mark :: blog :: apache
What a busy couple of days. It all started last month
with a seemingly innocent DoS being reported to the Apache
security team. jorton and I spent some
time analysing it and found that although it wasn't
exploitable on 32 bit platforms it may well be
exploitable on some 64 bit machines. Then started the
co-ordination work with CERT.
Then, suddenly, the ISS team announced the same issue
publicly, causing us to go into firefighting mode and
release the advisory (which I'd fortunately already
drafted and got positive feedback on), followed by
seemingly hundreds of press calls, lots of additional
analysis, and reading ISS say I was untrustworthy in some
Chicago newspaper ;-)
Now for some sleep
Ploughed through the cvs commits and created a
plausible Announcement file for Apache 1.3.22. Held off
releasing Apache Week until the mirrors caught up, but /.
found the tarballs so released it a little early. Took some
time to write some scripts to tidy up the past 265 issues
for bad tags; all modules and directives are now marked as such.
CVE: Worked with the Mitre guys so that the Apache
vulnerabilities in 1.3.20 get described correctly, all went
rather smoothly.
A discussion about XML status output in
Apache came up this week and so I pointed out a
mod_status_xml I wrote a month or two ago. It would be
great to
get something like this module (or a patch to mod_status)
into the core as once you can get XML status output you can
do all sorts of cool things like historic graphs, real time
graphs, and so on. Kind of like the stuff from 1995 that
graphed server status but now using SVG.
Spent a very very large number of hours converting the old
Apache Week site to completely use XML throughout. This
meant going through 257 back issues that had been written
with poor HTML (missing closing tags, no paragraph opens and
closes). Fortunately the w3c HTML-tidy and some perl did
90% of the work, leaving just 12 hours of manual labour.
If you visit the site you can get the XML and XSLT source if
you try hard enough :)
Hmmmmmm SmartTags. Someone posted a link to a site that
said in order to stop SmartTags parsing your documents you
add this to each one:
<meta name="MSSmartTagsPreventParsing" content="TRUE">
Well, with Apache it should be even easier. I wonder if
adding this to httpd.conf would be enough?
Header add MSSmartTagsPreventParsing "TRUE"
Depends how MS implemented their checks; I've not bothered
looking at whether a version of IE that supports this is available yet.
Finally committed the raw XML
for the apache.org in the news page. I've been meaning
to get that all updated for months, but never had the time.
Random other fun I can't talk about yet.
I can't believe I wrote the first issue
of Apache Week five years ago today. Happy Birthday! It's
interesting looking through the past issues to see when we
expected a 2.0 beta release; one year ago we were expecting
it "inside a month". We're currently expecting it "inside
a month".
I've got to present "the state of Apache SSL solutions" at
Linux World next week so I need to start working out what the
state is. Basically, Apache 2.0 needs to be beta before
we'll start working on the SSL layer and then Red Hat,
Covalent, Ralf, Ben and others will jointly work on a
built-in SSL module. I've been following the Linux World
press announcements and there are some interesting releases,
it should be a great show.
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.