Apache Week issue 300
Author: Apache Week
Date: Fri, 28 Jun 2002 15:30
APACHE WEEK

The essential weekly guide for users of the world's most popular Web server.

Issue 300: 28th June 2002

========================== Advert ===========================
The O'Reilly Open Source Convention - July 22-26, San Diego
Learn the Latest and Greatest in Open Source Software
Apache 2.0, Perl 6, PHP, XML, MySQL, PostgreSQL, Python and Zope, Mac OS X, Linux, Java, and more ...
With Prices that are SO 1999! Register NOW - Save $450!
http://conferences.oreilly.com/oscon/
=============================================================

In this issue

* Apache Week 300 giveaway
* Security Reports
* O'Reilly Open Source Convention 2002
* Featured articles

Apache Week 300 giveaway

It's our 300th edition and our colleagues at Wrox Press have given us two copies of their book "Professional Apache 2.0" to give away to help us celebrate. It seems like [1]only 100 issues ago that we were running a competition to give away the book on which this is based, "Professional Apache".

Written by Apache Week reader and space tourism evangelist Peter Wainwright, the book covers all aspects of serving web sites using the Apache 2.0 web server. The target audience of this book is experienced Apache users and web server administrators who are using Apache for the first time. It requires you to have a fundamental knowledge of the Web, operating systems, and network configuration although the first chapter revisits the basics of networking, HTTP, and how Apache works. Overall this is a comprehensive book for users interested in the Apache web server in general and for those intending to set up a secure Apache web server.

For a chance to get your hands on a copy of the book, answer this simple question:

Which one of the following is the name of the security group that posted the first working exploit for the Apache chunked encoding vulnerability? A) GRUMBLES, B) GOBBLES, or C) GURGLES

Send your answer to [2]googles@apacheweek.com to reach us no later than July 10th 2002.
Your email address will not be used for anything other than to let you know if you won. Two winners will be drawn at random from all correct entries submitted, books will be dispatched direct by Wrox Press. One entry per person, no cash alternative, editors' decision is final, so there.

That's not all. We've kept a copy for ourselves and have written a [3]comprehensive review all about it.

Security Reports

[4]Last week we covered the details of the Chunked encoding vulnerability. We had said that although the issue was remotely exploitable it could not be exploited on 32-bit platforms. This was proven wrong shortly after publication when security team GOBBLES published an exploit for OpenBSD and mentioned that exploits were possible for other platforms. This prompted the Apache Software Foundation to update the [5]Official Security Advisory.

We therefore strongly suggest that all users of Apache update their distributions to 1.3.26 or 2.0.39 or [6]apply this patch to existing installations.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name [7]CAN-2002-0392 to this issue.

In the News

The security issue got a fair amount of media coverage, and after one week, there are still many new articles about the Apache chunked encoding vulnerability:

* [8]"Apache and OpenSSH Vulnerabilities" by Don Marti at Linux Journal
* [9]"Irresponsible Disclosure" by columnist Jon Lasser at SecurityFocus online
* [10]"Kremlin Site Vulnerable to Attack" by Brian McWilliams at Wired News
* [11]"Threat Becomes Vulnerability Becomes Exploit" by Eric Lubow at LinuxSecurity.com
* [12]"Flaw Found in Apache HTTP Server" by Dennis Fisher at eWEEK
* [13]"Apache Warning Fuels Security Feud" by Dennis Fisher at eWEEK
* [14]"Exploit Code Released for Apache Flaw" by Dennis Fisher at eWEEK
* [15]"mod_blowchunks" at Freshports.org
* [16]"Hackers Reveal Apache Web Server Attack Program" at theWHIR
* [17]"High Risk Apache Exploit Circulating" by Ryan Naraine at InternetNews.com
* [18]"Apache Update: Two days till web meltdown" by Robert Jaques at vnunet.com
* [19]"Apache exploit on the warpath" by Robert Jaques at vnunet.com
* [20]"Gobbles Releases Apache Exploit" by Brian McWilliams at SecurityFocus online

O'Reilly Open Source Convention 2002

San Diego, California plays host to this key conference between July 22nd and 26th, and brings together the leaders of all the critical open source technologies - including Apache - to give you an inside look at how to configure, optimise, code, and manage them.

