Few new bugs have been found in the 2.0.45 release so far; a
problem with the --enable-layout flag broke a few
builds, for which Jeff Trawick quickly posted
a patch. The 2.0.45 release is the first to be based on
the stable branch of the 2.0 tree under the new dual-branch
strategy adopted for 2.0 development in January this year.
The strategy appears to be working well, with the development
of new features on the "unstable" branch continuing alongside
efforts to further stabilise the server.
Last week we reported on the release of Apache 2.0.45 which contained
a fix for an undisclosed security vulnerability,
iDefense released an
advisory which explains the details of the vulnerability. A remote
attacker can send requests with a large number of linefeed characters
causing a large amount of memory to be allocated by Apache, resulting in
denial of service.
The fix for this issue was to limit the number of blank lines
that Apache would accept to 100, and this fix was incorporated into
All users of Apache 2 should upgrade to Apache 2.0.45 or use a
backported fix for this issue. An example exploit for this issue has
already been released.
In this section we highlight some of the articles on the web
that are of interest to Apache users.
"Enabling WebDAV on Apache"
shows you how to integrate the mod_dav
module into Apache version 1.3.x and 2.x on Unix, Mac OS X, and MS
Windows. It covers the DAVLockDB
and DAVMinTimeout directives, and explains
how to restrict access to individual DAV-enabled directories by using
WebReference.com continues with its
from "Chapter 5: Authentication" of "Apache: The Definitive Guide,
3rd Edition", courtesy of O'Reilly. It covers digest authentication,
enabling anonymous access, the pros and cons of using the
.htaccess file, the
AllowOverride directive, and also the
directives provided by the mod_auth_digest
and mod_auth_anon modules.
"Using OpenBSD's chrooted httpd",
Marc Balmer examines the impact a chrooted Apache has on CGI scripts
and shared libraries. A chrooted web server that uses PHP4 to access a
PostgreSQL database is provided as an example. He concludes that
this is a good security enhancement despite the inconvenience it
causes system administrators. The article is available to be
IBM developerWorks presents the benefits of using the Java platform
for server applications and then looks at how to safely deploy Java
services on Linux with
a standalone implementation of Tomcat
as an example. It provides two solutions for redirecting port 80
requests to Tomcat's default port 8080 - by using either the
redirection feature in xinetd or by adding a rule to the PREROUTING
chain in the nat (Network Address Translation) table in iptables. It
ends by giving you an overview of how to confine Tomcat inside a