A worm that exploits the recent OpenSSL
security issues was found in the
wild this week. This particular exploit
(for CAN-2002-0656)
looks for Apache servers
running a vulnerable version of OpenSSL
and uses compromised hosts to
find others, in turn building a large platform for distributed
denial-of-service attacks. Patched versions of OpenSSL have been
available from the OpenSSL group and from OS vendors for some time so if
you've been putting off upgrading you ought to do it now - you may already
be too late.
The Apache 2.0 CVS tree has been tagged in preparation for a 2.0.41
release; as usual the live server at apache.org has been updated to
run the new code, and no new problems have been found as of yet.
The changes in the new release include many improvements and
fixes to the 2.0 caching modules, and several performance fixes. The
stylesheets used to produce the HTML documentation have been updated to give a
greatly improved presentation, which can already be viewed on-line.
The usually good relationship between Covalent and the Apache Software
Foundation showed signs of strain this week after a proposal was made
by Covalent developer Jon Travis to donate code to the ASF. Covalent
were offering an HTML parser dubbed "El-Kabong" which they had found
useful in writing Apache 2.0 filters which modify HTML content. After
two weeks passed with no decision by the ASF on whether or not (and how) to accept the
"El-Kabong" code, the discussion began to turn sour, as the ASF
offered to accept the code donation but without giving CVS commit
access to Jon. The negotiations broke down at that point, and Jon
decided to host the "El-Kabong" code at SourceForge instead.
mod_python was donated to the Apache
Software Foundation earlier this week. mod_python
does for Python what mod_perl did for Perl: it embeds
a Python interpreter in the server allowing modules to be written in
Python. mod_python is currently stable on Apache 1.3 and
beta on Apache 2.0. It is hoped that its adoption by the ASF will
encourage wider adoption and hasten a stable
mod_python for Apache 2.0.
According to the August surveys from
Security Space,
mod_perl is now installed on just over 36% of
Apache sites surveyed; that's up by 20% in one month. Meanwhile, use of
PHP has slipped a few percentage points, now down to just over 38% of sites.
Will mod_perl overtake PHP next month?
In this section we highlight some of the articles on the web that are of
interest to Apache users.
"Securing dynamic Web content"
shows you how to secure dynamic content on an Apache Web server
version 1.3. It covers common security risks encountered when
implementing CGI (Common Gateway Interface) applications and
SSI (Server Side Includes) web pages, and includes two popular CGI
wrappers namely suEXEC and CGIWrap.
The Developer Shed continues with the second
("Designing For Simplicity")
and third
("Coding To A Plan")
installments of the series on Web applications entitled "The Art Of
Software Development". Part II walks you through the steps of
designing the architecture of your application from the user
requirements you have obtained from Part I. The deliverables from
this phase are a project implementation plan, a software design
document, a user interface design document, an acceptance test
plan, and also a user interface prototype. Part III zooms in on the
coding by providing some common techniques and approaches such
as setting up naming conventions and coding standards before you
begin, ensuring that the programs are modular, using a version
control system, developing the Web application in a portable and
maintainable fashion, and having frequent code inspections and
peer reviews.
For those who still can't make up their mind whether or not to buy
"Professional Apache 2.0" after reading
our review, you
may be interested to read another
review
of the book. It is written by Robert Nagle and hosted on the Idiotprogrammer website.
We don't do this very often, but we've a favour to ask. Apache
Week is produced by Red Hat and we're extremely grateful to get the
weight of Red Hat resources behind us whilst still being able to
remain independent. Anyway, Red Hat are doing a survey of what people
think about Red Hat and the brand. We'd love to get your
views on Red Hat so we've set up a version of the survey
just for Apache Week readers - all responses are anonymous.
Take the brand survey