It's our 300th edition and our
colleagues at Wrox Press have given us two copies of their
book "Professional Apache 2.0" to give away to help us celebrate.
It seems like only 100 issues ago
that we were running a competition to give away the book on
which this is based, "Professional Apache".
Written by Apache Week reader and space tourism evangelist
Peter Wainwright, the book covers all aspects of serving web
sites using the Apache 2.0 web server.
The target audience of this book is experienced Apache
users and web server administrators who are using Apache
for the first time. It requires you to have a fundamental
knowledge of the Web, operating systems, and network
configuration although the first chapter revisits the basics of
networking, HTTP, and how Apache works.
Overall this is a comprehensive book for users interested
in the Apache web server in general and for those intending
to set up a secure Apache web server.
For a chance to get your hands on a copy of the book, answer this simple
question:
Which one of the following is the name of the security group
that posted the first working exploit for the Apache chunked
encoding vulnerability?
A) GRUMBLES, B) GOBBLES, or C) GURGLES
Send your answer to googles@apacheweek.com
to reach us no later than July 10th 2002.
Your email address will not be used for
anything other than to let you know if you won. Two winners
will be drawn at random from all correct entries submitted; books
will be dispatched direct by Wrox Press.
One entry per person, no cash alternative, editors' decision
is final, so there.
That's not all. We've kept a copy for ourselves and have
written a comprehensive
review all about it.
Last week we covered the
details of the Chunked encoding vulnerability. We had said that although
the issue was remotely exploitable it could not be exploited
on 32-bit platforms. This was proven wrong shortly after publication
when security team GOBBLES published an exploit for OpenBSD and mentioned
that exploits were possible for other platforms. This prompted the
Apache Software Foundation to update the Official Security Advisory.
We therefore strongly suggest that all users of Apache update their
distributions to 1.3.26 or 2.0.39 or
apply this patch to existing installations.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2002-0392 to this issue.
The security issue got a fair amount of media coverage, and
after one week, there are still many new
articles about the Apache chunked encoding vulnerability:
San Diego, California plays host to this key conference
between July 22nd and 26th, and brings together the leaders
of all the critical open source technologies - including
Apache - to give you an inside look at how to configure,
optimise, code, and manage them.
This year's event looks pretty exciting for Apache users
as it includes a whole conference dedicated to PHP (including
a look at PHP 4.1 and Beyond), a track on Apache 2.0,
and a keynote presentation
"Open Source and Java: Lessons from the Apache Experience". It is
expected that a large number of Apache Software Foundation members
will be attending so be sure to look out for them and invite them out
for dinner or buy them beer.
Register now or find out more at the conference web
site. Read our in-depth account of the
2001 Convention which proves this is certainly a conference
you cannot afford to miss.
In this section we highlight some of the articles on the web that are of
interest to Apache users.
In an interview with SearchWebManagement, Ryan Bloom, a core developer of
Apache 2.0, dissects the subject of
Apache vs IIS
and opens a window into his thoughts about the advantages of Apache over
IIS. He also attempts to explain why some web server administrators chose
IIS over Apache.
"Customizing Apache for maximum performance"
is a Linux-based tutorial on how to fine-tune the operating system and
Apache for optimum performance. You'll need to register as well as enable
JavaScript on your browser to be able to access this tutorial.
In conjunction with gifting the Web Service Invocation Framework (WSIF) to
the Apache Software Foundation, IBM provides this article entitled
"Applying the Web services invocation framework"
to explain what WSIF is all about. It is a Java API that enables
developers to create Web services independent of SOAP.