Subject: Re: Not really an advocacy :-(
To: Ing.,BcA. Ivan Dolezal <ivan.dolezal@vsb.cz>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 06/25/2002 16:52:07
On Fri, Jun 21, 2002 at 05:09:04PM +0200, Ing.,BcA. Ivan Dolezal wrote:
> 
> Hello.
> 
> Question # 1 :
> 
> 
> June 17, 2002
> 
> - Internet Security Systems Security Advisory: Remote Compromise
>    Vulnerability in Apache HTTP Server
> - Apache Security Bulletin
> - CERT Advisory
> 
> June 18, 2002
> 
> - updated Apache Security Bulletin
> 
> 
> June 19, 2002
> 
> - FBI's National Infrastructure Protection Center Advisory
> - Linux Weekly News report
> - Apache releases 1.3.26
> - Debian, Red Hat Linux release their packages (for free)
> - "Package apache-1.3.24 has a remote-root-shell vulnerability"
>    message from audit-packages
> 
> June 20, 2002
> 
> - Gobbles aka apache_scalp.c presented
> 
> 
> June 21, 2002
> 
> ...problem still not mentioned at netbsd.org/Security/

Apache is not part of the base system, so NetBSD has no reason to issue
an advisory for it. audit-packages will catch it and point to the
appropriate advisory.

> ...problem still not mentioned at
> ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/www/apache/README.html
> (last audit from Jun 6 05:00)

This is a description of the package; I can't see why security issues should
be discussed here. Refer to the software home page for security information.

> ...insecure 1.3.24 still available from the package collection

No, the apache and apache2 packages were updated on Jun 19.
Check the CVS logs.

> 
> Unfortunately it is the same situation with the OpenBSD web site (the primary
> target of apache_scalp.c).
> 
> How should I believe in *BSD's commitment to security? While BSD is
> talking about high quality software, Linux people actually did something.
> Am I missing something?

The NetBSD people have done what had to be done (update the package and
add an entry to audit-packages). IMHO it's not the responsibility of the
NetBSD group to issue advisories for software that they don't maintain
and that is not part of the base system.
The Apache group issued an advisory. You know you have installed Apache
(if you don't, you have a problem), so once you know you have a problem with
Apache, check for updates (either directly from apache.org or from pkgsrc,
depending on your favorite way of installing third-party packages).
If you don't want to track each third-party software's security information,
audit-packages is for you.

> 
> Question # 2:
> 
> What are my chances to do something like Openwall's stuff 
> (http://www.openwall.com/linux/README) with *BSD?

Some of these things are already present in NetBSD (or are just
not relevant: NetBSD runs just fine without /proc, for example).
Some others are coming, like a non-executable stack.
The systrace work that is in progress also looks very promising.

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--
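An added example (not code from the thread, NetBSD or pkgsrc) of the check that audit-packages performs for you: installed name-version strings are matched against a vulnerability list and the "Package apache-1.3.24 has a remote-root-shell vulnerability" message quoted above is produced. The entry format `name<version type url`, the constructed package list and the placeholder URLs are assumptions of this example, not pkgsrc's real file format.

```python
# Added example, not pkgsrc code. Assumed simplified vulnerability-list format:
# one entry per line, "name<version  type  url" (only the "<" bound is handled).
import re

# Constructed sample vulnerability list; URLs are placeholders.
VULNERABILITIES = """\
apache<1.3.26   remote-root-shell  http://advisory.example/apache-chunked
apache2<2.0.39  remote-root-shell  http://advisory.example/apache-chunked
"""

# Constructed list of installed packages, in pkgsrc's "name-version" form.
INSTALLED = ["apache-1.3.24", "openssl-0.9.6d", "apache2-2.0.39"]


def split_pkg(pkg):
    """Split 'apache2-2.0.39' into ('apache2', '2.0.39'); the name may contain
    '-', so the version starts at the last '-' that is followed by a digit."""
    m = re.match(r"^(.*)-(\d[^-]*)$", pkg)
    if not m:
        raise ValueError("not a name-version string: %r" % pkg)
    return m.group(1), m.group(2)


def version_key(version):
    """Turn '1.3.24' into a tuple that compares numerically per component;
    non-numeric components (e.g. '6d') sort after numeric ones as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in version.split("."))


def parse_vulnerabilities(text):
    """Yield (name, vulnerable_below, type, url) for each non-comment line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, vtype, url = line.split()
        name, bound = pattern.split("<", 1)
        yield name, bound, vtype, url


def audit(installed, vuln_text):
    """Return one audit-packages style message per vulnerable installed package.
    A package matches when its name equals the entry's name and its version is
    strictly below the entry's bound; the ", see <url>" suffix is assumed."""
    messages = []
    for pkg in installed:
        name, version = split_pkg(pkg)
        for vname, bound, vtype, url in parse_vulnerabilities(vuln_text):
            if vname == name and version_key(version) < version_key(bound):
                messages.append("Package %s has a %s vulnerability, see %s"
                                % (pkg, vtype, url))
    return messages
```

Running `audit(INSTALLED, VULNERABILITIES)` flags only apache-1.3.24; apache2-2.0.39 is not below its bound and openssl has no entry.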