Mozilla

Mozilla Foundation Begins Redraft Process For MPL 65

Barence writes "Mozilla has announced plans to redraft the open-source license underpinning projects such as Firefox. The Mozilla Public License 1.1 has been used to distribute numerous projects including Firefox, Thunderbird, OpenSolaris and Flex for over a decade. In the first phase of this process, Mozilla will release an alpha draft based on feedback already received. This will be followed by 'commentary, discussion, and further drafting, followed by beta and release candidate drafts.' Mozilla intends to 'seriously investigate' whether it can make the MPL compatible with the Apache license, in an effort to 'help projects using the MPL become more flexible about using Apache-licensed code.'"
Bug

Serious Apache Exploit Discovered 160

bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit." Note: according to the advisory, this exploit is exclusive to Windows.
Software

The Final Release of Apache HTTP Server 1.3 104

Kyle Hamilton writes "The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 1.3.42 of the Apache HTTP Server ('Apache'). This release is intended as the final release of version 1.3 of the Apache HTTP Server, which has reached end of life status. There will be no more full releases of Apache HTTP Server 1.3. However, critical security updates may be made available."
PHP

Facebook's HipHop Also a PHP Webserver 304

darthcamaro writes "As expected, Facebook today announced a new runtime for PHP, called HipHop. What wasn't expected were a few key revelations disclosed today by Facebook developer David Recordon. As it turns out, Facebook has been running HipHop for months and it now powers 90 percent of their servers — it's not a skunkworks project; it's a live production technology. It's also not just a runtime, it's also a new webserver. 'In general, Apache is a great Web server, but when we were looking at how we get the next half percent or percent of performance, we didn't need all the features that Apache offers,' Recordon said. He added, however, that he hopes an open source project will one day emerge around making HipHop work with Apache Web servers."
Image

ModSecurity 2.5 25

Martijn de Boer writes "For a long time now Apache's webserver software has been serving up the Web. Because Internet usage is still growing every day, securing your growing number of servers has become very important. ModSecurity 2.5 has been written to illustrate and educate you on the ease of use and inner workings of the ModSecurity module for the most widespread webserver." Read below for the rest of Martijn's review.
Software

Apache May Stop 1.3, 2.0 Series Releases 77

Dan Jones writes "The Apache Software Foundation may stop releasing new versions of the older 1.3 and 2.0 series of its flagship Web server product with most development now focused on the 2.2 series. Nothing is final yet, but messages to the Apache httpd developer mailing list recommend the formal deprecation of the 1.3.x branch, with most citing a lack of development activity. The Apache HTTP server project is one of the most successful and popular open source projects and has become an integral part of the technology stack for thousands of Web and SaaS applications. The first generation of Apache was released in 1995, and the 2.0 series began in 2002. Apache httpd 2.2 began in 2005, with the latest release (October 2009) being 2.2.14. However, the most recent releases of the 1.3 and 2.0 series servers were back in January 2008. With the combined total of active 1.3 and 2.0 series Apache Web servers well into the millions, any decision to end-of-life either product will be watched closely."
It's funny.  Laugh.

Offset Bad Code, With Bad Code Offsets 279

An anonymous reader writes "Two weeks ago, The Daily WTF's Alex Papadimoulis announced Bad Code Offsets, a joint venture between many big names in the software development community (including StackOverflow's Jeff Atwood and Jon Skeet and SourceGear's Eric Sink). The premise is that you can offset bad code by purchasing Bad Code Offsets (much in the same way a carbon-footprint is offset). The profits are donated to Free Software projects which work to eliminate bad code, such as the Apache Foundation and FreeBSD. The first cheques were sent out earlier today." Hopefully, they work better than carbon offsets, actually.
Programming

Microsoft Open Sources .NET Micro Framework 320

An anonymous reader writes "Back in July, Microsoft announced it was making .NET available under its Community Promise, which in theory allowed free software developers to use the technology without fear of patent lawsuits. Not surprisingly, many free software geeks were unconvinced by the promise (after all, what's a promise compared to an actual open licence?), but now Microsoft has taken things to the next level by releasing the .NET Micro Framework under the Apache 2.0 licence. Yes, you read that correctly: a sizeable chunk of .NET is about to go open source."
Security

XML Library Flaw — Sun, Apache, GNOME Affected 140

bednarz writes with this excerpt from Network World: "Vulnerabilities discovered in XML libraries from Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them, according to Codenomicon. The security vendor found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and delivery of a malicious payload using XML-based content. Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available Wednesday. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI)."
Software

Opera Unite Web Server Benchmarked 227

worb writes "Opera Unite comes with a web server which is supposedly going to 'redefine the web.' But how well does it actually perform? Is it a threat to other server solutions? Someone put it to the test, and published the results. While nginx, one of the fastest web servers available, is 5 times faster, a PHP+Apache+MySQL server is only 2 times as fast. A compiled C++ server, the MadFish WebToolkit, is 6 times faster. He concludes that Opera Unite's server is impressive, and that the others come nowhere close to the ease of use."
Programming

Yahoo Releases Open Source Hadoop Distribution 49

ruphus13 writes "Yahoo has been a vociferous Apache Hadoop user and supporter for several years now, and uses it extensively within its Search technologies. Hadoop has been gaining popularity in the Cloud Computing space, with companies like the NYTimes converting 4TB and 11 million articles to PDFs in under 24 hours using Hadoop and EC2 in late 2007. Hadoop has been made available in Amazon's cloud and Yahoo has now released its own Hadoop version. From the article: 'At today's Hadoop Summit in Silicon Valley, Yahoo! announced the availability of the Yahoo! Distribution of Hadoop, a source-only version of Apache Hadoop that Yahoo! uses within its own search engine. [Hadoop] is an open source software framework that helps process very large data sets, and is widely used in large-scale data mining applications as well as in search tools at sites like Facebook and many others. For developers and users interested in Hadoop, it's worth noting that the Yahoo! Distribution of Hadoop has been widely tested and developed at Yahoo! for years now.'"
The Internet

