From our operations team:

1) Chunked Encoding issue is being handled by a work-around Perl handler -
this doesn't really affect us anyway since this only comes into effect
during uploads (which we don't do)
2) SSL vulnerabilities are being taken care of as well by local
configuration.  The other vulnerabilities mentioned are client side, so
don't affect us :)

Thank you for your concerns.

Charles Daminato
OpenSRS Product Manager
Tucows Inc. - [EMAIL PROTECTED]

> -----Original Message-----
> From: Paul Chvostek [mailto:[EMAIL PROTECTED]]
> Sent: October 15, 2002 11:16 AM
> To: Charles Daminato
> Cc: [EMAIL PROTECTED]
> Subject: Re: Apache and security (WAS: RE: What is "Manage Authorized
> Reseller Profile" in the RWI?)
>
>
>
> On Tue, Oct 15, 2002 at 10:02:20AM -0400, Charles Daminato wrote:
> >
> > Note that all our services, even if "older/outdated", are not vulnerable and
> > appropriate measures have been taken to ensure they are secure.  rr-n1-tor
> > is NOT running SSLv2, which is where the OpenSSL buffer overflow is
> > exploitable - so there's no concern there.
>
> It appears to be running Apache 1.3.20 which is mentioned all over the
> place: http://httpd.apache.org/info/security_bulletin_20020617.txt and
> http://www.cert.org/advisories/CA-2002-17.html and a specific
> vulnerability is also mentioned at http://www.kb.cert.org/vuls/id/944335
>
> How has rr-n1-tor been secured if not by upgrading Apache?
>
> It also seems to be running OpenSSL 0.9.6b which has vulnerabilities in
> more than just SSLv2, according to security advisories.  Check out
> http://www.openssl.org/news/secadv_20020730.txt as well as
> http://www.cert.org/advisories/CA-2002-23.html with multiple
> vulnerabilities linked to from there.
>
> Again, how has rr-n1-tor been secured if not by upgrading OpenSSL?
>
> Or are you guys being insanely clever and compiling new versions of
> software with old version numbers in an attempt to entrap would-be
> attackers?
>
> --
>   Paul Chvostek                                             <[EMAIL PROTECTED]>
>   Operations / Abuse / Whatever                          +1 416 598-0000
>   it.canada - hosting and development                  http://www.it.ca/
>
