In this issue

1.0.5 is the current stable public release. The beta test version, 1.1b, is still at version 2, but 1.1b3 and a full release should not be too far away now.

Directory indexing can fail when DocumentRoot has trailing slash

If the DocumentRoot directive is given a directory with a trailing slash, e.g. DocumentRoot /usr/local/etc/httpd/htdocs/, various parts of the directory indexing module do not operate correctly. A work-around is to not put a trailing slash on the DocumentRoot directory.

Problems with new Linux libc

There have been reports of some problems with the new version of Linux libc, version 5.3.*. This has a new implementation of malloc(), and the problem might be in the new libraries, or perhaps an Apache problem that has gone unnoticed until now. It looks most likely to be a libc problem, since similar problems have not been reported on other OSes. At the moment, it is probably better not to use the current libc 5.3.12 with Apache.

Imagemap module can give incomplete URLs

There was a problem with the imagemap module returning relative filenames in some circumstances. There is also a problem when the map entry URL starts with .. and base referer is in use, for some referred URLs. Fixes are being tested.

Other bugs

• All: Cookie Log incorrect format (output unwanted lines containing timezone offset) - fixed
• 1.1: TERM signal does not kill Apache Solaris 2.5 (and possible other SVR4) - fixed
• 1.1: Dead child processes are not reclaimed properly after a HUP signal when using Listen - fixed

'Anonymous' access to authenticated areas

A new version of mod_auth_anon is now available, and will be part of the next release. This module allows anonymous access to authenticated areas, rather like the 'anonymous' user in ftp connections. When the user goes into an area protected by this module, they enter a special username (typically 'anonymous'), with their email address as password. The module can be configured to work with other authentication modules so that people can access protected areas either with a valid username and password, or anonymously. The documentation is available now.

CGI stuff removed

Various programs and scripts from cgi-bin and cgi-src have been removed from the Apache distribution. This is because many of these are very old, not maintained by the Apache group, and might contain bugs and security problems that the Apache group do not want to be associated with. Also, a couple of changes have been made to make fresh Apache installations more secure: scripts that are left in cgi-bin are distributed without execute permission, and srm.conf now has the ScriptAlias command commented out, so that by default there is no cgi-bin directory anyway. The old cgi-bin and cgi-src files will be available in a cgi-pack archive.

Implementing Host header

The new HTTP/1.1 specification makes browsers send a Host: header containing the hostname of the resource being requested. This can be used by the server to identify the resource to be returned, as a way of implementing virtual hosts on a single IP address. The issue with supporting this is how to give a useful response to requests from old browsers that do not send a Host: header. While this connect be done totally transparently, there will probably be some extra directives to aid setting up a site that supports both old and new browsers.