General discussion

  • #2325565

    Views on Apache’s latest vulnerability

    by debate ·

    Tell us what you think about the latest Apache vulnerability, as featured in the latest Internet Security Focus e-newsletter. Were you surprised to learn that security problems exist in open source software? Why or why not? What’s your take on how Internet Security Systems notified the public about the vulnerability? Do you think they should have allowed Apache to develop a fix for the problem first?

All Comments

  • #3665880

      Consider there is No problem at all

      by andy520 ·

      In reply to Views on Apache’s latest vulnerability

      I also use open source software, most of all ’cause it gives the opportunity to use ANY small ‘block’ in the ‘whole building’ – Apache is one well documented and good product, and there MUST be bugs that are not found yet in any code – open or closed, no matter!

      Speed (dates between vulnerability found and reaction) of new solutions in the case of the last vulnerability in Apache, from distributors of packages including the http service and Apache itself, I consider much higher than any from most official vendors (including MS) in the same situations. The public must be notified, but let’s respect the vendor – Apache must be notified in such a case first!

      I consider open source showed itself from the best side in this situation.

      Andrew Kostuyk

      • #3665805

        The public needs to know

        by richard j. sullivan – florida ·

        In reply to Consider there is No problem at all

        Whether it is MS or Sun or any open source software, if a “critical” bug exists, the public needs to know and soon so that it can be resolved.

        What ISS did appears to be in keeping with other exploits that have been reported. The difference appears to be one that I would anticipate with “open source” in which a single vendor or manufacturer can not be pinpointed. Whether it is Apache or Linux, in which literally thousands of people are making contributions to the source code and a single vendor cannot be found, then I think the user community needs to be informed and quickly.

        If a single vendor can be found, then they should be notified first, given a period of time to come up with a fix and then have it reported. The time to fix is needed so that unscrupulous entities cannot exploit the issue prior to a fix. At the same time the time to announce should be short because – “if you found it, someone else probably has too!”

        • #3412878

          Apache Vendor

          by charleshagen ·

          In reply to The public needs to know

          ISS did not follow its established procedure. Open Source Apache has a ‘vendor’ in the Apache Foundation. Now let’s be honest; did ISS notify Apache of the bug in a timely manner in order for a patch to be posted?

          NO.

          Shame on ISS.

        • #3412869

          Public expects some Ethics

          by romerogt ·

          In reply to The public needs to know

          I agree with the article, ISS must have informed the Apache Project first; telling you cannot point to a responsible party is not knowing the Open Source way of work. Of course there is always a place to tell things.
          Bad for ISS, for releasing the announcement and for posting a “patch” that didn’t fix the problem and didn’t consider the Open Source way of work.
          It gives the impression they try to lever one Apache bug with “all” the bugs other products have shown.

    • #3665863

      Article Doesn’t Match Title

      by schmoo ·

      In reply to Views on Apache’s latest vulnerability

      I reread the article a few times, just to see if it ever got to the point that the title of “Why Apache doesn’t get an A+ for security” proclaims.

      I do not see where he makes that point. If anything, I see that he’s taking ISS to task for releasing the details of a bug before Apache could come up with the fix, nothing more. It still doesn’t make his case as to the title.

    • #3412842

      ISS horribly irresponsible!

      by john.mckean ·

      In reply to Views on Apache’s latest vulnerability

      While I agree that the public has a “right to know”, it is blatantly irresponsible for a vulnerability to be publicized before a vendor has had an opportunity to correct the defect. After a reasonable time has passed (I’ll leave the definition of “reasonable” up to the reader) the vulnerability should be disclosed even if the vendor has not corrected the problem. For ISS to disclose the problem before Apache.org had an opportunity to correct the defect is a crime.

    • #3408182

      Was it JUST bad procedures?

      by datempleton ·

      In reply to Views on Apache’s latest vulnerability

      Since they have been able to get the process right for Microsoft before, one wonders whether this was a mistake or something else?

      • #3408131

        I don’t trust MS

        by szbylot ·

        In reply to Was it JUST bad procedures?

        MS would like nothing more than to knock Apache down a few notches while discrediting the security of all open source software. There would definitely be a clear motive; it is just a matter of whether MS had any influence on the “Bad Procedure” or not.
