httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject FOSSA - EU-Free and Open Source Software Auditing project instigated by the European Parliament - report on httpd/apr (final)
Date Wed, 16 Nov 2016 17:49:32 GMT
Folks,

Most of you will recall the ‘security and freedom - we can have both!’ discussion[1]
and may have seen the resulting announcements of the FOSSA[2] project.

One of the things the European Parliament asked the European Commission to do was a number
of security audits of key infrastructure open source software. 

After a public consultation - the apache httpd/apr project was one of the targets that got
the most votes (the other was KeePass).

Everis Aeroespacial y Defensa, S.L.U., a multinational firm from Madrid, Spain, has since
carried out this review. The result is attached[3]. 

By and large the result is positive, with no major issues found. (Note that not all of httpd/apr
was reviewed).

The report (!! rightly !!) points out that we do have serious quality issues with our buildtools
(specifically the libtool that comes with apr) - but they found no security issues of substance
in the parts of httpd or apr that run in production.

The main points to fix/consider/suggestions (see the full report at [3]) are:

- An unsafe sprintf() rather than snprintf() in the debugging code of apr_dbg_log() (when
apr_dbg_win32_handles.h is actually enabled).

- NAME_MAX has a risk of a conflict with reserved macros and unexpected side effects.

- Low quality code in libtool and friends.

- Use of InitializeCriticalSection() on Windows.

- Old legacy code for legacy platforms (alloca, getpass) — though we generally use
this guarded or as a last resort.

This report is final and complete. Everis did not find or report any other issues; nor
are we keeping anything under a responsible/delayed disclosure timeline.

So thanks to all involved - those who voted for Apache to get this review, the European Parliament
for recognising the importance of open source software in our society and for democratic discourse,
and the EC and Everis for their work.

As you may have seen - the European Parliament has since voted to extend Free Software security
audits; and the Pirate party helped ensure that significant budget was allocated[4]. So let's
hope we can help make this internetted world a better place.

With kind regards,

Dw.

1: https://juliareda.eu/2014/12/1-million-for-open-source-security/
2: https://joinup.ec.europa.eu/community/eu-fossa/home
3: https://joinup.ec.europa.eu/sites/default/files/ckeditor_files/files/DLV%20WP6%20-01-%20ApacheCoreAPR%20Code%20Review_published.pdf
4: https://juliareda.eu/2016/10/ep-votes-to-extend-fossa/