Apache Week
   
   Issue 323, 21st March 2003:  

Copyright 1996-2005
Red Hat, Inc.

In this issue


Under development

There was some discussion this week about developing a new module which would ease some of the pains of mass virtual hosting environment using Apache. Currently, the mod_vhost_alias module can be used to implement a simple form of mass-vhosting, though it provides little assistance for storing per-vhost configuration. A commonly requested Apache enhancement is the ability to pull configuration data from an LDAP database; whilst this approach seems attractive developers have pointed out that it introduces some significant complications, such as how to cope with the database being inaccessible when Apache is restarted. Another approach suggested has been to develop a tool which can output normal Apache configurations files from structured data in an LDAP database.

A new stable 2.0 release (2.0.45) is slowly inching closer, as bug fixes committed to the httpd-2.1 unstable tree have continued to be back-ported to the stable 2.0 tree in a regular fashion.

The set of modules enabled by default in Apache received some attention this week as a proposal was made to not build mod_imap (and possibly mod_asis) unless requested. There was general agreement that the default module list could be trimmed in the unstable 2.1 tree, but should remain intact for future 2.0 releases to avoid surprising users.


Security Reports

More OpenSSL vulnerabilities

Exactly a month ago, in Apache Week issue 321, we reported on a timing-based attack on OpenSSL, (CAN-2003-0078). In the last couple of weeks two new attacks to OpenSSL have been publicised:

OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on the number of extra reductions during Montgomery reduction, and the use of different integer multiplication algorithms ("Karatsuba" and normal). The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0147 to this issue.

The SSL and TLS components for OpenSSL allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, also known as the "Klima-Pokorny-Rosa attack." The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0131 to this issue.

All three OpenSSL vulnerabilities this year are significantly difficult to exploit in production environments, and all have mitigating factors reducing their impact. Whilst we advise all users of Apache that uses OpenSSL to upgrade to new versions of OpenSSL this certainly isn't a critical vulnerability that requires immediate attention. But, as with all security vulnerabilities, you need to make your own risk assessment based on your individual circumstances.


Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

"Multiuser Subversion" shows you how to build and configure Apache 2 with the mod_dav_svn module. After doing this, you will have a Subversion server that will respond to common HTTP and WebDAV (read-only) clients via the network.

WebReference.com continues with the second part of an excerpt from "Chapter 5: Authentication" of "Apache: The Definitive Guide, 3rd Edition", courtesy of O'Reilly. It covers the Order, Allow, and Deny directives, and also the directives provided by the mod_auth_dbm module.

This brief tutorial entitled "Verify a User's Email Address Using PHP" ensures that the email addresses you ask for actually correspond to real email domains. It does this by using the PHP's checkdnsrr function on non-Windows platform and provides the code for a Windows version of the function.


This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan
Comments or criticisms? Please email us at editors@apacheweek.com