
Re: apache security issue (with upstream new release)



Please respect my Mail-Followup-To header and the Debian mailing list
guidelines, and do not CC me on replies.

On Fri, Oct 31, 2003 at 06:06:15PM +0100, Roman Medina wrote:

> My opinion is that if a security bug is discovered it should be fixed
> ASAP. It's really simple. The argument: "We believe that there is no
> security update required because intentionally exploiting this
> vulnerability requires access to apache's configuration (either
> http.conf or .htaccess)." is equivalent to:
> "yes, we know that our .deb is vulnerable but we are not going to fix
> it because it is difficult to exploit or the exploitability is
> limited".
> 
> Wrong, wrong, wrong. We're talking about a known security issue. Why
> not fix it?  All security issues should be taken into account and
> should be fixed!!! What would happen if someone discovered a
> different attack vector for the *same* bug? Should we wait for this
> event to occur? Not really a good idea...

With any security issue, the risk of exploitation is weighed against the
risk of an update (instability, introducing new bugs, human errors, etc.).
If the risk of an update is greater than the risk of the bug itself, an
update is not desirable.

For example, people sometimes file bugs about buffer overflows in "simple"
programs (which run with no privileges and do not act on any untrusted
input) just because they are buffer overflows, a type of bug which is
associated with many security exposures.  While these are bugs, no
privileges can be gained from them, so they do not represent a security
exposure.

I am not as well-versed on the internals of Apache as our Apache
maintainers, so I am trusting their word that this does not put our users at
risk.

-- 
 - mdz



Reply to: