In this issue

Apache Site: www.apache.org
Release: 1.2.4 (Released 22^nd August 1997) (local download sites)
Beta: 1.3b2 (Released 16^th October 1997) (local download sites)

• Attempts to do a PUT to a directory do not work, instead Apache reports "method not implemented".
• Apache does not accept continuation lines in the header output of CGI scripts. The CGI specification does not define whether this is valid. For now, CGI scripts should not use continuation lines.

Apache 1.2.4 is the current stable release. Users of Apache 1.2.3 and earlier should upgrade to this version. The next release will be 1.3. A beta test release of 1.3 is available now for both Unix and Windows 95/NT systems. It is currently only available as source code.

Apache 1.3 is now in beta test. The most recent release is 1.3b2 (there was no 1.3b1). This is available in source form for both Unix and Windows 95/NT. It was hoped to get a binary release for Windows, but this is likely to be available for the next beta because of a number of important bugs found and fixed in 1.3b2.

These bugs have been reported in 1.3b2 and are either not fixed, or have not been reproduced by the Apache developers.

• Apache fails if a command line argument contains spaces, for example Apache -d "Program FilesApache". This appears to be a bug in NT, but a work-around will be implemented for future releases.
• Windows only: reports of servers being unable to serve more that 16kB files. This has not been reproduced.
• OS specific problems: i386 AIX does not compile, some versions of HPUX have problems with regular expressions, some versions of NETBSD did not get correct compilation information, Unixware 2.x does not compile, Ultrix does not compile, UnixWare 5 not supported, SVR4 systems should all use shared memory. Fixes for all these are under development and test.

These bugs have been found and fixed in 1.3b3. Because of the major differences between Windows and Unix, these are separated into bugs which affect Windows systems only, and other bugs (which may affect Windows as well). Unix users can ignore the bugs listed in the Windows section.

Windows-specific Bugs

• Data sent to a CGI used DOS "text" mode, making it impossible to send in arbitary POST data. Next release will use "binary" pipes.
• Calling a CGI with a query string which did not include an = sign caused Apache to crash.
• Windows 95 only: DirectoryIndex fails, returning a "Not Found" error instead of the file.
• if a CGI process was not created correctly, Apache would log a "premature end of headers" rather than a process-creation error.
• Compiling Apache requires that the ODBC import libraries are installed.

• Various "global" directives, such as StartServers are valid inside <VirtualHost> sections, which might make people think they are configurable on a per-vhost basis. They should instead give an error if used inside a virtual host definition.
• LogLevel does not give an error if its argument is invalid
• The mod_speling module logs modifications it makes to request URLs as errors instead of informational messages.
• mod_speling gives some warnings during compilation on 64-bit machines.
• None of the section directives (<Directory>, <VirtualHost>, etc) checked that the block was closed before the end of file.
• <Directory>, <Location> and <Files> ignored extra arguments, which could hide problems if people try to restrict multiple directories or files at once.
• When Apache starts servers quickly it logs "[error] server seems busy, spawning 4 children". This is not necessarily an error.
• mod_unique's UNIQUE_ID environment variable is not part of the environment of scripts launched via suEXEC.
• Error messages directive syntax error can have the wrong line number, because blank lines are not counted properly.

Patches for bugs in Apache 1.2.4 may be made available in the apply to 1.2.4 directory on the Apache site. Some new features and other unofficial patches are available in the 1.2 patches directory. For details of all previously reported bugs, see the Apache bug database and known bugs pages. Also many common configuration questions are answered in the Apache FAQ.

Development has slowed down over the last couple of weeks to prepare for the release of Apache 1.3. Now that the first beta is out, Apache is in a "feature freeze" where no new features will be added. The only changes from now on will be bug-fixes.

Microsoft's FrontPage 98 server extensions for Apache had serious security holes, which could lead to anyone on the local system becoming any other user. This was reported on Ziff-Davis' UK site, as MS patches IE hole, FrontPage still gaping (along with an Internet Explorer 4.0 security problem).

Microsoft have now released an updated set of server extensions, which it is claimed fix the security problems. The description of how the new server extensions work does appear much better than the previous version.