Apache Week
Issue 187, 18th February 2000:

Copyright 2020 Red Hat, Inc

Apache 1.3.12 in preparation

It is expected that a new version of Apache, 1.3.12, will be released early next week. This new version includes the patches released to address the issues from the CERT advisory on cross-site scripting. If you are currently using Apache you should ensure that you have read the comprehensive details of the problem, updated your server, and checked any scripts that you use.

As reported by CERT, this issue affects more than just servers based on Apache. Earlier in the week Zeus Technology provided patches to their customers after Apache Week demonstrated a vulnerability in their server.

Apache Status

Apache Site: www.apache.org
Release: 1.3.11 (Released 21st January 2000) (local download sites)
Beta: None

Apache 1.3.11 is the current stable release. Users of Apache 1.3.9 and earlier on Unix systems should upgrade to this version. Users of Apache on Windows can now upgrade to Apache 1.3.11 avoiding the previous problems with Apache 1.3.9. Read the Guide to 1.3.11 for information about changes between 1.3.9 and 1.3.11 and the Guide to 1.3.9 for information about changes between 1.3.6 and 1.3.9.

Most bugs listed below include a link to the entry in the Apache bug database where the problem is being tracked. These entries are called "PR"s (Problem Reports). Some bugs do not correspond to problem reports if they are found by developers.

Bugs in 1.3.11

  • Querying multiple variables through a single call to APXS could cause ambiguous output if Apache was compiled with embedded calls to Perl, for example when using "-MExtUtils::Embed" in the command line options.
  • Alterations made to Apache 1.3.11 for OS/2 can cause compilation problems on some Unix platforms as invalid arguments are passed to fopen.
  • The default path for suexec was inconsistent if Apache was not configured via APACI.
  • Apache will not compile on NEXT and UTS21 platforms due to differences in ap_wait_t parameters. PR#5053
  • APACI configuration would fail on Ultrix. PR#4940
  • The implementation of the flag directives AuthAuthoritative, MetaFiles, and ExtendedStatus was not consistent with the documentation. PR#5642

Under Development

Patches for bugs in Apache 1.3.11 will be made available in the apply_to_1.3.11 subdirectory of the patches directory on the Apache site. Some new features and other unofficial patches are available in the 1.3 patches directory. For details of all previously reported bugs, see the Apache bug database and known bugs pages. Many common configuration questions are answered in the Apache FAQ.

The majority of development work is now being focused on Apache 2.0, with the hopes of a public beta-test version being available within the first quarter of this year.

Improved charset handling

Handling of character sets has been improved as part of the patches to address the cross-site scripting issues. Two new directives have been added to Apache, AddDefaultCharset and AddDefaultCharsetName. These directives allow Apache to specify the given character set on any document that does not have one explicitly specified in the headers. Sending the correct character encoding allows a document to be interpreted and displayed appropriately.
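
An added example, not Apache source code and not part of the original issue: a small Python model of the behaviour described above (append a default charset only when the response declares none), used to flag responses that would rely on such a default. The default value, the restriction to text/* types, and the sample paths and headers are assumptions constructed for illustration.

```python
# Added example: models "add a default charset when none is declared".
# This is not Apache code; names and sample data are constructed.

DEFAULT_CHARSET = "iso-8859-1"  # assumed default, chosen for illustration

# Constructed sample of (request path, Content-Type header value).
SAMPLE_RESPONSES = [
    ("/index.html", "text/html"),
    ("/search.cgi", "text/html; charset=ISO-8859-1"),
    ("/notes.txt", 'text/plain; charset="utf-8"'),
    ("/logo.gif", "image/gif"),
    ("/err.html", "text/html;"),
]


def declared_charset(content_type):
    """Return the lower-cased charset parameter of a Content-Type, or None."""
    for param in content_type.split(";")[1:]:
        name, _, value = param.partition("=")
        if name.strip().lower() == "charset":
            # Accept both charset=utf-8 and charset="utf-8".
            return value.strip().strip('"').lower() or None
    return None


def with_default_charset(content_type, default=DEFAULT_CHARSET):
    """Leave an explicit charset alone; otherwise append the default.

    Assumption for this example: only text/* media types are touched.
    """
    media_type = content_type.split(";")[0].strip().lower()
    if declared_charset(content_type) or not media_type.startswith("text/"):
        return content_type
    return f"{content_type.rstrip('; ')}; charset={default}"


def audit(responses):
    """Return the paths of text responses that send no explicit charset."""
    return [path for path, ctype in responses
            if with_default_charset(ctype) != ctype]


if __name__ == "__main__":
    for path in audit(SAMPLE_RESPONSES):
        print("no charset declared:", path)
```
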

ApacheCon 2000 status

We've told those hoping to attend this year's ApacheCon 2000 conference that time is running out. By now, you'll have heard all you can take about the seminars, BOFs, and sponsoring companies. So let's take a moment to reflect on how glorious Florida's weather will be in March, and that you probably need a holiday anyway. If you're a sysadmin, you can probably expense it anyway.

In The News

Netcraft show Apache at over 61%

The February Netcraft Server Survey shows a huge leap in the number of sites running Apache, now over 55%. The leap is due in part to a UK ISP changing the version string returned by their server back to Apache. However, this is by no means the only cause, as the total number of Apache-based servers has this month increased to over 61%. The Netcraft survey is based on the largest sample size of all the surveys, now looking at over 11 million sites. Unfortunately, with a number of ISPs setting up wildcard DNS, it is going to be increasingly hard to obtain meaningful statistics, and the results may be biased.

Wired think Apache is overlooked (but successful)

Wired News highlights Apache this week in A Patchy Start: Apache's Strong. The article examines why Apache is not as well known as other projects such as Linux and finds that the companies providing support and services based on Apache are not as visible. In issue #180 we took a brief look at some of these commercial offerings, and the Apache related projects page contains others.

Apache Week Updates

Over the last couple of weeks we've changed the style of Apache Week to make it easier to read and more consistent. Whilst making the changes we also started an XML feed of the headlines, so you can integrate Apache Week news into your favourite sites. Apache Week can be added to my.netscape.com and others.

Apologies for last week's HTML edition which was sent out twice to some readers due to a configuration mistake. We have also fixed the problem in the HTML version which could not be opened in some mail readers.