In this issue

Most of the Apache core developers met recently for the first time. This meeting had two aims: to discuss the organisational structure of the Apache group, and to discuss the plans for "Apache 2.0". These discussions took place over four days between 30th June and 3rd July 1998 (even though the 3rd was a holiday for most other people in the US at the time).

Besides the official business, the week also gave the opportunity for the developers to meet and socialise, including a hike along the coast. For many, it was the first time they had met more than one or two other developers. In total, fourteen of the eighteen core developers made it in person to the meeting in San Francisco. Some of those that could not attend in person joined in via a telephone conference call.

At present, there is no such thing as an Apache organisation. While all code is described as being owned by "The Apache Group", this has no legal existance apart from the group of individuals that make up the core developers. Part of the plans for the future involve the creation of a real entity to hold the Apache source code copyright. This entity could also hold Apache trademarks, ensure that the Apache license is enforced, and provide legal safeguards for Apache contributors and developers. The meeting discussed possible models for the Apache organisation, including some advice from lawyers familiar with free and open source software development. Nothing has yet been decided, but it seems likely that a US corporation will be formed (issues that need resolving include whether charitable or not-for-profit status should be used, and which country or US state to incorporate in).

Whatever happens, the Apache organisation will be committed to maintaining Apache as an open source, freely available software project under terms very similar to the existing license (i.e. allowing commercial use of the code with minor advertising restrictions). Any funding necessary will come from donations. The Apache group will not sell versions of Apache or provide additional services.

After the 1.3.X series of minor releases, the next major release will be Apache 2.0. This will be a very major release, with significant code changes. Many of the plans for Apache 2.0 have already been discussed in Apache Week.

Apache Site: www.apache.org
Release: 1.3.0 (Released 6^th June 1998) (local download sites)
Beta: None

Apache 1.3.0 is now the current stable release. Users of Apache 1.2.6 and earlier should look at upgrading to this version, which provides additional features and has been subject to extensive testing.

The bugs listed below now include a link to the entry in the Apache bug database where the problem is being tracked. These entries are called "PR"s (Problem Reports). Some bugs do not correspond to problem reports if they are found by developers.

These bugs have been found in 1.3.0 and will be fixed in 1.3.1.

• The "handler not found" error was being given if the handler did exist but declined to handle the request. PR#2529.
• Add dynamic loadable module support on SCO 5. PR#2533.
• Apache is not 8-bit clean, which can cause problems with 8-bit characters in URLs or in the configuration/.htaccess files. PR#800, PR#2282, PR#2553.
• The proxy module would cache partially completed transfers, if the user cancelled the request. In the fixed version, the proxy module will complete the transfer if over 90% has already been obtained, else it will cancel the request and remove the partially cached file. The 90% value can be changed with the CacheForceCompletion directive.
• suEXEC has some unclear error messages.
• Add a port to UnixWare 7.

Patches for bugs in Apache 1.3.0 will be made available in the apply_to_1.3.0 subdirectory of the patches directory on the Apache site. Some new features and other unofficial patches are available in the 1.3 patches directory. For details of all previously reported bugs, see the Apache bug database and known bugs pages. Many common configuration questions are answered in the Apache FAQ.

The next planned release will be 1.3.1 which will contain mainly bug fixes for 1.3.0, with a few minor additional features. There may be a beta period for 1.3.1, but this has not yet been decided.

Apache for Windows has not yet been released because it is being checked for security problems. A number of security issues have been found with other NT servers which need to be checked. Most of these recent problems occur because some Windows API calls interpret filenames in special ways. For example, opening a file called "file." actually opens a file called "file" (if it exists). On Unix, where Apache was originally developed, each file usually has only one name. Having multiple names which open the same file can cause security problems because (for example) access may be restricted based on the name, but requests could be made for the other names for that file which succeed.

The ways in which Windows has multiple names for files include

• Trailing dots are ignored, so "file." accesses "file"
• Trailing spaces are ignored, so "file&" accesses "file"
• Case is ignored, so "FILE", "File", "file" and "FiLe" all access the same file.
• Files have a long and short name, so for example, "Long File" and "LONGFI~1" may refer to the same name (the actual short name may be different and cannot be predicted in advance)
• On NT, the file "file::" is the same as "file"

Part of the problem with writing secure servers on Windows is that not all of these equivalences are documented fully, and they may vary between system calls. There may also be additional problems which have not yet been identified.

While Apache is already aware of some of these issues (such as long vs. short form names, and case insensitivity), there may be more subtle problems, and some of the issues have only been recently found (for example, the :: was recently found to cause a security problem in IIS, although it appears that Apache is not subject to this particular problem because it does not use native Win32 API calls to access files).

In addition to the filename equivalences, there is also a problem with paths which include "..." (three dots), which on Windows means "../.." (i.e. go up two directories).

There has been some discussion over Year 2000 issues in cookies. The problem seems to be that the original cookie specification from Netscape used two-digit years. This was used in Navigator 3.X browsers (and possibly others). Note that years between "00" and "37" are interpreted as being after 2000, so it is possible to set cookies which expire in the years 2000 to 2037, but not after 2037.

Later Netscape upgraded the specification to use four digits for years, but forgot to change the examples which continue to show two digit dates. Navigator 4.X browsers can handle both two and four digit dates. So server administrators that want to set cookies which expire after 1999 which work with versions 3.X and 4.X of Navigator should use two digit years in the range 00 to 37. See the mod_usertrack documentation.

The July Netcraft Server Survey once again shows Apache's share increasing faster than any other major server. Apache itself is up 0.64% to 49.64%, whilst Microsoft's servers increased by 0.36% to 22.70%. When Apache derivatives are included, Apache code is in use on 54.38% of sites surveyed.