The Chinese (Web Servers) Are Coming 231

Glyn Moody writes "The February 2009 Netcraft survey is not the usual 'Apache continues to trounce Microsoft IIS' story: there's a new entrant — from China. 'This majority of this month's growth is down to the appearance of 20 million Chinese sites served by QZHTTP. This web server is used by QQ to serve millions of Qzone sites beneath the qq.com domain.' What exactly is this QZHTTP, and what does it all mean for the world of Web servers?"
Linux Business

Microsoft and Apache - What's the Angle? 433

A week ago, we discussed Microsoft's contribution to the Apache Foundation. Now, Bruce Perens has written an analysis "exploring the new relationship of Microsoft and the Apache project, how it works as an anti-Linux move on Microsoft's part, and what some of the Open Sourcers are going to do about having Microsoft as a rather untrustworthy partner." In particular, he notes: "...Microsoft can still influence how things go from here on. If they have to live with open source, the Apache project is Microsoft's preferred direction. Apache doesn't use the dreaded GPL and its enforced sharing of source-code. Instead, the Apache license is practically a no-strings gift, with a weak provision against patent lawsuits as its most relevant term. Microsoft can take Apache software and embrace and enhance, providing their own versions of the project's software with engineered incompatibility and no available source, just as they forced incompatibility into the Web by installing IE with every Windows upgrade."
Microsoft

Microsoft Blesses LGPL, Joins Apache Foundation 425

Penguinisto writes "According to a somewhat jaw-dropping story in The Register, it appears that Microsoft has performed a trifecta of geek-scaring feats: They have joined the Apache Software Foundation as a Platinum member (at $100K USD a year), submitted LGPL-licensed patches for ADOdb, and have pledged to expand their Open Specifications Promise by adding to the list more than 100 protocols for interoperability between its Windows Server and the Windows client. While I sincerely doubt they'll release Vista under a GPL license anytime soon, this is certainly an unexpected series of moves on their part, and could possibly lead to more OSS (as opposed to 'Shared Source') interactivity between what is arguably Linux' greatest adversary and the Open Source community." (We mentioned the announced support for the Apache Foundation earlier today, as well.)
Microsoft

Microsoft Sponsors Apache Software Foundation 120

gbjbaanb writes "Ars Technica reports that Microsoft is to sponsor the Apache Foundation to the tune of $100k. From the article: 'I asked him if this could possibly be the beginning of a broader initiative by Microsoft to increase Apache compatibility with .NET web development technologies, but he says it's still too early to guess Microsoft's future plans for Apache participation. ... He doesn't anticipate a confrontational response from the developers working on individual Apache projects ... The response of the broader open source software community, however, is harder to predict.' (In related news, MS also intends to participate in the RubySpec project.)"
Security

ApacheCon Europe'08 Live Video Streaming 17

os2man writes "ApacheCon Europe 2008, the official user conference of the Apache Software Foundation will be held 7 April through 11 April in Amsterdam, The Netherlands. Some of the tracks will be broadcast via live streaming: System Administration (Wednesday), Web Security (Thursday) and Web Services and Web 2.0 (Friday). There's a 99 euro registration fee for the tracks, although all keynote sessions and the opening plenary are available free of charge."
Security

Breakdowns of Website Defacement by Platform 203

SkiifGeek writes "Zone-H have recently posted the statistical breakdown of the collected website defacements from the last few years. Surprisingly, in 2007 more Linux servers suffered a successful attack than all versions of Windows, combined. Similarly, more Apache installations were successfully attacked than all IIS versions combined. A day after posting this data, Zone-H have questioned the appropriateness of continuing to operate the archive. Despite the valuable information that can be gleaned from the service, it may soon be lost to the world. The natural successor to the now-defunct Alldas archive of defaced websites, Zone-H's archive maintains records of over 2.6 million defaced sites but may be shut down due to the continuous accusations of impropriety leveled against them any time they disclose and mirror a reported defacement."
Security

Mystery Malware Affecting Linux/Apache Web Servers 437

lisah writes "Reports are beginning to surface that some Web servers running Linux and Apache are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if you're unable to create a directory name beginning with a numeral. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked the Apache Software Foundation if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Mark Cox of the Apache security team, "Whilst details are thin as to how the attackers gained root access to the compromised servers, we currently have no evidence that this is due to an unfixed vulnerability in the Apache HTTP Server." We sent a similar query to Red Hat, the largest vendor of Linux, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."'"
Yahoo!

Yahoo Becomes Apache Platinum Sponsor 110

jschauma writes "Yahoo published a press release announcing that it has become a platinum sponsor of the Apache Software Foundation. In their company blog, Yahoo points out their particular interest in the Apache projects Lucene and Hadoop, and that they have hired Doug Cutting, creator of both projects and VP at Apache. (Lucene powers the search on Wikipedia; Yahoo also provides hosting capacity to Wikimedia.)"
Security

Microsoft's IIS is Twice as Likely to Host Malware? 163

eldavojohn writes "According to Google, Microsoft's server software is at least twice as likely to host viruses or malware. The reason why? 'Google reports that IIS is likely used to distribute malware more often than Apache because many IIS installs are on pirated Windows versions which aren't configured to automatically download patches. (Even pirated Windows versions can automatically receive security fixes, however.) Our analysis demonstrates how important it is to keep web servers patched to the latest patch level,' Google notes."
