Another vulnerability has recently been found in Apache 1.3.20. This
issue has already been fixed in the code base in preparation for the 1.3.21
release.
- A vulnerability was found when Multiviews are used to negotiate the
directory index. In some configurations, requesting a URI with a
QUERY_STRING of M=D could return a directory listing rather than the
expected index page. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2001-0731 to this issue.
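An administrator who has not yet upgraded may want to know whether anyone
has been sending requests of the shape described above. The following
script is an added example written for this article; it is not Apache Week's
or the Apache project's code. It assumes the server writes the standard
"combined" access log format, and the log lines it scans are constructed
for the demonstration. It flags successful GET requests for a directory
(a path ending in "/") whose query string carries M=D, which are the
requests worth checking against the content actually served.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" access log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def is_index_probe(line):
    """Return the request target if the line is a successful GET for a
    directory with M=D in the query string (the request shape from the
    advisory), otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    # Only directory requests are served by Multiviews index negotiation.
    if not parts.path.endswith('/'):
        return None
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if (params.get('M') == 'D'
            and m.group('method') == 'GET'
            and m.group('status') == '200'):
        return m.group('target')
    return None


def find_index_probes(lines):
    """Collect the flagged request targets from an iterable of log lines."""
    return [t for t in (is_index_probe(line) for line in lines) if t]


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2001:12:00:00 +0100] "GET /docs/ HTTP/1.0" 200 1532 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [10/Oct/2001:12:00:05 +0100] "GET /docs/?M=D HTTP/1.0" 200 4821 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [10/Oct/2001:12:01:00 +0100] "GET /docs/index.html?M=D HTTP/1.0" 200 1532 "-" "curl/7.9"',
    '192.0.2.12 - - [10/Oct/2001:12:02:00 +0100] "GET /private/?M=D HTTP/1.0" 403 289 "-" "Mozilla/4.0"',
    '192.0.2.13 - - [10/Oct/2001:12:03:00 +0100] "GET /images/?M=D&x=1 HTTP/1.1" 200 2201 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for target in find_index_probes(SAMPLE_LOG):
        print('check served content for:', target)
```

Of the five sample lines only the second and fifth are reported: the
request for index.html is a file rather than a directory, and the 403
response cannot have returned a listing. A hit only shows that the request
was made; whether a listing came back depends on the configuration, so the
response size compared with the normal index page is the next thing to look
at.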
A busy week on the development list saw testing begin for the
1.3.21 release. The CVS tree was tagged on Wednesday and a tarball is
expected today. Several minor problems have been discovered and fixed
in the meantime.
A long-standing point of confusion for many Apache users (and often
developers) has been the difference between the Listen and Port
directives. In Apache 1.3, the Listen directive specifies a port on
which the server should accept connections, while the Port directive
only tells the server which port to report as its own, so that
self-referential redirects are generated with that port. In 2.0, the Port
directive has been removed, and the port may instead be specified in
ServerName to achieve the same effect. Or as Ryan Bloom put it:
"If the port is specified to the ServerName, the server will
report that port whenever it reports the port that it is listening
on."
One really wonders how far Microsoft will go in spreading anti-Apache
FUD with its misinformed sales circular. The experts refute it
point by point with a thorough analysis and straighten the facts out.
Strike while the iron is hot! Many companies offering Apache services are
doing just that. One of them is Starnix, which has come up with a
customised programme, the "Starnix Managed Web Migration Program", to
assist migration from IIS to the Apache web server. Another tool available
on the market is LSP from DAS Technology, which ZDNET reviews in "LSP:
migrate from Windows NT to Linux".
In this section we highlight some of the articles on the web that are of
interest to Apache users.
In Ryan Bloom's swan song for the Apache 2.0 Basics series, he talks about
one of the least publicised new features in Apache 2.0: allowing one
module to call into another module to execute an operation. In Apache 1.3,
for two modules to perform the same operation, the feature has to be
implemented in both modules, making synchronisation of changes a tedious
task. He uses the mod_include and mod_cgi modules to illustrate his points.
Noel Davis looks at how to overcome an Apache on Mac OS X security issue
which only affects those who store files on Mac OS X's HFS+ file system.
Three workarounds are available for this problem.
Linuxfocus.org brings us the first article in a new series about using
lire to analyse the log files of many different services, including the
Apache Web Server. It introduces lire, gives an overview of the
installation process, and shows various configurations for generating
reports.
"Packexpo.com: Building
Virtual Exhibits on Open-Source and J2EE[tm] Technology" is a case
study where the Apache Web Server is used in a mission-critical
environment. Apache is chosen because it is easy to customise and its
redirect feature is used to implement automatic fail-over.
Know any IIS user who is thinking of moving on but is not quite
convinced? Do them a service by referring them to "Migrate With
Confidence From Microsoft Windows NT, 2000, and XP to UNIX/Linux" by
Jon C. LeBlanc, which was recently updated. It provides strategic
information for IT managers facing the difficult decision of which
platform to choose. For those who still can't make up their mind, a look
at Jeff Silverman's operating system comparison page and another white
paper may be able to settle it once and for all.
The "Apache Desktop Reference" by Ralf S. Engelschall, published by
Addison Wesley, is a concise and complete quick reference meant for web
server administrators who are already familiar with Apache. However,
newbies can also use it as a companion to the numerous Apache "text" books
available on the market.
Ralf, a member of the Apache Software Foundation (ASF), is well known as
the author of mod_rewrite and mod_ssl. In his foreword, Roy T. Fielding,
chairman of the board of directors of the ASF, commented that this book
provides a level of insight regarding the inner workings of Apache that
you won't find in a typical user manual.
Although Apache Week covered the release of the book in
January, we didn't get around to reviewing it. In our
features section you can read the rest of our
belated review.
We have four copies of the "Apache Desktop Reference" to give away to
lucky readers. For a chance to get your hands on a copy of this book,
answer this simple question:
Which of the following servers is vulnerable to the Code Red worm:
A) Apache, B) Tux, C) IIS
Send your answer (A, B, or C) to worms@apacheweek.com to reach us no
later than 22nd October 2001. We do read all the entries, so if you have
something on your mind about Apache Week, Apache, or life in general, add
it after your answer. Your e-mail address will not be used for anything
other than to let you know if you won. Four winners will be drawn at
random from all correct entries submitted; we disqualify people who make
more than one entry, no cash alternative, void where prohibited, editors'
decision is final, so there.