Apache Week
Issue 345, 14th May 2004

Copyright 1996-2005
Red Hat, Inc.

In this issue


Apache httpd 1.3.31 Released

Apache httpd 1.3.31 was released on 11th May 2004 and is now the latest version of the Apache httpd 1.3 server. The previous release was 1.3.29, released on the 29th October 2003. See what was new in Apache httpd 1.3.29.

Apache httpd 1.3.31 is available for download

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions of Apache httpd 1.3 prior to Apache httpd 1.3.31 should upgrade to Apache httpd 1.3.31. Read more about the other security issues that affect Apache httpd 1.3.

Security issues

  • When using multiple listening sockets, a denial of service attack is possible on some platforms due to a race condition in the handling of short-lived connections. This issue is known to affect some versions of AIX, Solaris, and Tru64; it is known to not affect FreeBSD or Linux. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0174 to this issue.
  • Arbitrary client-supplied strings can be written to the error log, which can lead to exploits of certain terminal emulators when the log is viewed. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0020 to this issue.
  • mod_digest was not checking the nonce value returned by clients; use of mod_auth_digest is recommended in place of mod_digest. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0987 to this issue.
  • Allow/Deny rules using IP addresses without a netmask were not interpreted correctly on big-endian 64-bit platforms. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0993 to this issue.
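As an added illustration of two of the issues above (this is example code written for this page, not code from Apache httpd or from Apache Week): the first function escapes backslashes and control characters in a client-supplied string before it reaches a log line, which is the class of fix applied for CAN-2003-0020; the second issues and verifies a server-generated nonce so that a client cannot substitute an arbitrary value, the check that mod_digest lacked (CAN-2003-0987). The nonce format (timestamp plus HMAC over a server secret), the secret, the lifetime and the sample request line are all assumptions made for the example and are not httpd's actual format or values.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for this example; a real server would load its own secret.
SERVER_SECRET = b"example-only-secret"
NONCE_LIFETIME = 300  # seconds a nonce stays valid (assumed policy)


def escape_logitem(item: str) -> str:
    """Return ITEM with backslashes and control characters escaped.

    Terminal emulators interpret bytes such as ESC (0x1b) when a log file is
    viewed with cat or tail; escaping them on the way into the log neutralises
    that (the class of fix applied for CAN-2003-0020).
    """
    out = []
    for ch in item:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif code < 0x20 or code == 0x7F:
            out.append("\\x%02x" % code)  # any other control byte as \xNN
        else:
            out.append(ch)
    return "".join(out)


def make_nonce(secret: bytes, now: Optional[int] = None) -> str:
    """Issue a nonce of the assumed form '<timestamp>:<hmac-sha256 hex>'.

    The HMAC binds the timestamp to the server secret, so the server can
    later recognise nonces it issued without having to store them.
    """
    ts = int(time.time()) if now is None else now
    mac = hmac.new(secret, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_nonce(secret: bytes, nonce: str, now: Optional[int] = None) -> bool:
    """Accept NONCE only if this server issued it and it is not stale.

    This is the verification mod_digest did not perform: a client-chosen
    nonce fails the constant-time HMAC comparison and is rejected.
    """
    ts_str, sep, mac = nonce.partition(":")
    if not sep or not ts_str.isdigit():
        return False
    expected = hmac.new(secret, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    current = int(time.time()) if now is None else now
    age = current - int(ts_str)
    return 0 <= age <= NONCE_LIFETIME


if __name__ == "__main__":
    # Constructed request line carrying an ANSI "clear screen" sequence.
    print(escape_logitem("GET /\x1b[2J HTTP/1.0"))
    issued = make_nonce(SERVER_SECRET)
    print(issued, check_nonce(SERVER_SECRET, issued))
    print(check_nonce(SERVER_SECRET, "12345:not-a-real-mac"))
```

The nonce lifetime check is what makes the HMAC useful in practice: without it, any nonce the server ever issued would stay valid forever, so a captured one could be replayed indefinitely.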

New features

The following new features have been added since 1.3.29:

  • the source code is now licensed under the Apache License, Version 2.0
  • mod_whatkilledus, mod_backtrace: New diagnostic modules which log information about child process crashes
  • mod_log_forensic: New module which performs "forensic" logging

Bugs fixed

The following bugs have been fixed in 1.3.31:

  • mod_usertrack: fix segfault if CookieName was omitted (BZ#24483); fixed to not overwrite other cookies (BZ#26002), and to not inspect the Cookie2 request header (BZ#11475)
  • mod_rewrite: fix double-slash bug in RewriteBase; export the REMOTE_PORT variable (BZ#25882); fail if lookup keys containing a newline are used with external rewrite maps (BZ#14453)
  • mod_include: fix handling of expressions which begin with an escaped token
  • fix a memory corruption problem in the ap_custom_response function

Under development

The 1.3.30 release process was abandoned last month after a short period of testing, so that the mod_digest security issue could be resolved. The new 1.3.31 release candidate tarball gained more attention than normal after a story posted to Slashdot announced that the tarball produced was in fact the final release. No vetoes were posted for the tarball so the release went ahead otherwise as normal.

1.3.31's Release Manager Jim Jagielski proposed that the apache-1.3 CVS repository be migrated to a Subversion repository. Subversion has been under evaluation at apache.org for some time; several ASF projects in the Incubator process have been using the Subversion repository which has been set up, notably SpamAssassin.


In the news

O'Reilly Open Source Convention 2004

Only a couple of months to go before the highly anticipated O'Reilly Open Source Convention opens its doors in Portland, Oregon. This year the conference runs from July 26-30 with many tracks of interest to Apache users. A dedicated Apache track features such sessions as "HTTP Caching and Cache-busting", "Using WebDAV", and "The Incubator: How to Start a Successful Apache Project".

Happy 8th Birthday Apache httpd

In a press release the Apache httpd project announced its 8th birthday. The first release of the Apache httpd server was in April 1995. The first issue of Apache Week was nine months later, in February 1996.

Interview with Brian Behlendorf

Netcraft interviews Apache co-founder Brian Behlendorf. Brian talks about Apache's growth, security, and how to change the world through software.


Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

LinuxInsider wants "Open Source Scripting Made Easy". This short article takes a look at the development environments available for the popular PHP language.

Martin Brown covers some Apache Maintenance Basics at Server Watch. The article looks at how to monitor Apache logs and real-time status, as well as configuration and patch management issues.

Linux Journal takes a look at Compressing Web Content and how to use mod_gzip and mod_deflate to get the most out of your bandwidth.

O'Reilly look at how to use web server logs for monitoring server performance in the article Profiling LAMP Applications with Apache's Blackbox Logs.


This issue brought to you by: Mark J Cox, Joe Orton
Comments or criticisms? Please email us at editors@apacheweek.com