Two denial of service attacks were found in the Apache 2.0 code
this week - both concerned with memory usage when sending large
requests. The first was that the server did not respect the maximum
header field length, and would consume memory indefinitely while reading
a header line. A fix for this was
quickly checked in. The second problem remains unconfirmed; using an
httpd.conf from an old installation of 2.0 with the current code
can cause a GET request with a large body to leak memory.
Neither of these problems is known to affect Apache 1.3.
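As an added illustration of the first problem (this is not Apache's code), the following Python puts a header-line reader that buffers until a newline arrives beside one that caps the bytes buffered per line, which is what Apache's LimitRequestFieldSize directive is meant to enforce. The limit value, the HeaderTooLong exception and the parse_headers and is_rejected helpers are assumptions made for the demo.

```python
import io

# Demo limit; Apache's default for LimitRequestFieldSize is 8190 bytes.
DEFAULT_LIMIT = 8190

class HeaderTooLong(ValueError):
    """A single header line exceeded the configured byte limit."""

def _read_line_unbounded(stream):
    # The pattern behind the bug: append bytes until a newline shows up.
    # A client that keeps sending bytes and never a newline grows this
    # buffer for as long as the connection stays open.
    buf = bytearray()
    while True:
        byte = stream.read(1)
        if not byte:
            break
        buf += byte
        if byte == b"\n":
            break
    return bytes(buf)

def _read_line_bounded(stream, limit):
    # Hardened pattern: never buffer more than `limit` bytes for one line
    # (the limit counts the line terminator). If the buffer fills without
    # a newline, the line is too long and the request is rejected.
    line = stream.readline(limit)
    if len(line) == limit and not line.endswith(b"\n"):
        raise HeaderTooLong(f"header line longer than {limit} bytes")
    return line

def parse_headers(raw, limit=DEFAULT_LIMIT, bounded=True):
    """Parse a header block (up to the blank line) into {lower-name: value}."""
    stream = io.BytesIO(raw)
    headers = {}
    while True:
        line = _read_line_bounded(stream, limit) if bounded else _read_line_unbounded(stream)
        if line in (b"", b"\r\n", b"\n"):
            break
        name, _, value = line.rstrip(b"\r\n").partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers

def is_rejected(raw, limit=DEFAULT_LIMIT):
    # True when the bounded parser refuses the block instead of buffering it.
    try:
        parse_headers(raw, limit)
    except HeaderTooLong:
        return True
    return False
```

With a constructed block whose header line never ends, the unbounded reader happily buffers the whole thing while the bounded one stops at the limit and reports an error.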
The 2.0 tree was tagged for a 2.0.27 release, and the live server
at apache.org was
updated to this code from the CVS snapshot it was running
previously. The snapshot had been live for a week without any
significant problems. The group indicated that after the 2.0.27 code
had been running for three days, a public release would be made (barring any problems).
A decision was taken recently to move the SSL configuration
directives out of the default httpd.conf (as in an Apache 1.3/mod_ssl
installation) into a separate file, ssl.conf, to simplify administration of
the plethora of directives for this module. This file has now been
populated with the default configuration from mod_ssl 2.8.
In this section we highlight some of the articles on the web that are of
interest to Apache users.
This week, we deviate from our usual topic to bring you some food for
thought with "The Open
Dielectric" from ASF board member Ken Coar.
What has this got to do with Apache, you may ask. As
Apache is one of the major open-source software projects, Ken's musings
apply to the Apache community of developers and users as well. Would you
agree with him that the virtual environment appears to be almost
completely insulated from the acts and consequences in the physical world?
At WebTechniques.com, Jim Jagielski has a few tips for those who are
providing web-hosting services in "Customer
Number One". He looks at two ways of giving every customer on a shared
Apache server the performance and quality guarantees of a dedicated
server, as if he or she were the only customer. The first uses
mod_throttle to control parameters such as the number of requests or the
total bandwidth used on a per-server, virtual-host, location, directory
or user basis. The second uses suExec to run each customer's CGI scripts
under that customer's own user and group ID. He also discusses the pros
and cons of running multiple instances of Apache simultaneously.
PHP provides a great assortment of functions ranging from Apache-specific
functions to database functions. In "A Basic Introduction to PHP
Images", Jon Perry examines how we can use the image functions to load
existing images as templates, create new images, add transparency to images,
and implement tiling in PHP. The source code used in the examples is
available for download.
"Save
Your Site from Spambots" teaches you how to use
mod_rewrite to redirect "spambots", software packages
that crawl the Web harvesting e-mail addresses and adding them to bulk
e-mail lists, to a specific page that has "special" messages just for
them. Since this method uses the content of the User-Agent: HTTP header to
identify the "spambots", it won't prevent "spambots" that masquerade as
other browsers from scraping e-mail addresses from your web site. Other
solutions are presented as well and the one recommended is "spamtraps" -
special addresses that are solely used for catching spammers. The author
concludes that the best way to combat unwanted bulk e-mail is to
immediately report spam to the ISP from which it originates as many times
as it takes until the ISP takes the necessary actions.
Is there a lack of innovation in open source development? In Russell
Pavlicek's opinion, the answer is no and he justifies it in "The
Open Source".