mark :: blog :: apache


Had an interesting week wading through vulnerability details and the various advisories, which never really seem to match the facts. Take, for example, one Linux vendor who got confused about the Oracle mod_dav vulnerability and, even though they were not affected by it, released new Apache mod_dav packages. To add to the confusion, their newly released errata packages included a patch which actually added in the vulnerability. So they started out not vulnerable, then released a patch which was meant to remove the vulnerability but in fact made them vulnerable. No wonder folks are confused. Wrote a bit of a rant about it in Apache Week this week.


What a busy couple of days. It all started last month with a seemingly innocent DoS being reported to the Apache security team. jorton and I spent some time analysing it and found that although it wasn't exploitable on 32-bit Intel platforms, it may well be exploitable on some 64-bit machines. Then started the co-ordination work with CERT.

Then, suddenly, the ISS team announced the same issue publicly, causing us to go into firefighting mode and release the advisory (which I'd fortunately already drafted and got positive feedback on), followed by seemingly hundreds of press calls, lots of additional analysis, and reading ISS say I was untrustworthy in some Chicago newspaper ;-)

Now for some sleep


A discussion about XML status output in Apache came up this week and so I pointed out a mod_status_xml I wrote a month or two ago. It would be great to get something like this module (or a patch to mod_status) into the core as once you can get XML status output you can do all sorts of cool things like historic graphs, real time graphs, and so on. Kind of like the stuff from 1995 that graphed server status but now using SVG.

Hi! I'm Mark Cox. This blog gives my thoughts on security work, open source, home automation, and other topics.