Gianluca writes "Web sites get defaced every day -- that's routine practice for aspiring crackers who want to gain popularity by proving their bravery. Too often their attacks are aimed at unprepared, defenceless servers which were improperly secured by clumsy administrators. Just reading a book won't save you from the next cracker attack. However, having a solid knowledge of the basics of web security and a list of effective checkpoints for configuring your server, will definitely help you to prevent at least the most trivial mistakes." Gianluca reviews here Wrox Press' Professional Apache Security to see how well it can provide that kind of knowledge -- read on below.

markcox writes "Apache Week had written an article examining the Apache packages distributed by 10 popuplar Linux vendors. The survey found that all the vendors added some patches to virgin Apache including build patches, backported security patches, changing the product name through to dubious patches, and missed security fixes."

Saint Aardvark writes "The good folks at PHP.net have warned of a serious vulnerability in PHP 4.3.0: 'Anyone with access to websites hosted on a web server which employs the CGI module may exploit this vulnerability to gain access to any file readable by the user under which the webserver runs. A remote attacker could also trick PHP into executing arbitrary PHP code if attacker is able to inject the code into files accessible by the CGI. This could be for example the web server access-logs.' It's recommend that you upgrade to 4.3.1 right away."

hardcorejon writes "Am I the only person who didn't notice that on November 18th 2002, the Apache Ant Project had migrated out from under the Jakarta Project umbrella to become a top-level Apache project, joining the ranks of the Apache HTTP Server Project? Well, for those of us who use Ant on a regular basis, this is great news. Ant is an incredibly powerful tool, increasingly a standard build system for many new projects."

rbowen writes "The Apache Software Foundation is pleased to announce the release of Apache 2.0.44, which addresses a number of security issues. Download it from your favorite mirror." Rich notes that it fixes some important security problems (under Windows) for the Windows version. Also interesting is that now there truly is a split between a development and regular releases, adopting the Linux kernel model, with 2.1 being the dev Apache tree and 2.0 being the release tree.

semanticgap writes "The beauty of Python at Apache speeds! A couple of months after donation to ASF, a new mod_python is out under the Apache license. Main feature of this release is Apache 2.0 compatibility, including support for filters and connection handlers and many more enhancements. More info at www.modpython.org. Note that this release is not compatible with Apache 1.3."

pdw writes "Apache Week this week has a feature detailing the happenings at last week's ApacheCon in Vegas. Read up to find out what's new in the world of Apache."

Gentu writes "There is a pretty new and little known, lite web server in town, named Boa. The server can run very fast on older machines, even on embedded devices, but it is only CGI-based. OSNews introduces Boa (running under Linux) and it includes some preliminary benchmarks against Apache and thttpd."

Liam writes "Tomcat is a subproject of the Apache Software Foundation's Jakarta project, its purpose being to serve Java Servlets and JavaServer Pages. It's a complex piece of software and though the documentation is very comprehensive, it helps to have a good reference work to hand. There aren't many books on the subject to choose from, so a publisher could make a fast buck putting out an incomplete work lacking in depth. Fortunately Wrox Press has done a great job with its new publication Professional Apache Tomcat." Read on for the rest of Liam's review.

ruiner5000 writes "Well it is official. AMD has just sent out a press release announcing that Covalent and Redhat are developing a 64 bit version of Apache. "Covalent is developing 64-bit compatibility because we believe the upcoming AMD Opteron processor-based server systems will deliver superior performance and reliability for our easy-to-install Apache project server software," said Mark Douglas, senior vice president of engineering, Covalent Technologies. "Compatibility is essential, and we are cooperatively working to ensure optimal performance with the upcoming AMD Opteron processors." "

Network Dweebs Corporation writes "A new Apache DoS mod, called mod_dosevasive (short for dos evasive maneuvers) is now available for Apache 1.3. This new module gives Apache the ability to deny (403) web page retrieval from clients requesting more than one or two pages per second, and helps protect bandwidth and system resources in the event of a single-system or distributed request-based DoS attack. This freely distributable, open-source mod can be found at http://www.networkdweebs.com/stuff/security.html"

Triumph The Insult C writes "Apache 1.3.27 is out, addressing 3 security problems and includes some other updates. Check out cve.mitre.org for CAN-2002-0839, CAN-2002-0840 and CAN-2002-0843. You can grab .27 from the mirrors. Details on the security problems and the other updates to .27 can be found here."

jimmy writes ""A vulnerability exists in the SSI error pages of Apache 2.0 that involves incorrect filtering of server signature data. The vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host." This Cross site scripting (or XSS) hole has been found in all versions of apache prior to 2.0.43. The advisory can be found here and users are urged to upgrade to address this problem."

i-got-a-long-name writes "The Apache HTTP Server Project is proud to announce the fifth public release of Apache 2.0. This is primarily a bug-fix release, including updates to the experimental caching module, the removal of several memory leaks, and fixes for several segfaults, one of which could have been used as a denial-of-service against mod_dav. A complete list of the changes since 2.0.40 are available.". Just keep in mind that if you upgrade be prepared to recompile all of your modules since binary-compatibility is no longer the case. Which I am sure will help with the adoption rate.

KingARP writes "This article details how to secure dynamic content on an Apache Web server. Topics covered include general security issues pertaining to dynamic content, securing Server Side Includes, configuring Apache's Common Gateway Interface, and wrapping dynamic content. The article is targeted primarily at Webmasters and system administrators responsible for maintaining and securing a Web server; however, anyone with a need or desire to server dynamic content will benefit from the topics covered."

rbowen writes "Early-bird registration for ApacheCon closes on October 1. Sign up now to save $200 on the premier Apache event in the world. Don't miss out on a chance to mingle with the folks that wrote Apache, and get your Apache dilemmas solved by the leading experts in the field."

randomErr writes "The worms, Slapper.B and Slapper.C, which exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process has infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company. "

joe writes "Apache has released a security warning in its popular server Tomcat. This security hole allows non authenticated users to retrieve source code of web applications on the server."

corz writes "Has PHP got you down? Are you tired of writing those Perl CGI scripts? Why not check out The Moto Programming Language. Released under the GPL, Moto allows for two modes of execution: interpreted and compiled. Moto is different from the rest of the field in that you can develop a site using interpreted mode for quick testing, then when the site is ready for production you can compile the it into an Apache DSO and serve it straight from memory. If you are looking to learn a new language, or would like to help with development, consider giving Moto a chance. Go download it now."

sverrehu writes "A GNU/Linux worm exploiting a bug in OpenSSL spreads through vulnerable Apache web servers, according to Symantec. The worm, which was first reported in Europe, targets several popular Linux distributions. See also the SecurityFocus vulnerability listing for the OpenSSL bug." sionide also writes: "Netcraft recently published a report which explains that a large portion of Apache systems are still unpatched (halfway down). To protect yourself please upgrade to OpenSSL 0.9.6g."