In this issue
Most of the Apache core developers met recently for the first
time. This meeting had two aims: to discuss the
organisational structure of the Apache group, and to discuss
the plans for "Apache 2.0". These discussions took place over
four days between 30th June and 3rd July 1998 (even though
the 3rd was a holiday for most other people in the US at the
Besides the official business, the week also gave the
opportunity for the developers to meet and socialise,
including a hike along the coast. For many, it was the first
time they had met more than one or two other developers. In
total, fourteen of the eighteen core developers made it in
person to the meeting in San Francisco. Some of those that
could not attend in person joined in via a telephone
At present, there is no such thing as an Apache organisation.
While all code is described as being owned by "The Apache
Group", this has no legal existance apart from the group of
individuals that make up the core developers. Part of the
plans for the future involve the creation of a real entity to
hold the Apache source code copyright. This entity could also
hold Apache trademarks, ensure that the Apache license is
enforced, and provide legal safeguards for Apache
contributors and developers. The meeting discussed possible
models for the Apache organisation, including some advice
from lawyers familiar with free and open source software
development. Nothing has yet been decided, but it seems
likely that a US corporation will be formed (issues that need
resolving include whether charitable or not-for-profit status
should be used, and which country or US state to incorporate
Whatever happens, the Apache organisation will be committed
to maintaining Apache as an open source, freely available
software project under terms very similar to the existing
license (i.e. allowing commercial use of the code with minor
advertising restrictions). Any funding necessary will come
from donations. The Apache group will not sell versions of
Apache or provide additional services.
After the 1.3.X series of minor releases, the next major
release will be Apache 2.0. This will be a very major
release, with significant code changes. Many of the plans for
Apache 2.0 have already been discussed in Apache Week.
Apache Site: www.apache.org
Release: 1.3.0 (Released 6th June 1998) (local download
Apache 1.3.0 is now the current stable release. Users of
Apache 1.2.6 and earlier should look at upgrading to this
version, which provides additional features and has been
subject to extensive testing.
The bugs listed below now include a link to the entry in the
Apache bug database where the problem is being tracked. These
entries are called "PR"s (Problem Reports). Some bugs do not
correspond to problem reports if they are found by
Bugs in 1.3.0
These bugs have been found in 1.3.0 and will be fixed in
The "handler not found" error was being given if the
handler did exist but declined to handle the request. PR#2529.
Add dynamic loadable module support on SCO 5. PR#2533.
Apache is not 8-bit clean, which can cause problems with
8-bit characters in URLs or in the configuration/.htaccess
The proxy module would cache partially completed transfers,
if the user cancelled the request. In the fixed version,
the proxy module will complete the transfer if over 90% has
already been obtained, else it will cancel the request and
remove the partially cached file. The 90% value can be
changed with the CacheForceCompletion directive.
suEXEC has some unclear error messages.
Add a port to UnixWare 7.
Patches for bugs in Apache 1.3.0 will be made available in
the apply_to_1.3.0 subdirectory of the patches
directory on the Apache site. Some new features and other
unofficial patches are available in the 1.3
patches directory. For details of all previously reported
bugs, see the Apache bug database and
bugs pages. Many common configuration questions are
answered in the Apache FAQ.
The next planned release will be 1.3.1 which will contain
mainly bug fixes for 1.3.0, with a few minor additional
features. There may be a beta period for 1.3.1, but
this has not yet been decided.
Apache for Windows has not yet been released because it is
being checked for security problems. A number of security
issues have been found with other NT servers which need to be
checked. Most of these recent problems occur because some
Windows API calls interpret filenames in special ways. For
example, opening a file called "file." actually opens a file
called "file" (if it exists). On Unix, where Apache was
originally developed, each file usually has only one name.
Having multiple names which open the same file can cause
security problems because (for example) access may be
restricted based on the name, but requests could be made for
the other names for that file which succeed.
The ways in which Windows has multiple names for files
Trailing dots are ignored, so "file." accesses "file"
Trailing spaces are ignored, so "file&" accesses "file"
Case is ignored, so "FILE", "File", "file" and "FiLe" all
access the same file.
Files have a long and short name, so for example, "Long
File" and "LONGFI~1" may refer to the same name (the actual
short name may be different and cannot be predicted in
On NT, the file "file::" is the same as "file"
Part of the problem with writing secure servers on Windows is
that not all of these equivalences are documented fully, and
they may vary between system calls. There may also be
additional problems which have not yet been identified.
While Apache is already aware of some of these issues (such
as long vs. short form names, and case insensitivity), there
may be more subtle problems, and some of the issues have only
been recently found (for example, the :: was recently found
to cause a security problem in IIS, although it appears that
Apache is not subject to this particular problem because it
does not use native Win32 API calls to access files).
In addition to the filename equivalences, there is also a
problem with paths which include "..." (three dots), which on
Windows means "../.." (i.e. go up two directories).
There has been some discussion over Year 2000 issues in
cookies. The problem seems to be that the original cookie
specification from Netscape used two-digit years. This was
used in Navigator 3.X browsers (and possibly others). Note
that years between "00" and "37" are interpreted as being
after 2000, so it is possible to set cookies which expire in
the years 2000 to 2037, but not after 2037.
Later Netscape upgraded the specification to use four digits
for years, but forgot to change the examples which continue
to show two digit dates. Navigator 4.X browsers can handle
both two and four digit dates. So server administrators that
want to set cookies which expire after 1999 which work with
versions 3.X and 4.X of Navigator should use two digit years
in the range 00 to 37. See the mod_usertrack
The July Netcraft
Server Survey once again shows Apache's share increasing
faster than any other major server. Apache itself is up 0.64%
to 49.64%, whilst Microsoft's servers increased by 0.36% to
22.70%. When Apache derivatives are included, Apache code is
in use on 54.38% of sites surveyed.