Thread View: gmane.comp.apache.apacheweek
1 total messages Started by Apache Week Fri, 14 May 2004 18:06
Apache Week issue 345
#58
Author: Apache Week
Date: Fri, 14 May 2004 18:06
                                APACHE WEEK

The essential weekly guide for users of the world's most popular Web server.
                          Issue 345: 14th May 2004

                                 In this issue

     * Apache httpd 1.3.31 Released
     * Under development
     * In the news
     * Featured articles

                         Apache httpd 1.3.31 Released

     Apache httpd 1.3.31 was released on 11th May 2004 and is now the
     latest version of the Apache httpd 1.3 server. The previous release
     was 1.3.29, released on the 29th October 2003. [1]See what was new
     in Apache httpd 1.3.29.

     [2]Apache httpd 1.3.31 is available for download

     This is a security, bug fix and minor upgrade release. Due to
     security issues, any sites using versions of Apache httpd 1.3 prior
     to Apache httpd 1.3.31 should upgrade to Apache httpd 1.3.31.
     [3]Read more about the other security issues that affect Apache
     httpd 1.3.

Security issues

     * When using multiple listening sockets, a denial of service attack
       is possible on some platforms due to a race condition in the
       handling of short-lived connections. This issue is known to affect
       some versions of AIX, Solaris, and Tru64; it is known to not
       affect FreeBSD or Linux. The Common Vulnerabilities and Exposures
       project has assigned the name [4]CAN-2004-0174 to this issue.
     * Arbitrary client-supplied strings can be written to the error log
       which can lead to exploits of certain terminal emulators. The
       Common Vulnerabilities and Exposures project has assigned the name
       [5]CAN-2003-0020 to this issue.
     * mod_digest was not checking the nonce value returned by clients;
       use of mod_auth_digest is recommended in place of mod_digest. The
       Common Vulnerabilities and Exposures project has assigned the name
       [6]CAN-2003-0987 to this issue.
     * Allow/Deny rules using IP addresses without a netmask were not
       interpreted correctly on big-endian 64-bit platforms. The Common
       Vulnerabilities and Exposures project has assigned the name
       [7]CAN-2003-0993 to this issue.

New features

     The following new features have been added since 1.3.29:
     * the source code is now licensed under the [8]Apache License,
       Version 2.0
     * mod_whatkilledus, mod_backtrace: New diagnostic modules which log
       information about child process crashes
     * mod_log_forensic: New module which performs "forensic" logging

Bugs fixed

     The following bugs have been fixed in 1.3.31:
     * mod_usertrack: fix segfault if CookieName was omitted
       ([9]BZ#24483); fixed to not overwrite other cookies
       ([10]BZ#26002), and to not inspect the Cookie2 request header
       ([11]BZ#11475)
     * mod_rewrite: fix double-slash bug in RewriteBase; export the
       REMOTE_PORT variable ([12]BZ#25882); fail when lookup keys
       containing a newline are used with external rewrite maps
       ([13]BZ#14453)
     * mod_include: fix handling of expressions which begin with an
       escaped token
     * fix a memory corruption problem in the ap_custom_response function

                               Under development

     The 1.3.30 release process was abandoned last month after a short
     period of testing, so that the mod_digest security issue could be
     resolved. The new 1.3.31 release candidate tarball gained more
     attention than normal after a story posted to Slashdot announced
     that the tarball produced was in fact the final release. No vetoes
     were posted for the tarball so the release went ahead otherwise as
     normal.

     1.3.31's Release Manager Jim Jagielski proposed that the apache-1.3
     CVS repository be migrated to a [14]Subversion repository.
     Subversion has been under evaluation at apache.org for some time;
     several ASF projects in the [15]Incubator process have been using
     the [16]Subversion repository which has been set up, notably
     SpamAssassin.

                                  In the news

O'Reilly Open Source Convention 2004

     Only a couple of months to go before the highly anticipated
     O'Reilly Open Source Convention opens its doors in Portland,
     Oregon. This year the conference runs from July 26-30 with many
     tracks of interest to Apache users. A [17]dedicated Apache track
     features such sessions as "HTTP Caching and Cache-busting", "Using
     WebDAV", and "The Incubator: How to Start a Successful Apache
     Project".

Happy 8th Birthday Apache httpd

     In a press release the Apache httpd project announced its [18]8th
     birthday. The first release of the Apache httpd server was in April
     1995. The first issue of Apache Week was nine months later, in
     [19]February 1996.

Interview with Brian Behlendorf

     Netcraft interviews Apache co-founder [20]Brian Behlendorf. Brian
     talks about Apache's growth, security, and how to change the world
     through software.

                               Featured articles

     In this section we highlight some of the articles on the web that
     are of interest to Apache users.

     LinuxInsider want [21]"Open Source Scripting Made Easy". This short
     article takes a look at development environments available for
     popular PHP.

     Martin Brown covers some [22]Apache Maintenance Basics at Server
     Watch. The article looks at how to monitor Apache logs and
     real-time status, as well as configuration and patch management
     issues.

     Linux Journal takes a look at [23]Compressing Web Content and how
     to use mod_gzip and mod_deflate to get the most out of your
     bandwidth.

     O'Reilly look at how to use web server logs for monitoring server
     performance in the article [24]Profiling LAMP Applications with
     Apache's Blackbox Logs.
       ______________________________________________________________

     This issue brought to you by: Mark J Cox, Joe Orton
     Comments or criticisms? Please email us at
     [25]editors@apacheweek.com.

     [26]Apache Week is Copyright 2004 [27]Red Hat, Inc.

References

   1. http://www.apacheweek.com/issues/03-11-07#apache1329
   2. http://httpd.apache.org/download.cgi#apache13
   3. http://www.apacheweek.com/features/security-13
   4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
   5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
   6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
   7. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
   8. http://www.apache.org/licenses
   9. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24483
  10. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26002
  11. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11475
  12. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25882
  13. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14453
  14. http://subversion.tigris.org/
  15. http://incubator.apache.org/
  16. http://svn.apache.org/repos/asf/
  17. http://conferences.oreillynet.com/pub/w/29/track_apache.html
  18. http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=SVBIZINK3.story&STORY=/www/story/05-11-2004/0002172126
  19. http://www.apacheweek.com/issues/96-02-09
  20. http://news.netcraft.com/archives/2004/05/05/interview_brian_behlendorf_cofounder_of_apache.html
  21. http://www.linuxinsider.com/story/online/33792.html
  22. http://www.serverwatch.com/tutorials/article.php/3353701
  23. http://www.linuxjournal.com/article.php?sid=6802
  24. http://www.onlamp.com/pub/a/apache/2004/04/22/blackbox_logs.html
  25. mailto:editors@apacheweek.com
  26. http://www.apacheweek.com/
  27. http://www.redhat.com/
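
The error-log issue listed under CAN-2003-0020 comes down to client-supplied bytes reaching a log file, and later a terminal, with their control characters intact. The following is an added example, not code from Apache httpd or from this newsletter: the helper name sanitize_log_field and the sample request path are hypothetical, and the sample is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Apache's code): copy src into dst, rewriting
 * every byte outside printable ASCII, plus the backslash itself, as a
 * visible escape so a terminal never receives a raw control byte.
 * Returns the number of bytes written (excluding the NUL), or -1 if
 * dst is too small. */
int sanitize_log_field(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char esc[4];
        size_t n;

        if (*p == '\\')      { esc[0] = '\\'; esc[1] = '\\'; n = 2; }
        else if (*p == '\n') { esc[0] = '\\'; esc[1] = 'n';  n = 2; }
        else if (*p == '\r') { esc[0] = '\\'; esc[1] = 'r';  n = 2; }
        else if (*p == '\t') { esc[0] = '\\'; esc[1] = 't';  n = 2; }
        else if (*p >= 0x20 && *p < 0x7f) { esc[0] = (char)*p; n = 1; }
        else {  /* ESC (0x1b), other C0 controls, DEL, bytes >= 0x80 */
            esc[0] = '\\'; esc[1] = 'x';
            esc[2] = hex[*p >> 4]; esc[3] = hex[*p & 0x0f];
            n = 4;
        }
        if (o + n >= dstlen)   /* keep room for the terminating NUL */
            return -1;
        memcpy(dst + o, esc, n);
        o += n;
    }
    if (dstlen == 0)
        return -1;
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: a request path carrying an ESC sequence and
     * a newline that would otherwise start a forged second log line. */
    const char *uri = "/a\x1b[2J\nforged entry";
    char out[128];

    if (sanitize_log_field(uri, out, sizeof out) >= 0)
        printf("[error] File does not exist: %s\n", out);
    return 0;
}
```

Escaping the backslash as well keeps the output unambiguous: a literal "\x1b" typed by a client cannot be confused with an escaped ESC byte.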


