Torsten Foertsch wrote:
> On Mon 23 Mar 2009, Philippe M. Chiasson wrote:
>>> almost a month ago there was this posting on the users list
>>>
>>> http://www.gossamer-threads.com/lists/modperl/modperl/99170#99170
>>>
>>> stating there was a security related bug in modperl.
>>>
>>> Since then there were no svn updates touching the code. I'd like to
>>> know if my servers are secure. So, where can I get more information
>>> about the bug to perhaps help to fix it?
>>>
>>> Who knows more about the bug, please issue a statement if it is a
>>> bug or not. If it is but nobody has the resources to fix it, please
>>> let me know (privately) what it is. If I can I'll do it then.
>> AFAIK, the original submitter didn't follow up and explain what the
>> potential security problem was. He was told to contact
>> secur...@apache.org, but I haven't heard anything from them.
>
> Just FYI, the bug is a simple cross site scripting thing in
> Apache2::Status (and probably in mp1's Apache::Status as well)
just for clarification, do you know this because he contacted you directly? or are you on secur...@a.o. I can't see any further discussion of it in the archives, but I'm not on security@ so I don't know what goes on there.

> The mp2 stuff is fixed by the enclosed patch as the original submitter
> has confirmed. I have committed it as revision 760926.

I guess it's not your fault, but I wish this had been attended to a bit differently. secur...@a.o exists for a reason. when a security concern is raised they (not us as individuals) are the "private channel." the path ought to be discussion between the reporter and security@, followed by discussion by the pmc on how to best integrate any fix into our release cycle.

security@ *just* brought the pmc into things this morning, so that's where we *ought* to be at this moment in time... bringing the vulnerability into the open with a patch that addresses half our codebase isn't serving our users well.

anyway, we seem to go through this security exercise every few years, so it's not unforgivable that things weren't handled in an ideal manner (we have so few security bugs, thankfully :) but if you hadn't committed the patch then we wouldn't be telling the world about the vulnerability before we had started (or finished) a release cycle.

--Geoff
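The thread names the bug class (reflected cross site scripting in a status page) but neither the enclosed patch nor the affected Apache2::Status code appears here, so the following is an added, stand-alone Perl illustration written for this page; it is not Apache2::Status code and not the revision 760926 patch. It shows the general shape of the defect in a handler-style page builder beside the fix: escaping every untrusted value at the HTML output boundary. The parameter name `section` and the constructed inputs are assumptions for the demo only.

```perl
#!/usr/bin/perl
# Added illustration for this thread: reflected XSS pattern in a
# status-page builder and its hardened form. Not mod_perl project code.
use strict;
use warnings;

# Minimal HTML escaper covering text and double-quoted attribute contexts.
# (HTML::Entities::encode_entities does the same job; kept inline so the
# script runs with core Perl only.)
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Vulnerable shape: a request parameter (hypothetical name 'section')
# is interpolated straight into the page body and into a link attribute.
sub render_unsafe {
    my ($section) = @_;
    return "<html><body><h1>Status: $section</h1>"
         . qq{<a href="?section=$section">reload</a></body></html>\n};
}

# Hardened shape: the same page, with the untrusted value escaped once
# at the output boundary before it reaches either context.
sub render_safe {
    my ($section) = @_;
    my $esc = html_escape($section);
    return "<html><body><h1>Status: $esc</h1>"
         . qq{<a href="?section=$esc">reload</a></body></html>\n};
}

# Constructed sample inputs: a benign value and one carrying markup.
my @inputs = ('main', '<b onmouseover="x">not text</b>');
for my $in (@inputs) {
    print "input: $in\n";
    print "  unsafe: ", render_unsafe($in);
    print "  safe:   ", render_safe($in);
}
```

Running it with `perl` prints both renderings for each input; the unsafe version emits the markup verbatim, so the browser would interpret it, while the safe version turns `<`, `>`, `&` and both quote characters into entities so the value is displayed as text and cannot break out of the `href` attribute. Reviewing a real status handler for this class of bug means locating every place a request-derived string is concatenated into HTML and confirming it passes through such an escaper.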