Apache Week
   
Issue 340, 9th January 2004

Copyright 1996-2005
Red Hat, Inc.

Under development

A new module, mod_log_forensic, was committed to both the 2.1 development tree and the 1.3 tree by Ben Laurie over the New Year. Before request processing begins, the module writes each request, including its headers, to a log file together with a unique request ID. After request processing is completed, the unique ID is logged again. If a security issue is exploited on a server running mod_log_forensic and a child process crashes, the log can then be used to discover exactly which request was used in the exploit, allowing further investigation.
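
As an added illustration (not part of the original issue and not the module's own tooling), the following Python example pairs the start and completion entries in a forensic log and reports requests that never completed. It assumes the line layout given in the module's documentation: '+', the ID and the '|'-separated request line and headers before processing, then '-' and the ID afterwards. The log lines, IDs and function names are constructed for the example.

```python
"""Find requests that began but never completed in a mod_log_forensic log."""

# Constructed sample log. Assumed layout (from the module's documentation):
#   +<id>|<request line>|<Header>:<value>|...   written before processing
#   -<id>                                        written after processing
# '|' and ':' inside values are %-escaped by the module, so splitting is safe.
SAMPLE_LOG = """\
+AAAA0001|GET /index.html HTTP/1.1|Host:www.example.com|User-Agent:curl/7.10
-AAAA0001
+AAAA0002|POST /cgi-bin/form HTTP/1.1|Host:www.example.com|Content-Length:4096
+AAAA0003|GET /logo.png HTTP/1.1|Host:www.example.com
-AAAA0003
-AAAA0099
"""


def parse_entry(line):
    """Split a '+' line into (id, request_line, headers dict)."""
    fields = line[1:].split("|")
    req_id = fields[0]
    request_line = fields[1] if len(fields) > 1 else ""
    headers = {}
    for field in fields[2:]:
        name, _, value = field.partition(":")
        headers[name] = value
    return req_id, request_line, headers


def unfinished_requests(log_text):
    """Return (pending, orphans): requests with no end marker, and end
    markers whose start line is missing (e.g. rotated or truncated log)."""
    pending = {}
    orphans = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("+"):
            req_id, request_line, headers = parse_entry(line)
            pending[req_id] = (request_line, headers)
        elif line.startswith("-"):
            if pending.pop(line[1:], None) is None:
                orphans.append(line[1:])
    return pending, orphans


if __name__ == "__main__":
    pending, orphans = unfinished_requests(SAMPLE_LOG)
    for req_id, (request_line, headers) in pending.items():
        print(f"no completion marker: {req_id} {request_line} {headers}")
    for req_id in orphans:
        print(f"end marker without start: {req_id}")
```

An unmatched entry near the end of a live log may simply be a request still in flight, so correlate the result with child-process crash messages in the error log.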

There has been some discussion about a security fix committed last month; the patch for CAN-2003-0020 ensures that any unsafe characters are escaped before being written to the error log. This prevents attackers from creating fake log entries and also prevents the error log from being used to exploit escape-sequence processing bugs in terminal emulators. However, some users are used to being able to log multi-line error messages from modules or CGI scripts: such messages now get the newline character escaped. A compile-time option has been proposed to disable the error log escaping as a workaround.


Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

Rich Bowen shares his dislike for the word 'virtual' in day two of "A Day in the Life of #Apache". This article looks at some of the problems users have dealing with the configuration of virtual hosts.

The Mercury News talks to Brian Behlendorf in their article "Luminary in open-source movement developed the Apache Web server".

"Who's Patching Open Source?" asks Enterprise Linux IT. The answer of course depends on what the software is, and the article looks at the differences between support and security updates in closed source and open source software.


Apache Week giveaway

Congratulations to the four lucky winners of our last book competition. Amongst the winners were Simon Boase (UK), Erik Abele (Germany), and Michael Zaleski (USA) - your books are in the post.

We were pretty impressed with this O'Reilly book. Read the Apache Week review of Practical mod_perl and look out for more book competitions and reviews of Apache related books coming soon.


This issue brought to you by: Mark J Cox, Joe Orton
Comments or criticisms? Please email us at editors@apacheweek.com