httpd-dev mailing list archives

From Paul Richards <>
Subject Re: util.c hole and speed of security patch release
Date Mon, 22 Apr 1996 22:41:21 GMT
In reply to Jennifer Myers who said
> Curiously, a version of Apache was released after Feb 8th without the
> problem fixed.  Not until IBM-ERS, CERT, CIAC, etc. picked up the
> advisory in March did it seem that there was any interest in fixing
> the bug!  Meanwhile, I have received reports that the bug is being
> actively exploited, because a good majority of sites have installed
> phf by way of installing all of the sample CGI code which comes with
> Apache and NCSA httpd.  CERT has also indicated that the bug is being
> actively exploited.

I can't remember whether a release was made after Feb 8th with the
cgi script hole still present but that's not the current issue.

We promptly fixed the cgi hole (I think phf and some other cruft was
simply deleted from the distribution) but that same source also found its
way into the main code. The current security report is regarding that and
as I said earlier, I don't believe it ever was a real security hole because
the problem was dealt with in other parts of the main code.

I believe Apache has been unfairly tainted by this current IBM report since
it pointed to the same piece of code but being used in a different manner
that appears to have been essentially safe. 

We welcome reports such as yours and act promptly on them. We
were never informed by IBM of this other potential problem and as soon
as we were it was dealt with immediately whether a real hole existed or

  Paul Richards. Originative Solutions Ltd.  (Netcraft Ltd. contractor)
  Elsevier Science TIS online journal project.
  Phone: 0370 462071 (Mobile), +44 (0)1865 843155
