Issue 300, 28th June 2002:

Apache Week 300 giveaway

It's our 300th edition and our colleagues at Wrox Press have given us two copies of their book "Professional Apache 2.0" to give away to help us celebrate. It seems like only 100 issues ago that we were running a competition to give away the book on which this is based, "Professional Apache".

Written by Apache Week reader and space tourism evangelist Peter Wainwright, the book covers all aspects of serving web sites using the Apache 2.0 web server. The target audience of this book is experienced Apache users and web server administrators who are using Apache for the first time. It requires you to have a fundamental knowledge of the Web, operating systems, and network configuration although the first chapter revisits the basics of networking, HTTP, and how Apache works. Overall this is a comprehensive book for users interested in the Apache web server in general and for those intending to set up a secure Apache web server.

For a chance to get your hands on a copy of the book, answer this simple question:

Which one of the following is the name of the security group that posted the first working exploit for the Apache chunked encoding vulnerability?

Send your answer to googles@apacheweek.com to reach us no later than July 10th 2002. Your email address will not be used for anything other than to let you know if you won. Two winners will be drawn at random from all correct entries submitted; books will be dispatched direct by Wrox Press. One entry per person, no cash alternative, editors' decision is final, so there.

That's not all. We've kept a copy for ourselves and have written a comprehensive review all about it.

Security Reports

Last week we covered the details of the chunked encoding vulnerability. We had said that although the issue was remotely exploitable it could not be exploited on 32-bit platforms. This was proven wrong shortly after publication when security team GOBBLES published an exploit for OpenBSD and mentioned that exploits were possible for other platforms. This prompted the Apache Software Foundation to update the Official Security Advisory.

We therefore strongly suggest that all users of Apache update their distributions to 1.3.26 or 2.0.39 or apply this patch to existing installations.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2002-0392 to this issue.
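As an added example (not part of the original issue or of the Apache project's code), here is a small audit helper that reads the version string Apache prints for `httpd -v`, or the `Server:` response header, and reports whether a build predates the fixed releases named above, 1.3.26 and 2.0.39, for CVE-2002-0392. The sample banners are constructed; the regular expression and the branch table are this example's own assumptions.

```python
"""Flag Apache builds still exposed to CVE-2002-0392 (the chunked encoding bug).

Fixed releases per the advisory quoted on this page: 1.3.26 on the 1.3 branch
and 2.0.39 on the 2.0 branch. Versions are read from text such as
"Server version: Apache/1.3.24 (Unix)" (output of `httpd -v`) or a
"Server:" header. Caveat: vendors sometimes backport a fix without bumping
the version string, so a banner check is a triage heuristic; confirm against
the package change log or by running `httpd -v` on the host itself.
"""
import re
from typing import Optional, Tuple

# Branch (major, minor) -> first release that carries the fix.
FIXED = {(1, 3): (1, 3, 26), (2, 0): (2, 0, 39)}

VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")

# Constructed sample banners, not captured from any real host.
SAMPLE_BANNERS = [
    "Server version: Apache/1.3.24 (Unix)",
    "Server: Apache/2.0.39 (Unix)",
    "Server: Apache",  # ServerTokens Prod hides the version entirely
]


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an Apache banner, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version predates the fixed release for its branch, False if
    at or past the fix, None if undetermined (no version, or a branch the
    advisory text on this page does not cover)."""
    version = parse_version(text)
    if version is None:
        return None
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return None
    return version < fixed  # tuple comparison orders (major, minor, patch)


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r}: vulnerable={is_vulnerable(banner)}")
```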

In the News

The security issue got a fair amount of media coverage, and after one week, there are still many new articles about the Apache chunked encoding vulnerability:

O'Reilly Open Source Convention 2002

San Diego, California plays host to this key conference between July 22nd and 26th, and brings together the leaders of all the critical open source technologies - including Apache - to give you an inside look at how to configure, optimise, code, and manage them.

This year's event looks pretty exciting for Apache users as it includes a whole conference dedicated to PHP (including a look at PHP 4.1 and Beyond), a track on Apache 2.0, and a keynote presentation "Open Source and Java: Lessons from the Apache Experience". It is expected that a large number of Apache Software Foundation members will be attending, so be sure to look out for them and invite them out for dinner or buy them beer.

Register now or find out more at the conference web site. Read our in-depth account of the 2001 Convention which proves this is certainly a conference you cannot afford to miss.

In an interview with SearchWebManagement, Ryan Bloom, a core developer of Apache 2.0, dissects the subject of Apache vs IIS and opens a window into his thoughts about the advantages of Apache over IIS. He also attempts to explain why some web server administrators chose IIS over Apache.

"Customizing Apache for maximum performance" is a Linux-based tutorial on how to fine-tune the operating system and Apache for optimum performance. You'll need to register as well as enable JavaScript on your browser to be able to access this tutorial.

In conjunction with gifting the Web Service Invocation Framework (WSIF) to the Apache Software Foundation, IBM provides this article entitled "Applying the Web services invocation framework" to explain what WSIF is all about. It is a Java API that enables developers to create Web services independent of SOAP.

