In this issue

Apache Week was at the LinuxWorld Conference and Expo in New York this week and looking for everything at the show that mentioned services or support based on Apache. We were suprised at the huge number of companies that were using Apache in some way; embedded into appliances or as part of larger products or offerings. Of particular note were the following announcements:

Borland released their Linux development tool, Kylix, which can be used to directly create dynamic applications for Apache. The tool has specific features designed to accelerate development and can directly produce dynamic shared object Apache modules.

Compaq have produced a number of guides to quickly getting Apache set up with PHP and MySQL on Linux in their ActiveAnswers technical guide.

Covalent Technologies had a number of announcements as they relaunched themselves with a new web site, logo, and second round of VC funding. Their business model is based on providing proprietary closed source add-ons to open source technologies, a "hybrid" model, under which they announced their secure server, commerce server, and managed server products.

O'Reilly released a new web site focusing their open source web development coverage. O'Reilly Network LAMP covers Linux, Apache, MySQL, and Perl technologies.

Red Hat announced their aquisition of Akopia, the developers behind the Interchange e-commerce platform. The Interchange project is being combined with the Apache-based Stronghold server and CCVS payment processing software to form a complete e-commerce solution stack.

Find more coverage of LinuxWorld at LinuxWorld or ZDNet.

Despite some last-minute Netware emergencies, Apache 1.3.17 was finally released on Monday. This was quickly followed by a bug report explaining that mod_rewrite was once again misinterpreting rewrite map rules: a problem that first surfaced after the patch for the earlier security bug was released. A fix was submitted by Christopher A. Bongaarts, and this got checked in on Wednesday. Jim Jagielski has proposed that 1.3.18 be released early next week.

There has been a lot of traffic on new-httpd this week about whether Apache 2.0 is ready for a beta release. The prerequisite the Apache group have for a beta release of Apache 2.0 is that the code is running on the production server at www.apache.org. To this end, production testing has continued for short periods of time, and more bugs exposed and fixed. Group members also expressed the desire for a useful mod_status output before a beta, and this culminated in Ryan Bloom checking in a forward-port of the Apache 1.3 mod_status.

Another hot topic on the list was Apache on Windows. Bill Rowe has been working on a new and improved graphical installer for Apache 1.3, and this has received thorough testing from the list members on the many different flavours of Windows. Apache 2.0's current performance on Windows is also under discussion as some fundamental changes to how APR (Apache's portability layer) examines files are being made.

Apache 1.3.17 was released on 26^th January 2001 and is now the latest version of the Apache server. The previous release was 1.3.14, released on the 13th October 2000. See what was new in Apache 1.3.14.

Apache 1.3.17 is available in source form for compiling on Unix or Windows, for download from the main Apache site or shortly from any mirror download site.

This is a bug fix and minor upgrade release, with a few new features. Users should upgrade if they have noticed particular bugs mentioned below or would like to use any of the new features.

Due to security issues any sites making use of the mass virtual hosting module mod_vhost_alias or mod_rewrite prior to Apache 1.3.14 should upgrade as soon as possible.

The main new features in 1.3.17 (compared to 1.3.14) are:

• The License agreement was updated to the Apache Software License 1.1, the main difference is the removal of the controversial advertising clause which required advertising materials mentioning Apache to include an acknowledgement sentance. From 1.3.17, the minimum requirement is that only the end user documentation included with a distribution (if any) has to contain such an acknowledgement.
• A new LogFormat directive, %c is available to log the connection status. The field distinguishes between a connection that was aborted before the response was completed, and a completed connection either closed or kept-alive.
• Apache running on Linux 2.2 kernels now use sysv semaphores instead of a serialised single listener in order to increase performance.
• There were problems with caching the results of a directory index generated by mod_autoindex. A new option for the IndexOptions directive has been added which will return the Last-Modified date of the directory in order to aid caches. This option will not work on all filesystems however.
• Shared library creation now works on OpenBSD 2.8
• Support has been added for BeOS BONE. BeOS BONE is much closer to Unix than BeOS R5.
• Apache modules on Unix are usually recognised by their .so filename extensions, but on Windows .dll has always been used. Now, Windows platforms also use .so filename extensions for Apache modules.
• Apache now needs the awk utility script to be compiled from the supplied Makefile.win or the InstallBin project in the Visual Studio IDE
• On Windows, a new command line option -k config can be used to reset the default options for a named service. These options are also displayed when testing the httpd.conf file with -t. If upgrading Apache from 1.3.14 or earlier you will need to use the syntax apache -k config -n servicename -f conffile to upgrade the service arguments.
• Cleanups and changes to the Apache makefiles for Windows have been made

