Apache Week issue 323
Author: Apache Week
Date: Fri, 21 Mar 2003 18:36
APACHE WEEK
The essential weekly guide for users of the world's most popular Web server.

Issue 323: 21st March 2003

In this issue
  * Under development
  * Security Reports
  * Featured articles

Under development

There was some discussion this week about developing a new module which would ease some of the pains of mass virtual hosting environments using Apache. Currently, the mod_vhost_alias module can be used to implement a simple form of mass-vhosting, though it provides little assistance for storing per-vhost configuration. A commonly requested Apache enhancement is the ability to pull configuration data from an LDAP database; whilst this approach seems attractive, developers have pointed out that it introduces some significant complications, such as how to cope with the database being inaccessible when Apache is restarted. Another approach suggested has been to develop a tool which can output normal Apache configuration files from structured data in an LDAP database.

A new stable 2.0 release (2.0.45) is slowly inching closer, as bug fixes committed to the httpd-2.1 unstable tree have continued to be back-ported to the stable 2.0 tree in a regular fashion.

The set of modules enabled by default in Apache received some attention this week as a proposal was made to not build mod_imap (and possibly mod_asis) unless requested. There was general agreement that the default module list could be trimmed in the unstable 2.1 tree, but should remain intact for future 2.0 releases to avoid surprising users.

Security Reports

More OpenSSL vulnerabilities

Exactly a month ago, in [1]Apache Week issue 321, we reported on a timing-based attack on OpenSSL ([2]CAN-2003-0078). In the last couple of weeks two new attacks on OpenSSL have been publicised:

  * OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on the number of extra reductions during Montgomery reduction, and the use of different integer multiplication algorithms ("Karatsuba" and normal). The Common Vulnerabilities and Exposures project has assigned the name [3]CAN-2003-0147 to this issue.

  * The SSL and TLS components of OpenSSL allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding, which cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext; this is also known as the "Klima-Pokorny-Rosa attack". The Common Vulnerabilities and Exposures project has assigned the name [4]CAN-2003-0131 to this issue.

All three OpenSSL vulnerabilities this year are very difficult to exploit in production environments, and all have mitigating factors reducing their impact. Whilst we advise all users of Apache with OpenSSL to upgrade to the new versions of OpenSSL, this certainly isn't a critical vulnerability that requires immediate attention. But, as with all security vulnerabilities, you need to make your own risk assessment based on your individual circumstances.

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

[5]"Multiuser Subversion" shows you how to build and configure Apache 2 with the mod_dav_svn module. After doing this, you will have a Subversion server that will respond to common HTTP and WebDAV (read-only) clients via the network.

WebReference.com continues with the [6]second part of an excerpt from "Chapter 5: Authentication" of "Apache: The Definitive Guide, 3rd Edition", courtesy of O'Reilly. It covers the Order, Allow, and Deny directives, and also the directives provided by the mod_auth_dbm module.

This brief tutorial entitled [7]"Verify a User's Email Address Using PHP" ensures that the email addresses you ask for actually correspond to real email domains. It does this by using PHP's checkdnsrr function on non-Windows platforms and provides the code for a Windows version of the function.

______________________________________________________________

This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan

Comments or criticisms? Please email us at [8]editors@apacheweek.com.

[9]Apache Week is Copyright 2003 [10]Red Hat, Inc.

References

1. http://www.apacheweek.com/issues/20030221
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0147
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131
5. http://www.onlamp.com/pub/a/apache/2002/12/19/svn2.html
6. http://www.webreference.com/internet/apache/chap5/2/
7. http://www.sitepoint.com/article/1051
8. mailto:editors@apacheweek.com
9. http://www.apacheweek.com/
10. http://www.redhat.com/

----------------------------------------------------------------------
To unsubscribe: https://listman.redhat.com/mailman/listinfo/apacheweek
or send the message "unsubscribe" to apacheweek-request@redhat.com
----------------------------------------------------------------------
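The RSA blinding countermeasure whose default absence the Security Reports section describes (CAN-2003-0147), as an added illustration that is not Apache Week or OpenSSL code: the private exponent is applied to c * r^e for a fresh random r rather than to the attacker-chosen input, and r is divided out afterwards. The toy key (p = 61, q = 53) is constructed for the demonstration only.

```python
"""RSA blinding: the countermeasure whose absence by default is CAN-2003-0147.

Added illustration, not Apache Week or OpenSSL code. The key is a constructed
textbook toy (p = 61, q = 53) chosen so the numbers can be checked by hand;
real deployments rely on the library's own blinded implementation.
"""
from math import gcd
from typing import Optional
import secrets

N, E, D = 3233, 17, 2753  # constructed toy key: n = 61 * 53, e * d = 1 mod 3120


def pick_blinding_factor(n: int) -> int:
    """Random r with 1 < r < n and gcd(r, n) == 1, fresh for every operation."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def rsa_blind(c: int, e: int, n: int, r: int) -> int:
    """Multiply the supplied input by r^e so the private exponent is never
    applied to a value the remote party chose."""
    return (c * pow(r, e, n)) % n


def rsa_unblind(s_blinded: int, r: int, n: int) -> int:
    """(c * r^e)^d = c^d * r^(e*d) = c^d * r (mod n); dividing by r recovers c^d."""
    return (s_blinded * pow(r, -1, n)) % n  # pow(r, -1, n): modular inverse (3.8+)


def rsa_private_unblinded(c: int, d: int, n: int) -> int:
    """Plain c^d mod n: the reduction/multiplication path depends directly on c,
    which is what the timing measurements described in the newsletter observe."""
    return pow(c, d, n)


def rsa_private_blinded(c: int, d: int, e: int, n: int, r: Optional[int] = None) -> int:
    """Same result as rsa_private_unblinded, but the exponentiation only ever
    sees c * r^e, which looks uniformly random to an outside observer."""
    if r is None:
        r = pick_blinding_factor(n)
    return rsa_unblind(pow(rsa_blind(c, e, n, r), d, n), r, n)


if __name__ == "__main__":
    m = 65
    c = pow(m, E, N)  # 2790 for the toy key
    assert rsa_private_blinded(c, D, E, N) == rsa_private_unblinded(c, D, N) == m
    print("blinded and unblinded private operations agree:", m)
```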