Posted to dev@httpd.apache.org by Joshua Slive <jo...@slive.ca> on 2002/09/17 04:00:01 UTC

httpd response to openssl worm

Wouldn't it be a good idea for us to put out an advisory to the usual
places (announce@...) summarizing all the recent security stuff including
the openssl worm (commonly called an "apache worm")?  Neither the openssl
site, nor the mod_ssl site, nor the apache-ssl site seem to have any
prominent mention of this thing.

Even though it is not apache code at fault, I think it would be a good
service to our users to make the problem and solution more widely known.
It would also be a good opportunity to remind people to upgrade to safe
versions of httpd to fix the chunking bug, etc.

Joshua.


Re: httpd response to openssl worm

Posted by Joshua Slive <jo...@slive.ca>.
William A. Rowe, Jr. wrote:

> I agree it would be nice to repost an OpenSSL/mod_ssl advisory on our
> pages (mod_ssl is a sister project, after all.)
> 
> But understand that the ASF took ownership of mod_ssl for Apache 2.0,
> not 1.3, and we are not married to any particular SSL library (although many
> of us are very proud of the OpenSSL project, and several major contributors
> overlap between the projects.)
> 
> So +1 to rebroadcasting mod_ssl's or OpenSSL's announce, but I'm not
> losing sleep over it.  This is clearly OpenSSL's little bugger (inherited in
> part or in full by other implementations, depending on their code affinity.)

Certainly I'm talking about doing this as a service to our users, not as 
an obligation.

I've updated the httpd.apache.org homepage with a few words on the 
subject.  I'll wait a couple hours before I make it live in case anyone 
who is more familiar with this stuff wants to fine-tune it.

I think it would also be a good idea to send an email to the announce@ 
lists, but I'm not pgp-enabled at the moment, so I can't do it.

Joshua.


Re: httpd response to openssl worm

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 11:46 PM 9/16/2002, Stephen R Smoot wrote:
>In message 
><Pi...@garibaldi.commerce.ubc.ca>
> > Wouldn't it be a good idea for us to put out an advisory to the usual
> > places (announce@...) summarizing all the recent security stuff including
> > the openssl worm (commonly called an "apache worm")?  Neither the openssl
> > site, nor the mod_ssl site, nor the apache-ssl site seem to have any
> > prominent mention of this thing.
>
>Ditto.  For other reasons, I was on apache.org today and noticed to my
>surprise there was no mention of it.

I agree it would be nice to repost an OpenSSL/mod_ssl advisory on our
pages (mod_ssl is a sister project, after all.)

But understand that the ASF took ownership of mod_ssl for Apache 2.0,
not 1.3, and we are not married to any particular SSL library (although many
of us are very proud of the OpenSSL project, and several major contributors
overlap between the projects.)

So +1 to rebroadcasting mod_ssl's or OpenSSL's announce, but I'm not
losing sleep over it.  This is clearly OpenSSL's little bugger (inherited in
part or in full by other implementations, depending on their code affinity.)

Bill