Thread View: gmane.comp.apache.apacheweek
Started by Apache Week
Fri, 13 Sep 2002 18:14
Apache Week issue 309
Author: Apache Week
Date: Fri, 13 Sep 2002 18:14
147 lines
7392 bytes
APACHE WEEK

The essential weekly guide for users of the world's most popular Web server.

Issue 309: 13th September 2002

In this issue

* Security Reports
* Under development
* In the news
* Featured articles
* Brand Survey

Security Reports

A worm that exploits the [1]recent OpenSSL security issues was found in the wild this week. This particular exploit (for [2]CAN-2002-0656) looks for Apache servers running a vulnerable version of OpenSSL and uses compromised hosts to find others, in turn building a large platform for distributed denial-of-service attacks. Patched versions of OpenSSL have been available from the OpenSSL group and from OS vendors for some time, so if you've been putting off upgrading you ought to do it now - you may already be too late.

Under development

The Apache 2.0 CVS tree has been tagged in preparation for a 2.0.41 release; as usual the live server at apache.org has been updated to run the new code, and no new problems have been found as of yet. The changes in the new release include many improvements and fixes to the 2.0 caching modules, and several performance fixes. The stylesheets used to produce the HTML documentation have been updated to give a greatly improved presentation, which can already be [3]viewed on-line.

The usually good relationship between [4]Covalent and the Apache Software Foundation showed signs of strain this week after a proposal was made by Covalent developer Jon Travis to donate code to the ASF. Covalent were offering an HTML parser dubbed "El-Kabong" which they had found useful in writing Apache 2.0 filters which modify HTML content. After two weeks passed with no decision by the ASF on whether or not (and how) to accept the "El-Kabong" code, the discussion began to turn sour, as the ASF offered to accept the code donation but without giving CVS commit access to Jon. The negotiations broke down at that point, and Jon decided to host the "El-Kabong" code [5]at SourceForge instead.

In the news

mod_python becomes an Apache project

[6]mod_python was [7]donated to the Apache Software Foundation earlier this week. mod_python does for Python what mod_perl did for Perl: it embeds a Python interpreter in the server, allowing modules to be written in Python. mod_python is currently stable on Apache 1.3 and beta on Apache 2.0. It is hoped that its adoption by the ASF will encourage wider adoption and hasten a stable mod_python for Apache 2.0.

Huge growth in mod_perl usage

According to the August surveys from [8]Security Space, mod_perl is now installed on just over 36% of Apache sites surveyed; that's up by 20% in one month. Meanwhile use of PHP has slipped a few percentage points, now down to just over 38% of sites. Will mod_perl overtake PHP next month?

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

[9]"Securing dynamic Web content" shows you how to secure dynamic content on an Apache Web server version 1.3. It covers common security risks encountered when implementing CGI (Common Gateway Interface) applications and SSI (Server Side Includes) web pages, and includes two popular CGI wrappers, namely suEXEC and CGIWrap.

The Developer Shed continues with the second ([10]"Designing For Simplicity") and third ([11]"Coding To A Plan") installments of the series on Web applications entitled "The Art Of Software Development". Part II walks you through the steps of designing the architecture of your application from the user requirements you have obtained from Part I. The deliverables from this phase are a project implementation plan, a software design document, a user interface design document, an acceptance test plan, and also a user interface prototype.

Part III zooms in on the coding by providing some common techniques and approaches such as setting up naming conventions and coding standards before you begin, ensuring that the programs are modular, using a version control system, developing the Web application in a portable and maintainable fashion, and having frequent code inspections and peer reviews.

For those who still can't make up their mind whether or not to buy "Professional Apache 2.0" after reading [12]our review, you may be interested to read another [13]review of the book. It is written by Robert Nagle and hosted on the Idiotprogrammer website.

Brand Survey

We don't do this very often, but we've a favour to ask. Apache Week is produced by Red Hat and we're extremely grateful to get the weight of Red Hat resources behind us whilst still being able to remain independent. Anyway, Red Hat are doing a survey of what people think about Red Hat and the brand. We'd love to get your views on Red Hat so we've set up a version of the survey just for Apache Week readers - all responses are anonymous.

[14]Take the brand survey

______________________________________________________________

This issue brought to you by: Gary Benson, Mark J Cox, Joe Orton, Min Min Tsan

Comments or criticisms? Please email us at [15]editors@apacheweek.com.

[16]Apache Week is copyright 1996-2002 by [17]Red Hat, Inc.

References

1. http://www.apacheweek.com/issues/02-08-02#security
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
3. http://httpd.apache.org/docs-2.0/
4. http://www.covalent.net/
5. http://ekhtml.sf.net/
6. http://www.modpython.org/
7. http://www.modpython.org/donation.txt
8. https://secure1.securityspace.com/s_survey/data/man.200208/apachemods.html
9. http://www-106.ibm.com/developerworks/security/library/s-wssec.html
10. http://www.devshed.com/Talk/Practices/SoftwareDev/SoftwareDev2/page1.html
11. http://www.devshed.com/Talk/Practices/SoftwareDev/SoftwareDev3/page1.html
12. http://www.apacheweek.com/features/book-proapache2
13. http://www2.idiotprogrammer.com:81/publishing/professionalapache2.php
14. http://redhat.rsc03.net/servlet/website/ResponseForm?koE7iHJoL8kHgKzNkOLRzLimVTTV
15. mailto:editors@apacheweek.com
16. http://www.apacheweek.com/
17. http://www.redhat.com/

----------------------------------------------------------------------
To unsubscribe: https://listman.redhat.com/mailman/listinfo/apacheweek
or send the message "unsubscribe" to apacheweek-request@redhat.com
----------------------------------------------------------------------