Posted to dev@httpd.apache.org by Stephen R Smoot <sm...@alum.mit.edu> on 2002/09/17 06:46:31 UTC

Re: httpd response to openssl worm

In message <Pi...@garibaldi.commerce.ubc.ca>
> Wouldn't it be a good idea for us to put out an advisory to the usual
> places (announce@...) summarizing all the recent security stuff including
> the openssl worm (commonly called an "apache worm")?  Neither the openssl
> site, nor the mod_ssl site, nor the apache-ssl site seem to have any
> prominent mention of this thing.

Ditto.  For other reasons, I was on apache.org today and noticed to my
surprise there was no mention of it.

-s

Re: httpd response to openssl worm

Posted by Joshua Slive <jo...@slive.ca>.
William A. Rowe, Jr. wrote:

> I agree it would be nice to repost an OpenSSL/mod_ssl advisory on our
> pages (mod_ssl is a sister project, after all.)
> 
> But understand that the ASF took ownership of mod_ssl for Apache 2.0,
> not 1.3, and we are not married to any particular SSL library (although many
> of us are very proud of the OpenSSL project, and several major contributors
> overlap between the projects.)
> 
> So +1 to rebroadcasting mod_ssl's or OpenSSL's announce, but I'm not
> losing sleep over it.  This is clearly OpenSSL's little bugger (inherited in
> part or in full by other implementations, depending on their code affinity.)

Certainly I'm talking about doing this as a service to our users, not as 
an obligation.

I've updated the httpd.apache.org homepage with a few words on the 
subject.  I'll wait a couple hours before I make it live in case anyone 
who is more familiar with this stuff wants to fine-tune it.

I think it would also be a good idea to send an email to the announce@ 
lists, but I'm not pgp-enabled at the moment, so I can't do it.

Joshua.


Re: httpd response to openssl worm

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 11:46 PM 9/16/2002, Stephen R Smoot wrote:
>In message <Pi...@garibaldi.commerce.ubc.ca>
> > Wouldn't it be a good idea for us to put out an advisory to the usual
> > places (announce@...) summarizing all the recent security stuff including
> > the openssl worm (commonly called an "apache worm")?  Neither the openssl
> > site, nor the mod_ssl site, nor the apache-ssl site seem to have any
> > prominent mention of this thing.
>
>Ditto.  For other reasons, I was on apache.org today and noticed to my
>surprise there was no mention of it.

I agree it would be nice to repost an OpenSSL/mod_ssl advisory on our
pages (mod_ssl is a sister project, after all.)

But understand that the ASF took ownership of mod_ssl for Apache 2.0,
not 1.3, and we are not married to any particular SSL library (although many
of us are very proud of the OpenSSL project, and several major contributors
overlap between the projects.)

So +1 to rebroadcasting mod_ssl's or OpenSSL's announce, but I'm not
losing sleep over it.  This is clearly OpenSSL's little bugger (inherited in
part or in full by other implementations, depending on their code affinity.)

Bill