The following bugs were found in Apache 1.3.14 and have been fixed in Apache 1.3.17

• HTTP byterange handling code was rewritten so that the syntax (RFC 2616) and 416 error code was handled properly.
• Content-Length calculations when doing Range header processing are incorrect. This causes problems for example when serving byte-ranged PDF files. PR#6711
• The mass virtual hosting module, mod_vhost_alias, has had a number of security issues in the past due to it's handling of the Host: header. Although these issues have been fixed, the Host: header checking was too strict and could not handle internationalised DNS for example. PR#6635
• The processing of the Expect header was not consistant with the HTTP specification. Apache now makes sure that modules have a chance to be able to handle an Expect extension token before returning an error to the client.
• The recent security fix to mod_rewrite had broken some of the functionality of that module. PR#6671
• The mod_auth_dbm.c workaround for glibc 2.1 systems failed on Red Hat Linux 7 (which is based on a beta glibc 2.2) as

• NetWare is a case insensitive file system so all directory and file names are now compared in a case insensitive manner to avoid security holes.
• Some media types have been updated. PR#6613, PR#4600
• UnixWare 7 did not work correctly with some DSOs (such as PHP) due to a missing library. PR#6780
• On Win32 and NetWare, directives using paths with a syntax like c:oo were incorrectly appended to the server root rather than replacing it.
• RewriteMap truncated the string if the lookup had a syntax error
• Threads in Netware are now allocated in their own group
• When using mass virtual hosting the cgi-bin directory was treated specially even if there were no VirtualScriptAlias directives. PR#6829
• The rotatelogs utility would not work if the destination for the logs was out of space
• On OS/2 the Etags header changed on every request therefore breaking any caching based on that header
• The recent performance tweak to Configure broke the DSO detection on Linux, which caused problems when compiling
• The Mac OS layout has been updated
• mod_status did not test the refresh value to make sure it was a valid integer. This caused page refreshes at very high speed. PR#5067
• mod_auth_dbm did not build correctly on Red Hat Linux 7 due to changes in the location of db1 headers
• Apache would crash with a segmentation fault if a LoadModule directive was incorrectly placed inside a VirtualHost container. PR#6942
• The proxy module, mod_proxy, did not set a default garbage collection interval time if none was specified in a configuration file
• Fixes were required for Netware to append the default volume name to paths as well as detect them. PR#5826, PR#6283

• There were problems with the bundled dbm library, sdbm, which caused the first user added with the dbmmanage Perl script not to be recognised.
• Apache would hang during logoff or shutdown when run on Windows 2000
• There were problems with intepreters failing to run cgi scripts that have slash delimiters
• There was a handle leak problem if a child process failed to be created
• Apache now flags console processes as services on Win9x platforms in order to avoid them being shut down when a user logs off.
• Win9x problems were caused when Apache creates a child process to handle CGI scripts. Apache creates a 16 bit CGI process with it's own console window, but this was known to not correctly close it's pipes
• Incorrect status messages were displayed when starting and restarting Apache as a service on Win9x platforms
• Not all script interpeters like long path names, so Apache now decides if cgi script paths are to be converted or not.
• When Apache reads the registry to find the script intepreter it now is able to do environment variable expansion
• mod_cgi on Win32 and Netware was not always capturing stderr output from scripts. PR#6161