Apache Week

Issue 318, 10th January 2003

Copyright 1996-2005
Red Hat, Inc.

In this issue


Apache 2002 Review

It's that time of year when you look back over the events of the last 12 months and wonder just what you spent all your time doing and why you didn't get around to redecorating the spare bedroom. As this is the first issue of Apache Week for 2003 we thought we'd give you a mini review of 2002.

  • Under Development: April saw the launch of the first general availability release of Apache 2.0 with a few subsequent minor releases for security and bug fixes. Apache 2.0.43 was released in October and remains the most recent release of 2.0. Internally, development has now split into a "stable" 2.0 branch, and a "development" branch, labelled 2.1.

    Most of the developers have spent the year focused on Apache 2.0, but a number of new 1.3 releases were made: Apache 1.3.23, which added HTTP/1.1 support to mod_proxy; Apache 1.3.24, to fix a security flaw affecting Windows; Apache 1.3.26, to fix the chunked encoding security vulnerability; and Apache 1.3.27, to fix some other minor vulnerabilities.

    A benchmark of Apache 2.0 in April found that, on Windows, Apache 2.0 kept pace with Microsoft IIS during the entire test with little performance difference.
  • Conferences: After a long break, the Apache group found a new conference management company and organised ApacheCon US 2002 held in Las Vegas in November. Although the conference was less extravagant than the previous ApacheCon conferences, the quality of the sessions and speakers was as impressive as ever. The O'Reilly Open Source Convention also had a large Apache presence.
  • Security: A couple of major security vulnerabilities were found in Apache this year. The first can allow remote attackers to cause denial of service by sending an invalid chunk-encoded request. The issue could also lead to remote code execution on some BSD or 64-bit platforms. The second affects only Apache 2.0 on Windows platforms and could allow remote attackers to execute commands, CAN-2002-0661. A few other minor vulnerabilities were found throughout the year, but none of them were particularly serious. Here is the complete list of vulnerabilities affecting Apache in 2002:

    In addition to vulnerabilities directly affecting Apache httpd, a few issues were found in software that is commonly used with Apache. Some of these are serious issues. These included:

    All administrators should check their systems to make sure that Apache and all the supporting components being used have either been updated to the most recent releases, or to releases that contain back-ported patches to fix the security issues.
  • Surveys: Netcraft's survey shows the total number of Apache-based servers rising only slightly, from 21 million in January to 22 million in November, while Apache's market share continued to rise, moving from 56% to end the year at 62%. Netcraft also found that 97% of SSL sites that had valid third party certificates were capable of using strong encryption. This percentage has increased dramatically since the expiration of the RSA patent and the relaxation of US export controls; in September 2000 only 79% of sites were capable of strong encryption.

    At a conference, Marcus Sachs, a director of the White House cyber-security office, said that "nearly one-third of all government Web sites use Apache... The number of military Web sites using it is 22 percent, second to Microsoft's server software, but military use of Apache is growing rapidly."
  • People: A few role changes in the Apache Software Foundation as Greg Stein replaced Roy Fielding as Chairman, and Dirk-Willem van Gulik replaced Brian Behlendorf as President. Also Ryan Bloom decided to leave the HTTP development team after having a defining role in the creation of Apache 2.0.

Under development

The stable Apache 2.0 tree was tagged this week to prepare for a 2.0.44 release; the new snapshot was installed on the live server at apache.org to give it the usual exposure. The release process stalled again when binary compatibility issues arose: the new 2.0.44 release is intended to be compatible with binary modules compiled against 2.0.43, but some changes have been made in the APR portability library which break compatibility. Several solutions are under discussion.

After a report that the in-memory cache module mod_mem_cache (added in Apache 2.0) was not reliable under high load there was some interesting discussion about when it is appropriate to use this module; Brian Pane gave a summary of why mod_mem_cache is likely to be less useful for caching large files.


Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

"Setting Up Your Own Web Server" explains why it is better for companies to install their own web servers instead of using web hosting services provided by ISPs. Then it gives an overview of how to set up your own web server using Linux and the Apache web server.

In the October 2002 issue of Linux Magazine, the article entitled "Getting a Handle on Traffic" shows you how to configure Apache to log every request into a MySQL database in addition to your access_log files by using mod_log_sql. After that, you would be able to obtain real-time statistics by just writing the appropriate SQL queries to analyse your database. Initially you may need to refer to the four examples given if you are not familiar with SQL queries.
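As an added illustration of the approach the article describes (this is not code from the article or from the mod_log_sql project), the queries below analyse a request log held in a database table. The table layout, the table name, and the sample rows are all constructed for this example; mod_log_sql's own default schema may use different column names, so adjust them to match your installation. The queries are written for MySQL.

```sql
-- Constructed example table, loosely modelled on a per-request access log.
-- Column names are assumptions for this example, not mod_log_sql's schema.
CREATE TABLE access_log (
    id            INT AUTO_INCREMENT PRIMARY KEY,
    time_stamp    INT NOT NULL,          -- request time as Unix seconds
    remote_host   VARCHAR(64) NOT NULL,  -- client address
    request_method VARCHAR(8) NOT NULL,
    request_uri   VARCHAR(255) NOT NULL,
    status        SMALLINT NOT NULL,     -- HTTP response status
    bytes_sent    INT NOT NULL
);

-- Constructed sample data: eight requests within a two-minute window.
INSERT INTO access_log (time_stamp, remote_host, request_method, request_uri, status, bytes_sent) VALUES
    (1042200000, '192.0.2.10', 'GET', '/index.html',        200, 5120),
    (1042200005, '192.0.2.10', 'GET', '/images/logo.gif',   200, 2048),
    (1042200012, '192.0.2.20', 'GET', '/index.html',        200, 5120),
    (1042200030, '198.51.100.7', 'GET', '/admin/',          404,  312),
    (1042200031, '198.51.100.7', 'GET', '/cgi-bin/test.cgi', 404, 312),
    (1042200032, '198.51.100.7', 'GET', '/scripts/',        404,  312),
    (1042200075, '192.0.2.20', 'POST', '/cgi-bin/form.cgi', 500,  640),
    (1042200090, '192.0.2.30', 'GET', '/index.html',        200, 5120);

-- 1. Traffic per minute: request count and bytes served, newest first.
--    FLOOR(time_stamp / 60) * 60 rounds each timestamp down to its minute.
SELECT FROM_UNIXTIME(FLOOR(time_stamp / 60) * 60) AS minute_start,
       COUNT(*)         AS requests,
       SUM(bytes_sent)  AS bytes
FROM   access_log
GROUP  BY FLOOR(time_stamp / 60)
ORDER  BY minute_start DESC;

-- 2. Distribution of response status codes over the whole table.
SELECT status, COUNT(*) AS requests
FROM   access_log
GROUP  BY status
ORDER  BY requests DESC;

-- 3. Most requested URIs (successful responses only).
SELECT request_uri, COUNT(*) AS hits
FROM   access_log
WHERE  status = 200
GROUP  BY request_uri
ORDER  BY hits DESC
LIMIT  10;

-- 4. Clients producing the most error responses in the last hour relative to
--    the newest logged request. A single client generating many 4xx responses
--    for non-existent paths is worth reviewing; in the sample data this
--    query returns 198.51.100.7 with three 404s.
SELECT remote_host,
       SUM(status BETWEEN 400 AND 499) AS client_errors,
       SUM(status BETWEEN 500 AND 599) AS server_errors
FROM   access_log
WHERE  time_stamp >= (SELECT MAX(time_stamp) FROM access_log) - 3600
GROUP  BY remote_host
HAVING client_errors > 0 OR server_errors > 0
ORDER  BY client_errors DESC, server_errors DESC;
```

Because these are ordinary SQL statements they can be run from any MySQL client against a table populated by the logging module, and query 1 will reflect requests as soon as they are written, which is what makes the "real-time statistics" of the article possible without re-parsing access_log files.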

Peter Laurie tells the story behind "Apache: The Definitive Guide, 3rd Edition". Read it to discover what changes have been made and the reasons behind them. A sample chapter from the book, chapter 11 (Security), is now available online in PDF format.

ZDNet introduces four Apache XML projects in "Learn about these four Apache XML tools". A short description is provided for each project with a reference URL to get more information. Do AxKit, Forrest, Xang, and Xindice ring a bell?


Apache Week giveaway

Congratulations to the lucky winner of our last book competition, Nick Urbanik in Hong Kong - your books will be in the post.

Read the Apache Week review of "Linux Apache Web Server Administration" as well as two other books from this series, and look out for more book competitions and reviews of Apache related books coming soon.


This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan
Comments or criticisms? Please email us at editors@apacheweek.com