Another vulnerability has recently been found in Apache 1.3.20. This
issue has already been fixed in the code base in preparation for the 1.3.21
- A vulnerability was found when Multiviews
are used to negotiate the directory index. In some
configurations, requesting a URI with a QUERY_STRING of
return a directory listing rather than the expected index page.
The Common Vulnerabilities and Exposures project
has assigned the name
to this issue.
A busy week on the development list saw testing begin for the
1.3.21 release. The CVS tree was tagged on Wednesday and a tarball is
expected today. Several minor problems have been discovered and fixed
in the meantime.
A long-standing point of confusion for many Apache users (and often
developers) has been the difference between the Listen and Port
directive. In Apache 1.3, the Listen directive specifies a port on
which the server should accept connections, and the Port directive
makes the server think it is listening on a particular port: so
that redirects are generated for this port. In 2.0, the Port
directive has now been removed, and a port may now be specified in
ServerName to achieve the same effect. Or as Ryan Bloom put it:
"If the port is specified to the ServerName, the server will
report that port whenever it reports the port that it is listening
One really wonders how far Microsoft will go in spreading anti-Apache
FUD with its misinformed sales circular. The experts refute it
point by point with a thorough analysis and straighten the facts out.
Strike while the iron is hot! Many companies offering Apache services are
doing just that. One of them is Starnix which has come up with a
customised program - "Starnix Managed Web
Migration Program" to assist IIS migration towards the Apache web
server. Another tool which is available on the market is LSP from DAS
Technology and ZDNET reviews it in "LSP: migrate
from Windows NT to Linux" .
In this section we highlight some of the articles on the web that are of
interest to Apache users.
In Ryan Bloom's swan song for the Apache 2.0 Basics series, he talks about
of the least publicised new features in Apache 2.0 which is allowing
one module to call into another module to execute an operation. In Apache
1.3, for two modules to execute the same operation, the feature has to
be implemented in both of the modules, making synchronisation of changes a
tedious task. He uses the mod_include and
mod_cgi modules to illustrate his points.
Noel Davis looks at how to overcome an Apache
on Mac OS X security issue which only involves those who store files
on Mac OS X's HFS+ file system. Three workarounds are available for this
Linuxfocus.org brings us the first article
in a new series about using lire to analyse the log files of many
different services including the Apache Web Server. It introduces lire,
gives us an overview of the installation process, and various
configurations to generate reports.
Virtual Exhibits on Open-Source and J2EE[tm] Technology" is a case
study where the Apache Web Server is used in a mission-critical
environment. Apache is chosen because it is easy to customise and its
redirect feature is used to implement automatic fail-over.
Know any IIS user who is thinking of moving on but is not quite
convinced? Do them a service by referring them to "Migrate With
Confidence From Microsoft Windows NT, 2000, and XP to UNIX/Linux" by
Jon C. LeBlanc which is updated recently. It provides strategic
information for IT managers when making the difficult decision of which
platform to choose. For those who still can't make up their mind, a look
Silverman's operating system comparison page and another white
paper may be able to settle it once and for all.
The "Apache Desktop Reference" by Ralf S. Engelschall, published by
Addison Wesley is a concise and complete quick reference meant for web
server administrators who are already familiar with Apache. However
newbies can also use it as a companion to the numerous Apache "text" books
available in the market.
Ralf, a member of the Apache Software Foundation (ASF), is well known as
the author of mod_rewrite and
mod_ssl. In his foreword, Roy T. Fielding, chairman of
the board of directors of the ASF commented that this book provides
a level of
insight regarding the inner-workings of Apache that you won't find in a
typical user manual.
Although Apache Week covered the release of the book in
January, we didn't get around to reviewing it. In our
features section you can read the rest of our
We have four copies of the "Apache Desktop Reference"
to give away to lucky readers.
For a chance to get your hands on a copy of this book, answer
this simple question:
Which of the following servers is vulnerable to the Code Red worm:
A) Apache, B) Tux, C) IIS
Send your answer (A, B, or C) to email@example.com to
reach us no later than 22nd October 2001. We do read all the
entries, so if you have something on your mind about Apache Week,
Apache, or life in general, add it after your answer.
Your e-mail address
will not be used for anything other than to let you know if
you won. Four winners will be drawn at random
from all correct entries
submitted, we disquality people who make more than one entry,
no cash alternative, void where prohibited,
editors' decision is final, so there.