Posted to dev@community.apache.org by William A Rowe Jr <wr...@rowe-clan.net> on 2016/07/18 14:14:57 UTC

Cross-project blog post?

In response to https://httpoxy.org/ (which has no actual ASF
vulnerability we are aware of) the HTTP, Tomcat and ATS projects
collected feedback, along with validation from the Perl project;

https://www.apache.org/security/asf-httpoxy-response.txt

Does it make sense to blog this, or at least R/T from @TheASF?

Re: Cross-project blog post?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
No commentary required, but feel free to edit (including the source text
under www.a.o/security/) and add commentary as you see fit.

On Jul 18, 2016 4:57 PM, "Rich Bowen" <rb...@rcbowen.com> wrote:

> Oh, I see. I misunderstood.  You want to post it as is, or did you want to
> add commentary? I have access.
>
> On Jul 18, 2016 2:40 PM, "William A Rowe Jr" <wr...@rowe-clan.net> wrote:
>
> > I'm happy to do this, but if someone is already set up with
> > blogs.apache.org,
> > please feel free to beat me to it, I am not set up at the moment
> >
> > On Jul 18, 2016 11:03 AM, "Rich Bowen" <rb...@rcbowen.com> wrote:
> >
> > Absolutely. We should be proactive about stuff like that. Be sure to cc
> > Sally with whatever you do.
> >
> > On 07/18/2016 10:14 AM, William A Rowe Jr wrote:
> > > In response to https://httpoxy.org/ (which has no actual ASF
> > > vulnerability we are aware of) the HTTP, Tomcat and ATS projects
> > > collected feedback, along with validation from the Perl project;
> > >
> > > https://www.apache.org/security/asf-httpoxy-response.txt
> > >
> > > Does it make sense to blog this, or at least R/T from @TheASF?
> > >
> >
> >
> > --
> > Rich Bowen - rbowen@rcbowen.com - @rbowen
> > http://apachecon.com/ - @apachecon
> >
>

Re: Cross-project blog post?

Posted by Rich Bowen <rb...@rcbowen.com>.
Oh, I see. I misunderstood.  You want to post it as is, or did you want to
add commentary? I have access.

On Jul 18, 2016 2:40 PM, "William A Rowe Jr" <wr...@rowe-clan.net> wrote:

> I'm happy to do this, but if someone is already set up with
> blogs.apache.org,
> please feel free to beat me to it, I am not set up at the moment
>
> On Jul 18, 2016 11:03 AM, "Rich Bowen" <rb...@rcbowen.com> wrote:
>
> Absolutely. We should be proactive about stuff like that. Be sure to cc
> Sally with whatever you do.
>
> On 07/18/2016 10:14 AM, William A Rowe Jr wrote:
> > In response to https://httpoxy.org/ (which has no actual ASF
> > vulnerability we are aware of) the HTTP, Tomcat and ATS projects
> > collected feedback, along with validation from the Perl project;
> >
> > https://www.apache.org/security/asf-httpoxy-response.txt
> >
> > Does it make sense to blog this, or at least R/T from @TheASF?
> >
>
>
> --
> Rich Bowen - rbowen@rcbowen.com - @rbowen
> http://apachecon.com/ - @apachecon
>

Re: Cross-project blog post?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
I'm happy to do this, but if someone is already set up with blogs.apache.org,
please feel free to beat me to it. I am not set up at the moment.

On Jul 18, 2016 11:03 AM, "Rich Bowen" <rb...@rcbowen.com> wrote:

Absolutely. We should be proactive about stuff like that. Be sure to cc
Sally with whatever you do.

On 07/18/2016 10:14 AM, William A Rowe Jr wrote:
> In response to https://httpoxy.org/ (which has no actual ASF
> vulnerability we are aware of) the HTTP, Tomcat and ATS projects
> collected feedback, along with validation from the Perl project;
>
> https://www.apache.org/security/asf-httpoxy-response.txt
>
> Does it make sense to blog this, or at least R/T from @TheASF?
>


--
Rich Bowen - rbowen@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon

Re: Cross-project blog post?

Posted by Rich Bowen <rb...@rcbowen.com>.
Absolutely. We should be proactive about stuff like that. Be sure to cc
Sally with whatever you do.

