A large discussion was sparked off this week by a report that in
recent 2.0 releases (including 2.0.40), responses produced by
mod_cgi and mod_proxy are being
buffered in memory. Previous 2.0 releases up to 2.0.32 as well
as Apache 1.3 stream these responses directly to the client.
The culprit was found to be the "content length" filter, but whilst
fixing this problem, deeper issues with counting the number of bytes
in a response (for logging purposes) were unearthed, and a patch
is yet to be checked in.
An obscure browser bug was tracked down recently in the handling of
the content character set over an HTTP redirect. When an HTTP
redirect response is received by a browser (for instance, with the
302 status code), it must then make a second request to
retrieve the actual content to display to the user. Both responses
can include a Content-Type header, both of which may
include a "charset" value indicating the character set in which the
response is encoded (for example "ISO-8859-1" or "UTF-8").
Version 4 of Netscape Navigator was discovered to use the character
set indicated by the first response (the redirect) when
displaying the content of the second, even if a different
character set was specified in the second response. This bug was
triggered for any redirects generated internally by Apache since these
would include the default character set of ISO-8859-1. A workaround
for the problem was committed to the 1.3 tree by adding a new
environment variable suppress-error-charset, which can be
used in a BrowserMatch statement to suppress
the character set on redirect responses (in which case Netscape will
display the content correctly using the character set from the second
At the beginning of August a number
of vulnerabilities were found during an audit of the OpenSSL library,
commonly used to provide SSL support to Apache. Some of these
issues were also found to
affect the BSAFE SSL library from RSA Security. The SSL-C library
from RSA was based on SSLeay, the same open source library that
was used to form the OpenSSL project.
Yesterday, RSA made patches available to their customers for
these issues. Apache vendors who use the RSA libraries include Covalent, who
provide updated SSL modules to their customers next week.
It has been a couple of months since we last reported on new
figures from the Netcraft
survey of web sites. Overall there has been little change from
month to month. In their August 2002 survey, Netcraft
found that Apache and servers
based on Apache have over 65% market share, up considerably over
last month due mostly to register.com. Netcraft also look at
what sites have upgraded their versions of Apache:
Almost half of the 22 million Apache HTTP sites found by the survey
are running Apache/1.3.26, whilst only around a quarter of the Apache
SSL sites are running this version, which fixes the chunked encoding
However this information alone doesn't give the number of sites actually
vulnerable to the recent security issues as a large number of sites simply
apply patches for issues rather than upgrading to new versions.
This is often the case for versions of Apache supplied by vendors
such as Red Hat who, for compatibility reasons,
often release errata packages based on older
versions of Apache but with security fixes applied.
At a recent board meeting the ASF decided to elect a new chairman and
president as the same directors have served in those roles for the
last three years.
Greg Stein replaces
Roy Fielding as Chairman, and
Dirk-Willem van Gulik replaces
Brian Behlendorf as President.
Both Roy and Brian remain as directors.
Last week, PC Week posted
an article about the recent
Apache 2.0.40 security issues.
They mention that one of the flaws (CAN-2002-0654)
"...can be used to gather information about an individual
Apache Web server, such as who owns it, what operating system it is
running on, names of files stored on the server, where it is
However this is not correct, the flaw simply allows a remote user to
find out the full pathname of a document on the server. So, for
example, you might find out that the
www.example.com/test.var was actually located at
In this section we highlight some of the articles on the web that are of
interest to Apache users.
"Will Apache 3.0 Sport Asynchronous I/O?"
examines the possibility of Apache providing support for asynchronous
I/O by quoting the views of several Apache developers. It touches on
the benefits of this feature, how it may be implemented, and some
speculations on when it may be available.
O'Reilly Mac DevCenter shows you how to
integrate Tomcat with Apache
via the mod_jk module on Mac OS X. This is a
step-by-step guide on building the mod_jk module
from source, installing and configuring it for Tomcat 4.0.4, and
verifying that it works. If all goes well, your Mac can now be used to
serve JSP and servlet applications.
Michael Galloway provides a solution for serving Web sites using
multiple builds of PHP with one instance of Apache in
"How to setup multiple PHP builds on the same server". His solution
is to run PHP using the CGI interface and not as an Apache module. Then the
AddHandler and Action
directives in the httpd.conf file are configured accordingly so that any
file ending with a ".php" extension will be executed as
a PHP script.