Earlier this week it was found that PHP 4.2.0 and 4.2.1 allow
remote attackers to cause a denial of service and possibly execute
arbitrary code via an HTTP POST request with certain arguments
in a multipart/form-data form, which generates an error condition that is
not properly handled and causes improper memory to be freed. Earlier
versions of PHP are not affected. For more information
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0717 to this issue.
There was discussion on the development list this week about what
configuration files "make install" should install if
installing over an existing Apache installation; the main issue
concerning whether the reference "-std.conf" files should be installed
alongside existing configuration files.
Preparations for an Apache 2.0.40 are underway, with the CVS tree
being tagged, and tarballs prepared for testing by developers. As
usual, the live server at apache.org is
already running the new code.
A frequently asked question on the mailing lists is why any Apache
server will process a request with a URI such as
http://www.yahoo.com/; often an administrator will notice
such requests in the access log with a "200" response code, and worry
that the server is being used as a proxy. The answer is simply that
if the hostname used in the request URI does not match any of the
configured virtual hosts, the default vhost configuration is used to
serve the request; no proxying takes place regardless of the hostname
used, unless Apache is specifically configured as a proxy server.
Paul Weinstein took time out after giving his presentation on Apache
and SSL to report for Apache Week on the main news of the O'Reilly Open Source
Conference. Interesting keynotes included the well-matched
pair Lawrence Lessing, a vigilant
defender of freedom of content, and Richard Stallman, a vigilant defender of
freedom of software. Read the Apache Week
feature from the first day of the conference
Earlier this month a
a new beta of Red Hat Linux was announced. What makes this release
interesting is that it includes by default
Apache 2.0 along with a number of modules that
work with the 2.0 infrastructure. Apache 1.3 is not included in the
release. Netcraft found
this month that the adoption of Apache 2.0 is happening a lot slower than
expected, fewer than 50,000 sites have switched.
The inclusion of Apache 2.0 by default in a mainstream operating
system should help prove whether or not it is ready for primetime.
At the O'Reilly Open Source Conference this week
a new module, mod_asp.net for Apache 2.0 on Windows.
The module provides integration of ASP.NET applications into
the Apache server framework. The module is only available as part of
Covalent's Enterprise Ready Server which is based on Apache and is not
In this section we highlight some of the articles on the web that are of
interest to Apache users.
Pier Fumagalli who actively codes for the Apache Jakarta and
HTTPD/APR projects reveals how the VNU news web site running on the
Apache Web server and Tomcat has been designed to handle high loads
"Web Development in Heavy Traffic".
The tricks are to let another instance of Apache handles all the static
traffic, cache articles in the servlet container itself, and execute each
application in a different container in a different Java Virtual Machine.
UnixReview.com looks at
two tools for benchmarking web sites
and shows us how to use them. First
run to gather a list of URLs into a file. Then
will use this file to bombard a web server with requests from
concurrent simulated users to stress test it.
"Building XML Portals with Cocoon"
explores the Cocoon portal and authentication frameworks, and
provides a few examples on how to use them. You need to be familiar
with the basic Cocoon concepts before reading this.
There is a new kid in town - a Java-based open-source Apache GUI
for yourself and decide whether it is as loony as it sounds.
"Apache and SSL"
was presented by Paul Weinstein at the 2002 O'Reilly Open Source
Conference recently. It introduces the basic concepts and configuration
of Apache and SSL, and is also available to be downloaded as a