Apache 1.3.2 was released on 23rd September. This is a minor
upgrade in the 1.3.* series, which fixes a number of bugs,
and adds some minor new features. All users for 1.3.0 and
1.3.1 servers should upgrade to 1.3.2 for the security fixes
described below. However there is a different security
problem in 1.3.2: error messages can include internal details
such as local filenames. See the Apache bugs section, below.
The most important reason for upgrading is that Apache 1.3.2
has better protection against denial of service attacks.
These are when people make excessive requests to the server
to try and prevent other people using it. In 1.3.2 there are
several new directives which can limit the size of requests
(these directives all start with the word Limit).
In addition this release prevents a more serious problem when
a client sends a large number of headers with the same header
name. Apache uses up memory faster than the amount of memory
required to simply store the received data itself. That is,
memory use increases faster and faster as more headers are
received, rather than increasing at a constant rate. This
makes a denial of service attack based on this method more
effective than methods which cause Apache to use memory at a
constant rate, since the attacker has to send less data.
Note that all of these attacks can at worst cause the server
to slow down and possibly eventually lock-up. They do not
offer any way for the attacker to gain access to the server
A new Apache Week feature article, Guide to
1.3.2, shows all the changes between 1.2 and 1.3.2, as
well as changes from 1.3.0 and 1.3.1 to the latest version.
This feature may be particularly useful if you are still
using a 1.2.* series version of Apache want to upgrade to
Apache Site: www.apache.org
Release: 1.3.2 (Released 23rd September
Apache 1.3.2 is the current stable release. Users of Apache
1.2.6 and earlier should look at upgrading to this version.
The bugs listed below now include a link to the entry in the
Apache bug database where the problem is being tracked. These
entries are called "PR"s (Problem Reports). Some bugs do not
correspond to problem reports if they are found by
These bugs have been found in 1.3.2 and will be fixed in the
Because of the major differences between Windows and Unix,
these are separated into bugs which affect Windows systems
only, and other bugs (which may affect Windows as well). Unix
users can ignore the bugs listed in the Windows section.
When Apache starts on the console it may display the
message "[warn] pid file
c:/apache/logs/httpd.pid overwritten -- Unclean shutdown of
previous apache run?. This message can be
There is a serious problem with error reports, since they
may now include internal details such as local pathnames.
This is because of a change in 1.3.2 to pass extra
information to error documents via the ERROR_NOTES environment variable,
since that information will be output instead of the normal
error page. The error note information was being set to
messages which included internal information. The
combination of both problems meant that internal
information could be displayed to users. PR#3071.
When the mod_speling module finds an ambiguous URL, it
fails to return the list of possible matches. PR#3052.
Compiling on OS/2 gives warnings about HAVE_SYS_SELECT_H being
Compilation fails on Amdahl UTS 2.1. PR#3054.
Directory indexing options (IndexOptions) set in a parent
will not be applied to a sub-directory if that
sub-directory uses any other directory indexing directive.
Add support for Pyramid DC/OSx.
The discount rate for ApacheCon '98 has been extended for a
further week. You can now register at the reduced rate until
2nd October. In addition, the the hotel block at the San
Francisco Hilton is filling up, so rooms should be reserved
soon to get the ApacheCon discount rate.
A number of events are developing around ApacheCon. For
instance, the conference exhibition will let you meet with
commercial Apache-oriented software and hardware companies,
including C2Net, Red Hat, Covalent, and IBM.
Birds-Of-A-Feather sessions and other special events
(including a large party at the San Francisco Exploratorium)
have been scheduled. Several new sessions have been added to
the agenda, including forums on server security, case
studies, and configuration tuning.
To see the agenda or register, visit http://www.apachecon.com/.