In this issue

A security problem with a number of HTTP servers (including Apache) was noted this week. The problem lies in some of the example C code that is used for the cgi-bin programs. There is a patch available and the sample programs have been changed for release 1.1

Version 1.0.3 remains the stable, public, released version.

A number of patches for 1.1b0a were submitted. This will probably be released to the public as 1.1b1 in March.

Scoreboard Performance

As discussed previously a patch for shared memory was uploaded and tested. Machines that can support it will now use memory instead of a temporary file for the process scoreboard. This should slightly increase performance of the server.

NCSA Satisfy

A few users have mentioned that they would like conditional access such as "allow if from .ukweb.com or ask for a password". The NCSA server allows this by having a "Satisfy Any" directive. The current API of Apache does not allow such a directive to be added without changing the way the auth and access modules interact.

Don't Log some hosts

Discussions about logging of accesses took place. It could be useful to be able to block logging accesses from certain sites. A patch was uploaded to do this although several comments were made that a log file should be complete. Removing host accesses is better performed by a log analyser. The CERN server has such a "NoLog" directive.

DNS Minimal

When apache is compiled to do minimal DNS lookups it will not accept domain-based access using qualified names such as "allow from .ukweb.com". A patch was submitted to do a DNS lookup for authentication even when minimal DNS is selected.

CVS

A strategy for dealing with the new configuration management tool was proposed. The current version 1.1b0 of Apache was submitted to the head branch of the CVS tree and other waiting patches were then applied. Using CVS should greatly speed up the voting and patch submission process for the developers.