Re: apache security issue (with upstream new release)
- To: <debian-security@lists.debian.org>
- Subject: Re: apache security issue (with upstream new release)
- From: <roman@rs-labs.com>
- Date: Sat, 1 Nov 2003 11:03:16 +0100 (CET)
- Message-id: <[🔎] 1219.80.103.155.210.1067680996.squirrel@www.hosting-seguridad.com>
- In-reply-to: <20031031172342.GY6350@dijkstra.csh.rit.edu>
- References: <200310291513.h9TFDcB23039@mms-r00.iijmio.jp> <20031030060940.GA6350@dijkstra.csh.rit.edu> <200310300804.h9U84ma21199@mms-r00.iijmio.jp> <20031030163443.GD6350@dijkstra.csh.rit.edu> <44749.80.58.1.46.1067532574.squirrel@www.hosting-seguridad.com> <20031030172109.GJ6350@dijkstra.csh.rit.edu> <cgn2qv8ri3g7dcqarjd8vi248pm5952c9i@4ax.com> <20031030190435.GN6350@dijkstra.csh.rit.edu> <u155qvo92kfljja6mump9fq36mir7n9o3k@4ax.com> <20031031172342.GY6350@dijkstra.csh.rit.edu>
> On Fri, Oct 31, 2003 at 06:06:15PM +0100, Roman Medina wrote:
>
>> My opinion is that if a security bug is discovered it should be fixed
>> ASAP. It's really simple. The argument: "We believe that there is no
>> security update required because intentionally exploiting this
>> vulnerability requires access to apache's configuration (either
>> http.conf or .htaccess)." is equivalent to:
>> "yes, we know that our .deb is vulnerable but we are not going to fix
>> it because it is difficult to exploit or the exploitability is
>> limited".
>
> With any security issue, the risk of exploitation is weighed against
> the risk of an update (instability, introducing new bugs, human errors,
> etc.). If the risk of an update is greater than the risk of the bug
> itself, an update is not desirable.
I agree with that in general terms. Apply to this particular case:
- I trust the Apache team. I mean, they're usually cool maintaining and
fixing Apache bugs. I suppose it's a responsability when your software is
very highly used on Internet.- in other words, the quality of this kind of fix would be high
- the bug is quite serious (local root, at minimun) -> bug risk is
medium/high.- summary: risk of bug > risk of update. Yes, this is my point of view,
but I've also heard similar comments from many more people. I also wanted
you knew it. I'm not trying to create a flamewar or similar. This is my
last post regarding this issue is nobody throws light to us :-)
> For example, people sometimes file bugs about buffer overflows in
> "simple" programs (which run with no privileges and do not act on any
> untrusted input) just because they are buffer overflows, a type of bug
> which is associated with many security exposures. While these are
> bugs, no privileges can be gained from them, so they do not represent a
> security exposure.
I also agree with that. But this is not clearly the case. Some typical
scenario are buffer overflows in games (clients, not servers) and other
client apps (although depending of the particular cases could also be
abused/exploited). I stated this is not the case because:- Apache Httpd is a very spreaded software on Internet.
- It is a server so it could be remotely attacked and it's the perfect
door for any hacker.- The bug discovered could be used to obtain root remotely (well, the
terms "remote" and "local" could be confussing; I'm pretty sure you follow
Bugtraq and have seen recent posts regarding this; it's not a new issue
though :-)).
> I am not as well-versed on the internals of Apache as our Apache
> maintainers, so I am trusting their word that this does not put our
> users at risk.
Do you know any page which I could trust with last Apache releases for
woody/3.0 (=reliable backports)?
Reply to: