Apache 1.3.2 was released on 23rd September. This is a minor
upgrade in the 1.3.* series, which fixes a number of bugs
and adds some minor new features. All users of 1.3.0 and
1.3.1 servers should upgrade to 1.3.2 for the security fixes
described below. However, 1.3.2 introduces a different security
problem of its own: error messages can include internal details
such as local filenames. See the Apache bugs section, below.
The most important reason for upgrading is that Apache 1.3.2
has better protection against denial of service attacks.
These are attacks in which someone makes excessive or oversized
requests to the server so that other people cannot use it.
In 1.3.2 there are several new directives which can limit the
size and number of the parts of a request (these directives all
start with the word Limit).
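The following configuration fragment is an added example, not part of the original article or of the Apache distribution. It shows the four request-limiting directives that 1.3.2 introduced, each set tighter than its default. The directive names, default values and rejection status codes are taken from the Apache 1.3 documentation rather than from this article; the numbers chosen are illustrative and should be sized to the site's real traffic.

```apache
# Added example: Apache 1.3.2 request limits (httpd.conf).
# Directive names and defaults are from the Apache 1.3 docs,
# not from the article; the values here are illustrative.

# Longest accepted request line ("GET /path HTTP/1.0"), in bytes.
# Default 8190. Longer lines are rejected with 414.
LimitRequestLine 4096

# Longest accepted single header line, in bytes. Default 8190.
# Longer header lines are rejected with 400.
LimitRequestFieldsize 4096

# Maximum number of header lines in one request. Default 100.
# This is the setting that bounds the repeated-header attack;
# a request with more header lines is rejected with 400.
LimitRequestFields 50

# Maximum request body, in bytes. Default 0 (no limit). Unlike the
# three above, this one may also be set per directory or location;
# 1 MB is ample for a form-handling CGI. Larger bodies get 413.
<Location /cgi-bin/>
    LimitRequestBody 1048576
</Location>
```

Start with the defaults, watch the error log for legitimate clients being refused (proxies and browsers with many cookies can send surprisingly long header lines), and tighten from there.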
In addition, this release fixes a more serious problem which
occurs when a client sends a large number of headers with the
same header name. Apache used memory faster than the amount of
memory required simply to store the received data. That is,
memory use increased faster and faster as more headers were
received, rather than increasing at a constant rate. This
makes a denial of service attack based on this method more
effective than methods which cause Apache to use memory at a
constant rate, since the attacker has to send less data to do
the same amount of damage.
Note that all of these attacks can at worst cause the server
to slow down and possibly eventually lock up. They do not
offer any way for the attacker to gain access to the server
system.
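The small C program below is an added example, not code from Apache or from this article. It models why repeated headers with the same name caused memory to grow faster than the data received: it assumes (an assumption about the internals, not something the article states) that the server allocates from a per-request pool which frees nothing until the request finishes, and that each repeated header is merged into the existing value by building a fresh "old, value" string. It then compares that with storing each value once in a list. All names and the sample request shape are hypothetical.

```c
/* Added example, not Apache code. Models pool usage for n repeated
 * headers under two merging strategies. Assumptions: a bump-allocated
 * request pool that never frees, and merge-by-concatenation. */
#include <stddef.h>
#include <stdio.h>

/* Bytes actually sent on the wire for n header lines "Name: value\r\n". */
size_t wire_bytes(size_t n_headers, size_t name_len, size_t value_len)
{
    return n_headers * (name_len + 2 + value_len + 2);
}

/* Quadratic: each merge allocates the whole accumulated value again,
 * and every previous copy stays in the pool until the request ends.
 * Returns total pool bytes consumed. */
size_t merge_by_concat(size_t n_headers, size_t value_len)
{
    size_t pool_used = 0;
    size_t merged_len = 0;
    for (size_t i = 0; i < n_headers; i++) {
        /* first value stands alone; later ones become "old, value" */
        merged_len = (i == 0) ? value_len : merged_len + 2 + value_len;
        pool_used += merged_len + 1;            /* + NUL terminator */
    }
    return pool_used;
}

/* Linear: store each value once in a linked list and join only when
 * the merged value is actually needed. Returns total pool bytes. */
size_t merge_by_list(size_t n_headers, size_t value_len)
{
    size_t pool_used = 0;
    for (size_t i = 0; i < n_headers; i++)
        pool_used += value_len + 1 + sizeof(void *); /* value + NUL + link */
    return pool_used;
}

int main(void)
{
    /* Constructed input: the attacker repeats a 3-byte header name
     * ("X-A") with a 10-byte value n times. */
    const size_t name_len = 3, value_len = 10;
    const size_t sizes[] = { 100, 1000, 10000 };

    printf("%8s %12s %14s %12s\n", "headers", "wire", "concat-pool", "list-pool");
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t n = sizes[i];
        printf("%8zu %12zu %14zu %12zu\n", n,
               wire_bytes(n, name_len, value_len),
               merge_by_concat(n, value_len),
               merge_by_list(n, value_len));
    }
    return 0;
}
```

Doubling the number of headers doubles the wire bytes and the list-based pool usage, but quadruples the concatenation-based usage; at 1000 repeated headers the model already consumes several hundred times more pool memory than the 17 KB the client sent, which is exactly what makes the attack cheap for the sender. The LimitRequestFields directive caps n, and a linear merge removes the amplification.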
A new Apache Week feature article, Guide to
1.3.2, shows all the changes between 1.2 and 1.3.2, as
well as changes from 1.3.0 and 1.3.1 to the latest version.
This feature may be particularly useful if you are still
using a 1.2.* series version of Apache and want to upgrade to
1.3.2.
Apache Site: www.apache.org
Release: 1.3.2 (Released 23rd September 1998) (local download sites)
Beta: None
Apache 1.3.2 is the current stable release. Users of Apache
1.2.6 and earlier should look at upgrading to this version.
The bugs listed below now include a link to the entry in the
Apache bug database where the problem is being tracked. These
entries are called "PR"s (Problem Reports). Some bugs do not
correspond to problem reports if they are found by
developers.
These bugs have been found in 1.3.2 and will be fixed in the
next version.
Because of the major differences between Windows and Unix,
these are separated into bugs which affect Windows systems
only, and other bugs (which may affect Windows as well). Unix
users can ignore the bugs listed in the Windows section.
Windows-specific Bugs
-
When Apache starts on the console it may display the
message "[warn] pid file
c:/apache/logs/httpd.pid overwritten -- Unclean shutdown of
previous apache run?". This message can be
ignored. PR#3053.
Other Bugs
-
There is a serious problem with error reports, since they
may now include internal details such as local pathnames.
This is the result of two changes in 1.3.2. First, extra
information about an error is now passed to error documents
via the ERROR_NOTES environment variable, and when such a note
is set its text is output in place of the normal error page.
Second, the error note was being set to messages which included
internal information. The combination of the two meant that
internal information could be displayed to users. PR#3071.
-
When the mod_speling module finds an ambiguous URL, it
fails to return the list of possible matches. PR#3052.
-
Compiling on OS/2 gives warnings about HAVE_SYS_SELECT_H being
redefined.
-
Compilation fails on Amdahl UTS 2.1. PR#3054.
-
Directory indexing options (IndexOptions) set in a parent
will not be applied to a sub-directory if that
sub-directory uses any other directory indexing directive.
PR#3061.
-
Support for Pyramid DC/OSx is missing and will be added.
The discount rate for ApacheCon '98 has been extended for a
further week. You can now register at the reduced rate until
2nd October. In addition, the hotel block at the San
Francisco Hilton is filling up, so rooms should be reserved
soon to get the ApacheCon discount rate.
A number of events are developing around ApacheCon. For
instance, the conference exhibition will let you meet with
commercial Apache-oriented software and hardware companies,
including C2Net, Red Hat, Covalent, and IBM.
Birds-Of-A-Feather sessions and other special events
(including a large party at the San Francisco Exploratorium)
have been scheduled. Several new sessions have been added to
the agenda, including forums on server security, case
studies, and configuration tuning.
To see the agenda or register, visit http://www.apachecon.com/.