Apache Week | 1 Oct 2004 17:21

Apache Week issue 349


                                APACHE WEEK

The essential weekly guide for users of the world's most popular Web server.
                        Issue 349: 1st October 2004

                                 In this issue

     * Apache httpd 2.0.52 Released
     * In the news

                         Apache httpd 2.0.52 Released

     Apache httpd 2.0.52 was released on 28th September 2004 and is now
     the latest version of the httpd 2.0 server. The previous version
     was 2.0.51, released on the 15th September 2004. [1]See what was
     new in Apache httpd 2.0.51.

     [2]Apache httpd 2.0.52 is available for download.

     This is a security, bug fix and minor upgrade release, correcting a
     security  issue that was introduced in the 2.0.51 build. Due to the
     security  issues fixed in recent versions, any sites using versions
     of  2.0  prior  to Apache httpd 2.0.52 should consider upgrading to
     Apache  httpd  2.0.52. [3]Read more about the other security issues
     that affect 2.0.

Security issues

     * Fix  a  problem introduced in the 2.0.51 release in the merging of
(Continue reading)

Apache Week | 23 Sep 2004 19:26

Apache Week issue 348


                       Issue 348: 23rd September 2004

                                 In this issue

     * Apache httpd 2.0.51 Released
     * Under development

                         Apache httpd 2.0.51 Released

     Apache httpd 2.0.51 was released on 15th September 2004 and is now
     the latest version of the httpd 2.0 server. The previous version
     was 2.0.50, released on the 1st July 2004. [1]See what was new in
     Apache httpd 2.0.50.

     [2]Apache httpd 2.0.51 is available for download.

     IMPORTANT NOTE: A serious security issue has been discovered in the
     2.0.51  release, which is fixed by applying [3]CAN-2004-0811.patch;
     this  issue  does  not  affect 2.0.50 and earlier releases. See the
     [4]Under Development section for more details.

     This  is  a  security,  bug  fix  and minor upgrade release. Due to
     security  issues,  any  sites using versions of 2.0 prior to Apache
     httpd  2.0.50  should  consider  upgrading  to Apache httpd 2.0.50.
     [5]Read more about the other security issues that affect 2.0.

(Continue reading)

Apache Week | 2 Jul 2004 19:35

Apache Week issue 347


                          Issue 347: 2nd July 2004

                                 In this issue

     * Apache httpd 2.0.50 Released
     * In the news
     * Featured articles

                         Apache httpd 2.0.50 Released

     Apache httpd 2.0.50 was released on 1st July 2004 and is now the
     latest version of the httpd 2.0 server. The previous version was
     2.0.49, released on the 19th March 2004. [1]See what was new in
     Apache httpd 2.0.49.

     [2]Apache httpd 2.0.50 is available for download.

     This  is  a  security,  bug  fix  and minor upgrade release. Due to
     security  issues,  any  sites using versions of 2.0 prior to Apache
     httpd  2.0.50  should  upgrade to Apache httpd 2.0.50. [3]Read more
     about the other security issues that affect 2.0.

Security issues

     * A  memory  leak  in parsing of HTTP headers which can be triggered
       remotely  may  allow  a  denial of service attack due to excessive
(Continue reading)

Apache Week | 11 Jun 2004 16:51

Apache Week issue 346


                         Issue 346: 11th June 2004

                                 In this issue

     * Security Reports
     * Under development
     * In the news
     * Featured articles

                               Security Reports

CAN-2004-0492: Important flaw in mod_proxy

     An  important  [1]security  issue  was reported in mod_proxy on the
     10th  June.  The  Common  Vulnerabilities and Exposures project has
     assigned the name [2]CAN-2004-0492 to this issue.

     The  flaw  affects  Apache  httpd  versions 1.3.26, 1.3.27, 1.3.28,
     1.3.29  and  1.3.31  that  have  mod_proxy  enabled and configured.
     Apache  httpd  2.0  and  other  versions  of  Apache  httpd 1.3 are
     unaffected.

     The  security  issue is a buffer overflow which can be triggered by
     getting  mod_proxy  to  connect to a remote server which returns an
     invalid  (negative) Content-Length. This results in a memcpy to the
     heap  with a large length value, which will in most cases cause the
(Continue reading)

Apache Week | 14 May 2004 18:06

Apache Week issue 345


                          Issue 345: 14th May 2004

                                 In this issue

     * Apache httpd 1.3.31 Released
     * Under development
     * In the news
     * Featured articles

                         Apache httpd 1.3.31 Released

     Apache httpd 1.3.31 was released on 11th May 2004 and is now the
     latest version of the Apache httpd 1.3 server. The previous release
     was 1.3.29, released on the 29th October 2003. [1]See what was new
     in Apache httpd 1.3.29.

     [2]Apache httpd 1.3.31 is available for download.

     This  is  a  security,  bug  fix  and minor upgrade release. Due to
     security issues, any sites using versions of Apache httpd 1.3 prior
     to  Apache  httpd  1.3.31  should  upgrade  to Apache httpd 1.3.31.
     [3]Read  more  about  the  other security issues that affect Apache
     httpd 1.3.

Security issues

(Continue reading)

Apache Week | 26 Mar 2004 17:48

Apache Week issue 344


                         Issue 344: 26th March 2004

                                 In this issue

     * Apache httpd 2.0.49 Released

                         Apache httpd 2.0.49 Released

     Apache httpd 2.0.49 was released on 19th March 2004 and is now the
     latest version of the httpd 2.0 server. The previous version was
     2.0.48, released on the 29th October 2003. [1]See what was new in
     Apache httpd 2.0.48.

     [2]Apache httpd 2.0.49 is available for download.

