In this issue

This week Brian Atkins tracked down a case where a malformed Host request header could cause a NULL pointer dereference; it was discovered that this could occur if using server-parsed error pages with mod_include. The fix was checked in to the 2.1 tree.

A common question from developers of Apache modules is that a module function called to implement a post_config hook gets called twice during startup: in response to the question arising on the development list, a pair of macros was posted which explain how to deal with this correctly.

One feature in 1.3 enjoyed by mod_perl users was the use of <Perl>...</Perl> blocks in configuration files, which cause a parse error if used in 2.0. Philippe M. Chiasson discovered this was due to a simple bug in the parser code, and submitted a patch. The bug can also be avoided by including a trailing space in the opening directive, <Perl >.

The test tarballs prepared for the forthcoming 2.0.48 release received several votes for release; Greg Ames installed the code on the live server at apache.org as usual, and no problems have been reported so far. A release date of Sunday 19th October has been suggested.

Linux distribution vendor MandrakeSoft recently issued a security advisory for their httpd 2.0 package, entitled "Updated apache2 packages fix CGI scripting deadlock". The update concerns a long-standing problem in the current design of mod_cgi in 2.0 - if a CGI script tries to write more than 4096 bytes of data to stderr without writing any data to stdout, a deadlock occurs and the script will hang. This issue only affects mod_cgi in 2.0, where pipes are used to communicate with CGI scripts; in 1.3, scripts are invoked with direct access to the error log and TCP socket.

The advisory has caused confusion on several fronts. Firstly, the bug in mod_cgi only has security implications if a remote user can force a CGI script to produce the necessary amount of data on stderr (for instance, as debugging output). Secondly, the advisory states that the updated packages "use the latest mod_cgi.c from the Apache 2.1 CVS version", which was not correct - no version of mod_cgi in the CVS tree currently contains a fix for this problem. In fact the update used a "work-in-progress" version of mod_cgi.c written by Jeff Trawick which was referenced from the Apache bug database entry on this issue, BZ#22030. Jeff, who is working on ways of fixing the bug, states that the particular version included by MandrakeSoft has some undesirable side-effects, such as causing the CGI response to be entirely buffered in memory.

Whilst development continues on an improved mod_cgi for 2.0, the advice for server administrators is to ensure that CGI scripts do not produce large volumes of output on stderr.

The second issue of the official Apache Newsletter was launched this week. The bi-monthly newsletter aims to cover all of the Apache Software Foundation projects and is packed with development news as well as details of all the new releases. Of particular interest this month are details of ApacheCon 2003, and some statistics from the first few weeks of the Geronimo project, an effort to made a J2EE compatible container.

SANS together with the FBI have updated their Top 20 Vulnerabilities, a list of the most commonly exploited vulnerable services.

Apache gets a mention as one of the top ten vulnerable services for Unix, although most of the time it is third party applications or poorly written scripts that are to blame for successful attacks. A checklist provides useful advice on how to make Apache and the related components more secure.

In this section we highlight some of the articles on the web that are of interest to Apache users.

If you think mod_python has something to do with John Cleese or dead parrots then you should find the O'Reilly article, "Introducing mod_python" of help. Lead author Gregory Trubetskoy gives an overview of the module as well as some reasons why you'd want to use it on your server.

Following on the animal theme, we have Joe Stump providing an article on "Building an Advanced Mail Server, Part 2". Joe uses SquirrelMail, a PHP-based webmail package, together with Apache, to provide an interface to his IMAP mail server.

Finishing off the tutorials for this week, the Linux Gazette provides step by step instructions on "Integrating Tomcat and Apache on RedHat 9.0". Mike Millson provides everything you need to get Tomcat up and running from scratch.