It is expected that a new version of Apache, 1.3.12, will be
released early next week. This new version includes the
patches released to address the issues from the CERT
advisory on cross-site scripting. If you are currently
using Apache you should ensure that you have read the comprehensive
details of the problem, updated your server, and checked
any scripts that you use.
As reported by CERT, this issue affects more than just
servers based on Apache. Earlier in the week Zeus Technology
provided patches to their customers after Apache Week
demonstrated a vulnerability in their server.
Apache Site: www.apache.org
Release: 1.3.11 (Released 21st January
Apache 1.3.11 is the current stable release. Users of Apache
1.3.9 and earlier on Unix systems should upgrade to this
version. Users of Apache on Windows can now upgrade to Apache
1.3.11 avoiding the previous problems with Apache 1.3.9. Read
the Guide to 1.3.11 for information about changes between 1.3.9 and
1.3.11 and the Guide to
1.3.9 for information about changes between 1.3.6 and
Most bugs listed below include a link to the entry in the
Apache bug database where the problem is being tracked. These
entries are called "PR"s (Problem Reports). Some bugs do not
correspond to problem reports if they are found by
Bugs in 1.3.11
Querying multiple variables through a single call to APXS
could cause ambiguous output if Apache was compiled with
embedded calls to Perl, for example when using
"-MExtUtils::Embed" in the command line.

Alterations made to Apache 1.3.11 for OS/2 can cause
compilation problems on some Unix platforms, as invalid
arguments are passed to fopen.

The default path for suexec was inconsistent
if Apache was not configured via APACI.

Apache will not compile on NEXT and UTS21 platforms due to
differences in ap_wait_t parameters. PR#5053

APACI configuration would fail on Ultrix. PR#4940

The implementation of the flag directives
AuthAuthoritative, MetaFiles, and
ExtendedStatus was not consistent with the
Patches for bugs in Apache 1.3.11 will be made available in
the apply_to_1.3.11 subdirectory of the patches
directory on the Apache site. Some new features and other
unofficial patches are available in the 1.3
patches directory. For details of all previously reported
bugs, see the Apache bug
database and known
bugs pages. Many common configuration questions are
answered in the Apache FAQ.
The majority of development work is now being focused on
Apache 2.0, with the hopes of a public beta-test version
being available within the first quarter of this year.
Improved charset handling
Handling of character sets has been improved as part of the
patches to address the cross-site scripting issues. Two new
directives have been added to Apache, AddDefaultCharset and
AddDefaultCharsetName. These directives allow
Apache to specify the given character set on any document
that does not have one explicitly specified in the headers.
Sending the correct character encoding allows a document to
be interpreted and displayed appropriately.
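
An added example, not part of the original newsletter or of Apache's code: a Python audit that takes response Content-Type headers, flags the documents served without an explicit charset, and shows the header a default charset would produce. The audited media types, the default charset value and the sample headers are assumptions constructed for illustration.

```python
from email.message import Message

# Assumptions of this example: which media types to audit and the site default.
AUDITED_TYPES = {"text/html", "text/plain"}
DEFAULT_CHARSET = "iso-8859-1"


def parse_content_type(value):
    """Return (media_type, charset or None) from a Content-Type header value."""
    msg = Message()
    msg["Content-Type"] = value
    charset = msg.get_param("charset")
    # An empty or RFC 2231-encoded (tuple) charset is treated as not declared.
    if not isinstance(charset, str) or not charset.strip():
        charset = None
    return msg.get_content_type(), charset


def audit(responses, default=DEFAULT_CHARSET):
    """Return (path, effective Content-Type, was_missing) for each response."""
    findings = []
    for path, header in responses:
        media_type, charset = parse_content_type(header)
        if media_type in AUDITED_TYPES and charset is None:
            # No charset declared: the browser would have to guess the encoding.
            findings.append((path, f"{media_type}; charset={default}", True))
        else:
            findings.append((path, header, False))
    return findings


# Constructed sample headers, not captured from a real server.
SAMPLE = [
    ("/index.html", "text/html"),
    ("/search.cgi", "text/html; charset=utf-8"),
    ("/notes.txt", "text/plain"),
    ("/logo.gif", "image/gif"),
    ("/error.html", 'TEXT/HTML; Charset="ISO-8859-1"'),
]

if __name__ == "__main__":
    for path, effective, was_missing in audit(SAMPLE):
        flag = "MISSING CHARSET" if was_missing else "ok"
        print(f"{path:12} {flag:16} {effective}")
```
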
We've told those hoping to attend this year's ApacheCon 2000
conference that time is running out. By now, you'll have
heard all you can take about the seminars, BOFs, and
sponsoring companies. So let's take a moment to reflect on
how glorious Florida's weather will be in March, and that you
probably need a holiday anyway. If you're a sysadmin, you can
probably expense it anyway.
Netcraft show Apache at over 61%
The February Netcraft
Server Survey shows a huge leap in the number of sites
running Apache, now over 55%. The leap is due in part to a UK
ISP changing the version string returned by their server back
to Apache. However, this is by no means the only cause as the
total number of Apache-based servers has this month increased
to over 61%. The Netcraft survey is based on the largest
sample size of all the surveys, now looking at over 11
million sites. Unfortunately, with a number of ISPs setting
up wildcard DNS, it is going to be increasingly hard to obtain
meaningful statistics, allowing the results to be biased.
Wired think Apache is overlooked (but successful)
Wired News highlights Apache this week in
A Patchy Start: Apache's Strong. The article examines why
Apache is not as well known as other projects such as Linux
and finds that the companies providing support and services
based on Apache are not as visible. In issue #180 we took a brief look at
some of these commercial offerings, and the Apache related
projects page contains others.
Over the last couple of weeks we've changed the style of
Apache Week to make it easier to read and more consistent.
Whilst making the changes we also started an XML feed of the
headlines, so you can integrate Apache Week news into your
favourite sites. Apache Week can be added to
my.netscape.com and others.
Apologies for last week's HTML edition which was sent out
twice to some readers due to a configuration mistake. We have
also fixed the problem in the HTML version which could not be
opened in some mail readers.