Views on Apache's latest vulnerability

By debate
Tell us what you think about the latest Apache vulnerability, as featured in the latest Internet Security Focus e-newsletter. Were you surprised to learn that security problems exist in open source software? Why or why not? What's your take on how Internet Security Systems notified the public about the vulnerability? Do you think they should have allowed Apache to develop a fix for the problem first?

8 total posts (Page 1 of 1)

Consider there is no problem at all

by andy520 In reply to Views on Apache's latest ...

I also use open source software, mostly because it gives the opportunity to use ANY small 'block' in the 'whole building'. Apache is one well documented and good product, and there MUST be bugs that are not found yet in any code, open or closed, no matter! The speed (the time between a vulnerability being found and the reaction) of new solutions in the case of the last vulnerability in Apache, from distributors of packages including the http service and from Apache itself, I consider much higher than that of most official vendors (including MS) in the same situations. The public must be notified, but let's respect the vendor: Apache must be notified first in such a case! I consider that open source showed itself from its best side in this situation.

Andrew Kostuyk


The public needs to know

Whether it is MS or Sun or any open source software, if a "critical" bug exists, the public needs to know and soon so that it can be resolved.

What ISS did appears to be in keeping with other exploits that have been reported. The difference appears to be one that I would anticipate with "open source", in which a single vendor or manufacturer cannot be pinpointed. Whether it is Apache or Linux, in which literally thousands of people are making contributions to the source code and a single vendor cannot be found, then I think the user community needs to be informed, and quickly.

If a single vendor can be found, then they should be notified first, given a period of time to come up with a fix, and then have it reported. The time to fix is needed so that unscrupulous entities cannot exploit the issue prior to a fix. At the same time, the time to announce should be short because "if you found it, someone else probably has too!"


Apache Vendor

by charleshagen In reply to The public needs to know

ISS did not follow its established procedure. Open Source Apache has a 'vendor' in the Apache Foundation. Now let's be honest; did ISS notify Apache of the bug in a timely manner in order for a patch to be posted?

NO.

Shame on ISS.


Public expects some Ethics

by romeroGT In reply to The public needs to know

I agree with the article: ISS should have informed the Apache Project first. Saying that you cannot point to a responsible party shows a lack of understanding of the Open Source way of working. Of course there is always a place to report things.
Bad for ISS, for releasing the announcement and for posting a "patch" that didn't fix the problem and didn't consider the Open Source way of working.
It gives the impression they are trying to leverage one Apache bug against "all" the bugs other products have shown.


Article Doesn't Match Title

by schmoo In reply to Views on Apache's latest ...

I reread the article a few times, just to see if it ever got to the point that the title of "Why Apache doesn't get an A+ for security" proclaims.

I do not see where he makes that point. If anything, I see that he's taking ISS to task for releasing the details of a bug before Apache could come up with the fix, nothing more. It still doesn't make his case as to the title.


ISS horribly irresponsible!

by john.mckean In reply to Views on Apache's latest ...

While I agree that the public has a "right to know", it is blatantly irresponsible for a vulnerability to be publicized before a vendor has had an opportunity to correct the defect. After a reasonable time has passed (I'll leave the definition of "reasonable" up to the reader) the vulnerability should be disclosed even if the vendor has not corrected the problem. For ISS to disclose the problem before Apache.org had an opportunity to correct the defect is a crime.


Was it JUST bad procedures?

by datempleton In reply to Views on Apache's latest ...

Since they have been able to get the process right for Microsoft before, one wonders whether this was a mistake or something else.


I don't trust MS

by szbylot In reply to Was it JUST bad procedure ...

MS would like nothing more than to knock Apache down a few notches while discrediting the security of all open source software. There would definitely be a clear motive; it is just a matter of whether MS had any influence on the "Bad Procedure" or not.
