Apache Week
Issue 217, 29th September 2000:

Copyright 2020 Red Hat, Inc

Apache status

Apache Site: www.apache.org/httpd
Release: 1.3.12 (Released 25th February 2000) (local download sites)
Beta: None
Alpha: 2.0a6 (Released 18th August 2000) (local download sites)

Apache 1.3.12 is the current stable release. Users of Apache 1.3.11 and earlier on Unix and Windows systems should upgrade to this version. Read the Guide to 1.3.12, the Guide to 1.3.11 for information about changes between 1.3.9 and 1.3.11 and the Guide to 1.3.9 for information about changes between 1.3.6 and 1.3.9.

We last reported on changes and fixes to Apache 1.3.12 in July (Apache Week issue 206). Since then there have been a number of additions and fixes made.

Recent security vulnerabilities

  • A security problem exists in the Rewrite module. Apache is only vulnerable if you use mod_rewrite and a specific case of the directive RewriteRule. If the result of a RewriteRule is a filename that contains regular expression references then an attacker may be able to access any file on the web server. (See Apache Week issue 216)
  • A security problem exists in the handling of Host: headers in mass virtual hosting configurations. Under certain circumstances an attacker may be able to access any file on the web server.
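
An audit sketch for the mod_rewrite condition described above, added here as an example and not taken from Apache Week or the Apache project: it lists RewriteRule directives whose substitution is an absolute path containing a regular expression reference. The function name and the sample configuration are constructed, and because the script cannot tell whether a substitution beginning with "/" ends up as a filename or a URL path, its output is a list of candidates for manual review.

```python
import re

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = r'''
RewriteEngine On
# substitution is an absolute path built from a captured group
RewriteRule ^/reports/(.*)$ /srv/data/reports/$1
# fixed path, no regular expression reference
RewriteRule ^/old\.html$ /var/www/new.html
# external redirect: the result is a URL, not a filename
RewriteRule ^/docs/(.*)$ http://docs.example.org/$1 [R]
  rewriterule "^/dl/([^/]+)" "/srv/files/%1/$1"
# RewriteRule ^/x/(.*) /tmp/$1
'''

# $N refers to a RewriteRule pattern group, %N to a RewriteCond pattern group.
# A backslash-escaped "$" or "%" is a literal character and is ignored.
BACKREF = re.compile(r'(?<!\\)[$%][0-9]')
# A token is either a double-quoted string or a run of non-whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')


def find_candidate_rules(conf_text):
    """Return (line number, pattern, substitution) for each RewriteRule whose
    substitution starts with '/' and contains a regular expression reference."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank line or comment
        tokens = [t.strip('"') for t in TOKEN.findall(line)]
        # Directive names are case-insensitive in Apache configuration files.
        if len(tokens) < 3 or tokens[0].lower() != 'rewriterule':
            continue
        pattern, subst = tokens[1], tokens[2]
        # Heuristic: a leading '/' marks a possible filesystem path.
        if subst.startswith('/') and BACKREF.search(subst):
            findings.append((lineno, pattern, subst))
    return findings


if __name__ == '__main__':
    for lineno, pattern, subst in find_candidate_rules(SAMPLE_CONF):
        print(f'line {lineno}: review RewriteRule {pattern} -> {subst}')
```
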

Recent feature additions

  • Support for the new FreeBSD accept filters feature. This feature postpones the requirement for a child process to handle a new connection until an HTTP request has arrived, therefore increasing the number of connections that a given number of child processes can handle.
  • Support name-based virtual hosting without needing to specify an IP address in the Apache configuration file. This enables sites that use dynamic IP addresses to support name-based virtual hosting as well as allowing identical machines to share a configuration file, say in a load-balanced cluster. PR#5595, PR#4455
  • Updated configuration script to allow building on IBM's IA-64 version of AIX.
  • An update to the bundled dbmmanage program to add back group support, and overhaul the other commands to add a comment argument.
  • Bundle the DBM package sdbm with Apache for Win32 platforms. sdbm is used by default by mod_auth_dbm in the core Win32 distribution. sdbm support may be compiled into Apache on other platforms in the future.
  • A number of alterations for the MPE platform including fixing error reporting, updating the DSO code to be compatible with a recent OS patch, refining user and group management, and initial support for the proxy module.

Recent bugs fixed

  • Win32 has a bug in network read select() that is noticed specifically when using SSL enabled Apache and Server Gated Cryptography certificates. Sometimes the SSL handshake does not complete and the user sees a network error message.
  • The bundled dbmmanage script did not work correctly when files contained groups. The seed calculation was incorrect on Windows platforms. PR#3810, PR#5527
  • The AddDefaultCharset directive was being incorrectly merged. PR#5827
  • The Remove* MIME directives were being incorrectly merged. PR#5597
  • On Windows platforms the handling of '/' characters in URL parsing of directory blocks is inconsistent. For example, a directive such as <Directory /> should match the root directory of any drive.
  • On Windows platforms mod_isapi has a number of problems. The fixes make ISAPI support for Apache more complete, but there are still some discrepancies.

In the news

LinuxWorld report this week that "Murdoch's News Interactive Commits to Open Source". News Interactive is the online arm of News Corporation and has over 100 servers and 20 web sites in Australia. But cost was not a factor that determined their use of Apache:

"News Interactive has complete control and confidence when it uses open source solutions, because it's all there -- nothing is hidden.... You can put your trust in open source."

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

If you fancy contributing to the Apache Web Server project but programming is not your field, now there is a chance for you to be involved in the Apache Web Server Documentation Project which started in July 2000. Apache Today brings you an article about this subproject and shows you how your effort could improve the documentation of the most popular open-source HTTP server.

In August 2000 (Apache Week issue 212), we mentioned that the biggest new feature in Apache 2.0 alpha 6 is initial support for filtering. Now that the Apache developers have designed and written some filters for Apache 2.0, Ryan Bloom explains in his new "Filtering I/O in Apache 2.0" series how it works, how modules can make use of it, and the basic concepts for writing filters.

Since its inception in May 2000, the Developer Shed's continuing Perl 101 series has finally moved beyond writing basic Perl programs to writing CGI scripts in Perl. It starts off with an explanation of the hash variable (a variable whose name begins with a % symbol). Movie buffs will simply love the given examples.