Apache Week

Issue 347, 2nd July 2004

Copyright 1996-2005
Red Hat, Inc.

In this issue


Apache httpd 2.0.50 Released

Apache httpd 2.0.50 was released on 1st July 2004 and is now the latest version of the httpd 2.0 server. The previous version was 2.0.49, released on the 19th March 2004. See what was new in Apache httpd 2.0.49.

Apache httpd 2.0.50 is available for download.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions of 2.0 prior to Apache httpd 2.0.50 should upgrade to Apache httpd 2.0.50. Read more about the other security issues that affect 2.0.

Security issues

  • A memory leak in the parsing of HTTP headers, which can be triggered remotely, may allow a denial of service attack through excessive memory consumption. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0493 to this issue.
  • A buffer overflow in the mod_ssl FakeBasicAuth code could be exploited by an attacker presenting a (trusted) client certificate whose subject DN field exceeds 6K in length. The affected code is only reached on servers that enable the FakeBasicAuth option (SSLOptions +FakeBasicAuth) and request client certificates; other mod_ssl configurations do not pass the subject DN through it. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0488 to this issue.
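To put the two advisories into something an administrator can run, here is an added example (it is not code from Apache httpd or from Apache Week) that checks whether a running 2.0.x version predates 2.0.50 and which server contexts in an httpd.conf actually enable FakeBasicAuth while requesting client certificates, i.e. the only configuration in which the CAN-2004-0488 code path can be reached. The config reader is deliberately minimal: it walks one file, ignores Include, and attributes SSLOptions or SSLVerifyClient found inside Directory or Location blocks to the enclosing server context. The version banner and the httpd.conf fragment below are constructed for the example.

```python
"""Audit helper for the httpd 2.0.50 security fixes (added example).

Checks two things: whether the 2.0.x version in an 'httpd -v' banner
predates 2.0.50, and which server contexts enable FakeBasicAuth while
SSLVerifyClient is anything but 'none'. The config walk is intentionally
simple (single file, no Include handling; directives inside
<Directory>/<Location> count for the enclosing server context).
"""
import re

FIXED_VERSION = (2, 0, 50)

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
_SECTION_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
_SECTION_CLOSE = re.compile(r"^</(\w+)>$")


def parse_version(banner):
    """Extract (major, minor, patch) from the output of 'httpd -v'."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no Apache version found in %r" % banner)
    return tuple(int(x) for x in m.groups())


def needs_upgrade(version):
    """True for any 2.0.x release before 2.0.50, the range this issue covers.
    Other branches (1.3 with its separate mod_ssl) are not assessed here."""
    if version[:2] != (2, 0):
        raise ValueError("only the 2.0 branch is assessed: %r" % (version,))
    return version < FIXED_VERSION


def fakebasicauth_exposure(conf_text):
    """Return the server contexts ("global" or "VirtualHost <arg>") in which
    FakeBasicAuth is on and SSLVerifyClient is not 'none'. Only those
    contexts ever hand a client certificate's subject DN to the code that
    overflows."""
    state = {"global": {"fake": False, "verify": "none"}}
    stack = ["global"]                      # current server context
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # httpd comments are whole lines
            continue
        m = _SECTION_OPEN.match(line)
        if m:
            if m.group(1).lower() == "virtualhost":
                ctx = "VirtualHost " + m.group(2).strip()
                state[ctx] = {"fake": False, "verify": "none"}
                stack.append(ctx)
            else:                           # Directory/Location/IfModule...
                stack.append(stack[-1])
            continue
        if _SECTION_CLOSE.match(line):
            stack.pop()
            continue
        words = line.split()
        directive, args = words[0].lower(), words[1:]
        ctx = state[stack[-1]]
        if directive == "ssloptions":
            for opt in args:
                # "+FakeBasicAuth" or bare "FakeBasicAuth" turns it on,
                # "-FakeBasicAuth" turns it off again.
                if opt.lstrip("+-").lower() == "fakebasicauth":
                    ctx["fake"] = not opt.startswith("-")
        elif directive == "sslverifyclient" and args:
            ctx["verify"] = args[0].lower()
    return [name for name, s in state.items()
            if s["fake"] and s["verify"] != "none"]


# Constructed sample input for the example.
SAMPLE_BANNER = "Server version: Apache/2.0.49\nServer built:   Mar 19 2004"

SAMPLE_CONF = """\
# constructed httpd.conf fragment
SSLVerifyClient none
<VirtualHost 10.0.0.1:443>
    ServerName secure.example.com
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOptions +FakeBasicAuth +StrictRequire
    <Location /private>
        AuthType Basic
        AuthName "Certificate holders"
        AuthUserFile /etc/httpd/dn.passwd
        Require valid-user
    </Location>
</VirtualHost>
<VirtualHost 10.0.0.1:8443>
    ServerName other.example.com
    SSLEngine on
    # FakeBasicAuth is on here, but no client certificate is ever requested
    SSLOptions +FakeBasicAuth
</VirtualHost>
"""


def audit(banner, conf_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    version = parse_version(banner)
    if needs_upgrade(version):
        findings.append("httpd %d.%d.%d predates 2.0.50: upgrade for "
                        "CAN-2004-0493 and CAN-2004-0488" % version)
    for ctx in fakebasicauth_exposure(conf_text):
        findings.append("%s: FakeBasicAuth with client certificates, "
                        "CAN-2004-0488 code path reachable" % ctx)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_BANNER, SAMPLE_CONF):
        print(finding)
```

On the sample input the audit reports the outdated version and the 10.0.0.1:443 host only; the 8443 host never asks for a client certificate, so its FakeBasicAuth setting is harmless for this issue. The memory leak (CAN-2004-0493) has no configuration switch to look for, which is why the version check is the whole story there.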

New features

The following new features have been added in httpd 2.0.50:

  • inclusion of the new forensic logging module, mod_log_forensic, which logs every request before it is processed and again when it completes, so that a request which crashes or hangs the server can be identified
  • mod_headers: the RequestHeader directive can be used conditionally
  • mod_alias: warnings will be issued at startup if aliases which overlap are configured
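As an added example of what the new forensic log gives you (this is not code from Apache httpd or from Apache Week), the reader below implements the idea behind the support/check_forensic script. mod_log_forensic writes each request twice: a line of the form "+<id>|<request line>|<header>:<value>|..." before the request is processed, and a bare "-<id>" once it completes, with ':', '|', '%' and non-printable bytes inside fields written as %xx. A '+' line with no matching '-' line is therefore a request that was still in flight when the child died or hung. The log lines below are constructed, with made-up ids.

```python
"""Reader for mod_log_forensic output (added example, not Apache's code).

Pairs every '+<id>' start line with its '-<id>' completion line and
reports the requests that never completed, decoding the module's %xx
field escaping on the way.
"""
import re

_PCT = re.compile(r"%([0-9a-fA-F]{2})")


def unescape(field):
    """Reverse mod_log_forensic's %xx escaping of one field."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), field)


def parse_start(line):
    """Parse a '+' line into (id, request_line, [(name, value), ...]).

    Because ':' inside a value is escaped, the first ':' in each header
    field is always the name/value separator."""
    fields = line[1:].split("|")
    if len(fields) < 2:
        raise ValueError("malformed forensic entry: %r" % line)
    fid, request = fields[0], unescape(fields[1])
    headers = []
    for field in fields[2:]:
        name, _, value = field.partition(":")
        headers.append((unescape(name), unescape(value)))
    return fid, request, headers


def unfinished_requests(lines):
    """Return (id, request_line, headers) for every request that was
    started but never logged as completed, in start order."""
    open_requests = {}
    order = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("+"):
            fid, request, headers = parse_start(line)
            open_requests[fid] = (request, headers)
            order.append(fid)
        elif line.startswith("-"):
            # A '-' with no '+' just means the log was rotated mid-request.
            open_requests.pop(line[1:], None)
    return [(fid,) + open_requests[fid] for fid in order
            if fid in open_requests]


# Constructed sample log: id-0002 started but never finished.
SAMPLE_LOG = """\
+id-0001|GET /manual/index.html HTTP/1.1|Host:www.example.com|User-Agent:Mozilla/5.0 (X11; U; Linux i686; rv%3a1.6) Gecko/20040216 Firefox/0.8|Accept:text/html,*/*;q=0.5
-id-0001
+id-0002|POST /cgi-bin/upload.cgi HTTP/1.1|Host:www.example.com%3a8080|Content-Length:4096|X-Note:a%7cb%25c
+id-0003|GET /favicon.ico HTTP/1.1|Host:www.example.com
-id-0003
"""


if __name__ == "__main__":
    for fid, request, headers in unfinished_requests(SAMPLE_LOG.splitlines()):
        print("%s never completed: %s" % (fid, request))
        for name, value in headers:
            print("    %s: %s" % (name, value))
```

Run against a real forensic_log, the unfinished entries are the requests to look at first after a crash or a hang, and because the full header set is recorded before processing starts, a request that was exercising the header parser when the child died is captured intact.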

Bugs fixed

The following bugs have been fixed in httpd 2.0.50:

  • core: a VirtualHost specified by hostname will be used for all addresses which that hostname resolves to; log files can exceed the 2Gb size limit on some 32-bit platforms (BZ#13511); correctly NUL-terminate long request lines before logging (BZ#28376); fix crash with no Listen directives
  • mod_ldap/mod_auth_ldap: many stability and LDAP connection handling issues fixed along with several other bug fixes (BZ: #24801, #22602, #26390, #28250, #19304, #24437, #27748, #17274)
  • mod_cgi: fix handling of CGI script stderr output (BZ: #22030, #18348)
  • mod_ssl: fix a segfault in SSL shutdown handling, and several session caching fixes (BZ: #27945, #26562, #27751)
  • mod_rewrite: fix handling of forward proxy requests (BZ#295292)
  • mod_dav: fix a MKCOL response code and a crash in lock handling on some platforms (BZ#29034)
  • mod_isapi: header and variable handling bugs (BZ: #20656, #20619, #20617)
  • misc: fix memory consumption in mod_deflate, handling of empty headers in mod_headers, a segfault in mod_expires
  • support tools: htpasswd uses APR temporary file handling, and handles files with empty lines; htdbm handles comments correctly
  • Unix-specific: handle new connections even when the number of file descriptors in use exceeds the platform's FD_SETSIZE definition; check that the suexec binary is really setuid root again (BZ#28287)
  • Win32-specific: prevent a server hang when the number of Listen directives exceeds the configured ThreadsPerChild

In the news

O'Reilly Open Source Convention 2004

Less than a month to go before the annual O'Reilly Open Source Convention opens its doors in Portland, Oregon. This year the conference runs from July 26-30 with many tracks of interest to Apache users.

ApacheCon USA 2004 Call For Papers

Got a great idea for a presentation that would interest ApacheCon attendees? The conference planners recently released a Call for Papers for the upcoming conference in Las Vegas in November this year. Proposals are due in just a few weeks.

If the prospect of early Christmas shopping in Vegas doesn't appeal, how about submitting a proposal to "OSCOM.4 with ApacheTracks" in Zurich in October?


Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

Rich Bowen publishes more often than Apache Week, and this time he's helping users choose between Apache 1.3 and 2.0 in another "A Day in the Life of #Apache".

Fortunately the first step in the SecurityFocus article "Securing Apache 2: Step-by-Step" isn't to turn off your server. Instead, this short guide gives a good set of tips and tricks including how to get Apache 2 running in a chroot jail.

Dan Wellman gives Dev Shed readers a brief insight into "Configuring and Using Virtual Hosts in Apache".


This issue brought to you by: Mark J Cox, Joe Orton
Comments or criticisms? Please email us at editors@apacheweek.com