Apache 1.3.12 was released on 25th February 2000
and is now the latest version of the Apache server. The
previous release was 1.3.11, released on the 21st January
what was new in Apache 1.3.11.
Apache 1.3.12 is available in source form for compiling on
Unix or Windows, for download from any Apache local
download site. Binary packages for a few platforms are
Apache 1.3.12 has been released following the recent CERT
advisory on cross-site scripting. It was shown that
malicious HTML tags can be embedded in client web requests if
the server or script handling the request does not carefully
encode all information displayed to the user. Using these
vulnerabilities, attackers could, for example, obtain copies
of your private cookies used to authenticate you to other
The problem is not specific to Apache and has wide-reaching
consequences for anyone who uses or writes scripts for web
servers. The Apache Software Foundation has published comprehensive
details of the problem and you should check any scripts
that you use.
After the initial patches to address this vulnerability in
Apache 1.3.11 were released, an additional interaction between
Apache and Netscape Navigator was found. If you are currently
running Apache 1.3.11 with these patches, you should check
that you have applied the most recently available patches or
look at upgrading to Apache 1.3.12.
As part of the fixes for these vulnerabilities the handling
of character sets has been improved. Two new directives have
been added to Apache, AddDefaultCharset and
AddDefaultCharsetName. These directives allow
Apache to specify the given character set on any document
that does not have one explicitly specified in the headers.
Sending the correct character encoding allows a document to
be interpreted and displayed appropriately.
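
The two points above (encode everything echoed back to the user, and always declare a character set) can be checked in a script's own output. The following is an added example, not code from Apache or from this newsletter; the function names, the sample request path and the iso-8859-1 default are assumptions made for illustration.

```python
import html
from email.message import Message

# Assumed site-wide default, standing in for what a default-charset
# directive would supply at the server level.
DEFAULT_CHARSET = "iso-8859-1"


def declared_charset(content_type):
    """Return the charset parameter of a Content-Type value, or None."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_param("charset")


def with_default_charset(content_type, default=DEFAULT_CHARSET):
    """Add a charset to text/* types that lack one; leave others alone."""
    is_text = content_type.lower().startswith("text/")
    if is_text and declared_charset(content_type) is None:
        return f"{content_type}; charset={default}"
    return content_type


def not_found_unsafe(path):
    """'Before' form: echoes the request path into the page unencoded."""
    return "text/html", f"<h1>Not Found</h1><p>{path} was not found.</p>"


def not_found_safe(path):
    """Hardened form: encode the echoed value and declare the charset."""
    shown = html.escape(path, quote=True)
    body = f"<h1>Not Found</h1><p>{shown} was not found.</p>"
    return with_default_charset("text/html"), body


# Constructed request path carrying markup, for illustration only.
SAMPLE_PATH = "/docs/<script>x</script>"

if __name__ == "__main__":
    for render in (not_found_unsafe, not_found_safe):
        ctype, body = render(SAMPLE_PATH)
        print(render.__name__, "|", ctype, "|", body)
```
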
The following bugs were found in Apache 1.3.11 and fixed in

Alterations made to Apache 1.3.11 for OS/2 can cause
compilation problems on some Unix platforms as invalid
arguments are passed to fopen.

Querying multiple variables through a single call to APXS
could cause ambiguous output if Apache was compiled with
embedded calls to Perl. For example, when using
"-MExtUtils::Embed" in the command line

The default path for suexec was inconsistent
if Apache was not configured via APACI.

Apache will not compile on NEXT and UTS21 platforms due to
differences in ap_wait_t parameters. PR#5053

The implementation of the flag directives
AuthAuthoritative, MetaFiles, and
ExtendedStatus was not consistent with the

APACI configuration would fail on Ultrix. PR#4940

The Apache process ID file, httpd.pid, would be
written with the default umask, causing problems if this
umask was not sensible.

Apache does not compile out-of-the-box on BeOS.

The default path to the suexec binary was wrong if it was
not specified by the configure stage.

Whilst mod_mime_magic is not one of the
default modules compiled into Apache, the
binbuild script for building binaries does
include the module, causing a problem for EBCDIC platforms
due to mod_mime_magic not being able to
distinguish between EBCDIC and ASCII.

The Portuguese translation of the default successful Apache
installation page is actually Brazilian Portuguese.

This really is the last time we're going to remind you about
because, quite frankly, we've got better things to do with
our time - like buying buckets and spades and sun block. You
can now even find out
who else is attending. Last-minute reservations are on
the up so if you want to be there, now's the time to organise
it to avoid disappointment.
The O'Reilly Network Apache DevCenter
was launched last week. As well as bringing together Apache
news from various sources such as Freshmeat, Slashdot and
Apache Week, it contains an
Apache Forum where you can ask Apache-related questions.
"Introducing Apache" by Rael Dornfest is the first in a
series of articles about Apache, the most popular web server
software available. In the coming weeks, Rael will talk about
how to install Apache, its care and feeding, simple tricks to
keep it running smoothly, and powerful modules you can add to
extend its capabilities.