Apache Week
   
Issue 325, 11th April 2003

Copyright 1996-2005
Red Hat, Inc.

Under development

Few new bugs have been found in the 2.0.45 release so far; a problem with the --enable-layout flag broke a few builds, for which Jeff Trawick quickly posted a patch. The 2.0.45 release is the first to be based on the stable branch of the 2.0 tree under the new dual-branch strategy adopted for 2.0 development in January this year. The strategy appears to be working well, with the development of new features on the "unstable" branch continuing alongside efforts to further stabilise the server.


Security Reports

Last week we reported on the release of Apache 2.0.45, which contained a fix for an undisclosed security vulnerability, CAN-2003-0132.

iDefense released an advisory which explains the details of the vulnerability. A remote attacker can send requests with a large number of linefeed characters, causing a large amount of memory to be allocated by Apache and resulting in denial of service.

The fix for this issue was to limit the number of blank lines that Apache would accept to 100, and this fix was incorporated into Apache 2.0.45.

All users of Apache 2 should upgrade to Apache 2.0.45 or use a backported fix for this issue. An example exploit for this issue has already been released.
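
The blank-line limit described above, sketched in C as an added example (this is not Apache's code or the 2.0.45 patch). The names skip_blank_lines, make_input, the status codes and the sample request are assumptions made for illustration; the parser counts blank lines in a buffer it already holds and stops once the count passes 100.

```c
#include <stdio.h>
#include <string.h>
#define MAX_BLANK_LINES 100  /* limit stated in the article */
enum rl_status { RL_OK, RL_INCOMPLETE, RL_TOO_MANY_BLANKS };

/* Hypothetical helper: skip blank lines (LF or CRLF) ahead of a request line.
 * Only a counter grows per blank line, so memory use stays constant. */
static enum rl_status skip_blank_lines(const char *buf, size_t len,
                                       size_t *start, size_t *blanks)
{
    size_t i = 0;
    *blanks = 0;
    while (i < len && (buf[i] == '\n' || buf[i] == '\r')) {
        if (buf[i] == '\r') {
            if (i + 1 == len) return RL_INCOMPLETE; /* CR at end: need more data */
            if (buf[i + 1] != '\n') break;          /* bare CR is not a blank line */
            i++;
        }
        i++;
        if (++*blanks > MAX_BLANK_LINES) return RL_TOO_MANY_BLANKS; /* reject */
    }
    if (i == len) return RL_INCOMPLETE;             /* only blank lines so far */
    *start = i;                                     /* request line begins here */
    return RL_OK;
}

/* Constructed sample input: n_blank CRLF pairs followed by tail. */
static size_t make_input(char *out, size_t cap, size_t n_blank, const char *tail)
{
    size_t pos = 0, tlen = strlen(tail);
    if (n_blank * 2 + tlen > cap) return 0;
    while (n_blank--) { out[pos++] = '\r'; out[pos++] = '\n'; }
    memcpy(out + pos, tail, tlen);
    return pos + tlen;
}

int main(void)
{
    static const size_t cases[] = { 3, 100, 101 };
    char buf[512];
    for (size_t c = 0; c < 3; c++) {
        size_t start = 0, blanks = 0;
        size_t n = make_input(buf, sizeof buf, cases[c], "GET / HTTP/1.0\r\n");
        int st = (int)skip_blank_lines(buf, n, &start, &blanks);
        printf("%zu blank lines: status %d, offset %zu\n", cases[c], st, start);
    }
    return 0;
}
```

The counter is reset on every call, so a caller that reads the connection in chunks has to carry the blank-line count across reads for the limit to hold.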


Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

"Enabling WebDAV on Apache" shows you how to integrate the mod_dav module into Apache version 1.3.x and 2.x on Unix, Mac OS X, and MS Windows. It covers the DAVLockDB and DAVMinTimeout directives, and explains how to restrict access to individual DAV-enabled directories by using basic authentication.

WebReference.com continues with its final excerpt from "Chapter 5: Authentication" of "Apache: The Definitive Guide, 3rd Edition", courtesy of O'Reilly. It covers digest authentication, enabling anonymous access, the pros and cons of using the .htaccess file, the AllowOverride directive, and also the directives provided by the mod_auth_digest and mod_auth_anon modules.

In "Using OpenBSD's chrooted httpd", Marc Balmer examines the impact a chrooted Apache has on CGI scripts and shared libraries. A chrooted web server that uses PHP4 to access a PostgreSQL database is provided as an example. He concludes that this is a good security enhancement despite the inconvenience it causes system administrators. The article is available to be downloaded in PDF format.

IBM developerWorks presents the benefits of using the Java platform for server applications and then looks at how to safely deploy Java services on Linux with a standalone implementation of Tomcat as an example. It provides two solutions for redirecting port 80 requests to Tomcat's default port 8080 - by using either the redirection feature in xinetd or by adding a rule to the PREROUTING chain in the nat (Network Address Translation) table in iptables. It ends by giving you an overview of how to confine Tomcat inside a chroot prison.


This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan
Comments or criticisms? Please email us at editors@apacheweek.com