In this issue

Earlier this week a CERT advisory detailed how malicious HTML tags can be embedded in client web requests. The problem is not specific to Apache and has wide reaching consequences for anyone who uses web servers or writes scripts for them. The Apache Software Foundation has published comprehensive details of the problem which includes a patch that can be applied to Apache 1.3.11 to address some of the issues.

Apache Site: www.apache.org
Release: 1.3.11 (Released 21^st January 2000) (local download sites)
Beta: None

Apache 1.3.11 is the current stable release. Users of Apache 1.3.6 and earlier on Unix systems should upgrade to this version. Users of Apache on Windows can now upgrade to Apache 1.3.11 avoiding the previous problems with Apache 1.3.6. Read the Guide to 1.3.11 for information about changes between 1.3.9 and 1.3.11 and the Guide to 1.3.9 for information about changes between 1.3.6 and 1.3.9.

Most bugs listed below include a link to the entry in the Apache bug database where the problem is being tracked. These entries are called "PR"s (Problem Reports). Some bugs do not correspond to problem reports if they are found by developers.

• Fix the default path to the suexec binary if it is not specified by the configure stage
• The Apache process ID file, httpd.pid would be written with the default umask, causing problems if this umask was not sensible.

Patches for bugs in Apache 1.3.11 will be made available in the apply_to_1.3.11 subdirectory of the patches directory on the Apache site. Some new features and other unofficial patches are available in the 1.3 patches directory. For details of all previously reported bugs, see the Apache bug database and known bugs pages. Many common configuration questions are answered in the Apache FAQ.

The majority of development work is now being focussed on Apache 2.0, with the hopes of a public beta-test version being available within the first quarter of this year.

A Windows binary for Apache 1.3.11 has now been made available from the Apache Site.

If you've not booked your vacation for this year, consider a luxurious week at the glorious ApacheCon 2000 World Resort in the heart of Orlando, Florida. You'll be surrounded by all your favourite Apache characters (comedy ears and all), and have the opportunity to experience white-knuckle rides such as "Secure Financal Transactions with Open Source" and "Everything you always wanted to know about XML parsing".

The Gartner Group published a report last month; Debunking Open-Source Myths: Origins and Players, aimed to show that businesses should take Open Source seriously. The report tries to debunk the myths and hype surrounding Open Source, but in doing so manages to create myths of its own. One example is the statement, "The Apache and PERL projects are maintained in large part by full-time employees of O'Reilly and Associates." which is certainly not true for Apache (none of the core developers are employees of O'Reilly) and not even true for Perl.

Little change for Apache in the January Netcraft server survey with Apache-based servers commanding a fraction under 60% market share.