Earlier this week it was found that PHP 4.2.0 and 4.2.1 allow
remote attackers to cause a denial of service and possibly execute
arbitrary code via an HTTP POST request with certain arguments
in a multipart/form-data form, which generates an error condition that is
not properly handled and causes improper memory to be freed. Earlier
versions of PHP are not affected. For more information
read the
full advisory.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0717 to this issue.
There was discussion on the development list this week about what
configuration files "make install" should install if
installing over an existing Apache installation; the main issue
was whether the reference "-std.conf" files should be installed
alongside existing configuration files.
Preparations for an Apache 2.0.40 are underway, with the CVS tree
being tagged, and tarballs prepared for testing by developers. As
usual, the live server at apache.org is
already running the new code.
A frequently asked question on the mailing lists is why any Apache
server will process a request with a URI such as
http://www.yahoo.com/; often an administrator will notice
such requests in the access log with a "200" response code, and worry
that the server is being used as a proxy. The answer is simply that
if the hostname used in the request URI does not match any of the
configured virtual hosts, the default vhost configuration is used to
serve the request; no proxying takes place regardless of the hostname
used, unless Apache is specifically configured as a proxy server.
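To put that answer into a form an administrator can apply to their own logs, the following Python is an added example (not from Apache Week or the Apache project). It parses constructed Common Log Format lines, separates ordinary relative requests from absolute-URI requests whose hostname is not one of the server's configured virtual hosts, and checks an httpd.conf fragment for a "ProxyRequests On" directive, since that directive (from mod_proxy) is what actually turns on forward proxying. The vhost list, the log lines and the config text are all assumed sample data.

```python
"""Classify absolute-URI requests in an Apache access log and check for forward proxying.

Added example, not part of the original Apache Week article. The vhost names,
log lines and configuration text below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Hostnames that this server has configured as ServerName/ServerAlias (assumed).
CONFIGURED_VHOSTS = {"www.example.org", "example.org", "wiki.example.org"}

# Common Log Format: client ident user [time] "request line" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Matches an uncommented ProxyRequests directive (mod_proxy); '#' lines do not match.
PROXY_REQUESTS_RE = re.compile(
    r'^\s*ProxyRequests\s+(on|off)\s*$', re.IGNORECASE | re.MULTILINE
)

# Constructed sample log lines; the second is the case the article describes.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Jul/2002:10:01:12 +0000] "GET /index.html HTTP/1.0" 200 1234
192.0.2.11 - - [26/Jul/2002:10:01:15 +0000] "GET http://www.yahoo.com/ HTTP/1.0" 200 1234
192.0.2.11 - - [26/Jul/2002:10:01:16 +0000] "GET http://www.example.org/news/ HTTP/1.1" 200 5678
192.0.2.12 - - [26/Jul/2002:10:02:00 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 405 0
192.0.2.13 - - [26/Jul/2002:10:02:30 +0000] "GET http://proxy-test.example.net/ HTTP/1.0" 404 210
"""


def classify_request(request_line: str) -> str:
    """Return 'relative', 'absolute-local', 'absolute-foreign', 'connect' or 'malformed'."""
    parts = request_line.split()
    if len(parts) < 2:
        return "malformed"
    method, target = parts[0], parts[1]
    if method.upper() == "CONNECT":
        # CONNECT only makes sense to a forward proxy; worth listing separately.
        return "connect"
    if target.startswith("/"):
        return "relative"
    host = urlsplit(target).hostname
    if host is None:
        return "malformed"
    if host.lower() in CONFIGURED_VHOSTS:
        return "absolute-local"
    # An absolute URI for a host we do not serve: the default vhost answers it,
    # which is why a 200 here does not by itself mean proxying happened.
    return "absolute-foreign"


def find_foreign_absolute_requests(log_text: str) -> list[dict]:
    """Collect requests that name a foreign host (absolute URI or CONNECT)."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not CLF
        kind = classify_request(m.group("request"))
        if kind in ("absolute-foreign", "connect"):
            findings.append({
                "client": m.group("client"),
                "request": m.group("request"),
                "status": int(m.group("status")),
                "kind": kind,
            })
    return findings


def forward_proxy_enabled(httpd_conf: str) -> bool:
    """True if any uncommented line in the config text sets ProxyRequests On."""
    return any(m.group(1).lower() == "on"
               for m in PROXY_REQUESTS_RE.finditer(httpd_conf))


if __name__ == "__main__":
    for f in find_foreign_absolute_requests(SAMPLE_LOG):
        print(f"{f['client']:12} {f['status']} {f['kind']:17} {f['request']}")
    sample_conf = "# ProxyRequests On\nProxyRequests Off\n"
    print("forward proxy enabled:", forward_proxy_enabled(sample_conf))
```

The log scan tells you which clients are sending absolute URIs for other people's hosts; the configuration check tells you whether those requests could have been proxied at all. If ProxyRequests is Off (or mod_proxy is not loaded), the 200 responses are simply the default virtual host serving its own content.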
Paul Weinstein took time out after giving his presentation on Apache
and SSL to report for Apache Week on the main news of the O'Reilly Open Source
Conference. Interesting keynotes included the well-matched
pair Lawrence Lessig, a vigilant
defender of freedom of content, and Richard Stallman, a vigilant defender of
freedom of software. Read the Apache Week
feature from the first day of the conference.
Earlier this month
a new beta of Red Hat Linux was announced. What makes this release
interesting is that it includes by default
Apache 2.0 along with a number of modules that
work with the 2.0 infrastructure. Apache 1.3 is not included in the
release. Netcraft found
this month that the adoption of Apache 2.0 is happening a lot slower than
expected: fewer than 50,000 sites have switched.
The inclusion of Apache 2.0 by default in a mainstream operating
system should help prove whether or not it is ready for primetime.
At the O'Reilly Open Source Conference this week
Covalent announced
a new module, mod_asp.net for Apache 2.0 on Windows.
The module provides integration of ASP.NET applications into
the Apache server framework. The module is only available as part of
Covalent's Enterprise Ready Server which is based on Apache and is not
open source.
In this section we highlight some of the articles on the web that are of
interest to Apache users.
Pier Fumagalli who actively codes for the Apache Jakarta and
HTTPD/APR projects reveals how the VNU news web site running on the
Apache Web server and Tomcat has been designed to handle high loads
in
"Web Development in Heavy Traffic".
The tricks are to let another instance of Apache handle all the static
traffic, cache articles in the servlet container itself, and execute each
application in a different container in a different Java Virtual Machine.
UnixReview.com looks at
two tools for benchmarking web sites
and shows us how to use them. First
Scout is
run to gather a list of URLs into a file. Then
Siege
will use this file to bombard a web server with requests from
concurrent simulated users to stress test it.
"Building XML Portals with Cocoon"
explores the Cocoon portal and authentication frameworks, and
provides a few examples on how to use them. You need to be familiar
with the basic Cocoon concepts before reading this.
There is a new kid in town - a Java-based open-source Apache GUI
named
NetLoony.
Read the
user guide
for yourself and decide whether it is as loony as it sounds.
"Apache and SSL"
was presented by Paul Weinstein at the 2002 O'Reilly Open Source
Conference recently. It introduces the basic concepts and configuration
of Apache and SSL, and is also available to be downloaded as a
PDF
file.