Apache Week
Issue 214, 8th September 2000:

Copyright 2020 Red Hat, Inc


Apache 1.3.13 status

We had an overwhelming number of messages this week asking for an update on the release of Apache 1.3.13. We had originally said that the release would take place in August, but summer holidays and concentration on the 2.0 alpha series have delayed this.

There are few new features in Apache 1.3.13 for Unix; most of the changes are minor bug fixes. Windows users will see vast improvements, including the emulation of services for Windows 95 and 98 and the ability to be built using the latest compilers.

Apache 1.3.12 was released on the 25th February 2000.

SuSE Apache distribution vulnerable

If you are using any version of SuSE Linux released since 6.0, you should read the security advisory released yesterday. Two mistakes in the default configuration file can cause security vulnerabilities. The first vulnerability allows remote users to read the source of CGI scripts in the /cgi-bin/ directory. The second is in the WebDAV package, where no access control has been activated in the default configuration, allowing users to remotely upload and edit files.

RSA Encryption released into Public Domain

One of the large obstacles blocking the use of secure versions of Apache inside the USA was a patent on RSA encryption methods. In order to use a secure server commercially that would interoperate with standard browsers you had to obtain a license from RSA Security. Users commented that they found it impossible to negotiate for a license simply so that they could run a secure site. The alternative way to legally use Apache with SSL in the USA was to purchase a packaged version from a company that had a license with RSA. C2Net, Covalent, IBM, and others provided packages although the majority used closed-source encryption libraries from RSA Security.

This RSA patent is due to expire later this month. Once it has expired, any user can legally run Apache with SSL for a commercial purpose inside the USA. In order to build your own secure server you need three pieces: Apache 1.3, a package that contains the cryptographic code such as the open-source OpenSSL library, and some glue logic to piece the two bits together. Two such packages exist with different functionality, mod_ssl from Ralf Engelschall and Apache-SSL from Ben Laurie.

However, in a bid to upstage the expiration parties and events planned, RSA announced this week they were releasing the algorithm into the public domain, two weeks prior to the expiration. They also staged a Free T-Shirt offer but this offer has managed to expire even before their patent does.