Apache Week
Issue 188, 25th February 2000

Copyright 1996-2005
Red Hat, Inc.

Apache 1.3.12 Released

Apache 1.3.12 was released on 25th February 2000 and is now the latest version of the Apache server. The previous release was 1.3.11, released on the 21st January 2000. See what was new in Apache 1.3.11.

Apache 1.3.12 is available in source form for compiling on Unix or Windows, for download from any Apache local download site. Binary packages for a few platforms are available.

Security Fixes

Apache 1.3.12 has been released following the recent CERT advisory on cross-site scripting. It was shown that malicious HTML tags can be embedded in client web requests if the server or script handling the request does not carefully encode all information displayed to the user. Using these vulnerabilities, attackers could, for example, obtain copies of the private cookies used to authenticate you to other sites.

The problem is not specific to Apache and has wide reaching consequences for anyone who uses or writes scripts for web servers. The Apache Software Foundation has published comprehensive details of the problem and you should check any scripts that you use.

After the initial patches to address this vulnerability in Apache 1.3.11 were released, an additional interaction between Apache and Netscape Navigator was found. If you are currently running Apache 1.3.11 with these patches you should check that you have applied the most recently available patches, or look at upgrading to Apache 1.3.12.

As part of the fixes for these vulnerabilities the handling of character sets has been improved. Two new directives have been added to Apache, AddDefaultCharset and AddDefaultCharsetName. These directives make Apache add the given character set to the Content-Type header of any document that does not already have one explicitly specified. Sending the correct character encoding allows a document to be interpreted and displayed appropriately, rather than leaving the browser to guess.
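The two halves of the advice above, encode everything a script echoes back to the user and send an explicit charset, shown as an added example in Python (a mock CGI-style handler written for this page, not Apache's code or the CERT advisory's). The hardened handler's `charset` default stands in for what AddDefaultCharset does server-wide for documents that carry no charset of their own; the query string is constructed.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string: the "name" parameter carries an HTML tag,
# URL-encoded as a browser would send it. Decoded: <script>alert('xss')</script>
SAMPLE_QUERY = "name=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E"


def _name_from(query_string):
    """Extract the 'name' parameter as a CGI script would (empty if absent)."""
    return parse_qs(query_string).get("name", [""])[0]


def vulnerable_response(query_string):
    """The 'before' case: the parameter is echoed raw and no charset is declared."""
    headers = {"Content-Type": "text/html"}
    body = f"<html><body>Hello, {_name_from(query_string)}!</body></html>"
    return headers, body


def hardened_response(query_string, charset="ISO-8859-1"):
    """The 'after' case: HTML-escape the echoed value and state the charset.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so any tag in
    the input is displayed as text instead of being interpreted by the browser.
    """
    headers = {"Content-Type": f"text/html; charset={charset}"}
    safe_name = html.escape(_name_from(query_string), quote=True)
    body = f"<html><body>Hello, {safe_name}!</body></html>"
    return headers, body


def contains_injected_markup(body, marker="<script"):
    """Simple audit check: did a tag from the request survive into the page?"""
    return marker in body.lower()


def has_explicit_charset(headers):
    """Audit check mirroring the AddDefaultCharset concern: is a charset declared?"""
    ctype = headers.get("Content-Type", "")
    params = [p.strip().lower() for p in ctype.split(";")[1:]]
    return any(p.startswith("charset=") and len(p) > len("charset=") for p in params)


if __name__ == "__main__":
    for handler in (vulnerable_response, hardened_response):
        hdrs, page = handler(SAMPLE_QUERY)
        print(handler.__name__, "| tag survives:", contains_injected_markup(page),
              "| charset declared:", has_explicit_charset(hdrs))
```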

Bugs fixed

The following bugs were found in Apache 1.3.11 and fixed in Apache 1.3.12.

  • Alterations made to Apache 1.3.11 for OS/2 can cause compilation problems on some Unix platforms, as invalid arguments are passed to fopen().
  • Querying multiple variables through a single call to APXS could cause ambiguous output if Apache was compiled with embedded calls to Perl. For example when using "-MExtUtils::Embed" in the command line options.
  • The default path for suexec was inconsistent if Apache was not configured via APACI.
  • Apache will not compile on NEXT and UTS21 platforms due to differences in ap_wait_t parameters. PR#5053
  • The implementation of the flag directives AuthAuthoritative, MetaFiles, and ExtendedStatus were not consistent with the documentation. PR#5642
  • APACI configuration would fail on Ultrix. PR#4940
  • The Apache process ID file, httpd.pid would be written with the default umask, causing problems if this umask was not sensible.
  • Apache does not compile out-of-the-box on BeOS.
  • The default path to the suexec binary was wrong if it was not specified at the configure stage.
  • Whilst mod_mime_magic is not one of the default modules compiled into Apache, the binbuild script for building binaries does include the module causing a problem for EBCDIC platforms due to mod_mime_magic not being able to distinguish between EBCDIC and ASCII.
  • The Portuguese translation of the default successful Apache installation page is actually Brazilian Portuguese.

ApacheCon 2000 status

This really is the last time we're going to remind you about ApacheCon 2000 because, quite frankly, we've got better things to do with our time - like buying buckets and spades and sun block. You can now even find out who else is attending. Last-minute reservations are on the up so if you want to be there, now's the time to organise it to avoid disappointment.


Apache DevCenter launched

The O'Reilly Network Apache DevCenter was launched last week. As well as bringing together Apache news from various sources such as Freshmeat, Slashdot and Apache Week, it contains an Apache Forum where you can ask Apache-related questions.

Introducing Apache

"Introducing Apache" by Rael Dornfest is the first in a series of articles about Apache, the most popular web server software available. In the coming weeks, Rael will talk about how to install Apache, its care and feeding, simple tricks to keep it running smoothly, and powerful modules you can add to extend its capabilities.


Comments or criticisms? Please email us at editors@apacheweek.com