A large discussion was sparked off this week by a report that in recent 2.0 releases (including 2.0.40), responses produced by mod_cgi and mod_proxy are being buffered in memory. Previous 2.0 releases up to 2.0.32 as well as Apache 1.3 stream these responses directly to the client. The culprit was found to be the "content length" filter, but whilst fixing this problem, deeper issues with counting the number of bytes in a response (for logging purposes) were unearthed, and a patch is yet to be checked in.

An obscure browser bug was tracked down recently in the handling of the content character set over an HTTP redirect. When an HTTP redirect response is received by a browser (for instance, with the 302 status code), it must then make a second request to retrieve the actual content to display to the user. Both responses can include a Content-Type header, both of which may include a "charset" value indicating the character set in which the response is encoded (for example "ISO-8859-1" or "UTF-8").

Version 4 of Netscape Navigator was discovered to use the character set indicated by the first response (the redirect) when displaying the content of the second, even if a different character set was specified in the second response. This bug was triggered for any redirects generated internally by Apache since these would include the default character set of ISO-8859-1. A workaround for the problem was committed to the 1.3 tree by adding a new environment variable suppress-error-charset, which can be used in a BrowserMatch statement to suppress the character set on redirect responses (in which case Netscape will display the content correctly using the character set from the second response).
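
As an added example (not taken from the article or the Apache tree), the following httpd.conf fragment applies the 1.3 workaround described above; the User-Agent pattern, hostname and file names are assumptions.

```apache
# Added example: applying suppress-error-charset in Apache 1.3.
# The User-Agent pattern is an assumption. Netscape 4 identifies itself
# as "Mozilla/4.7x [en] (...)", whereas MSIE sends
# "Mozilla/4.0 (compatible; MSIE ...)", so requiring the language tag in
# square brackets keeps the variable from being set for other browsers.
BrowserMatch "^Mozilla/4\.[0-9]+ \[" suppress-error-charset

# With the variable set, the short HTML body Apache attaches to this
# redirect is sent without "charset=iso-8859-1" in its Content-Type, so
# Netscape 4 falls back to the charset of the page it is redirected to
# (labelled UTF-8 through the .utf8 extension) instead of the redirect's.
Redirect permanent /guide/old.html http://www.example.com/guide/index.html.utf8
AddCharset UTF-8 .utf8
```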

OpenSSL flaws also affect commercial crypto libraries

At the beginning of August a number of vulnerabilities were found during an audit of the OpenSSL library, commonly used to provide SSL support to Apache. Some of these issues were also found to affect the BSAFE SSL library from RSA Security. The SSL-C library from RSA was based on SSLeay, the same open source library that was used to form the OpenSSL project. Yesterday, RSA made patches available to their customers for these issues. Apache vendors who use the RSA libraries include Covalent, who expect to provide updated SSL modules to their customers next week.

Updated Apache surveys

It has been a couple of months since we last reported on new figures from the Netcraft survey of web sites. Overall there has been little change from month to month. In their August 2002 survey, Netcraft found that Apache and servers based on Apache have over 65% market share, up considerably over last month due mostly to register.com. Netcraft also look at what sites have upgraded their versions of Apache:

Almost half of the 22 million Apache HTTP sites found by the survey are running Apache/1.3.26, whilst only around a quarter of the Apache SSL sites are running this version, which fixes the chunked encoding vulnerability.
However, this information alone doesn't give the number of sites actually vulnerable to the recent security issues, as a large number of sites simply apply patches for issues rather than upgrading to new versions. This is often the case for versions of Apache supplied by vendors such as Red Hat who, for compatibility reasons, often release errata packages based on older versions of Apache but with security fixes applied.

Apache Software Foundation gets new Chairperson

At a recent board meeting the ASF decided to elect a new chairman and president as the same directors have served in those roles for the last three years. Greg Stein replaces Roy Fielding as Chairman, and Dirk-Willem van Gulik replaces Brian Behlendorf as President. Both Roy and Brian remain as directors.

PC Week get confused about Apache Security issue

Last week, PC Week posted an article about the recent Apache 2.0.40 security issues. They mention that one of the flaws (CAN-2002-0654)

"...can be used to gather information about an individual Apache Web server, such as who owns it, what operating system it is running on, names of files stored on the server, where it is physically located..."
However, this is not correct: the flaw simply allows a remote user to find out the full pathname of a document on the server. So, for example, you might find out that www.example.com/test.var was actually located at c:\winapps\apache\htdocs\test.var.

"Will Apache 3.0 Sport Asynchronous I/O?" examines the possibility of Apache providing support for asynchronous I/O by quoting the views of several Apache developers. It touches on the benefits of this feature, how it may be implemented, and some speculations on when it may be available.

O'Reilly Mac DevCenter shows you how to integrate Tomcat with Apache via the mod_jk module on Mac OS X. This is a step-by-step guide on building the mod_jk module from source, installing and configuring it for Tomcat 4.0.4, and verifying that it works. If all goes well, your Mac can now be used to serve JSP and servlet applications.

Michael Galloway provides a solution for serving Web sites using multiple builds of PHP with one instance of Apache in "How to setup multiple PHP builds on the same server". His solution is to run PHP using the CGI interface and not as an Apache module. Then the AddHandler and Action directives in the httpd.conf file are configured accordingly so that any file ending with a ".php" extension will be executed as a PHP script.
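
As an added example (not Michael Galloway's own configuration), this httpd.conf fragment shows the technique with two PHP CGI builds under one Apache instance; the install paths and document tree are assumptions.

```apache
# Added example: two PHP builds run as CGI from one Apache instance.
# Each php CGI binary is reachable only through its own ScriptAlias, so
# nothing outside these two directories can be executed as a CGI.
# Paths are assumptions.
ScriptAlias /php4-cgi/ "/usr/local/php4/bin/"
ScriptAlias /php3-cgi/ "/usr/local/php3/bin/"

# Action maps a handler name to the CGI program that processes the
# request. Apache hands the requested file over in PATH_TRANSLATED and
# sets REDIRECT_STATUS, which PHP's CGI build requires by default
# (cgi.force_redirect in PHP 4) before it will run a script passed to it;
# a direct request for /php4-cgi/php?/etc/passwd is therefore refused.
Action php4-script /php4-cgi/php
Action php3-script /php3-cgi/php

# By default every .php file is executed by the PHP 4 build ...
AddHandler php4-script .php

# ... except under the legacy tree, which stays on PHP 3.
<Directory "/var/www/legacy">
    AddHandler php3-script .php
</Directory>
```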

