1.0.5 is the current stable public release. This is the same
as 1.0.3, except that it 'fixes' a possible security problem.
The beta test version, 1.1b, is now at version 2.
The IBM Emergency Response Service released a security
vulerability alert for Apache and NCSA servers. The
Apache group immediately released a fixed distribution,
version 1.0.5, based on the information in the alert. However
detailed analysis later showed that this 'problem' probably
did not comprise a security risk in Apache 1.0.3. The
reported problem affected the way that the server removes
potentially dangerous characters from input which is later
passed onto CGI scripts (for example, the back-tick
character). In this case, the newline character was not being
removed from CGI input. Only very old CGI scripts which use
arguments passed on their command line are vulnerable, and
only if the CGI author was very careless in their checking of
There was a real problem reported back in February which
affected some of the programs distributed in cgi-bin and
cgi-src. This has been fixed for some time. That problem was
caused by a section of code which also occured in the main
server source. The alert assumed that because the code was
the same, there was the same vulernability. But the code in
the server is used in a different way, which means it is very
unlikely to cause a security problem. Nonetheless the Apache
group released a 'fixed' version of the server.
The alert did raise the issue of what level of support the
Apache group provide for the CGI examples supplied with
Apache. They are mostly scripts and programs which were
originally distributed with NCSA 1.3, and they are not
considered to be supported by the Apache group. Most will
probably be dropped from future distributions of Apache.
There are lots of other sites with detailed information on
CGI programming, such as the CGI information at
Since 1.1 is currently has just gone into public beta, there
have been quite a few this week. Many have already been fixed
in version 2 of the 1.1 beta, and more will be no doubt fixed
in further beta releases.
Bugs affecting 1.0.5 and before will be listed here:
Hostnames truncated in log file
Some hostnames were being truncated in the log files. This
only occured when the cookies module was being used. This
is fixed in 1.1beta.
Apache to go: McDonalds Corp. are
using Apache to serve pages. But can you get fries with them?
Microsoft eats pages: Robots at Microsoft have been
repeatedly requesting pages - one site reports 10,000
requests for the same page from one robot. Obviously
Microsoft have answered their question "Where do your want to
go today" with "the same place.... 10,000 times".
Web weak? The April 96 issue of Web Week reportly
announces that Apache is Mac-only: "While the commercial
market is growing, free servers still dominate. According to
the lastest Netcraft Web Server Survey, the National Center
for Supercomputing Applications Web server enjoys 28 percent
of the market, followd by the Macintosh-based Apache HTTP
Server Product, with 27 percent. Third is Netscape with 17
percent." (page 8).