[lug] Apache security flaw

Evelyn Mitchell efm at tummy.com
Tue Jun 18 09:35:58 MDT 2002


There was a discussion on Slashdot about this yesterday.

The consensus was that this was a known bug, which was fixed in the CVS
version of Apache. It was also generally agreed that this sort of 'Security
by Press Release' is annoying and probably harmful.

So, the maintainers already knew about and had fixed the bug. But some less
than reputable company decided to get a bit of press publicising it.

Evelyn

* On 2002-06-18 15:23 Ferdinand Schmid <fschmid at archenergy.com> wrote:
> Hi,
> This came through on eWEEK today:
> Flaw Found in Apache HTTP Server
> 
> A buffer overrun vulnerability in the Apache HTTP server
> included with many popular Web servers enables an attacker
> to execute code on vulnerable machines. To read the story,
> click here:
> http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eQhB0DDhnJ0E4J0n470AY
> 
> It appears that security companies now alert hackers at the same time as alerting the 
> maintainers of the code.  I felt that giving 2 weeks notice to the code maintainers (be it 
> a private business or a group of open source maintainers) would be the fair thing to do.
> 
> Sorry for writing a bit irritated about this.
> 
> Ferdinand
> -- 
> Ferdinand Schmid
> Architectural Energy Corporation
> Celebrating 20 Years of Improving Building Energy Performance
> http://www.archenergy.com

-- 
Regards,                    tummy.com, ltd 
Evelyn Mitchell             Linux Consulting since 1995
efm at tummy.com               Senior System and Network Administrators
                            http://www.tummy.com/


