Apache 1.3.28 was released on 18th July 2003 and
is now the latest version of the Apache 1.3 server. The previous
release was 1.3.27, released on the 3rd October
what was new in Apache 1.3.27.
is available for download
This is a security, bug fix and minor upgrade release. Due
to security issues, any sites using versions of Apache 1.3
prior to Apache
1.3.28 should upgrade to Apache 1.3.28; the security issues
fixed in this release are covered in the Security Reports section below. Read more
about the other security issues that affect Apache 1.3.
The main new features added since 1.3.27:
- Win32: the build system can now produce pdb files for
- mod_auth_digest will use the arc4random
interface on OpenBSD
- mod_setenvif defines a new
SERVER_ADDR environment variable, giving the IP
address on which the request was received
The following bugs have been fixed in 1.3.28:
- mod_rewrite: fix handling of absolute
URIs and paths on non-Unix systems; allow
RewriteEngine Off regardless of Options
settings; prevent infinite loops in redirects (BZ#12902, BZ#12395, BZ#17452)
- Platform-specific changes: fix loading modules written in
C++ on HP-UX; choose a safer default accept locking mechanism
on AIX; fix suexec compilation on SunOS 4 (PR#5913,
- The original query string is appended to the redirect
destination when a Redirect configured in directory
- Fixes for potential buffer overflows or crashes in
htdigest and ab (BZ#21085)
- Performance fix: prevent the server from being limited to
serving one CGI request every 3 seconds per persistent
connection (BZ#6961, BZ#8664)
Last week, new security issues were announced that affect
version 1.3 of the Apache HTTP server; these issues were fixed in the
The rotatelogs support program on Win32 and OS/2 would quit
logging and exit if it received special control characters such as
This issue was originally discovered by the Hitachi Incident
Response team and reported to the Apache security team on July 4th
The Common Vulnerabilities and Exposures project
has assigned the name
to this issue.
It is possible to cause Apache 1.3 to enter an infinite
loop while handling internal redirects and nested subrequests. A patch
for this issue appears in Apache 1.3.28 which adds a new
There were some leaks of file descriptors to child processes
spawned by third-party modules.
More details of security issues that affect Apache 1.3 are available
Over the last few weeks we've been receiving a number of reports
where people running Apache servers have found that their servers have
been used to send out spam email messages.
It appears that the spammers are using an automated tool to
find open Apache proxies. If the tool finds an open proxy on your
machine, it sends a POST request through the proxy to the local SMTP port (25), passing
on the spam messages it wishes to send. Since most people will
have set up their mail transfer agent to allow relaying of mail
sent from the local host, the messages get sent out from your
Some of the reporters believe that allowing proxy connections to
arbitrary ports is a vulnerability in the Apache web server.
However, the majority of sites that run open Apache proxies
are doing so because of a misconfiguration rather than by design.
Open proxies allow attackers who want to target vulnerabilities at
other sites (such as cross-site scripting attacks, SQL injection
attacks and so on) to hide or complicate their real origin.
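To check whether a server has already been used this way, the access log can be searched for the pattern described above: a proxied request whose target is port 25. This is an added example, not part of the original article; it assumes Common Log Format, and the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

def smtp_proxy_hits(log_lines, smtp_port=25):
    """Return (client, time, target, status) for proxied requests to SMTP."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue
        client, when, request, status = m.groups()
        parts = request.split()
        if len(parts) != 3:
            continue
        uri = parts[1]
        # A forward-proxy request carries an absolute URI in its request line;
        # requests for the server's own pages carry only a path.
        if not uri.lower().startswith("http://"):
            continue
        try:
            url = urlsplit(uri)
            port = url.port
        except ValueError:
            continue  # malformed host or port: cannot be classified
        if port == smtp_port:
            hits.append((client, when, f"{url.hostname}:{port}", int(status)))
    return hits

def accepted(hits):
    """Keep only the hits that the server answered with a 2xx status."""
    return [h for h in hits if 200 <= h[3] < 300]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jul/2003:10:01:12 +0100] "GET /index.html HTTP/1.0" 200 2326',
    '198.51.100.7 - - [21/Jul/2003:10:02:40 +0100] "POST http://127.0.0.1:25/ HTTP/1.0" 200 512',
    '198.51.100.7 - - [21/Jul/2003:10:02:44 +0100] "POST http://127.0.0.1:25/ HTTP/1.0" 403 289',
    '192.0.2.33 - - [21/Jul/2003:10:05:02 +0100] "GET http://www.example.com/ HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for hit in smtp_proxy_hits(SAMPLE_LOG):
        print(hit)
```

Hits with a 403 status show the access controls refusing the request; hits with a 2xx status are the ones to investigate.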
If you are running the Apache web server we'd recommend that
you take a look at your configuration files and make sure that you
have not inadvertently set up an open proxy.
If you do not need to act as a proxy server at all then make
sure that the directive "ProxyRequests On"
does not appear in your configuration file. Note that you do not
need to use the ProxyRequests directive if you only want to use
Apache as a reverse proxy.
However, if you do need to act as a proxy server, make sure that
you only allow authorised hosts to connect. For example, use
the following configuration sample:

    <Directory proxy:*>
    Deny from all
    Allow from fred.example.com
    </Directory>
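The configuration review recommended above can be scripted. The following added example (not from the original article) classifies a configuration file as not a forward proxy, a restricted proxy, or an open proxy. It assumes access rules are scoped with the `<Directory proxy:*>` container of Apache 1.3 or the `<Proxy *>` container of Apache 2.0, and it does not follow Include directives; the function name and sample configurations are constructed.

```python
import re

# Containers that scope access rules to forward-proxy requests:
# <Directory proxy:*> (Apache 1.3) and <Proxy *> (Apache 2.0).
PROXY_OPEN = re.compile(r'<\s*(Directory\s+"?proxy:|Proxy\s)', re.I)
PROXY_CLOSE = re.compile(r'<\s*/\s*(Directory|Proxy)\s*>', re.I)

def audit_proxy_config(conf_text):
    """Classify a config as 'not-a-proxy', 'restricted' or 'open-proxy'."""
    proxy_on = in_section = deny_all = allow_all = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if PROXY_OPEN.match(line):
            in_section = True
        elif PROXY_CLOSE.match(line):
            in_section = False
        elif re.match(r"ProxyRequests\s+On\b", line, re.I):
            proxy_on = True
        elif in_section and re.match(r"Deny\s+from\s+all\b", line, re.I):
            deny_all = True
        elif in_section and re.match(r"Allow\s+from\s+all\b", line, re.I):
            allow_all = True
    if not proxy_on:
        return "not-a-proxy"
    # Conservative: any "Allow from all" in the proxy container is reported
    # as open so that a person reviews the Order directive by hand.
    return "restricted" if deny_all and not allow_all else "open-proxy"

# Constructed sample configurations (not taken from any real server).
OPEN_CONF = """
ProxyRequests On
"""
RESTRICTED_CONF = """
ProxyRequests On
<Directory proxy:*>
Order Deny,Allow
Deny from all
Allow from fred.example.com
</Directory>
"""
REVERSE_ONLY_CONF = """
# Reverse proxy: ProxyPass works without ProxyRequests
ProxyPass /app/ http://backend.example.com/
"""

if __name__ == "__main__":
    for name in ("OPEN_CONF", "RESTRICTED_CONF", "REVERSE_ONLY_CONF"):
        print(name, "->", audit_proxy_config(globals()[name]))
```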
A couple of bugs in the mod_include
filtering logic in 2.0 have been under investigation for a few
weeks; the relevant fixes have now been identified and checked
in after the problems were narrowed down to specific test
A bug introduced in the 1.3.28 release was tracked down by
users a few days after the announcement; BZ#21737 describes how
CGI scripts run under suexec may be left as "zombie" processes.
The bug report includes a patch which has been reported to fix
There was discussion of a patch which would allow modules to
implement UDP-based protocols in the 2.1 tree, following the
announcement of a module produced by the Globule Project as part of a
content replication system. There was interest in supporting
such protocols but no decisions were made on exactly how to do
In this section we highlight some of the articles on the web
that are of interest to Apache users.
"Integrating mod_perl with Apache 2.1 Authentication"
covers how to support the new authentication provider API in Apache
2.1 and Digest authentication through mod_perl 2.0
by walking you through the source code of a few modules. It also talks
about how Digest authentication over HTTP works.
In the April 2003 issue of Linux Magazine,
"PHP Caching and Optimization"
lays the groundwork for a look at three PHP add-ons that will improve
the performance of PHP web applications in upcoming issues. It
summarises the way Apache processes requests for a PHP-based
application into six steps and then explains the various optimisations
that could be done at some of the steps.
Martin Brown shows you how to use the Perl Framework component of the
Apache HTTP Test Project
to ensure that your Apache configuration and modules are working
correctly. First, it points out the various situations where you would
need to test an existing Apache setup that is running well. Then it
guides you through the steps of installing the Framework, executing
the tests, and ends with a brief note on how to locate the cause of a