     This  is  a  security,  bug  fix  and minor upgrade release. Due to
     security  issues,  any  sites using versions of 2.0 prior to Apache
     httpd  2.0.49  should  upgrade to Apache httpd 2.0.49. [3]Read more
     about the other security issues that affect 2.0.

Security issues

     * A  remotely triggered memory leak in mod_ssl can allow a denial of
       service  attack  due  to  excessive memory consumption. The Common
       Vulnerabilities  and  Exposures  project  has  assigned  the  name
       [4]CAN-2004-0113 to this issue.
(Continue reading)

Apache Week | 12 Mar 2004 17:06

Apache Week issue 343


                         Issue 343: 12th March 2004

                                 In this issue

     * Security Reports
     * Under development
     * Apache Conferences
     * Featured articles

                               Security Reports

     Over  the last few weeks a number of minor security vulnerabilities
     that affect the Apache HTTP server have become known to the public.
     New  releases that contain fixes to these issues are expected to be
     made available soon.

CAN-2004-0113: mod_ssl memory leak leads to DoS

     A  memory  leak  was found in the mod_ssl module included in Apache
     2.0.  By  sending  plain HTTP requests to the SSL port, an attacker
     can  cause Apache to consume increasing amounts of memory which can
     lead to a denial of service.

     This  issue  was  reported  to  the public Apache bugzilla database
     ([1]BZ#27106) on 20th February 2004. The Common Vulnerabilities and
     Exposures  project  has  assigned the name [2]CAN-2004-0113 to this
(Continue reading)

Apache Week | 13 Feb 2004 17:04

Apache Week issue 342


                       Issue 342: 13th February 2004

                                 In this issue

     * Under development
     * Security Reports
     * In the news
     * Featured articles
     * Apache Week Celebrates Its Eighth Birthday

                               Under development

     Greg  Ames  has  been  working  on  a  patch  to  speed  up request
     processing  when  a  handler is configured for a specific Location.
     Currently in such configurations, the directory tree mapping to the
     location  is  still  traversed after a handler has been determined,
     which  is  unnecessary  when  the handler of the request is already
     known  to  be  "virtual" (rather than based in the filesystem). The
     performance overhead of this unnecessary directory tree walk can be
     significant; discussion of how to eliminate it continues as the
     developers try to determine how this "virtual-ness" should be
     decided: whether manually by configuration option, or automatically
     by logic in the module itself.

     The  default  hard  limit on the number of httpd child processes in
     2.0's  prefork  MPM stood at the already unreasonably high value of
(Continue reading)

Apache Week | 23 Jan 2004 18:43

Apache Week issue 341


                        Issue 341: 23rd January 2004

                                 In this issue

     * Under development
     * Security Reports
     * In the news
     * Featured articles

                               Under development

     A  change was proposed recently to allow the ServerTokens directive
     to  change  the  product  name  returned  in the Server header, for
     example  using ServerTokens Set IIS/5.0. Some server administrators
     request such a feature in the belief that it will improve security,
     under the assumption that attackers will not try Apache exploits if
     the  server  is running IIS. In reality, a determined attacker will
     easily  be  able  to  determine what software the server is running
     without  relying  on the Server header, so this feature has no real
     security  benefit.  As  usual,  there  was strong opposition to the
     change:  determined  server  administrators  can  still  change the
     Server  string  at  compile-time  without  needing  a configuration
     option.

                               Security Reports

(Continue reading)

Apache Week | 9 Jan 2004 17:17

Apache Week issue 340


                        Issue 340: 9th January 2004

                                 In this issue

     * Under development
     * Featured articles
     * Apache Week giveaway

                               Under development

     A  new  module,  mod_log_forensic,  was  committed  to both the 2.1
     development  tree  and  the  1.3 tree by [1]Ben Laurie over the New
     Year.  The  module writes each request (including headers) to a log
     file  before  request processing begins, including a unique request
     ID.  After  request processing is completed, the unique ID is again
     logged  to  the  log  file.  If  a security issue is exploited on a
     server  running mod_log_forensic, crashing a child process, the log
     can  then  be used to discover exactly what request was used in the
     exploit, allowing further investigation.

     There  has been some discussion about a security fix committed last
     month;  the  patch  for  [2]CAN-2003-0020  ensures  that any unsafe
     characters  are escaped before being written to the error log. This
     prevents  attackers  from being able to create fake log entries and
     also  prevents  the  error  log  being  used for exploits of escape
     sequence processing bugs in terminal emulators. However, some users
(Continue reading)

Apache Week | 19 Dec 2003 17:21

Apache Week issue 339


                       Issue 339: 19th December 2003

                                 In this issue

     * Apache 2003 Review
     * Book Reviews
     * Apache Week festive giveaway

                              Apache 2003 Review

     It's  that  time  of year when you look back over the events of the
     last  12  months and wonder just what you spent all your time doing
     and try to find the answers to those niggling little questions like
     why a weekly publication only produced 22 issues this year. As this
     is  the last issue of Apache Week for 2003 we thought we'd give you
     a mini review of the year.
     * Under  Development:  The split in Apache 2 development between the
       "stable" 2.0 tree and the "development" branch (labelled 2.1), has
       produced  five new minor releases this year, including various bug
       and  security fixes: [1]Apache 2.0.48, [2]Apache 2.0.47, [3]Apache
       2.0.46,  [4]Apache  2.0.45,  and  [5]Apache 2.0.44. These releases
       have   all   maintained  backwards  compatibility  in  the  module
       interface, giving third party developers a stable platform for 2.0
       module development.
       The  CVS  "review then commit" policy for the stable 2.0 branch, a
       departure  from the normal "commit then review" mode used up until
(Continue reading)
