At the end of last week the Apache Software Foundation issued
advisory about a major security flaw found in Apache 2.0 releases
on non-Unix platforms. Full information about the vulnerability was
not given in the advisory but it is believed that an exploit
would allow a remote attacker to access or run arbitrary files. More
information about the vulnerability is expected in the upcoming weeks,
until then all users of Apache 2.0 on non-Unix platforms are advised
to implement the work-around given in the advisory or to upgrade to
Apache 2.0.40 which was released last Friday.
Apache 2.0.40 also contains fixes for two minor path-revealing
exposures. Under certain conditions it is possible for a remote attacker
to find out the full path details of particular documents. Whilst this
in itself doesn't enable a remote attacker to exploit a system, it does provide
them with information that might be useful if they can exploit
some other flaws in Apache or the operating system.
At the last moment before 2.0.40 was released a check was added
to stop Apache building with versions of OpenSSL prior to 0.9.6e.
This check was flawed and will cause Apache 2.0.40 to not build
with versions of OpenSSL 0.9.7 or later. This check will also
cause problems for people wanting to link against versions of OpenSSL
distributed by some OS vendors who have backported the security fixes
to previous versions of OpenSSL without moving to the new version. The
next release of Apache will correct this behaviour and just warn users who try
to link against older versions of OpenSSL.
Apache 2.0.40 was released on 9th August 2002 and is now
the latest version of the Apache server. This is the fourth stable
release of Apache 2.0, following up on 2.0.39 which was released on
18th June 2002. Read our special
feature for more information about the history of Apache
Apache 2.0.40 is available in source form for compiling on Unix or
Windows, for download from the main Apache site or from
any mirror download
This is a security, bug fix and minor upgrade release.
Due to security issues, any sites using versions of Apache 2
on Unix prior to
Apache 2.0.39 should upgrade to Apache 2.0.40. Sites using
any versions of Apache 2 on other platforms should upgrade to
The new features in this release (added since 2.0.39) are:
mod_rewrite can now set cookies using the CO extension
- Performance improvements for the code that reads request
- Proxy FTP now works over IPv6
- Changes to the internationalized error documents; they are no longer
included by default in the sample configuration file.
- Add a new directive, MaxMemFree.
MaxMemFree makes it possible
to configure the maximum amount of memory a particular
child's allocator will
hold on to for reuse. This directive is useful when uncommon large
peaks occur in memory usage.
- Support the -w flag on to keep the Win32 console open
- Add the ability to enable or disable a filter via
an environment variable.
- Apache on Netware will now pull requests off of the
listen queue as fast as winsock will allow without latency introduced by the
- During installation Apache will preserve existing installation
directories. Binaries, the build directory, the headers, and the man
pages are all copied. Everything else, the config, htdocs, manual,
error, icons, and cgi directories are not installed if the directories
The bugs fixed in this release include:
- Fix a long-standing bug in 2.0, CGI scripts were being called
with relative paths instead of absolute paths. Apache 1.3 used
absolute paths for everything except for SuExec, this brings back
- Restore the ability to specify host names on Listen directives.
- Accept multiple leading /'s for requests within the DocumentRoot.
- Fixed a mod_include error case in which no HTTP
response was sent to the client if an shtml document contained an
unterminated SSI directive
- Prevent infinite recursion if an ErrorDocument
gets an error
- Fix segfault in mod_mem_cache most frequently observed when
serving the same file to multiple clients on an multi-processor machine
- Various fixes to the experimental module mod_ext_filter
including: Look in the main server for
filter definitions when running in a vhost if the filter definition is
not found in the vhost, BZ#10147.
Fix a segmentation fault if the content-type was not set,
BZ#10617, and ignore any content-type parameters when checking if
the response should be filtered.
- Fix infinite loop due to two HTTP_IN filters being present for
internally redirected requests. BZ#10146
- Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
scripts would not result in a truncated response.
- Fix proxy so that it is possible to access ftp: URLs via a proxy
- Fix perchild to work with apachectl by adding -k support to perchild.
- Fix the long-standing bug in ab where
ab -t10 would loop for 10000 seconds
instead of 10 as documented. Also fix an off-by-one-second error
- Fixed parsing of strings to longs which allows HTTPD to deal
with larger files correctly
mod-deflate now checks to make sure that
'gzip-only-text/html' is set so that BrowserMatch
can be used to control the module
- Add a filter_init parameter to the filter registration functions
so that a filter can execute arbitrary code before the handlers
are invoked. This resolves a problem where mod_include requests
would incorrectly return a 304. BZ#9673
- A problem with the keepalive enumeration caused problems
when mod_dav sends error responses
- Various minor fixes to the htpasswd utility including
The following platform-specific changes have been made:
- Solved the reports of .pdf byterange failures on Win32.
- Support WinNT CGI invocation through
'registry' for script interpreter paths and names with non-ascii
characters in the executable filepath
- Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
extended characters (non US-ASCII) in non-utf8 format. This brings
Win32 back into CGI/1.1 compliance, and leaves charset decoding up
to the cgi application itself
- When deciding on the default address family for listening sockets,
make sure we can actually bind to an AF_INET6 socket before
deciding that we should default to AF_INET6. This fixes a startup
problem on certain levels of OpenUNIX. BZ#10235
In this section we highlight some of the articles on the web that are of
interest to Apache users.
The Robert Frances Group take a look at the
Total Cost of Ownership for Linux in the Enterprise (PDF, 48k), comparing Linux
using Apache with Microsoft Windows using IIS and Solaris using Apache. The
study of fourteen mid- to large-sized enterprises showed Linux with
Apache was the least expensive platform to deploy and operate.
"What You Get Is What You See",
Jim Jagielski looks at a few important areas which may affect the
performance of your Web site. Among them are the design of Web
infrastructures and authentication processes. He also touches on how
SNMP monitoring could be implemented to obtain real-time
information on the health of your Web site. One SNMP solution
for the Apache Web server is the open source
O'Reilly OnJava.com introduces log4j, the new
logging tool in the Jakarta Apache project and shows you how to
build flexible logs with it.
It goes through the concepts of the tool and provides examples
using a Web-based application.
"Run PHP-GTK and PHP-Apache on Win32"
is meant for Windows users who have difficulty in getting PHP-GTK to
work on their platform. It reveals the two main reasons that may
cause it to fail and leads you back onto the correct path.
Here's a review of
"XML and PHP"
on the Developer Shed. The conclusion is that it is a good reference guide for beginners
in the two subjects.