In this issue
It's that time of year when you look back over the events of the last
12 months and wonder just what you spent all your time doing and why you
didn't get around to redecorating the spare bedroom. As this
is the first issue of Apache Week for 2003 we thought we'd give you a mini
review of 2002.
-
Under Development: April saw the launch of the first general
availability release of Apache 2.0 with a few subsequent minor releases
for security and bug fixes.
Apache 2.0.43 was released
in October and remains the most recent release of 2.0.
Internally, development has now split into a "stable" 2.0
branch, and a "development" branch, labelled 2.1.
Most of the developers have spent the year focused on Apache 2.0, but a
number of new 1.3 releases were also made:
Apache 1.3.23, which added
HTTP/1.1 support to mod_proxy;
Apache 1.3.24, to fix a security
flaw affecting Windows;
Apache 1.3.26, to fix the chunked
encoding security vulnerability; and
Apache 1.3.27, to fix some
other minor vulnerabilities.
A benchmark of Apache 2.0
in April found that, on Windows, Apache 2.0 kept pace with Microsoft IIS
throughout the entire test, with little performance difference between the two.
-
Conferences:
After a long break, the Apache group found a new conference management
company and organised
ApacheCon US 2002
held in Las Vegas in November. Although the conference was less
extravagant than the previous ApacheCon conferences, the quality of the
sessions and speakers was as impressive as ever.
The O'Reilly Open Source Convention
also had a large Apache presence.
-
Security:
A couple of major security vulnerabilities were found in Apache this year.
The first can allow remote attackers to cause denial of service by
sending an invalid
chunk-encoded request.
The issue could also lead to remote code execution
on some BSD or 64-bit platforms.
The second affects only Apache 2.0 on Windows platforms and could allow remote attackers
to execute commands (CAN-2002-0661).
A few other minor vulnerabilities were found throughout the year, but none of them
were particularly serious. Here is the complete list
of vulnerabilities affecting Apache in 2002:
In addition to vulnerabilities directly affecting Apache httpd, a few
issues were found in software that is commonly used with Apache. Some of
these are serious issues. These included:
All administrators should check their systems to make sure that Apache and all
the supporting components being used have either been updated to the most
recent releases, or to releases that contain back-ported patches to fix the
security issues.
-
Surveys: Netcraft
show the total number of Apache-based servers found by their survey
rising only slightly from 21 million in January to 22 million in November,
and with continuing rises in
the market share - moving from 56% to end the year at 62%.
Netcraft also found that 97% of SSL sites that had valid third-party
certificates were capable of using strong encryption. This percentage
has increased dramatically since the expiration of the RSA patent and
the relaxation of US export controls; in September 2000 only 79% of sites
were capable of strong encryption.
At a conference, Marcus Sachs, a director of the White House
cyber-security office said that
"nearly one-third of all government Web sites use Apache...
The number of military Web sites
using it is 22 percent, second to Microsoft's server software, but
military use of Apache is growing rapidly."
-
People:
There were a few role changes in the Apache Software Foundation this year:
Greg Stein replaced
Roy Fielding as Chairman, and
Dirk-Willem van Gulik replaced
Brian Behlendorf as President. Also,
Ryan Bloom decided to leave the
HTTP development team after having played a defining role in the creation of
Apache 2.0.
The stable Apache 2.0 tree was tagged this week to prepare for a
2.0.44 release; the new snapshot was installed on the live server at
apache.org to give it the usual exposure. The release process stalled
again when binary compatibility issues arose: the new 2.0.44 release
is intended to be compatible with binary modules compiled against
2.0.43, but some changes have been made in the APR portability library
which break compatibility. Several solutions are under
discussion.
After a report that the in-memory cache module
mod_mem_cache (added in Apache 2.0) was not
reliable under high load there was some interesting discussion about
when it is appropriate to use this module; Brian Pane gave a summary of why
mod_mem_cache is likely to be less useful for caching
large files.
In this section we highlight some of the articles on the web that are of
interest to Apache users.
"Setting Up Your Own Web Server"
explains why it is better for companies to install their own web servers
instead of using web hosting services provided by ISPs. Then it gives
an overview of how to set up your own web server using Linux and the
Apache web server.
In the October 2002 issue of Linux Magazine, the article entitled
"Getting a Handle on Traffic"
shows you how to configure Apache to log every request into a MySQL
database in addition to your access_log files by using
mod_log_sql. After that, you would be able to
obtain real-time statistics by just writing the appropriate SQL
queries to analyse your database. Initially you may need to refer to
the four examples given if you are not familiar with SQL queries.
Peter Laurie tells the
story
behind "Apache: The Definitive Guide, 3rd Edition". Read it to discover
what changes have been made and the reasons behind them. A
sample
of the book's chapter 11, "Security", is now available online in PDF format.
ZDNet introduces four Apache XML projects in
"Learn about these four Apache XML tools".
A short description is provided for each project with a reference URL
to get more information. Do AxKit,
Forrest, Xang, and
Xindice ring a bell?
Congratulations to the lucky winner of our last book
competition, Nick Urbanik in Hong Kong: your books will be in the post.
Read the Apache Week
review of "Linux Apache Web Server Administration" as well
as two other books from this series, and look out for
more book competitions and reviews of Apache related books coming soon.
This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan