Thread View: gmane.comp.apache.apacheweek
1 total messages Started by Apache Week Fri, 26 Jul 2002 17:03
Apache Week issue 303
#16
Author: Apache Week
Date: Fri, 26 Jul 2002 17:03
                                APACHE WEEK

The essential weekly guide for users of the world's most popular Web server.
                         Issue 303: 26th July 2002

                                 In this issue

     * Security Reports
     * Under development
     * In the news
     * Featured articles

                               Security Reports

PHP 4.2.0/4.2.1 remote vulnerability

     Earlier this week it was found that PHP 4.2.0 and 4.2.1 allow
     remote attackers to cause a denial of service and possibly execute
     arbitrary code via an HTTP POST request with certain arguments in a
     multipart/form-data form, which generates an error condition that
     is not properly handled and causes improper memory to be freed.
     Earlier versions of PHP are not affected. For more information
     [1]read the full advisory. The Common Vulnerabilities and Exposures
     project (cve.mitre.org) has assigned the name [2]CAN-2002-0717 to
     this issue.

                               Under development

     There was discussion on the development list this week about what
     configuration files "make install" should install when installing
     over an existing Apache installation, the main issue being whether
     the reference "-std.conf" files should be installed alongside
     existing configuration files.

     Preparations for Apache 2.0.40 are underway, with the CVS tree
     being tagged, and tarballs prepared for testing by developers. As
     usual, the live server at apache.org [3]is already running the new
     code.

     A frequently asked question on the mailing lists is why any Apache
     server will process a request with a URI such as
     http://www.yahoo.com/; often an administrator will notice such
     requests in the access log with a "200" response code, and worry
     that the server is being used as a proxy. The answer is simply that
     if the hostname used in the request URI does not match any of the
     configured virtual hosts, the default vhost configuration is used
     to serve the request; no proxying takes place regardless of the
     hostname used, unless Apache is specifically configured as a proxy
     server.
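
     To check an access log for the pattern described above, the
     following added example (not part of the original newsletter)
     classifies request lines by whether they carry an absolute URI for
     a host the server does not serve. The LOCAL_HOSTS set, the Common
     Log Format layout and the sample lines are assumptions constructed
     for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hostnames this server legitimately answers for (hypothetical).
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Common Log Format: host ident user [time] "request line" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) (\S+)')

def classify(line, local_hosts=LOCAL_HOSTS):
    """Return (client, kind, status) for one log line, or None if unparsable.

    kind: 'origin' (plain path), 'absolute-local' (absolute URI naming one of
    our hosts), 'absolute-foreign' (absolute URI naming another host),
    'connect' (CONNECT method, only meaningful to a proxy) or 'malformed'.
    """
    m = CLF.match(line)
    if not m:
        return None
    client, request, status = m.group(1), m.group(2), int(m.group(3))
    parts = request.split()
    if len(parts) < 2:
        return client, "malformed", status
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        return client, "connect", status
    if "://" in target:
        host = (urlsplit(target).hostname or "").lower()
        kind = "absolute-local" if host in local_hosts else "absolute-foreign"
        return client, kind, status
    return client, "origin", status

def summarize(lines):
    """Count (kind, status) pairs for proxy-style requests only."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result and result[1] in ("absolute-foreign", "connect"):
            counts[(result[1], result[2])] += 1
    return counts

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [26/Jul/2002:17:03:00 +0000] "GET http://www.yahoo.com/ HTTP/1.0" 200 1456',
    '192.0.2.10 - - [26/Jul/2002:17:03:02 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 405 312',
    '198.51.100.7 - - [26/Jul/2002:17:04:10 +0000] "GET /index.html HTTP/1.1" 200 1456',
    '198.51.100.7 - - [26/Jul/2002:17:04:11 +0000] "GET http://www.example.org/about HTTP/1.1" 200 2210',
]
```

     A 200 on an absolute-foreign line whose byte count matches the
     local page is the default-vhost case described above. The log
     alone does not show the configuration, so confirm separately that
     mod_proxy's ProxyRequests directive is not enabled.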

                                  In the news

O'Reilly Open Source Conference

     Paul Weinstein took time out after giving his presentation on
     Apache and SSL to report for Apache Week on the main news of the
     O'Reilly Open Source Conference. Interesting keynotes included the
     well-matched pair Lawrence Lessig, a vigilant defender of freedom
     of content, and Richard Stallman, a vigilant defender of freedom of
     software. [4]Read the Apache Week feature from the first day of the
     conference.

Apache 2 makes debut in Red Hat Linux beta

     Earlier this month [5]a new beta of Red Hat Linux was announced.
     What makes this release interesting is that it includes by default
     Apache 2.0 along with a number of modules that work with the 2.0
     infrastructure. Apache 1.3 is not included in the release.
     [6]Netcraft found this month that the adoption of Apache 2.0 is
     happening a lot slower than expected; fewer than 50,000 sites have
     switched. The inclusion of Apache 2.0 by default in a mainstream
     operating system should help prove whether or not it is ready for
     primetime.

Covalent announce ASP.NET

     At the O'Reilly Open Source Conference this week [7]Covalent
     announced a new module, mod_asp.net for Apache 2.0 on Windows. The
     module provides integration of ASP.NET applications into the Apache
     server framework. The module is only available as part of
     Covalent's Enterprise Ready Server which is based on Apache and is
     not open source.

                               Featured articles

     In this section we highlight some of the articles on the web that
     are of interest to Apache users.

     Pier Fumagalli, who actively codes for the Apache Jakarta and
     HTTPD/APR projects, reveals how the VNU news web site running on the
     Apache Web server and Tomcat has been designed to handle high loads
     in [8]"Web Development in Heavy Traffic". The tricks are to let
     another instance of Apache handle all the static traffic, cache
     articles in the servlet container itself, and execute each
     application in a different container in a different Java Virtual
     Machine.

     UnixReview.com looks at [9]two tools for benchmarking web sites and
     shows us how to use them. First [10]Scout is run to gather a list
     of URLs into a file. Then [11]Siege will use this file to bombard a
     web server with requests from concurrent simulated users to stress
     test it.

     [12]"Building XML Portals with Cocoon" explores the Cocoon portal
     and authentication frameworks, and provides a few examples on how
     to use them. You need to be familiar with the basic Cocoon concepts
     before reading this.

     There is a new kid in town - a Java-based open-source Apache GUI
     named [13]NetLoony. Read the [14]user guide for yourself and decide
     whether it is as loony as it sounds.

     [15]"Apache and SSL" was presented by Paul Weinstein at the 2002
     O'Reilly Open Source Conference recently. It introduces the basic
     concepts and configuration of Apache and SSL, and is also available
     to be downloaded as a [16]PDF file.
       ______________________________________________________________

     This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan
     Comments or criticisms? Please email us at
     [17]editors@apacheweek.com.

     [18]Apache Week is copyright 1996-2002 by [19]Red Hat, Inc.

References

   1. http://security.e-matters.de/advisories/022002.html
   2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0717
   3. http://uptime.netcraft.com/up/graph/?host=www.apache.org
   4. http://www.apacheweek.com/features/oscon2002
   5. https://listman.redhat.com/pipermail/redhat-watch-list/2002-July/000538.html
   6. http://www.netcraft.com/survey/
   7. http://www.covalent.net/company/pressrelease.php?press_id=47
   8. http://www.onjava.com/pub/a/onjava/2002/07/17/web.html
   9. http://www.unixreview.com/documents/st58/uni1026336671481/0207f.htm
  10. http://www.joedog.org/scout/index.shtml
  11. http://www.joedog.org/siege/index.shtml
  12. http://www.xml.com/pub/a/2002/07/24/xmlportal.html?page=1
  13. http://netloony.sourceforge.net/
  14. http://netloony.sourceforge.net/userguide/index.html
  15. http://weinstein.org/work/presentations/oscon02/apache_ssl/index.html
  16. http://weinstein.org/work/presentations/oscon02/apache_ssl.pdf
  17. mailto:editors@apacheweek.com
  18. http://www.apacheweek.com/
  19. http://www.redhat.com/