This year's event looks pretty exciting for Apache users as it includes a whole conference dedicated to PHP (including a look at PHP 4.1 and Beyond), a track on Apache 2.0, and a keynote presentation "Open Source and Java: Lessons from the Apache Experience". It is expected that a large number of Apache Software Foundation members will be attending so be sure to look out for them and invite them out for dinner or buy them beer.

Register now or find out more at the [21]conference web site.
Read our in-depth account of [22]the 2001 Convention which proves this is certainly a conference you cannot afford to miss.

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

In an interview with SearchWebManagement, Ryan Bloom, a core developer of Apache 2.0, dissects the subject of [23]Apache vs IIS and opens a window into his thoughts about the advantages of Apache over IIS. He also attempts to explain why some web server administrators chose IIS over Apache.

[24]"Customizing Apache for maximum performance" is a Linux-based tutorial on how to fine-tune the operating system and Apache for optimum performance. You'll need to register as well as enable JavaScript on your browser to be able to access this tutorial.

In conjunction with gifting the Web Service Invocation Framework (WSIF) to the Apache Software Foundation, IBM provides this article entitled [25]"Applying the Web services invocation framework" to explain what WSIF is all about. It is a Java API that enables developers to create Web services independent of SOAP.

______________________________________________________________

This issue brought to you by: Gary Benson, Mark J Cox, Joe Orton, Min Min Tsan

Comments or criticisms? Please email us at [26]editors@apacheweek.com.

[27]Apache Week is copyright 1996-2002 by [28]Red Hat, Inc.

References

1. http://www.apacheweek.com/issues/00-05-26#aw200
2. mailto:googles@apacheweek.com
3. http://www.apacheweek.com/features/book-proapache2
4. http://www.apacheweek.com/issues/02-06-21#security
5. http://httpd.apache.org/info/security_bulletin_20020620.txt
6. http://www.apache.org/dist/httpd/patches/apply_to_1.3.22/SECURITY_chunk_size_patch.txt
7. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392
8. http://www.linuxjournal.com/article.php?sid=6171
9. http://online.securityfocus.com/columnists/91
10. http://www.wired.com/news/technology/0,1282,53412,00.html
11. http://www.linuxsecurity.com/feature_stories/feature_story-113.html
12. http://www.eweek.com/article2/0,3959,548,00.asp
13. http://www.eweek.com/article2/0,3959,803,00.asp
14. http://www.eweek.com/article2/0,3959,174825,00.asp
15. http://www.freshports.org/www/mod_blowchunks/
16. http://thewhir.com/marketwatch/hac062102.cfm
17. http://www.internetnews.com/dev-news/article.php/10792_1369501
18. http://www.vnunet.com/News/1132795
19. http://www.vnunet.com/News/1132865
20. http://online.securityfocus.com/news/493
21. http://conferences.oreilly.com/oscon/
22. http://www.apacheweek.com/features/oscon2001
23. http://searchwebmanagement.techtarget.com/qna/0,289202,sid27_gci834211,00.html
24. http://www-105.ibm.com/developerworks/education.nsf/web-onlinecourse-bytitle/710FF42F0DDDAC1986256BD700604384?open&l=866,t=gr
25. http://www-106.ibm.com/developerworks/webservices/library/ws-appwsif.html?open&l=866,t=gr
26. mailto:editors@apacheweek.com
27. http://www.apacheweek.com/
28. http://www.redhat.com/

----------------------------------------------------------------------
To unsubscribe: https://listman.redhat.com/mailman/listinfo/apacheweek
or send the message "unsubscribe" to apacheweek-request@redhat.com
----------------------------------------------------------------------