9 avoiding the previous problems with Apache 1.3.6. Read the Guide to 1.3.9 for information about changes between 1.3.6 and 1.3.9.

Most bugs listed below include a link to the entry in the Apache bug database where the problem is being tracked. These entries are called "PR"s (Problem Reports). Some bugs do not correspond to problem reports if they are found by developers.

Bugs in 1.3.9

A number of patches have been made to the 1.3.9 code this week in preparation for the release of Apache 1.3.10.

  • HPUX binary building fails when building dynamic modules due to changes made since 1.3.9.
  • HPUX build problems when using ./configure as the HPUX native compiler requires the addition of the -Ae flags to ensure that ANSI C can be parsed.
  • Compilation in AIX machines sometimes fails to link due to problems with dynamic libraries with AIX versions prior to
  • OS/390 builds were failing when DSO support was enabled.
  • suExec should set a umask before invoking a script. A new option has been added to the configure script, --suexec-umask. PR#4178
  • Apache can conflict with third-party libraries due to the export of a symbol named lookup (part of the Expat XML library). The symbol is renamed to hashTableLookup in 1.3.10.
  • The ProxyPass code erroneously converted authentication protection to proxy authentication requests, causing problems with browsers.
  • Actions set in a Location that didn't correspond to a file failed.

1.3.10 release planned

The next release of Apache will be version 1.3.10, due for release around the 19th January 2000. The original schedule was for a public release on the 14th, but this has been delayed due to a number of significant last minute issues.


Common Security Problem

There is a common bug report with Apache concerning failed access control, but the problem is due to incorrect configuration rather than the Apache code itself. The problem is quite common because the incorrect example was part of the original Apache documentation as well as being explained in at least one book.

A typical way to limit resources to particular clients or users is to use a <Limit> section, such as this:

  <Limit GET POST>
  ...
  access restriction directives such as require or allow
  ...
  </Limit>

The effect of the <Limit> section is to limit the restriction to only the listed methods - GET and POST in this example. This means that other methods such as PUT are not subject to the restriction, which is potentially a security problem. The correct solution is to remove the <Limit> and </Limit> lines, making the restriction apply to all request methods.

Note that while GET, HEAD, POST, and PUT are the commonly used methods today, other methods have been and can be defined and used at any time. The above example configuration would allow these additional methods through as well. This is particularly important if the restricted area includes CGI scripts which do not bother to check the method with which they are called. These CGI scripts should also be fixed, and Apache Week issue 81 has more information.
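
An added example, not part of the original issue: a small Python check that scans configuration text for <Limit> sections wrapping access restriction directives, which is the misconfiguration described above. The function name, directory paths and address are constructed for illustration, and the parser assumes one directive per line.

```python
import re

# Access restriction directives whose scope a <Limit> section narrows.
ACCESS_DIRECTIVES = {"require", "allow", "deny", "order"}

LIMIT_OPEN = re.compile(r"^<Limit\s+([^>]*)>$", re.IGNORECASE)
LIMIT_CLOSE = re.compile(r"^</Limit>$", re.IGNORECASE)

def find_method_limited_access(config_text):
    """Return (line of <Limit>, listed methods, wrapped directives) per finding."""
    findings = []
    current = None  # set while inside a <Limit> section
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = LIMIT_OPEN.match(line)
        if opened:
            current = (line_no, opened.group(1).upper().split(), [])
        elif LIMIT_CLOSE.match(line):
            # Only report sections that actually wrap an access restriction.
            if current and current[2]:
                findings.append(current)
            current = None
        elif current and line.split()[0].lower() in ACCESS_DIRECTIVES:
            current[2].append(line)
    return findings

# Constructed sample: the method-limited form, then the corrected form.
SAMPLE_CONFIG = """\
<Directory /usr/local/apache/htdocs/private>
  <Limit GET POST>
    order deny,allow
    deny from all
    allow from 192.0.2.10
  </Limit>
</Directory>

<Directory /usr/local/apache/htdocs/members>
  order deny,allow
  deny from all
  allow from 192.0.2.10
</Directory>
"""

if __name__ == "__main__":
    for line_no, methods, rules in find_method_limited_access(SAMPLE_CONFIG):
        print(f"line {line_no}: applies only to {', '.join(methods)}: {rules}")
```

Only the first section is reported; the second applies its restriction to every request method and produces no finding.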


Apache Week at LinuxWorld

Apache Week will be exhibiting at the LinuxWorld Conference and Expo in New York in February. You'll be able to find Apache Week's current editor, Mark Cox, on the O'Reilly network stand, and he'll be on-hand to talk about all things Apache. The conference runs from February 1st to 4th 2000, and entry to the exhibits can be obtained with a free pass if you register today (January 14th 2000) online at www.linuxworldexpo.com.

ApacheCon 2000 status

The second official Apache conference, ApacheCon 2000, takes place March 8th-10th 2000 in Orlando, Florida. Apache Week is a sponsor of ApacheCon 2000 and will keep you updated on conference news between now and March.

You can now register on-line for ApacheCon 2000 using a credit card and a secure web browser. ApacheCon is offering a discount of US$225 off the full conference price to those who register for the conference early.


Apache-Related Jobs

This occasional section contains short announcements of jobs which require significant Apache experience. If you have a suitable job announcement, send the text (less than fifty words) to editors@apacheweek.com. We reserve the right to refuse or edit any announcement.

Software Development Engineer (USA)

Covalent Technologies seeks Software Development Engineer with strong Unix, Internet, programming (C/C++, Java, Tk, Perl), and Apache skills. Duties may include Apache server development, PKI cryptography applications, as well as product development and GUI design. More information is available.

Software Engineer (England)

C2Net Europe seeks self-motivated software engineer with strong C and Unix skills to work on the Stronghold web server as well as get involved and contribute directly to the Apache, mod_ssl, and OpenSSL projects. More information is available.


Comments or criticisms? Please email us at editors@apacheweek.com