In this issue

The next beta of Apache 1.3 is now available. This is the third public beta, but two more betas were never released, so this is actually called 1.3b5. A binary Windows version of this beta will be made available shortly.

There are a lot of bug fixes in this beta, for both Unix and Windows. All users of previous betas of 1.3 should upgrade to beta 5. The major other non-bugfix changes are:

• New command line options -C and -c to specify directives to run before and after (respectively) the configuration files have been read
• mod_dld has been removed and replaced by mod_so for loading modules when Apache starts
• New UseCanonicalName directive can be used to make Apache generate URL's referring to itself which contain the client supplied host and port
• Header files are now in a new src/include directory
• Environment variables passed to subprocesses (e.g. CGIs) will only ever contain letters, numbers and underscore in their names

Details of all the bugs fixed in beta 5 are in the src/CHANGES file in the distribution

Apache Site: www.apache.org
Release: 1.2.5 (Released 5^th January 1998) (local download sites)
Beta: 1.3b5 (Released 19^th February 1998) (local download sites)

Apache 1.2.5 is the current stable release. Users of Apache 1.2.4 and earlier should upgrade to this version since it fixes a number of bugs and potential security problems. A new version, 1.2.6, is expected soon which fixes some more bugs.

The bugs listed below now include a link to the entry in the Apache bug database where the problem is being tracking where possible. These entries are called "PR"s (Problem Reports). Some bugs do not correspond to problem reports if they are found by developers.

• If argument to a UserDir directive is an absolute path with no wildcard ("*") character, a request for /~.. or /~. would bypass security checks. PR#1701

These bugs have been found in 1.3 and will be fixed in the next beta (1.3b6)

• If argument to a UserDir directive is an absolute path with no wildcard ("*") character, a request for /~.. or /~. would bypass security checks. PR#1701
• Under some circumstances the accept system call could fail. Apache would log this with an accept: (client socket) error, then loop around to the accept again. However in most cases the error occurs again, leading to a loop and an error_log consisting of the repeated copies of that error message. From the next release the affected child process will exit. This same change has also been applied to the select system call. PR#1787 and others
• Linux 2.0 and above did not limit memory use correctly with RLimitMem. PR#1816
• Compilation problems on HP-UX. PR#1639
• The AIX OS on systems with multiple processors would run all the child processes on the same processor. Apache now implements a work-round to get the OS to use different processors.
• Some <Files> configurations involving the "*" wildcard which worked under 1.2.* no longer work in 1.3 betas. See "Under Development" below for the explanation. PR#1817
• <Files> sections are not valid inside <Location> but Apache would allow it without signalling an error. It is now a configuration error. PR#379
• <Files> sections could be ended by a </FilesMatch> directive, and similarly for <Location> and <Directory>.
• mod_info could produce slightly incorrect HTML output when directives had no arguments.

Patches for bugs in Apache 1.2.5 may be made available in the apply_to_1.2.5 directory on the Apache site (this directory may not exist if no patches are available). Some new features and other unofficial patches are available in the 1.2 patches directory (these may not apply cleanly to 1.2.5). For details of all previously reported bugs, see the Apache bug database and known bugs pages. Many common configuration questions are answered in the Apache FAQ.

Development has slowed down to prepare for the release of Apache 1.3. During the beta release cycle Apache is in a "feature freeze" where no major new features will be added.

In both 1.2.* and 1.3 beta, the <Files> directive can be used to apply restrictions to certain files. The files to be restricted can be given as a "shell" style wildcard, using * to represent any sequence of characters. However when Apache 1.2.* uses the name given in the <Files> section it matches it against the full path of the file, not just the filename. This tended to work in 1.2.* because the "*" matched any sequence of characters, including slash characters. But in Apache 1.3 the "*" no longer matches slash characters. This makes it work more like the shell "*" when matching filenames (e.g. as in ls *).

Since <Files> is intended to match against filenames, the next release of 1.3 will do just that. The filenames given in the argument to <Files> will be matched against just the filename of the file, not the full path. This will let restrictions such as <Files a*b> work correctly. It will also fix some configurations which worked under 1.2.*, but broke under the current 1.3 betas, such as <Files *.pl>.

The Java Servlet module, mod_jserv, lets you use Java servlets with Apache. These are server-side extensions written in Java and conforming to the interface described in the JSDK.

The latest version, 0.9.10, works with JDK 1.1 which incorporates the JSDK. It is available from java.apache.org.

Apache for NT is reviewed by InfoWorld in Apache fits the bill for NT sites considering alternatives (16 Feb 1998). Unlike many articles, they got beyond the fact that Apache does not have a GUI configuration interface, and found some of the real problems with Apache on NT. For example, rotating log files is not easy, and Apache loads ISAPI DLL files for each request rather than caching them. Overall, though, this article was very positive about Apache on NT, saying that "if you want a fairly lightweight yet powerful Web server Apache is one of the best choices available".