mark :: blog :: security


What a busy couple of days. It all started last month with a seemingly innocent DOS being reported to the Apache security team. jorton and I spent some time analysing it and found that although it wasn't exploitable on 32 bit Unix platforms it may well be exploitable on some 64 bit machines. Then started the co-ordination work with CERT.

Then, suddenly, the ISS team announced the same issue publicly, causing us to go into firefighting mode and release the advisory (which I'd fortunately already drafted and got positive feedback on), followed by seemingly hundreds of press calls, lots of additional analysis, and reading ISS say I was untrustworthy in some Chicago newspaper ;-)

Now for some sleep

Ploughed through the cvs commits and created a plausible Announcement file for Apache 1.3.22. Held off releasing Apache Week until the mirrors caught up, but /. found the tarballs so released it a little early. Took some time to write some scripts to tidy up the past 265 issues for bad tags; all modules and directives are marked as such.

CVE: Worked with the Mitre guys so that the Apache vulnerabilities in 1.3.20 get described correctly, all went rather smoothly.

I've got to present "the state of Apache SSL solutions" at Linux World next week so need to start working out what the state is. Basically, Apache 2.0 needs to be beta before we'll start working on the SSL layer and then Red Hat, Covalent, Ralf, Ben and others will jointly work on a built-in SSL module. I've been following the Linux World press announcements and there are some interesting releases, it should be a great show.


Hi! I'm Mark Cox. This blog gives my thoughts and opinions on my security work, open source, Fedora, home automation, and other topics.