At the end of last week the Apache Software Foundation issued an advisory about a major security flaw found in Apache 2.0 releases on non-Unix platforms. Full information about the vulnerability was not given in the advisory, but it is believed that an exploit would allow a remote attacker to access or run arbitrary files. More information about the vulnerability is expected in the upcoming weeks; until then all users of Apache 2.0 on non-Unix platforms are advised to implement the work-around given in the advisory or to upgrade to Apache 2.0.40, which was released last Friday.

Apache 2.0.40 also contains fixes for two minor path-revealing exposures. Under certain conditions it is possible for a remote attacker to find out the full path details of particular documents. Whilst this in itself doesn't enable a remote attacker to exploit a system, it does provide them with information that might be useful if they can exploit some other flaws in Apache or the operating system.

At the last moment before 2.0.40 was released a check was added to stop Apache building with versions of OpenSSL prior to 0.9.6e. This check was flawed and will cause Apache 2.0.40 not to build with versions of OpenSSL 0.9.7 or later. The check will also cause problems for people wanting to link against versions of OpenSSL distributed by some OS vendors who have backported the security fixes to previous versions of OpenSSL without moving to the new version. The next release of Apache will correct this behaviour and just warn users who try to link against older versions of OpenSSL.

Apache 2.0.40 was released on 9th August 2002 and is now the latest version of the Apache server. This is the fourth stable release of Apache 2.0, following up on 2.0.39, which was released on 18th June 2002. Read our special feature for more information about the history of Apache 2.0.

Apache 2.0.40 is available in source form for compiling on Unix or Windows, for download from the main Apache site or from any mirror download site.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions of Apache 2 on Unix prior to Apache 2.0.39 should upgrade to Apache 2.0.40. Sites using any versions of Apache 2 on other platforms should upgrade to 2.0.40.

The new features in this release (added since 2.0.39) are:

- mod_rewrite can now set cookies using the CO extension
- Performance improvements for the code that reads request headers
- Proxy FTP now works over IPv6
- Changes to the internationalized error documents; they are no longer included by default in the sample configuration file.
- Add a new directive, MaxMemFree. MaxMemFree makes it possible to configure the maximum amount of memory a particular child's allocator will hold on to for reuse. This directive is useful when uncommon large peaks occur in memory usage.
- Support the -w flag to keep the Win32 console open on error
- Add the ability to enable or disable a filter via an environment variable.
- Apache on NetWare will now pull requests off the listen queue as fast as winsock will allow, without the latency introduced by the accept mutex
- During installation Apache will preserve existing installation directories. Binaries, the build directory, the headers, and the man pages are all copied. Everything else (the config, htdocs, manual, error, icons, and cgi directories) is not installed if the directories already exist

The bugs fixed in this release include:

- Fix a long-standing bug in 2.0: CGI scripts were being called with relative paths instead of absolute paths. Apache 1.3 used absolute paths for everything except for SuExec; this brings back that standard
- Restore the ability to specify host names on Listen directives. BZ#11030
- Accept multiple leading /'s for requests within the DocumentRoot. BZ#10946
- Fixed a mod_include error case in which no HTTP response was sent to the client if an shtml document contained an unterminated SSI directive
- Prevent infinite recursion if an ErrorDocument gets an error
- Fix segfault in mod_mem_cache most frequently observed when serving the same file to multiple clients on a multi-processor machine
- Various fixes to the experimental module mod_ext_filter including: look in the main server for filter definitions when running in a vhost if the filter definition is not found in the vhost, BZ#10147. Fix a segmentation fault if the content-type was not set, BZ#10617, and ignore any content-type parameters when checking if the response should be filtered.
- Fix infinite loop due to two HTTP_IN filters being present for internally redirected requests. BZ#10146
- Fixed the Content-Length filter so that HTTP/1.0 requests to CGI scripts would not result in a truncated response.
- Fix proxy so that it is possible to access ftp: URLs via a proxy chain.
- Fix perchild to work with apachectl by adding -k support to perchild. BZ#10074
- Fix the long-standing bug in ab where ab -t10 would loop for 10000 seconds instead of 10 as documented. Also fix an off-by-one-second error
- Fixed parsing of strings to longs, which allows HTTPD to deal with larger files correctly
- mod_deflate now checks to make sure that 'gzip-only-text/html' is set so that BrowserMatch can be used to control the module
- Add a filter_init parameter to the filter registration functions so that a filter can execute arbitrary code before the handlers are invoked. This resolves a problem where mod_include requests would incorrectly return a 304. BZ#9673
- A problem with the keepalive enumeration caused problems when mod_dav sends error responses
- Various minor fixes to the htpasswd utility including BZ#10422

The following platform-specific changes have been made:

- Solved the reports of .pdf byterange failures on Win32. BZ#10781
- Support WinNT CGI invocation through ScriptInterpreterSource 'registry' for script interpreter paths and names with non-ASCII characters in the executable filepath
- Fix WinNT CGI 500 errors when QUERY_ARGS or other strings include extended characters (non US-ASCII) in non-utf8 format. This brings Win32 back into CGI/1.1 compliance, and leaves charset decoding up to the CGI application itself
- When deciding on the default address family for listening sockets, make sure we can actually bind to an AF_INET6 socket before deciding that we should default to AF_INET6. This fixes a startup problem on certain levels of OpenUNIX. BZ#10235

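A constructed httpd.conf fragment, added here and not taken from the Apache Week article or the Apache project, that exercises three of the 2.0.40 additions described in the feature and bug-fix lists above: the MaxMemFree directive, the BrowserMatch variables that mod_deflate now honours, and the mod_rewrite CO cookie flag. The memory limit, cookie name, domain and URL path are placeholder values.

```apache
# Cap the memory (in KBytes) each child's allocator keeps for reuse.
# 2048 is a placeholder; size it from the peaks seen in your own
# process accounting rather than copying this number.
MaxMemFree 2048

<IfModule mod_deflate.c>
    # Compress responses by default for this server.
    SetOutputFilter DEFLATE

    # Since 2.0.40 mod_deflate checks the gzip-only-text/html variable,
    # so BrowserMatch can confine or disable compression per user agent.
    # Netscape 4.x only copes with compressed text/html.
    BrowserMatch ^Mozilla/4         gzip-only-text/html
    # Netscape 4.06-4.08 cannot handle gzip at all.
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    # MSIE also calls itself "Mozilla/4" but compresses fine, so
    # clear both variables again for it.
    BrowserMatch \bMSIE             !no-gzip !gzip-only-text/html
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On
    # CO extension: set a cookie as part of the rewrite.
    # Syntax is CO=NAME:VALUE:domain[:lifetime-in-minutes[:path]];
    # "-" as the substitution leaves the URL untouched.
    RewriteRule ^/welcome/ - [CO=visited:yes:.example.com:60:/]
</IfModule>
```

Run `httpd -t` after adding the fragment; MaxMemFree is unknown to 2.0.39 and earlier, so the syntax check fails on anything older than 2.0.40.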
In this section we highlight some of the articles on the web that are of interest to Apache users.

The Robert Frances Group takes a look at the Total Cost of Ownership for Linux in the Enterprise (PDF, 48k), comparing Linux using Apache with Microsoft Windows using IIS and Solaris using Apache. The study of fourteen mid- to large-sized enterprises showed Linux with Apache was the least expensive platform to deploy and operate.

In "What You Get Is What You See", Jim Jagielski looks at a few important areas which may affect the performance of your Web site. Among them are the design of Web infrastructures and authentication processes. He also touches on how SNMP monitoring could be implemented to obtain real-time information on the health of your Web site. One SNMP solution for the Apache Web server is the open source mod_snmp module.

O'Reilly OnJava.com introduces log4j, the new logging tool in the Jakarta Apache project, and shows you how to build flexible logs with it. It goes through the concepts of the tool and provides examples using a Web-based application.

"Run PHP-GTK and PHP-Apache on Win32" is meant for Windows users who have difficulty in getting PHP-GTK to work on their platform. It reveals the two main reasons that may cause it to fail and leads you back onto the correct path.

Here's a review of "XML and PHP" on the Developer Shed. The conclusion is that it is a good reference guide for beginners in the two subjects.