Apache Week
Issue 339, 19th December 2003

Copyright 1996-2005
Red Hat, Inc.

Apache 2003 Review

It's that time of year when you look back over the events of the last 12 months, wonder just what you spent all your time doing, and try to find answers to niggling little questions like why a weekly publication produced only 22 issues this year. As this is the last issue of Apache Week for 2003, we thought we'd give you a mini review of the year.

  • Under Development: The split in Apache 2 development between the "stable" 2.0 tree and the "development" branch (labelled 2.1) has produced five new minor releases this year, including various bug and security fixes: Apache 2.0.48, Apache 2.0.47, Apache 2.0.46, Apache 2.0.45, and Apache 2.0.44. These releases have all maintained backwards compatibility in the module interface, giving third party developers a stable platform for 2.0 module development.

    The CVS "review then commit" policy for the stable 2.0 branch, a departure from the normal "commit then review" mode used up until late 2002, has continued to be applied throughout 2003 with little contention. No releases have yet been made from the "development" 2.1 branch.

    The Apache Portable Runtime library (APR), which underpins Apache 2, has moved closer to a 1.0 release, making three point releases in 2003 up to the most recent 0.9.4 release. APR development was also recently split between a 0.9 maintenance branch and a 1.0 stabilisation branch.

    Most of the developers have spent the year focused on Apache 2, so there were only two new 1.3 releases this year: Apache 1.3.28, which fixed a few minor security issues, added the LimitInternalRecursion directive and fixed some bugs; and Apache 1.3.29, which fixed a minor security issue and a few bugs.

  • Security in Apache 1.3: No major security issues were found in Apache 1.3 this year, with only two minor issues being fixed by the 1.3.28 and 1.3.29 releases:

    • CAN-2003-0542 Local configuration regular expression overflow (low risk)
    • CAN-2003-0460 RotateLogs DoS on Win32 and OS/2 (low risk)
  • Security in Apache 2.0: A number of security issues were found and fixed in Apache 2.0 this year:

    High risk:
    • CAN-2003-0245 APR remote crash. A bug in versions 2.0.37 to 2.0.45 allowed a remote attacker to crash the server, or possibly execute arbitrary code, through mod_dav, mod_ssl and other mechanisms. No exploit has been seen for this issue.
    • CAN-2003-0132 Line feed memory leak DoS. A memory leak allowed remote attackers to cause a denial of service by sending large numbers of linefeed characters.

    Moderate risk:
    • CAN-2003-0017 Apache can serve unexpected files. This issue affected only Windows platforms and allowed remote attackers to build up a list of files in the document root even if indexes were disabled.

    Low risk:

  • In addition to vulnerabilities directly affecting Apache httpd, a critical issue was found in OpenSSL, a library providing cryptographic functions that is commonly used with Apache:

    All administrators should check their systems to make sure that Apache and all the supporting components being used have either been updated to the most recent releases, or to releases that contain back-ported patches to fix the security issues.

    SANS together with the FBI updated their Top 20 Vulnerabilities list in October, a list of the most commonly exploited vulnerable services.

    Apache gets a mention as one of the top ten vulnerable services for Unix, although most of the time it is third party applications or poorly written scripts that are to blame for successful attacks. A checklist provides useful advice on how to make Apache and the related components more secure.
  • Conferences: ApacheCon US 2003 was held in Las Vegas in November 2003. Although the conference was less extravagant than the previous ApacheCon conferences, the quality of the sessions and speakers was as impressive as ever. The O'Reilly Open Source Convention also had a large Apache presence.
  • Surveys: Netcraft show the total number of Apache-based servers found by their survey rising from 22 million in January to 31 million in December, with market share continuing to rise from 63% in January to over 68% at the end of the year. Netcraft also found that over 98% of SSL sites with valid third party certificates were capable of using strong encryption. This percentage has increased dramatically since the expiration of the RSA patent and the relaxation of US export controls; in September 2000 only 79% of sites were capable of strong encryption.
  • Newsletter: The first issue of the official Apache Newsletter was launched in August. The bi-monthly newsletter aims to cover all of the Apache Software Foundation projects and is packed with development news as well as details of all the new releases.
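The advice above to check that Apache has been updated to a release containing the fixes is easy to automate for the version-number part. The following script is an added example for this review, not code from Apache Week or the Apache project: it parses the first line of `httpd -v` output and compares the version against the last release of its branch named in this issue (1.3.29 for the 1.3 tree, 2.0.48 for the 2.0 tree; those two cut-offs are this example's assumption, chosen from the release list above). The comparison is numeric per component, so 2.0.48 correctly sorts above 2.0.9. The caveat the text itself makes applies: vendors back-port fixes without changing the version string, so an "OLD" verdict means "consult the vendor's changelog", not "definitely vulnerable", and a package built from patched sources will be reported as OLD.

```shell
#!/bin/sh
# Added example (not Apache Week's or the Apache project's own code).
# Checks an "httpd -v" banner line against the last release of its branch
# listed in this issue. Cut-offs are an assumption taken from that list:
#   1.3 branch -> 1.3.29    2.0 branch -> 2.0.48
# Caveat: distributions back-port fixes without bumping the version, so
# "OLD" means "check the vendor changelog", not "definitely vulnerable".

# Numeric dotted-version comparison; prints -1, 0 or 1 for a<b, a=b, a>b.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        : "${ai:=0}" "${bi:=0}"          # missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    printf '%s\n' 0
}

# Pull "2.0.45" out of a line such as "Server version: Apache/2.0.45 (Unix)".
httpd_version() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Prints one of:  OK <ver>   OLD <ver> < <fixed>   UNKNOWN <ver>   UNPARSED
check_httpd_version() {
    ver=$(httpd_version "$1")
    if [ -z "$ver" ]; then printf 'UNPARSED\n'; return 0; fi
    case $ver in
        1.3.*) min=1.3.29 ;;
        2.0.*) min=2.0.48 ;;
        *)     printf 'UNKNOWN %s\n' "$ver"; return 0 ;;
    esac
    if [ "$(vercmp "$ver" "$min")" -lt 0 ]; then
        printf 'OLD %s < %s\n' "$ver" "$min"
    else
        printf 'OK %s\n' "$ver"
    fi
}

# Constructed sample banners (not captured from real servers), so the script
# runs offline. For a live host use:
#   check_httpd_version "$(httpd -v 2>/dev/null | head -n 1)"
check_httpd_version 'Server version: Apache/2.0.45 (Unix)'
check_httpd_version 'Server version: Apache/1.3.29 (Unix)'
check_httpd_version 'Server version: Apache/2.1.0-dev (Unix)'
```

Because the verdict is printed as a single token first, the script drops into an inventory loop unchanged (`for h in $hosts; do ssh "$h" httpd -v | head -n 1; done | while read -r line; do check_httpd_version "$line"; done`); the back-port caveat is the reason the OLD case prints the fixed release rather than exiting non-zero, so a human still decides.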

Book Reviews

mod_perl embeds the Perl programming language in the Apache web server, giving rise to a fast and powerful web programming environment. "Practical mod_perl" from O'Reilly aims to be the definitive book on how to use, optimise and troubleshoot mod_perl.

The book is aimed at both server administrators and application developers, and is well organised so that both groups of readers can easily find what they need. The bulk of the book is split into four main parts, covering administration, performance tuning, database issues and troubleshooting, all in relation to mod_perl 1.0. A smaller fifth part covers the differences between mod_perl 1.0 and the as-yet-unreleased mod_perl 2.0, and finally there are a number of appendices containing example code for common tasks, information on useful Perl modules, and some information for ISPs wishing to offer mod_perl to their customers.....

The book as a whole is focused and well written, and the authors' knowledge of and passion about mod_perl is obvious. It's an excellent read and will undoubtedly make an excellent reference afterwards; O'Reilly have attempted to create the definitive book on mod_perl and they have succeeded admirably.

Read our full review

Apache Week festive giveaway

Our friends at O'Reilly have given us four copies of the book "Practical mod_perl" to give away in our festive competition. For a chance to get your hands on a copy, just match the punchline to this festive joke:

Which of these is not a popular scripting language?
A) Python
B) Perl
C) Penguin

Send your answer to santa@apacheweek.com to reach us no later than January 5th 2004. Your email address will not be used for anything other than to let you know if you won. Four winners will be drawn at random from all correct entries submitted. One entry per person (we disqualify anyone sending duplicates), no cash alternative (we're skint), editors' decision is final (bah Humbug!).


This issue brought to you by: Gary Benson, Mark J Cox, Joe Orton
Comments or criticisms? Please email us at editors@apacheweek.com