Thread View: gmane.comp.apache.apacheweek
Apache Week issue 339
Author: Apache Week
Date: Fri, 19 Dec 2003 17:21
APACHE WEEK
The essential weekly guide for users of the world's most popular Web server.

Issue 339: 19th December 2003

In this issue
 * Apache 2003 Review
 * Book Reviews
 * Apache Week festive giveaway

Apache 2003 Review

It's that time of year when you look back over the events of the last 12 months and wonder just what you spent all your time doing and try to find the answers to those niggling little questions like why a weekly publication only produced 22 issues this year. As this is the last issue of Apache Week for 2003 we thought we'd give you a mini review of the year.

 * Under Development: The split in Apache 2 development between the "stable" 2.0 tree and the "development" branch (labelled 2.1) has produced five new minor releases this year, including various bug and security fixes: [1]Apache 2.0.48, [2]Apache 2.0.47, [3]Apache 2.0.46, [4]Apache 2.0.45, and [5]Apache 2.0.44. These releases have all maintained backwards compatibility in the module interface, giving third party developers a stable platform for 2.0 module development. The CVS "review then commit" policy for the stable 2.0 branch, a departure from the normal "commit then review" mode used up until late 2002, has continued to be applied throughout 2003 with little contention. No releases have yet been made from the "development" 2.1 branch.

   The Apache Portable Runtime library (APR), which underpins Apache 2, has moved closer to a 1.0 release, making three point releases in 2003 up to the most recent 0.9.4 release. APR development was also recently split between a 0.9 maintenance branch and a 1.0 stabilisation branch.

   Most of the developers have spent the year focused on Apache 2, so there were only two new 1.3 releases this year: [6]Apache 1.3.28, which fixed a few minor security issues, added a LimitInternalRecursion directive, and fixed some bugs, and [7]Apache 1.3.29, to fix a minor security issue and a few bugs.

 * Security in Apache 1.3: No major security issues were found in Apache 1.3 this year, with only two minor issues being fixed by the 1.3.28 and 1.3.29 releases:
   + [8]CAN-2003-0542 Local configuration regular expression overflow (low risk)
   + [9]CAN-2003-0460 RotateLogs DoS on Win32 and OS/2 (low risk)

 * Security in Apache 2.0: A number of security issues were found and fixed in Apache 2.0 this year:

   High risk:
   + [10]CAN-2003-0245 APR remote crash. A bug in versions between 2.0.37 and 2.0.45 allowed the possibility of a remote attacker to crash or possibly execute arbitrary code through mod_dav, mod_ssl, and other mechanisms. No exploit has been seen for this issue.
   + [11]CAN-2003-0132 Line feed memory leak DoS. A memory leak allowed remote attackers to cause a denial of service by sending lots of linefeed characters.

   Moderate risk:
   + [12]CAN-2003-0017 Apache can serve unexpected files. This issue affected only Windows platforms and allowed remote attackers to build up a list of files in the document root even if indexes were disabled.

   Low risk:
   + [13]CAN-2003-0789 CGI output information leak
   + [14]CAN-2003-0542 Local configuration regular expression overflow
   + [15]CAN-2003-0254 Remote DoS via IPv6
   + [16]CAN-2003-0253 Remote DoS with multiple Listen directives
   + [17]CAN-2003-0192 mod_ssl renegotiation issue
   + [18]CAN-2003-0189 Basic Authentication DoS
   + [19]CAN-2003-0134 OS2 device name DoS
   + [20]CAN-2003-0083 Filtered escape sequences
   + [21]CAN-2003-0016 MSDOS device names cause DoS

 * In addition to vulnerabilities directly affecting Apache httpd, a critical issue was found in OpenSSL, a library providing cryptographic functions that is commonly used with Apache:
   + [22]CAN-2003-0545: [23]A remotely exploitable vulnerability in OpenSSL

   All administrators should check their systems to make sure that Apache and all the supporting components being used have either been updated to the most recent releases, or to releases that contain back-ported patches to fix the security issues.

   SANS together with the FBI updated their [24]Top 20 Vulnerabilities list in October, a list of the most commonly exploited vulnerable services. Apache gets a mention as one of the top ten vulnerable services for Unix, although most of the time it is third party applications or poorly written scripts that are to blame for successful attacks. A checklist provides useful advice on how to make Apache and the related components more secure.

 * Conferences: [25]ApacheCon US 2003 was held in Las Vegas in November 2003. Although the conference was less extravagant than the previous ApacheCon conferences, the quality of the sessions and speakers was as impressive as ever. The O'Reilly Open Source Convention also had a large Apache presence.

 * Surveys: [26]Netcraft show the total number of Apache-based servers found by their survey rising from 22 million in January to 31 million in December, with continuing rises in market share - moving from 63% in January to end the year at over 68%.

   Netcraft also found that over 98% of SSL sites that had valid third party certificates were capable of using strong encryption. This percentage has increased dramatically since the expiration of the RSA patent and the opening of US export controls; in September 2000 only 79% of sites were capable of strong encryption.

 * Newsletter: The first issue of the official [27]Apache Newsletter was launched in August. The bi-monthly newsletter aims to cover all of the Apache Software Foundation projects and is packed with development news as well as details of all the new releases.

Book Reviews

mod_perl embeds the Perl programming language in the Apache web server, giving rise to a fast and powerful web programming environment. "Practical mod_perl" from O'Reilly aims to be the definitive book on how to use, optimise and troubleshoot mod_perl. The book is aimed at both server administrators and application developers, and is well organised so that both groups of readers can easily find what they need.

The bulk of the book is split into four main parts, covering administration, performance tuning, database issues and troubleshooting, all in relation to mod_perl 1.0. A smaller fifth part covers the differences between mod_perl 1.0 and the as-yet-unreleased mod_perl 2.0, and finally there are a number of appendices containing example code for common tasks, information on useful Perl modules, and some information for ISPs wishing to offer mod_perl to their customers.

The book as a whole is focused and well written, and the authors' knowledge of and passion about mod_perl is obvious. It's an excellent read and will undoubtedly make an excellent reference afterwards; O'Reilly have attempted to create the definitive book on mod_perl and they have succeeded admirably.

[28]Read our full review

Apache Week festive giveaway

Our friends at O'Reilly have given us four copies of the book "Practical mod_perl" to give away in our festive competition.
For a chance to get your hands on a copy, just match the punchline to this festive joke:

   Which of these is not a popular scripting language?
   A) Python
   B) Perl
   C) Penguin

Send your answer to [29]santa@apacheweek.com to reach us no later than January 5th 2004. Your email address will not be used for anything other than to let you know if you won. Four winners will be drawn at random from all correct entries submitted. One entry per person (we disqualify anyone sending duplicates), no cash alternative (we're skint), editors' decision is final (bah Humbug!).

______________________________________________________________

This issue brought to you by: Gary Benson, Mark J Cox, Joe Orton

Comments or criticisms? Please email us at [30]editors@apacheweek.com.

[31]Apache Week is Copyright 2003 [32]Red Hat, Inc.

References

   1. http://www.apacheweek.com/issues/03-11-07#apache2048
   2. http://www.apacheweek.com/issues/03-07-11#apache2047
   3. http://www.apacheweek.com/issues/03-05-30#apache2046
   4. http://www.apacheweek.com/issues/03-04-04#apache2045
   5. http://www.apacheweek.com/features/apache2044
   6. http://www.apacheweek.com/issues/03-07-25#apache1328
   7. http://www.apacheweek.com/issues/03-11-07#apache1329
   8. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
   9. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0460
  10. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245
  11. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
  12. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0017
  13. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789
  14. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
  15. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0254
  16. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0253
  17. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192
  18. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189
  19. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0134
  20. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0083
  21. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0016
  22. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
  23. http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
  24. http://www.sans.org/top20/#u3
  25. http://www.apachecon.com/2003/US/index.html
  26. http://www.netcraft.co.uk/survey/
  27. http://www.apache.org/newsletter/
  28. http://www.apacheweek.com/features/book-practicalmodperl
  29. mailto:santa@apacheweek.com
  30. mailto:editors@apacheweek.com
  31. http://www.apacheweek.com/
  32. http://www.redhat.com/

----------------------------------------------------------------------
To unsubscribe visit https://www.redhat.com/mailman/listinfo/apacheweek
or send the message "unsubscribe" to apacheweek-request@redhat.com
----------------------------------------------------------------------
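The review's advice that administrators check their systems against the most recent releases, as an added example that is not part of the newsletter and not the ASF's or Red Hat's own tooling: a small Python script that pulls the version out of `httpd -v` output or a `Server:` response header and compares it with the 2.0.48 / 1.3.29 baseline the review lists, and with the 2.0.37 to 2.0.45 range it gives for CAN-2003-0245. The function names, the result dictionary and the sample banners are my own constructions; the only facts taken from the page are those version numbers.

```python
"""Apache httpd version baseline check against the 2003 releases.

Added example for this page; not Apache Week's, the ASF's or Red Hat's code.
Facts taken from the newsletter: the most recent 2003 releases are
Apache 2.0.48 and Apache 1.3.29, and CAN-2003-0245 (APR remote crash)
affects versions between 2.0.37 and 2.0.45. Everything else, including
the sample banners at the bottom, is constructed for illustration.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Most recent release on each branch at the end of 2003 (from the newsletter).
LATEST_2003: Dict[str, Version] = {"1.3": (1, 3, 29), "2.0": (2, 0, 48)}

# Version range the newsletter gives for CAN-2003-0245, inclusive.
CAN_2003_0245_RANGE: Tuple[Version, Version] = ((2, 0, 37), (2, 0, 45))

# Matches the version token in 'Server version: Apache/2.0.45' (httpd -v)
# or in a 'Server: Apache/2.0.45 (Unix)' response header.
_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) from a banner, or None when the banner
    carries no full version: 'ServerTokens Prod' yields just 'Apache' and
    'ServerTokens Minor' yields 'Apache/2.0', neither of which is enough."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(banner: str) -> Dict[str, object]:
    """Compare a banner's version with the 2003 baseline.

    'behind_latest' is a prompt to investigate, not a verdict: vendor builds
    with back-ported fixes keep the old version number (the newsletter's
    'releases that contain back-ported patches'), so confirm against the
    vendor's advisory before concluding a host is vulnerable."""
    ver = parse_version(banner)
    if ver is None:
        return {
            "version": None,
            "branch": None,
            "behind_latest": None,
            "can_2003_0245_range": False,
            "note": "no full version in banner; run 'httpd -v' on the host",
        }
    branch = f"{ver[0]}.{ver[1]}"
    latest = LATEST_2003.get(branch)
    lo, hi = CAN_2003_0245_RANGE
    if latest is None:
        behind: Optional[bool] = None
        note = "branch not covered by the 2003 review"
    elif ver < latest:
        behind = True
        note = "predates the latest 2003 release; verify vendor back-ports"
    else:
        behind = False
        note = "at or beyond the latest 2003 release"
    return {
        "version": ".".join(str(n) for n in ver),
        "branch": branch,
        "behind_latest": behind,
        "can_2003_0245_range": lo <= ver <= hi,
        "note": note,
    }


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    SAMPLES = [
        "Server version: Apache/2.0.45",
        "Server: Apache/2.0.48 (Unix) mod_ssl/2.0.48",
        "Server: Apache/1.3.28 (Unix)",
        "Server: Apache",
    ]
    for sample in SAMPLES:
        print(f"{sample!r:50} -> {assess(sample)}")
```

Two caveats follow from the review itself. A version number in a banner says nothing about back-ported fixes, so a "behind" result on a vendor-packaged httpd (Red Hat's, for instance) means "read the vendor advisory", not "vulnerable". And `ServerTokens` can strip the version from the remote banner entirely, in which case the only reliable source is `httpd -v` run on the host; the same applies to the OpenSSL library httpd is linked against, which this check deliberately does not try to infer from a banner.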