perl-dev mailing list archives

From Geoffrey Young <ge...@modperlcookbook.org>
Subject Re: Security Problems ???
Date Wed, 01 Apr 2009 16:31:58 GMT


Torsten Foertsch wrote:
> On Mon 23 Mar 2009, Philippe M. Chiasson wrote:
>>> almost a month ago there was this posting on the users list
>>>
>>>   http://www.gossamer-threads.com/lists/modperl/modperl/99170#99170
>>>
>>> stating there was a security related bug in modperl.
>>>
>>> Since then there were no svn updates touching the code. I'd like to
>>> know if my servers are secure. So, where can I get more information
>>> about the bug to perhaps help to fix it?
>>>
>>> Who knows more about the bug, please issue a statement if it is a
>>> bug or not. If it is but nobody has the resources to fix it, please
>>> let me know (privately) what it is. If I can I'll do it then.
>> AFAIK, the original submitter didn't follow up and explain what the
>> potential security problem was. He was told to contact
>> security@apache.org, but I haven't heard anything from them.
> 
> Just FYI, the bug is a simple cross site scripting thing in 
> Apache2::Status (and probably in mp1's Apache::Status as well)

just for clarification, do you know this because he contacted you
directly?  or are you on security@a.o.  I can't see any further
discussion of it in the archives, but I'm not on security@ so I don't
know what goes on there.

> 
> The mp2 stuff is fixed by the enclosed patch as the original submitter 
> has confirmed. I have committed it as revision 760926.

I guess it's not your fault, but I wish this had been attended to a bit
differently.

security@a.o exists for a reason.  when a security concern is raised
they (not us as individuals) are the "private channel."  the path ought
to be discussion between the reporter and security@, followed by
discussion by the pmc on how to best integrate any fix into our release
cycle.  security@ *just* brought the pmc into things this morning, so
that's where we *ought* to be at this moment in time...

bringing the vulnerability into the open with a patch that addresses
half our codebase isn't serving our users well.

anyway, we seem to go through this security exercise every few years, so
it's not unforgivable that things weren't handled in an ideal manner (we
have so few security bugs, thankfully :)  but if you hadn't committed
the patch then we wouldn't be telling the world about the vulnerability
before we had started (or finished) a release cycle.

--Geoff
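The bug class named in the quoted reply, a reflected cross-site scripting hole in a server-status page, as an added Perl illustration. This is not code from this thread, from the committed patch, or from Apache2::Status itself; the thread does not say where the real defect was, so the `render_unsafe` and `render_safe` handlers, the `html_escape` helper and the constructed input are all assumptions made for the example. It shows the general pattern a reviewer looks for: a request-supplied value interpolated straight into HTML, beside the same output with escaping applied at the point of output.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML escaping for text placed into an HTML body or a
# double-quoted attribute value. It covers the same five characters
# as HTML::Entities::encode_entities would by default; written out
# here so the example runs with core Perl only (assumed helper).
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable pattern (assumed, not the actual Apache2::Status code):
# a status-style page that echoes a request parameter into its HTML.
sub render_unsafe {
    my ($name) = @_;
    return "<h2>Status for $name</h2>\n";
}

# Hardened pattern: every untrusted value is escaped where it is
# written into the document, so it can only ever render as text.
sub render_safe {
    my ($name) = @_;
    return "<h2>Status for " . html_escape($name) . "</h2>\n";
}

# Constructed input of the kind a query string could carry.
my $input = q{<script>alert(1)</script>};

print "unsafe: ", render_unsafe($input);
print "safe:   ", render_safe($input);

# Self-check: the hardened output carries no live <script> element,
# only its escaped text form.
my $out = render_safe($input);
die "escaping failed: raw tag survived\n" if index($out, '<script') >= 0;
die "escaping failed: no escaped form\n"  if index($out, '&lt;script&gt;') < 0;
```

The check at the end is the kind of assertion worth keeping in a test suite for any page that reflects request data: it fails the moment someone reintroduces an unescaped interpolation, which is how this class of bug usually comes back after a fix.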
