The first public beta release of Apache 1.3 is now available from www.apache.org and mirrors. This is version 1.3b2 (the first beta, 1.3b1, was never publicly released). This is the start of the release process for Apache 1.3. The betas allow for widespread public testing of Apache, and bugs found will be fixed in subsequent beta releases. When it is stable the final release will be made. Since this is the first public beta it is very likely to have bugs.
Apache 1.3 will also be the first release of Apache to support Windows 95 and Windows NT systems. At the moment it is only available as source code (and requires MSVC++ version 5.0 to compile), but a proper binary installation will be available next week. It is designed mainly for NT systems, but will compile and work on Windows 95 as well. However, the Windows version has not been as extensively tested or performance tuned as the Unix version.
There are many new features in Apache 1.3 compared to the Apache 1.2 series. Amongst the most important changes are:
- Support for Windows 95 and Windows NT
- Considerable performance tuning for Unix systems, including more efficient code, fewer system calls, optimisations of various aspects of request handling, less overhead managing the 'scoreboard', and less copying of data being written to the network.
- Ability to reliably use pipes to handle transaction log messages
- Better configuration for name-based virtual hosts
- Re-organisation of the source code files
- Unbuffered CGI output: Apache sends the data it has so far whenever it has to wait for more from the CGI program
- Various module API changes
There have also been some changes to the modules included with Apache. These are:
- New module mod_uniqueid to create a unique identifier for every request
- New module mod_speling to fix certain typos made in user-entered URLs
- New module mod_setenvif to set environment variables based on the details of the incoming request. This replaces mod_browser, which has been removed.
- The mod_dir module has been simplified to only deal with directory index files. Full directory indexes can be supplied by a new mod_autodir module.
- New module mod_mime_magic which can guess the MIME type of a file based on its contents (similar to the Unix file command).
Apache Site: www.apache.org
Release: 1.2.4 (Released 22nd August 1997) (local download sites)
Beta: 1.3b2 (Released 16th October 1997) (local download sites)
Bugs fixed in 1.3b2:
- The htpasswd program did not set the exit code before exiting.
Apache 1.2.4 is the current stable release. Users of Apache 1.2.3 and earlier should upgrade to this version. The next release will be 1.3. A beta test release of 1.3 is available now for both Unix and Windows 95/NT systems.
Patches for bugs in Apache 1.2.4 may be made available in the apply to 1.2.4 directory on the Apache site. Some new features and other unofficial patches are available in the 1.2 patches directory. For details of all previously reported bugs, see the Apache bug database and known bugs pages. Also many common configuration questions are answered in the Apache FAQ.
Development has slowed down over the last couple of
weeks to prepare for the release of Apache 1.3. Now
that the first beta is out, Apache is in a "feature
freeze" where no new features will be added. The only
changes from now on will be bug-fixes.
The memory allocation routines in alloc.c have been updated to include optional error checking. Apache does not use the normal way of allocating memory, which is to call malloc() for each piece of memory and to later call free() to free the memory. This would be too slow and would mean that the server would have to track every piece of memory so that it could be freed again to ensure that there is no memory leak.
Instead it allocates larger blocks of memory, then hands smaller pieces of this memory out as required. The whole block of memory can then be freed when the request is finished. (Apache also keeps track of other server resources such as open files, child processes and sockets in a similar way so that they can be released at the appropriate time.) A collection of memory and other resources which is tracked like this is called a pool.
The use of pools of memory, rather than individual malloc and free calls for each piece of memory, means traditional memory checkers such as Purify do not work very well. For example, the memory checker would not notice an overrun from one piece into the next, because both lie inside the same block that Apache obtained from malloc. To help with memory tracking, Apache can be compiled to use malloc for every bit of memory. This is enabled when the ALLOC_USE_MALLOC define is set in alloc.c. This will have an effect on performance, so a lower overhead method of trying to catch memory overruns and errors is also supported. If compiled with ALLOC_DEBUG, Apache writes 0xa5 bytes into memory it has obtained with malloc before it is handed out (in pieces) to the program, and also writes the same bytes into memory pools which are being freed. Whenever a request is made to hand out some memory, Apache checks that it still contains this byte; if not, there is a memory error.
Neither of these modifications is turned on by default, and they should only be enabled if you think that there is a memory error somewhere within Apache.
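The ALLOC_DEBUG scheme described above, as an added example in C that is not Apache's alloc.c: a toy pool allocator (the names pool_create, pool_alloc, pool_destroy and overrun_demo, the 8-byte rounding and the 256-byte block are constructed for this demo) which fills memory with 0xa5 when it is obtained and again when it is freed, and checks the fill byte on every hand-out, so an overrun of one piece is caught at the next allocation.

```c
/* Added example (not Apache's alloc.c): a minimal pool allocator mimicking
 * ALLOC_DEBUG: memory gets 0xa5 when obtained and when freed, and each
 * hand-out checks that the fill byte is still there. */
#include <stdlib.h>
#include <string.h>
#define FILL_BYTE 0xa5
struct pool {
    unsigned char *block;   /* one malloc()ed block, handed out in pieces */
    size_t used, size;
    int errors;             /* hand-outs that found a clobbered fill byte */
};

struct pool *pool_create(size_t size) {
    struct pool *p = malloc(sizeof *p);
    if (!p) return NULL;
    p->block = malloc(size);
    if (!p->block) { free(p); return NULL; }
    memset(p->block, FILL_BYTE, size);  /* poison before handing any of it out */
    p->used = 0; p->size = size; p->errors = 0;
    return p;
}

/* Hand out n bytes (rounded up to 8). Returns NULL when the block is full. */
void *pool_alloc(struct pool *p, size_t n) {
    size_t aligned = (n + 7) & ~(size_t)7;
    if (aligned < n || p->used + aligned > p->size) return NULL;
    unsigned char *mem = p->block + p->used;
    /* anything but 0xa5 here means an earlier allocation overran its slot */
    for (size_t i = 0; i < aligned; i++)
        if (mem[i] != FILL_BYTE) { p->errors++; break; }
    p->used += aligned;
    return mem;
}

void pool_destroy(struct pool *p) {
    memset(p->block, FILL_BYTE, p->size);  /* poison memory being freed */
    free(p->block);
    free(p);
}

/* Demo: a 16-byte allocation overrun by one byte is caught on the next
 * hand-out. Returns the error count: 1 for this constructed case. */
int overrun_demo(void) {
    struct pool *p = pool_create(256);   /* constructed block size */
    char *a = pool_alloc(p, 16);
    memset(a, 'A', 17);      /* deliberate one-byte overrun into the next slot */
    pool_alloc(p, 16);       /* the fill-byte check trips on the clobbered byte */
    int errors = p->errors;
    pool_destroy(p);
    return errors;
}
```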
Microsoft's FrontPage 98 product allows content providers to publish pages onto a web server. To do this the web server needs to be updated to support FrontPage's publishing ability. Microsoft provide a set of files and programs to add this support to Apache, which consists of an Apache module, several publishing CGI programs, and a program (called fpexe) which is used to switch user identifiers (uids) so that pages can be published as the correct user. They also supply source code for this program. Apache includes a similar program, called suexec, which takes great care to try and ensure that there are no security holes. Unfortunately Microsoft's program does not take such care, and in fact has a number of very serious security problems. These are documented on this page by Marc Slemko.
Probably the most serious problem is that the fpexe program needs a special "key" string to work, which is passed from the server to fpexe. This is designed to prevent other users running fpexe from the command line, which would let them change to any other user, including root (via the bin user). Of course the key must remain hidden for this to be secure, but instead it is passed as an environment variable from the server to the fpexe CGI. So any ps eww command (or similar) would show the key value, and allow any local user to change to any other local user.
There are also a number of other security problems which could lead to similar results. Microsoft describe the problem, and recommend that users do not use fpexe until it is fixed. They will be releasing an updated version soon, including source code.
This issue demonstrates the value of providing source code for this sort of application. If the source code had not been available for inspection, this (and other) security problems might not have been noticed until they were being exploited. However, Microsoft do not offer the source code to the CGI programs which are run by fpexe, so security holes could still exist there.
Apache and three other web servers are reviewed in
TechWeb's InternetWeek online publication. In
Unix Web Servers: Unhyped But Not Forgotten they
compare four Unix servers: Apache, Netscape FastTrack,
Stronghold and Sun Web Server (SWS). Apache is rated
just below Stronghold, losing out for poorer
installation and documentation, and a lack of SSL
support. Overall they state that "Apache excels as a
well-designed, flexible server."