httpd-cvs mailing list archives

From m..@apache.org
Subject svn commit: r168007 - in /httpd/site/trunk: docs/security/impact_levels.html docs/security/vulnerabilities_13.html docs/security/vulnerabilities_20.html docs/security_report.html xdocs/security/impact_levels.xml xdocs/security_report.xml
Date Tue, 03 May 2005 22:18:03 GMT
Author: mjc
Date: Tue May  3 15:18:01 2005
New Revision: 168007

URL: http://svn.apache.org/viewcvs?rev=168007&view=rev
Log:
The creation of the vulnerabilities pages worked fine, so commit
the rest of the security updates.  We split security reports into
two sections "finding out about issues" and "reporting issues" and
replace the links to Apache Week with links to our own pages.  We
add the page explaining the impact levels and note these are what
the Apache security team rate issues as.  

We probably ought to have the security section have its own
little lhs menu in the end as the navigation between these pages
is a little hard.
-- This line, and those below, will be ignored--

M    trunk/xdocs/security_report.xml
A    trunk/xdocs/security/impact_levels.xml
M    trunk/docs/security_report.html
M    trunk/docs/security/vulnerabilities_20.html
M    trunk/docs/security/vulnerabilities_13.html
A    trunk/docs/security/impact_levels.html

Added:
    httpd/site/trunk/docs/security/impact_levels.html
    httpd/site/trunk/xdocs/security/impact_levels.xml
Modified:
    httpd/site/trunk/docs/security/vulnerabilities_13.html
    httpd/site/trunk/docs/security/vulnerabilities_20.html
    httpd/site/trunk/docs/security_report.html
    httpd/site/trunk/xdocs/security_report.xml

Added: httpd/site/trunk/docs/security/impact_levels.html
URL: http://svn.apache.org/viewcvs/httpd/site/trunk/docs/security/impact_levels.html?rev=168007&view=auto
==============================================================================
--- httpd/site/trunk/docs/security/impact_levels.html (added)
+++ httpd/site/trunk/docs/security/impact_levels.html Tue May  3 15:18:01 2005
@@ -0,0 +1,162 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+               "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html>
+ <head>
+  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
+       <meta name="author" content="Security Group" /><meta name="email" content="security@apache.org"
/>
+    <title>Apache httpd 1.3 vulnerabilities - The Apache HTTP Server Project</title>
+ </head>
+ <body bgcolor="#ffffff" text="#000000" link="#525D76">
+<p><a href="/"><img src="../images/httpd_logo_wide.gif" alt="The Apache HTTP
Server Project" border="0"/></a></p>
+ <table border="0" width="100%" cellspacing="4">
+   <tr>
+    <!-- LEFT SIDE NAVIGATION -->
+    <td valign="top" nowrap="nowrap">
+           <p><b>Essentials</b></p>
+    <menu compact="compact">
+          <li><a href="/ABOUT_APACHE.html">About</a></li>
+          <li><a href="http://www.apache.org/licenses/">License</a></li>
+          <li><a href="/docs/misc/FAQ.html">FAQ</a></li>
+          <li><a href="/security_report.html">Security<br />Reports</a></li>
+        </menu>
+      <p><b>Download!</b></p>
+    <menu compact="compact">
+          <li><a href="/download.cgi">from a mirror</a></li>
+        </menu>
+      <p><b><a 
+href="/docs-project/">Documentation</a></b></p>
+    <menu compact="compact">
+          <li><a href="/docs/">Apache 1.3</a></li>
+          <li><a href="/docs-2.0/">Apache 2.0</a></li>
+          <li><a href="/docs-2.1/">Apache 2.1</a> (alpha)</li>
+        </menu>
+      <p><b>Get Involved</b></p>
+    <menu compact="compact">
+          <li><a href="/lists.html">Mailing Lists</a></li>
+          <li><a href="/bug_report.html">Bug Reports</a></li>
+          <li><a href="/dev/">Developer Info</a></li>
+        </menu>
+      <p><b>Subprojects</b></p>
+    <menu compact="compact">
+          <li><a href="/docs-project/">Docs</a></li>
+          <li><a href="/test/">Test</a></li>
+          <li><a href="/test/flood/">Flood</a></li>
+          <li><a href="/apreq/">libapreq</a></li>
+          <li><a href="/modules/">Modules</a></li>
+          <li><a href="/cli/">cli (.NET)</a></li>
+        </menu>
+      <p><b><a 
+href="/info/">Miscellaneous</a></b></p>
+    <menu compact="compact">
+          <li><a href="/contributors/">Contributors</a></li>
+          <li><a href="/awards.html">Awards</a></li>
+          <li><a href="http://webring.com/hub?ring=apachesupport">Support<br
/>Webring</a></li>
+        </menu>
+    </td>
+    <!-- RIGHT SIDE INFORMATION -->
+    <td align="left" valign="top">
+                <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr><td bgcolor="#525D76">
+  <font color="#ffffff" face="arial,helvetica,sanserif">
+   <a name="top"><strong>Summary of security impact levels for Apache httpd</strong></a>
+  </font>
+ </td></tr>
+ <tr><td>
+  <blockquote>
+<p>The Apache Security Team rates the impact of each security flaw
+that affects the Apache web server.  We've chosen a rating scale quite
+similar to those used by other major vendors in order to be
+consistent.  Basically the goal of the rating system is to answer the
+question "How worried should I be about this vulnerability?".  </p>
+<p>Note that the rating chosen for each flaw is the worst possible
+case across all architectures.  In the past for example we've had
+flaws that have a Critical impact on some BSD architectures, whilst no
+real impact on others.  To determine the exact impact of a
+particular vulnerability on your own systems you will still need to 
+read the security advisories to find out more about the flaw.</p>
+<p>We use the following descriptions
+to decide on the impact rating to give each vulnerability:</p>
+  </blockquote>
+ </td></tr>
+</table>
+           <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr><td bgcolor="#525D76">
+  <font color="#ffffff" face="arial,helvetica,sanserif">
+   <a name="Critical"><strong>Critical</strong></a>
+  </font>
+ </td></tr>
+ <tr><td>
+  <blockquote>
+<p>A vulnerability rated with a Critical impact is one which could
+potentially be exploited by a remote attacker to get Apache to execute
+arbitrary code (either as the user the server is running as, or root).  These
+are the sorts of vulnerabilities that could be exploited automatically
+by worms.
+</p>
+  </blockquote>
+ </td></tr>
+</table>
+           <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr><td bgcolor="#525D76">
+  <font color="#ffffff" face="arial,helvetica,sanserif">
+   <a name="Important"><strong>Important</strong></a>
+  </font>
+ </td></tr>
+ <tr><td>
+  <blockquote>
+<p>A vulnerability rated as Important impact is one which could result
+in the compromise of data or availability of the server.  For the
+Apache web server this includes issues that allow an easy remote
+denial of service (something that is out of proportion to the attack
+or with a lasting consequence), access to arbitrary files outside of the
+document root, or access to files that should be otherwise prevented by
+limits or authentication.</p>
+  </blockquote>
+ </td></tr>
+</table>
+           <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr><td bgcolor="#525D76">
+  <font color="#ffffff" face="arial,helvetica,sanserif">
+   <a name="Moderate"><strong>Moderate</strong></a>
+  </font>
+ </td></tr>
+ <tr><td>
+  <blockquote>
+<p>A vulnerability is likely to be rated as Moderate if there is
+significant mitigation to make the issue less of an impact.  This
+might be because the flaw does not affect likely configurations, or it
+is a configuration that isn't widely used, or where a remote user 
+must be authenticated in order to exploit the issue.  Flaws that
+allow Apache to serve directory listings instead of index files are
+included here, as are flaws that might crash an Apache child process
+in Apache 1.3</p>
+  </blockquote>
+ </td></tr>
+</table>
+           <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr><td bgcolor="#525D76">
+  <font color="#ffffff" face="arial,helvetica,sanserif">
+   <a name="Low"><strong>Low</strong></a>
+  </font>
+ </td></tr>
+ <tr><td>
+  <blockquote>
+<p>All other security flaws are classed as a Low impact.  This rating
+is used for issues that are believed to be extremely hard to
+exploit, or where an exploit gives minimal consequences.</p>
+  </blockquote>
+ </td></tr>
+</table>
+         </td>
+   </tr>
+   <!-- FOOTER -->
+   <tr><td colspan="2"><hr noshade="noshade" size="1"/></td></tr>
+   <tr><td colspan="2" align="center">
+        <font size="-1">
+         <em>Copyright &#169; 1999-2005, The Apache Software Foundation</em>
+        </font>
+       </td>
+   </tr>
+  </table>
+ </body>
+</html>
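Review bot: the `<title>` of this new page reads "Apache httpd 1.3 vulnerabilities - The Apache HTTP Server Project", which is the title of the vulnerabilities_13 page, not of the impact-levels summary that the `<a name="top">` heading announces; browser tabs, history and bookmarks will mislabel the page. The same string is in the `<properties><title>` of xdocs/security/impact_levels.xml in this commit, so change it there (for example to "Apache httpd security impact levels") and regenerate, rather than hand-editing the generated file under docs/.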

Modified: httpd/site/trunk/docs/security/vulnerabilities_13.html
URL: http://svn.apache.org/viewcvs/httpd/site/trunk/docs/security/vulnerabilities_13.html?rev=168007&r1=168006&r2=168007&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_13.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_13.html Tue May  3 15:18:01 2005
@@ -821,7 +821,7 @@
    <tr><td colspan="2"><hr noshade="noshade" size="1"/></td></tr>
    <tr><td colspan="2" align="center">
         <font size="-1">
-         <em>Copyright &#169; 1999-2004, The Apache Software Foundation</em>
+         <em>Copyright &#169; 1999-2005, The Apache Software Foundation</em>
         </font>
        </td>
    </tr>

Modified: httpd/site/trunk/docs/security/vulnerabilities_20.html
URL: http://svn.apache.org/viewcvs/httpd/site/trunk/docs/security/vulnerabilities_20.html?rev=168007&r1=168006&r2=168007&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_20.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_20.html Tue May  3 15:18:01 2005
@@ -849,7 +849,7 @@
    <tr><td colspan="2"><hr noshade="noshade" size="1"/></td></tr>
    <tr><td colspan="2" align="center">
         <font size="-1">
-         <em>Copyright &#169; 1999-2004, The Apache Software Foundation</em>
+         <em>Copyright &#169; 1999-2005, The Apache Software Foundation</em>
         </font>
        </td>
    </tr>

Modified: httpd/site/trunk/docs/security_report.html
URL: http://svn.apache.org/viewcvs/httpd/site/trunk/docs/security_report.html?rev=168007&r1=168006&r2=168007&view=diff
==============================================================================
--- httpd/site/trunk/docs/security_report.html (original)
+++ httpd/site/trunk/docs/security_report.html Tue May  3 15:18:01 2005
@@ -58,21 +58,34 @@
                 <table border="0" cellspacing="0" cellpadding="2" width="100%">
  <tr><td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
-   <a name="reporting"><strong>Reporting Security Problems with Apache</strong></a>
+   <a name="discovering"><strong>Security Updates</strong></a>
   </font>
  </td></tr>
  <tr><td>
   <blockquote>
-<p>The Apache Group takes a very active stance in eliminating security
-problems and denial of service attacks against the Apache web server.</p>
-<p>Lists of security problems in released versions of the Apache HTTP
-Server are available from <a href="http://www.apacheweek.com/">ApacheWeek</a>:</p>
+<p>Lists of security problems fixed in released versions of the Apache HTTP
+Server are available:</p>
 <ul>
-<li><a href="http://www.apacheweek.com/features/security-13">Apache 1.3
+  <li><a href="/security/vulnerabilities_13.html">Apache 1.3
 Security Vulnerabilities</a></li>
-<li><a href="http://www.apacheweek.com/features/security-20">Apache 2.0
+  <li><a href="/security/vulnerabilities_20.html">Apache 2.0
 Security Vulnerabilities</a></li>
 </ul>
+<p>To get notification of when new security issues are fixed, join
+the <a href="http://httpd.apache.org/lists.html#http-announce">Apache Server Announcements
list</a></p>
+  </blockquote>
+ </td></tr>
+</table>
+           <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr><td bgcolor="#525D76">
+  <font color="#ffffff" face="arial,helvetica,sanserif">
+   <a name="reporting"><strong>Reporting New Security Problems with Apache</strong></a>
+  </font>
+ </td></tr>
+ <tr><td>
+  <blockquote>
+<p>The Apache Group takes a very active stance in eliminating security
+problems and denial of service attacks against the Apache web server.</p>
 <p>We strongly encourage folks to report such problems to our private
 security mailing list first, before disclosing them in a public forum.</p>
 <p><strong>We cannot accept regular bug reports or other queries at
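Review bot: the new "Security Updates" section sends readers to the two vulnerability lists but never links to the impact-levels page this same commit adds, so from the reports page the Critical/Important/Moderate/Low labels used on those lists have no definition; add a sentence after the `</ul>` along the lines of `<p>Each issue is rated using our <a href="/security/impact_levels.html">security impact levels</a>.</p>`. Two nits in the same hunk: `list</a></p>` ends the sentence without a full stop, and the announcements link uses an absolute http://httpd.apache.org/lists.html URL while the two vulnerability links next to it are site-relative, so `/lists.html#http-announce` would be consistent. This file is generated from xdocs/security_report.xml, so make the change there and regenerate.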

Added: httpd/site/trunk/xdocs/security/impact_levels.xml
URL: http://svn.apache.org/viewcvs/httpd/site/trunk/xdocs/security/impact_levels.xml?rev=168007&view=auto
==============================================================================
--- httpd/site/trunk/xdocs/security/impact_levels.xml (added)
+++ httpd/site/trunk/xdocs/security/impact_levels.xml Tue May  3 15:18:01 2005
@@ -0,0 +1,70 @@
+<?xml version="1.0"?>
+<document>
+<properties>
+<author email="security@apache.org">Security Group</author>
+<title>Apache httpd 1.3 vulnerabilities</title>
+</properties>
+
+<body>
+<section id="top">
+  <title>Summary of security impact levels for Apache httpd</title>
+
+<p>The Apache Security Team rates the impact of each security flaw
+that affects the Apache web server.  We've chosen a rating scale quite
+similar to those used by other major vendors in order to be
+consistent.  Basically the goal of the rating system is to answer the
+question "How worried should I be about this vulnerability?".  </p>
+
+<p>Note that the rating chosen for each flaw is the worst possible
+case across all architectures.  In the past for example we've had
+flaws that have a Critical impact on some BSD architectures, whilst no
+real impact on others.  To determine the exact impact of a
+particular vulnerability on your own systems you will still need to 
+read the security advisories to find out more about the flaw.</p>
+
+<p>We use the following descriptions
+to decide on the impact rating to give each vulnerability:</p>
+
+</section>
+
+<section id="Critical">
+  <title>Critical</title>
+<p>A vulnerability rated with a Critical impact is one which could
+potentially be exploited by a remote attacker to get Apache to execute
+arbitrary code (either as the user the server is running as, or root).  These
+are the sorts of vulnerabilities that could be exploited automatically
+by worms.
+</p>
+</section>
+
+<section id="Important">
+  <title>Important</title>
+<p>A vulnerability rated as Important impact is one which could result
+in the compromise of data or availability of the server.  For the
+Apache web server this includes issues that allow an easy remote
+denial of service (something that is out of proportion to the attack
+or with a lasting consequence), access to arbitrary files outside of the
+document root, or access to files that should be otherwise prevented by
+limits or authentication.</p>
+</section>
+
+<section id="Moderate">
+  <title>Moderate</title>
+<p>A vulnerability is likely to be rated as Moderate if there is
+significant mitigation to make the issue less of an impact.  This
+might be because the flaw does not affect likely configurations, or it
+is a configuration that isn't widely used, or where a remote user 
+must be authenticated in order to exploit the issue.  Flaws that
+allow Apache to serve directory listings instead of index files are
+included here, as are flaws that might crash an Apache child process
+in Apache 1.3</p>
+</section>
+
+<section id="Low">
+  <title>Low</title>
+<p>All other security flaws are classed as a Low impact.  This rating
+is used for issues that are believed to be extremely hard to
+exploit, or where an exploit gives minimal consequences.</p>
+</section>
+</body>
+</document>
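Review bot: the `<title>` in `<properties>` is "Apache httpd 1.3 vulnerabilities", copied from the vulnerabilities page, while the section title is "Summary of security impact levels for Apache httpd"; the generated HTML inherits the wrong title, so fix it here. Also the Moderate section ends "in Apache 1.3" with no full stop, and the Critical section's closing `</p>` sits on its own line unlike the other three sections; trivial, but worth tidying before the first publish.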

Modified: httpd/site/trunk/xdocs/security_report.xml
URL: http://svn.apache.org/viewcvs/httpd/site/trunk/xdocs/security_report.xml?rev=168007&r1=168006&r2=168007&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security_report.xml (original)
+++ httpd/site/trunk/xdocs/security_report.xml Tue May  3 15:18:01 2005
@@ -5,20 +5,27 @@
     <title>Reporting Security Problems with Apache</title>
   </properties>
 <body>
-<section id="reporting">
-<title>Reporting Security Problems with Apache</title>
-<p>The Apache Group takes a very active stance in eliminating security
-problems and denial of service attacks against the Apache web server.</p>
+<section id="discovering">
+<title>Security Updates</title>
 
-<p>Lists of security problems in released versions of the Apache HTTP
-Server are available from <a
-href="http://www.apacheweek.com/">ApacheWeek</a>:</p>
+<p>Lists of security problems fixed in released versions of the Apache HTTP
+Server are available:</p>
 <ul>
-<li><a href="http://www.apacheweek.com/features/security-13">Apache 1.3
+  <li><a href="/security/vulnerabilities_13.html">Apache 1.3
 Security Vulnerabilities</a></li>
-<li><a href="http://www.apacheweek.com/features/security-20">Apache 2.0
+  <li><a href="/security/vulnerabilities_20.html">Apache 2.0
 Security Vulnerabilities</a></li>
 </ul>
+
+<p>To get notification of when new security issues are fixed, join
+the <a href="http://httpd.apache.org/lists.html#http-announce">Apache Server Announcements
list</a></p>
+
+</section>
+
+<section id="reporting">
+<title>Reporting New Security Problems with Apache</title>
+<p>The Apache Group takes a very active stance in eliminating security
+problems and denial of service attacks against the Apache web server.</p>
 
 <p>We strongly encourage folks to report such problems to our private
 security mailing list first, before disclosing them in a public forum.</p>
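Review bot: the `<properties><title>` shown as unchanged context at the top of this hunk still reads "Reporting Security Problems with Apache", but the page now opens with a "Security Updates" section about finding fixed issues and subscribing to announcements, and reporting is only the second half; retitle it to cover both (e.g. "Apache HTTP Server Security Reports", matching the "Security Reports" entry in the left-hand menu). Keeping `id="reporting"` on the second section is good, since existing deep links to #reporting still land on the reporting text.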


