This week Brian Atkins tracked down a case where a malformed
Host request header could cause a NULL pointer dereference;
it was discovered that this could occur if using server-parsed error
pages with mod_include. The fix was checked in
to the 2.1 tree.
A common question from developers of Apache modules is why a
function registered to implement a post_config
hook is called twice during startup (the server runs its
configuration phase twice when it starts, so post_config runs once per
pass). In response to the question arising on the development list, a
pair of macros was posted which explain how to deal with this correctly.
One feature of 1.3 enjoyed by mod_perl users
was the use of <Perl>...</Perl> blocks
in configuration files; these cause a parse error if used with
2.0. Philippe M. Chiasson discovered this was due to a simple
bug in the configuration parser, and submitted a patch. The bug can
also be worked around by including a trailing space in the opening
directive, <Perl >.
The test tarballs prepared for the forthcoming 2.0.48 release
received several votes for release; Greg Ames installed the code on the
live server at apache.org as usual, and no problems have been
reported so far. A release date of Sunday 19th October has been
Linux distribution vendor MandrakeSoft recently
issued a security advisory for their httpd 2.0 package, entitled
"Updated apache2 packages
fix CGI scripting deadlock". The update concerns a
long-standing problem in the current design of
mod_cgi in 2.0: if a CGI script writes
more than 4096 bytes of data to stderr without having written any data
to stdout, the script fills the stderr pipe and blocks, while the server
is still waiting to read from stdout; neither side can make progress,
and the script hangs. This issue
only affects mod_cgi in 2.0, where pipes are used
to communicate with CGI scripts; in 1.3, scripts are invoked with
direct access to the error log and the TCP socket, so there is no
pipe to fill.
The advisory has caused confusion on several fronts. Firstly,
the bug in mod_cgi only has security
implications if a remote user can force a CGI script to produce
the necessary amount of data on stderr (for instance, as debugging
output); the effect is then a denial of service, since the hung script
ties up the server process handling the request. Secondly, the advisory
states that the updated packages
"use the latest mod_cgi.c from the Apache 2.1 CVS version", which
was not correct: no version of mod_cgi in the CVS tree currently
contains a fix for this problem. In fact the update used a
"work-in-progress" version of mod_cgi.c written by
Jeff Trawick which was
referenced from the Apache bug database entry on this issue,
BZ#22030. Jeff, who is working on ways of fixing the bug,
states that the particular version included by MandrakeSoft has
some undesirable side-effects, such as causing the CGI response to
be entirely buffered in memory.
Whilst development continues on an improved
mod_cgi for 2.0, the advice for server administrators
is to ensure that CGI scripts do not produce large
volumes of output on stderr.
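The deadlock described above, and why keeping stderr output small avoids it, can be reproduced outside Apache with two pipes and a child process. What follows is an added example, not code from Apache, from mod_cgi or from the advisory: a stand-in "server" reads the script's stdout to end-of-file before looking at stderr, which is effectively what mod_cgi in 2.0 does, and a second version drains both pipes at once. The 4096-byte figure in the advisory is the pipe buffer of the kernels of the day; the example writes 1 MiB so that it also exceeds the buffer on current systems. The child script, the function names and the three-second timeout are all assumptions made for the illustration.

```python
import subprocess
import sys
import threading

# Constructed stand-in for a CGI script (not a script from the advisory):
# it emits N bytes of "debugging output" on stderr before it has written
# anything to stdout, then sends a minimal CGI response.
CHILD_SCRIPT = r"""
import sys
n = int(sys.argv[1])
sys.stderr.buffer.write(b"x" * n)
sys.stderr.buffer.flush()
sys.stdout.buffer.write(b"Content-Type: text/plain\r\n\r\nhello\n")
sys.stdout.buffer.flush()
"""

# Well above the pipe buffer of any common kernel (4096 bytes on the
# kernels of 2003, 65536 on current Linux), so the child blocks on its
# stderr write.
LARGE_STDERR = 1 << 20


def spawn_script(stderr_bytes):
    """Start the stand-in script with a pipe on stdout and on stderr,
    as mod_cgi in 2.0 does."""
    return subprocess.Popen(
        [sys.executable, "-c", CHILD_SCRIPT, str(stderr_bytes)],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )


def serve_stdout_first(stderr_bytes, timeout=3.0):
    """Model of the 2.0 behaviour: read the script's stdout to EOF and only
    then collect stderr for the error log. Returns "ok", "deadlock"
    (stdout never arrived within the timeout) or "bad"."""
    proc = spawn_script(stderr_bytes)
    got = {}

    def reader():
        got["stdout"] = proc.stdout.read()  # blocks until the script closes stdout
        got["stderr"] = proc.stderr.read()

    worker = threading.Thread(target=reader, daemon=True)
    worker.start()
    worker.join(timeout)
    if worker.is_alive():
        # The script is blocked on a full stderr pipe while we wait on
        # stdout: the deadlock from the advisory. Kill it and clean up.
        proc.kill()
        worker.join()
        proc.wait()
        return "deadlock"
    proc.wait()
    proc.stdout.close()
    proc.stderr.close()
    return "ok" if got["stdout"].endswith(b"hello\n") else "bad"


def serve_draining_both(stderr_bytes, timeout=3.0):
    """A server that drains stdout and stderr concurrently never blocks the
    script, however much it writes to stderr."""
    proc = spawn_script(stderr_bytes)
    out, err = proc.communicate(timeout=timeout)
    ok = out.endswith(b"hello\n") and len(err) == stderr_bytes
    return "ok" if ok else "bad"


if __name__ == "__main__":
    print("small stderr, stdout-first server:", serve_stdout_first(100))
    print("large stderr, stdout-first server:", serve_stdout_first(LARGE_STDERR))
    print("large stderr, draining server:    ", serve_draining_both(LARGE_STDERR))
```

The first call is the situation the advice for administrators aims for: with little stderr output the stdout-first reader finishes normally. The second call hangs until the timeout fires, which is the deadlock. The third shows what a corrected mod_cgi has to do, but note that `communicate()` holds the whole response in memory, which is exactly the side-effect Jeff Trawick describes in the work-in-progress version; a production fix has to interleave draining stderr with streaming stdout to the client.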
The second issue of the official Apache
Newsletter was launched this week. The bi-monthly newsletter
aims to cover all of the Apache Software Foundation projects and
is packed with development news as well as details of all the new
releases. Of particular interest this month are details of
ApacheCon 2003, and some statistics from the first few weeks of
the Geronimo project, an effort to make a J2EE compatible
SANS, together with the FBI, has updated its Top 20 Vulnerabilities, a
list of the most commonly exploited vulnerable services.
Apache gets a mention as one of the top ten vulnerable services
for Unix, although most of the time it is third-party applications
or poorly written scripts that are to blame for successful
attacks. A checklist provides useful advice on how to make
Apache and the related components more secure.
In this section we highlight some of the articles on the web
that are of interest to Apache users.
If you think mod_python has something to do
with John Cleese or dead parrots then you should find the O'Reilly
article on mod_python of help. Lead author Gregory Trubetskoy gives an
overview of the module as well as some reasons why you'd want to
use it on your server.
Following on the animal theme, we have Joe Stump providing an
article on "Building
an Advanced Mail Server, Part 2". Joe uses SquirrelMail, a
PHP-based webmail package, together with Apache, to provide an
interface to his IMAP mail server.
Finishing off the tutorials for this week, the Linux Gazette
provides step by step instructions on "Integrating
Tomcat and Apache on RedHat 9.0". Mike Millson provides
everything you need to get Tomcat up and running from scratch.