
Re: apache security issue (with upstream new release)



Sorry, I misunderstood your answer. I thought you were redirecting me
to the other ml. I've also read the answer sent by Matthew Wilcox
<willy@debian.org> to this same thread (amongst other related messages
and the like).

My opinion is that if a security bug is discovered it should be fixed
ASAP. It's really simple. The argument: "We believe that there is no
security update required because intentionally exploiting this
vulnerability requires access to apache's configuration (either
http.conf or .htaccess)." is equivalent to:
"yes, we know that our .deb is vulnerable but we are not going to fix
it because it is difficult to exploit or the exploitability is
limited".

Wrong, wrong, wrong. We're talking about a known security issue. Why
not fix it?  All security issues should be taken into account and
should be fixed!!! What would happen if someone discovered a
different attack vector for the *same* bug? Should we wait for this
event to occur? Not really a good idea...

 Regards,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

On Thu, 30 Oct 2003 14:04:35 -0500, you wrote:

>On Thu, Oct 30, 2003 at 07:58:50PM +0100, Roman Medina wrote:
>
>> On Thu, 30 Oct 2003 12:21:09 -0500, you wrote:
>> >> > Ask debian-apache@lists.debian.org.
>> >
>> >See above.
>> 
>>  I'm not subscribed to debian-apache, nor am I going to subscribe only
>>  to ask this. If this is a security issue in Debian, why not discuss it
>>  in a Debian security ml? I repeat: I have segfaults in my apache
>>  error-logs and this happened only recently (this week), so I probably have
>>  reasons to be scared... or not?
>
>I didn't say that you should subscribe.  I told you where the decision came
>from so that you could ask someone who could give you a more specific
>answer, and in exchange for this, you keep complaining to me about your
>server error logs.  If you cared enough about this issue, you would make the
>effort to investigate it yourself.
>
>-- 
> - mdz
