mark ::
blog :: apache
Had an interesting week wading through vulnerability details and the various advisories which never really seem to match the facts. Take one Linux vendor, for example, who got confused about the Oracle mod_dav vulnerability and, even though they were not affected by the vulnerability, released new Apache mod_dav packages. To add to the confusion, their newly released errata packages had actually added a patch which added in the vulnerability. So they started out not vulnerable, but then released a patch which was meant to remove the vulnerability but actually really made them vulnerable. No wonder folks are confused. Wrote a bit of a rant about it in Apache Week this week.
What a busy couple of days. It all started last month with a seemingly innocent DOS being reported to the Apache security team. jorton and I spent some time analysing it and found that although it wasn't exploitable on 32 bit Intel platforms it may well be exploitable on some 64 bit machines. Then started the coordination work with CERT.

Then, suddenly, the ISS team announced the same issue publicly, causing us to go into firefighting mode and release the advisory (which I'd fortunately already drafted and got positive feedback on), followed by seemingly hundreds of press calls, lots of additional analysis, and reading ISS say I was untrustworthy in some Chicago newspaper ;-)

Now for some sleep.
A discussion about XML status output in Apache came up this week and so I pointed out a mod_status_xml I wrote a month or two ago. It would be great to get something like this module (or a patch to mod_status) into the core, as once you can get XML status output you can do all sorts of cool things like historic graphs, real time graphs, and so on. Kind of like the stuff from 1995 that graphed server status, but now using SVG.