httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: httpd response to openssl worm
Date Tue, 17 Sep 2002 04:53:19 GMT
At 11:46 PM 9/16/2002, Stephen R Smoot wrote:
>In message 
><Pine.GSO.4.31.0209161852570.27402-100000@garibaldi.commerce.ubc.ca>
> > Wouldn't it be a good idea for us to put out an advisory to the usual
> > places (announce@...) summarizing all the recent security stuff including
> > the openssl worm (commonly called an "apache worm")?  Neither the openssl
> > site, nor the mod_ssl site, nor the apache-ssl site seem to have any
> > prominent mention of this thing.
>
>Ditto.  For other reasons, I was on apache.org today and noticed to my
>surprise there was no mention of it.

I agree it would be nice to repost an OpenSSL/mod_ssl advisory on our
pages (mod_ssl is a sister project, after all.)

But understand that the ASF took ownership of mod_ssl for Apache 2.0,
not 1.3, and we not married to any particular SSL library (although many
of us are very proud of the OpenSSL project, and several major contributors
overlap between the projects.)

So +1 to rebroadcasting mod_ssl's or OpenSSL's announce, but I'm not
losing sleep over it.  This is clearly OpenSSL's little bugger (inherited in
part or in full by other implementations, depending on their code affinity.)

Bill



Mime
View raw message