At 11:46 PM 9/16/2002, Stephen R Smoot wrote:
>In message
><[EMAIL PROTECTED]>
> > Wouldn't it be a good idea for us to put out an advisory to the usual
> > places (announce@...) summarizing all the recent security stuff including
> > the openssl worm (commonly called an "apache worm")? Neither the openssl
> > site, nor the mod_ssl site, nor the apache-ssl site seem to have any
> > prominent mention of this thing.
>
>Ditto. For other reasons, I was on apache.org today and noticed to my
>surprise there was no mention of it.

I agree it would be nice to repost an OpenSSL/mod_ssl advisory on our pages (mod_ssl is a sister project, after all.) But understand that the ASF took ownership of mod_ssl for Apache 2.0, not 1.3, and we are not married to any particular SSL library (although many of us are very proud of the OpenSSL project, and several major contributors overlap between the projects.)

So +1 to rebroadcasting mod_ssl's or OpenSSL's announce, but I'm not losing sleep over it. This is clearly OpenSSL's little bugger (inherited in part or in full by other implementations, depending on their code affinity.)

Bill