On 07/18/2016 10:14 AM, William A Rowe Jr wrote:
> In response to https://httpoxy.org/ (which has no actual ASF
> vulnerability we are aware of) the HTTP, Tomcat and ATS projects
> collected feedback, along with validation from the Perl project;
> 
> https://www.apache.org/security/asf-httpoxy-response.txt
> 
> Does it make sense to blog this, or at least R/T from @TheASF?
> 


-- 
Rich Bowen - rbowen@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon


Re: Cross-project blog post?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Wed, Jul 20, 2016 at 10:54 AM, Rich Bowen <rb...@rcbowen.com> wrote:

>
> https://blogs.apache.org/foundation/entry/httpoxy_cgi_vulnerability_response
>

Thanks Rich!

Re: Cross-project blog post?

Posted by Rich Bowen <rb...@rcbowen.com>.
https://blogs.apache.org/foundation/entry/httpoxy_cgi_vulnerability_response


On 07/20/2016 10:35 AM, William A Rowe Jr wrote:
> On Wed, Jul 20, 2016 at 6:27 AM, Konstantin Kolinko <kk...@apache.org>
> wrote:
> 
>> 2016-07-20 12:37 GMT+03:00 Bertrand Delacretaz <bd...@apache.org>:
>>> On Tue, Jul 19, 2016 at 8:02 PM, William A Rowe Jr <wr...@rowe-clan.net>
>> wrote:
>>>> What if we digest the audience and list the scope (different projects
>> which
>>>> are impacted/offering mitigations) in a more conversational tone,
>> mention
>>>> the httpoxy URL and just point the reader to
>>>> https://www.apache.org/security/asf-httpoxy-response.txt for all the
>>>> detailed workarounds we've offered?...
>>>
>>> That sounds good to me, here's a minimal suggestion that we might
>>> publish at https://blogs.apache.org/foundation/ unless you want
>>> something more complete.
>>>
>>> ***
>>> Title: "httpoxy" CGI vulnerability response
>>>
>>> A group of ASF projects (HTTP, Tomcat, Traffic Server, Perl) has
>>> analyzed the CGI application vulnerability recently published at
>>> https://httpoxy.org/
>>>
>>> Their detailed analysis, targeted at Web server administrators and CGI
>>> developers and including mitigation information, can be found at
>>> https://www.apache.org/security/asf-httpoxy-response.txt
>>> ***
>>
>>
>> I think that Perl in the list of ASF projects should be spelled "Perl
>> (mod_perl)", to distinguish it from the Perl programming language as a whole.
>>
>> Also, HTTP in that list should be spelled "HTTP Server".
>>
> 
> Good points, think we can go with your text plus these edits, Bertrand.
> 
> Thanks!
> 
> Bill
> 


-- 
Rich Bowen - rbowen@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
For additional commands, e-mail: dev-help@community.apache.org


Re: Cross-project blog post?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Wed, Jul 20, 2016 at 6:27 AM, Konstantin Kolinko <kk...@apache.org>
wrote:

> 2016-07-20 12:37 GMT+03:00 Bertrand Delacretaz <bd...@apache.org>:
> > On Tue, Jul 19, 2016 at 8:02 PM, William A Rowe Jr <wr...@rowe-clan.net>
> wrote:
> >> What if we digest the audience and list the scope (different projects
> which
> >> are impacted/offering mitigations) in a more conversational tone,
> mention
> >> the httpoxy URL and just point the reader to
> >> https://www.apache.org/security/asf-httpoxy-response.txt for all the
> >> detailed workarounds we've offered?...
> >
> > That sounds good to me, here's a minimal suggestion that we might
> > publish at https://blogs.apache.org/foundation/ unless you want
> > something more complete.
> >
> > ***
> > Title: "httpoxy" CGI vulnerability response
> >
> > A group of ASF projects (HTTP, Tomcat, Traffic Server, Perl) has
> > analyzed the CGI application vulnerability recently published at
> > https://httpoxy.org/
> >
> > Their detailed analysis, targeted at Web server administrators and CGI
> > developers and including mitigation information, can be found at
> > https://www.apache.org/security/asf-httpoxy-response.txt
> > ***
>
>
> I think that Perl in the list of ASF projects should be spelled "Perl
> (mod_perl)", to distinguish it from the Perl programming language as a whole.
>
> Also, HTTP in that list should be spelled "HTTP Server".
>

Good points, think we can go with your text plus these edits, Bertrand.

Thanks!

Bill

Re: Cross-project blog post?

