Thread View: gmane.comp.apache.apacheweek
                                APACHE WEEK

The essential weekly guide for users of the world's most popular Web server.
                        Issue 306: 23rd August 2002

                                 In this issue

     * Under development
     * In the news
     * Featured articles

                               Under development

     A large discussion was sparked off this week by a report that in
     recent 2.0 releases (including 2.0.40), responses produced by
     mod_cgi and mod_proxy are being buffered in memory. Previous 2.0
     releases up to 2.0.32 as well as Apache 1.3 stream these responses
     directly to the client. The culprit was found to be the "content
     length" filter, but whilst fixing this problem, deeper issues with
     counting the number of bytes in a response (for logging purposes)
     were unearthed, and a patch is yet to be checked in.

     An obscure browser bug was tracked down recently in the handling of
     the content character set over an HTTP redirect. When an HTTP
     redirect response is received by a browser (for instance, with the
     302 status code), it must then make a second request to retrieve
     the actual content to display to the user. Both responses can
     include a Content-Type header, both of which may include a
     "charset" value indicating the character set in which the response
     is encoded (for example "ISO-8859-1" or "UTF-8").

     Version 4 of Netscape Navigator was discovered to use the character
     set indicated by the first response (the redirect) when displaying
     the content of the second, even if a different character set was
     specified in the second response. This bug was triggered for any
     redirects generated internally by Apache since these would include
     the default character set of ISO-8859-1. A workaround for the
     problem was committed to the 1.3 tree by adding a new environment
     variable suppress-error-charset, which can be used in a
     BrowserMatch statement to suppress the character set on redirect
     responses (in which case Netscape will display the content
     correctly using the character set from the second response).
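To make the two-response mechanism concrete, here is an added example (not code from Apache Week or the Apache project) that models the exchange: a correct client decodes the final body with the final Content-Type's charset, the Netscape 4 bug reuses the charset from the redirect, and an Apache 1.3 redirect generated with suppress-error-charset set carries no charset, so even the buggy client renders correctly. The response tuples, the helper names and the BrowserMatch pattern are constructed assumptions.

```python
"""Model of the Netscape 4 redirect/charset bug and the Apache 1.3 workaround.

Added example, not code from Apache Week or Apache. The responses below
are constructed; the real identifiers are the HTTP headers and the
suppress-error-charset variable. The corresponding (assumed) httpd.conf
line would be:  BrowserMatch "Mozilla/4\\." suppress-error-charset
"""
import re


def charset_of(headers):
    """Return the charset parameter of a Content-Type header, or None."""
    ctype = headers.get("Content-Type", "")
    m = re.search(r';\s*charset="?([\w.-]+)"?', ctype, re.IGNORECASE)
    return m.group(1).lower() if m else None


def browser_charset(exchange, netscape4_bug=False):
    """Pick the charset the client uses to decode the final body.

    exchange: list of (status, headers, body_bytes), redirect(s) first.
    A correct client uses only the last response; the Netscape 4 bug
    keeps the first charset it saw (the redirect's) if there was one.
    """
    seen = [charset_of(h) for _, h, _ in exchange]
    final = seen[-1] or "iso-8859-1"  # HTTP/1.1 default for text/*
    if netscape4_bug:
        for cs in seen[:-1]:
            if cs:
                return cs
    return final


def render(exchange, netscape4_bug=False):
    """Decode the final body the way the client would display it."""
    _, _, body = exchange[-1]
    return body.decode(browser_charset(exchange, netscape4_bug), errors="replace")


def apache_redirect(location, suppress_error_charset=False):
    """Apache 1.3's internally generated 302, with or without the workaround."""
    ctype = "text/html" if suppress_error_charset else "text/html; charset=iso-8859-1"
    return (302, {"Location": location, "Content-Type": ctype}, b"<html>Moved</html>")


# Constructed final response: UTF-8 body, correctly labelled.
FINAL = (200, {"Content-Type": "text/html; charset=UTF-8"}, "caf\u00e9".encode("utf-8"))


def demo(suppress=False, bug=False):
    """Render FINAL after an Apache redirect, for a given client/server combo."""
    return render([apache_redirect("/dir/", suppress), FINAL], bug)
```

With the bug and no workaround, the UTF-8 bytes are decoded as ISO-8859-1 and the text is mangled; with the charset suppressed on the redirect, the buggy client falls back to the second response's charset.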

                                  In the news

OpenSSL flaws also affect commercial crypto libraries

     At the beginning of August [1]a number of vulnerabilities were
     found during an audit of the OpenSSL library, commonly used to
     provide SSL support to Apache. Some of these issues were also
     [2]found to affect the BSAFE SSL library from RSA Security. The
     SSL-C library from RSA was based on SSLeay, the same open source
     library that was used to form the OpenSSL project. Yesterday, RSA
     made patches available to their customers for these issues. Apache
     vendors who use the RSA libraries include Covalent, who [3]expect
     to provide updated SSL modules to their customers next week.

Updated Apache surveys

     It has been a couple of months since we last reported on new
     figures from the [4]Netcraft survey of web sites. Overall there has
     been little change from month to month. In their August 2002
     survey, Netcraft found that Apache and servers based on Apache have
     over 65% market share, up considerably over last month due mostly
     to register.com. Netcraft also look at what sites have upgraded
     their versions of Apache:

     Almost half of the 22 million Apache HTTP sites found by the survey
     are running Apache/1.3.26, whilst only around a quarter of the
     Apache SSL sites are running this version, which fixes the chunked
     encoding vulnerability.

     However, this information alone doesn't give the number of sites
     actually vulnerable to the recent security issues, as a large number
     of sites simply apply patches for issues rather than upgrading to
     new versions. This is often the case for versions of Apache
     supplied by vendors such as Red Hat who, for compatibility reasons,
     often release errata packages based on older versions of Apache but
     with security fixes applied.

Apache Software Foundation gets new Chairperson

     At a recent board meeting the ASF decided to elect a new chairman
     and president as the same directors have served in those roles for
     the last three years. [5]Greg Stein replaces [6]Roy Fielding as
     Chairman, and [7]Dirk-Willem van Gulik replaces [8]Brian Behlendorf
     as President. Both Roy and Brian remain as directors.

PC Week get confused about Apache Security issue

     Last week, PC Week [9]posted an article about the recent [10]Apache
     2.0.40 security issues. They mention that one of the flaws
     ([11]CAN-2002-0654)

     "...can be used to gather information about an individual Apache
     Web server, such as who owns it, what operating system it is
     running on, names of files stored on the server, where it is
     physically located..."

     However, this is not correct: the flaw simply allows a remote user
     to find out the full pathname of a document on the server. So, for
     example, you might find out that www.example.com/test.var was
     actually located at c:\winapps\apache\htdocs\test.var.

                               Featured articles

     In this section we highlight some of the articles on the web that
     are of interest to Apache users.

     [12]"Will Apache 3.0 Sport Asynchronous I/O?" examines the
     possibility of Apache providing support for asynchronous I/O by
     quoting the views of several Apache developers. It touches on the
     benefits of this feature, how it may be implemented, and some
     speculations on when it may be available.

     O'Reilly Mac DevCenter shows you how to [13]integrate Tomcat with
     Apache via the mod_jk module on Mac OS X. This is a step-by-step
     guide on building the mod_jk module from source, installing and
     configuring it for Tomcat 4.0.4, and verifying that it works. If
     all goes well, your Mac can now be used to serve JSP and servlet
     applications.

     Michael Galloway provides a solution for serving Web sites using
     multiple builds of PHP with one instance of Apache in [14]"How to
     setup multiple PHP builds on the same server". His solution is to
     run PHP using the CGI interface and not as an Apache module. Then
     the AddHandler and Action directives in the httpd.conf file are
     configured accordingly so that any file ending with a ".php"
     extension will be executed as a PHP script.
       ______________________________________________________________

     This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan
     Comments or criticisms? Please email us at
     [15]editors@apacheweek.com.

     [16]Apache Week is copyright 1996-2002 by [17]Red Hat, Inc.

References

   1. http://www.apacheweek.com/features/security-13
   2. http://www.rsasecurity.com/go/sslsecurityupdates/
   3. http://www.covalent.net/products/rotate.php?page0
   4. http://www.netcraft.co.uk/
   5. http://httpd.apache.org/contributors/#stein
   6. http://httpd.apache.org/contributors/#fielding
   7. http://httpd.apache.org/contributors/#vangulik
   8. http://httpd.apache.org/contributors/#behlendorf
   9. http://www.pcworld.com/news/article/0%2caid%2c104073%2c00.asp
  10. http://www.apacheweek.com/features/security-20
  11. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0654
  12. http://www.oetrends.com/cgi-bin/page_display.cgi?83
  13. http://www.macdevcenter.com/pub/a/mac/2002/08/20/tomcat_integration.html
  14. http://www.phpbuilder.com/columns/michael20020812.php3?page=1
  15. mailto:editors@apacheweek.com
  16. http://www.apacheweek.com/
  17. http://www.redhat.com/

----------------------------------------------------------------------
To unsubscribe: https://listman.redhat.com/mailman/listinfo/apacheweek
or send the message   "unsubscribe"  to  apacheweek-request@redhat.com
----------------------------------------------------------------------