Posted by Konstantin Kolinko <kk...@apache.org>.
2016-07-20 12:37 GMT+03:00 Bertrand Delacretaz <bd...@apache.org>:
> On Tue, Jul 19, 2016 at 8:02 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>> What if we digest the audience and list the scope (different projects which
>> are impacted/offering mitigations) in a more conversational tone, mention
>> the httpoxy URL and just point the reader to
>> https://www.apache.org/security/asf-httpoxy-response.txt for all the
>> detailed workarounds we've offered?...
>
> That sounds good to me, here's a minimal suggestion that we might
> publish at https://blogs.apache.org/foundation/ unless you want
> something more complete.
>
> ***
> Title: "httpoxy" CGI vulnerability response
>
> A group of ASF projects (HTTP, Tomcat, Traffic Server, Perl) has
> analyzed the CGI application vulnerability recently published at
> https://httpoxy.org/
>
> Their detailed analysis, targeted at Web server administrators and CGI
> developers and including mitigation information, can be found at
> https://www.apache.org/security/asf-httpoxy-response.txt
> ***


I think that Perl in the list of ASF projects should be spelled "Perl (mod_perl)",
to distinguish it from the Perl programming language as a whole.

Also, HTTP in that list should be spelled "HTTP Server".

Best regards,
Konstantin Kolinko


Re: Cross-project blog post?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Jul 19, 2016 at 8:02 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> What if we digest the audience and list the scope (different projects which
> are impacted/offering mitigations) in a more conversational tone, mention
> the httpoxy URL and just point the reader to
> https://www.apache.org/security/asf-httpoxy-response.txt for all the
> detailed workarounds we've offered?...

That sounds good to me, here's a minimal suggestion that we might
publish at https://blogs.apache.org/foundation/ unless you want
something more complete.

***
Title: "httpoxy" CGI vulnerability response

A group of ASF projects (HTTP, Tomcat, Traffic Server, Perl) has
analyzed the CGI application vulnerability recently published at
https://httpoxy.org/

Their detailed analysis, targeted at Web server administrators and CGI
developers and including mitigation information, can be found at
https://www.apache.org/security/asf-httpoxy-response.txt
***

-Bertrand


Re: Cross-project blog post?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
What if we digest the audience and list the scope (different projects which
are impacted/offering mitigations) in a more conversational tone, mention
the httpoxy URL and just point the reader to
https://www.apache.org/security/asf-httpoxy-response.txt for all the
detailed workarounds we've offered?

FWIW I've requested a Security Team blog topic and listed some key team
members including MarkT, MJC and Dirk as initial admins, but that may take
a bit more time to provision.

On Jul 19, 2016 7:36 AM, "Rich Bowen" <rb...@rcbowen.com> wrote:

> Ok, well, let me know what you want posted, and I'll be glad to
> facilitate.  I presume we want this done soon or not at all, so I'll be
> ready whenever you let me know.
>
> On Jul 19, 2016 04:06, "Bertrand Delacretaz" <bd...@apache.org>
> wrote:
>
> > On Mon, Jul 18, 2016 at 4:14 PM, William A Rowe Jr <wr...@rowe-clan.net>
> > wrote:
> > > ...Does it make sense to blog this, or at least R/T from @TheASF? ...
> >
> > I'd say tweet and maybe also write a foundation blog post to announce
> > that advisory, but do not duplicate the advisory content on the blog
> > (assuming the URL that you mention is meant to be permanent).
> >
> > -Bertrand
> >
> >
> >
>

Re: Cross-project blog post?

Posted by Rich Bowen <rb...@rcbowen.com>.
Ok, well, let me know what you want posted, and I'll be glad to
facilitate.  I presume we want this done soon or not at all, so I'll be
ready whenever you let me know.

On Jul 19, 2016 04:06, "Bertrand Delacretaz" <bd...@apache.org> wrote:

> On Mon, Jul 18, 2016 at 4:14 PM, William A Rowe Jr <wr...@rowe-clan.net>
> wrote:
> > ...Does it make sense to blog this, or at least R/T from @TheASF? ...
>
> I'd say tweet and maybe also write a foundation blog post to announce
> that advisory, but do not duplicate the advisory content on the blog
> (assuming the URL that you mention is meant to be permanent).
>
> -Bertrand
>
>
>

Re: Cross-project blog post?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Mon, Jul 18, 2016 at 4:14 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> ...Does it make sense to blog this, or at least R/T from @TheASF? ...

I'd say tweet and maybe also write a foundation blog post to announce
that advisory, but do not duplicate the advisory content on the blog
(assuming the URL that you mention is meant to be permanent).

-Bertrand
