Older blog entries for mjcox (starting at number 115)

Apache Critical Flaw!

So, according to a Secunia advisory I just read, there is a new flaw in Apache that allows attackers to "compromise a vulnerable system". [source]

They got that information from a Conectiva security advisory. That advisory actually says "trigger the execution of arbitrary commands", but if you read the context you'll find that what it really means is this: a cunning attacker could use a minor flaw in Apache, which lets escape characters be written unfiltered into the log files, in order to exploit possible flaws in terminal emulators and execute arbitrary commands when someone views the log file in such a terminal. [source]

So we've magically turned an issue of quite minor risk and minor severity into one classed as "Moderately Critical". By the same logic you could chain in publicised (but fixed) flaws in the Linux kernel to gain root privileges, and we've got a remote root exploit in Apache, folks! It's Chinese Whispers security advisories at their best.
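The underlying defect described above is that raw control bytes from a request end up in the log, and the only thing between them and a terminal emulator's escape-sequence parser is whoever runs `cat` or `tail` on the file. The right fix is on the writing side (escape non-printable bytes before they reach the log), but an administrator who has to read logs produced by an unpatched server can do the same on the reading side. The script below is an added example, not code from the original post or from the Apache project: it escapes control bytes C-style so a line is safe to print, and flags lines that carry ANSI CSI/OSC sequences so they can be investigated rather than displayed. The log lines are constructed for the example.

```python
"""Escape and audit web-server log lines for terminal escape sequences.

Added example for this blog entry; not Apache's own log escaping code.
Reading side of the mitigation: render a log safely even when the server
that wrote it did not filter control bytes.
"""
import re
import sys

# Constructed sample log lines (not real traffic). The second carries a
# "clear screen" CSI sequence and an OSC window-title sequence in the
# User-Agent field; the third carries a bare ESC plus a carriage return
# in the request line (CR would also let an attacker forge a log line).
SAMPLE_LOG = [
    '10.0.0.1 - - [07/Apr/2004:08:11:00 +0000] "GET / HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
    '10.0.0.2 - - [07/Apr/2004:08:11:01 +0000] "GET /x HTTP/1.0" 404 0 "-" '
    '"\x1b[2J\x1b]0;owned\x07evil"',
    '10.0.0.3 - - [07/Apr/2004:08:11:02 +0000] "GET /\x1b\r HTTP/1.0" 400 0 "-" "-"',
]

# ANSI escape sequences a terminal emulator would act on:
#   CSI  ESC [ <params> <intermediates> <final byte>   e.g. ESC[2J
#   OSC  ESC ] ... BEL  or  ESC ] ... ESC \             e.g. set window title
#   anything else: ESC followed by one byte
ESCAPE_SEQ = re.compile(
    r'\x1b\[[0-?]*[ -/]*[@-~]'
    r'|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)'
    r'|\x1b.',
    re.DOTALL,
)

# Readable C-style forms for the three common whitespace controls;
# every other control byte (0x00-0x1f, 0x7f) becomes \xHH.
C_ESCAPES = {'\n': '\\n', '\r': '\\r', '\t': '\\t'}


def escape_log_line(line: str) -> str:
    """Return a copy of one log line with no raw control bytes.

    Backslash is doubled so the escaped form is unambiguous: a literal
    backslash-x-1-b in the input cannot be mistaken for an ESC byte.
    """
    out = []
    for ch in line.rstrip('\n'):
        if ch == '\\':
            out.append('\\\\')
        elif ch in C_ESCAPES:
            out.append(C_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7f:
            out.append('\\x%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def find_escape_sequences(line: str) -> list:
    """Return every terminal escape sequence found in a raw log line."""
    return ESCAPE_SEQ.findall(line)


def audit(lines) -> list:
    """Summarise which lines (by index) carry escape sequences and how many."""
    report = []
    for idx, line in enumerate(lines):
        seqs = find_escape_sequences(line)
        report.append({'line': idx, 'count': len(seqs),
                       'sequences': [escape_log_line(s) for s in seqs]})
    return report


def safe_view(lines) -> list:
    """Escaped copies of all lines: safe to write to a terminal."""
    return [escape_log_line(line) for line in lines]


if __name__ == '__main__':
    # Read a real log from stdin if one is piped in, else use the sample.
    lines = sys.stdin.readlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for entry in audit(lines):
        if entry['count']:
            print('line %d: %d escape sequence(s): %s'
                  % (entry['line'], entry['count'], entry['sequences']))
    for line in safe_view(lines):
        print(line)
```

Piping an access log through the script (`python3 logview.py < access_log`) prints each suspicious line's sequences in escaped form first, then the whole log with every control byte rendered as printable text. The same `escape_log_line` routine is what a log writer should apply before the bytes reach the file; doing it on both sides costs nothing and removes the terminal emulator from the attack surface entirely.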

7 Apr 2004 (updated 7 Apr 2004 at 08:11 UTC)
95% of statistics....

So our joint statement in response to the Forrester Study is now available, and it got to Slashdot and other places. It should be an identical statement on each vendor's site, although I think the European -ise's got replaced with -ize's in some of the copies. It's quite an event to have four competing Linux distributions giving a joint statement on an issue, but behind the scenes this goes on all the time. Every day we work with our competitors in the other Linux vendor security teams to make sure that Linux users get quality, peer-reviewed security fixes in a timely fashion.

Embargoed Diary

During my short part of the world tour I got asked why I didn't keep my blog up to date with interesting stuff about what I do. The problem with working on security vulnerabilities is that many of them are embargoed; I spent many hours working on the recent OpenSSL issues and many days working on the Forrester Study, and none of it was something I could talk about. Then, when the embargo gets lifted, I've moved on to something new and it doesn't seem worth dredging up the past.

So in the last month: I've learnt that sending the press a written statement usually gets you a better and more accurate quote than talking to them. It's probably the British accent that throws them. I've learnt that no matter how hard you try you can't find everyone who uses OpenSSL in their product to tell them in advance about security issues, and the ones you miss end up being annoyed. I've learnt that the latest attempt to cure my migraines has a side effect in that I don't get nervous before giving presentations (it felt like I was watching myself from above). I've learnt that April Fools' jokes on the web are not funny (well, apart from the "Klingon Eye for the Human Guy" one and our Apache PDA one from a few years ago).

Just a month before the end of life of Red Hat Linux 9, I finally got around to upgrading some old Red Hat 7.1 machines to run Advanced Server 2.1AS; only one reboot and about 20 minutes of my time required. I was so pleased with myself that I spent an hour sending in one of my patches for ZoneMinder, which is used to record and upload the CCTV footage of what goes on outside my house.

Red Hat World Tour

Just back from a couple of days in London with the Red Hat world tour folks. It was awesome fun and I got to meet loads of interesting people. I've no idea how these guys have managed it, especially their rule on having no checked-in luggage. Two weeks without scissors or sharp instruments. Actually, given their close confinement that's probably a good thing.

I'm sure that at the end of the Linux user group meeting yesterday a guy walked off with a couple of dozen of the world tour t-shirts we were giving away; I wonder if they'll turn up on eBay.

My attempt to photo blog the event with my phone camera failed as I ended up sending all the pictures to the wrong email address. D'oh.

What a busy day; doing the OpenSSL release manager role for the recent security updates, testing packages, dealing with the third parties, being a third party, rolling, pushing, correcting.

What is disturbing is a report from a third-party company, vulnerable to one of the denial-of-service issues, that said it wasn't a security issue as there were hundreds of other possible DoS attacks. Actually, this attack causes OpenSSL to crash. We've got a proof of concept: you don't have to send more than a KB of data to get OpenSSL to crash remotely. This can be quite serious if you have a service that can't recover from that. Things like Apache (when running in its default prefork memory model) can recover quite well; the parent just spawns off a new child to replace the dead one. This is going to use up some extra resources, but depending on the platform it's quite minor (and will stop as soon as the attacker stops sending malicious packets). Not everything that listens to the network and uses OpenSSL is so resilient.

Going to be in London next weekend?

I'm off to London in a couple of weeks to be part of the Red Hat world tour. Looks like the event is going to be pretty busy (so if you want to come and see us you'd better register now). There are a few different things I want to talk about, but I've not had the chance to write them up yet as I've spent the weekend almost entirely dealing with a migraine and talking to folks about the Red Hat security response team.

11 Mar 2004 (updated 11 Mar 2004 at 21:07 UTC)

ZOË rocks. www.zoe.nu. It's built on Apache Lucene and it actually works. I've just let it spend 3 days importing and indexing over 100k messages (8 years' worth, after stripping mailing lists). Now I can search my old emails in seconds, get threaded lists, and easily find all the attachments. It even dealt with duplicates perfectly, which given the state of my mail archives is definitely no easy task. 3 days is a long time, but then it was running on an old 512MB 450MHz machine. I've already found mails I never thought I had and pictures in attachments I didn't remember. Awesome stuff.

So I nearly missed a staff meeting last week; my iPAQ forgot to remind me. In fact it now doesn't bother reminding me about any appointments. To cut a very long and annoying story short, it turns out to be a known problem with Microsoft Pocket PC 2003 where in some circumstances alarms don't work. Hold on, this is a PDA, and isn't one of the main functions of a PDA the ability to keep alarms? I'm glad I didn't sell my Palm Vx now; looks like I'll be switching back to it.

As I was committing the template for this week's issue of Apache Week I noticed that it has now been exactly eight years since I wrote the first issue. Back then Apache wasn't so popular and the documentation was lacking. Apache Week was designed specifically to give administrators the confidence to try the Apache web server on their machines without having to parse the hundreds of messages each week on the developer mailing list. That first issue was written over a 64k ISDN dial-up line from a computer perched on a stark IKEA tabletop. Friday afternoons were spent writing up what had happened during the week. Not much has changed. Actually, I think that IKEA tabletop is still sitting in storage somewhere at Red Hat in Guildford. I wish I'd kept hold of it; it would have been useful for my girlfriend's son's train layout.

Over the years there have been many times when we've thought about stopping production, usually when a competitor announced some other Apache magazine that we thought would do a better job than we do. But most of them gave up. They probably realised that there wasn't any money to be made from an Apache httpd journal.

UK Web became C2Net which became Red Hat, and Apache Week is still going strong. We'll have to think of something exciting to do for our tenth birthday.

24 Jan 2004 (updated 24 Jan 2004 at 15:00 UTC)

I wrote a Windows application last night! Then I realised that I'd actually not written any Windows stuff for over ten years. The last Windows app I wrote was with Paul Sutton back in 1993 when the Windows Sockets Library had just been brought out. We wrote a winsock Connect-4-type game. When I visited Microsoft whilst working at C2Net I actually met one of the original winsock authors, who even remembered using our game. Anyway, Windows applications seem to be a whole different world, with hundreds of web sites trying to sell you utilities. Awful utilities. Things you could do with 3 lines of Perl that the author has made shareware and wants you to pay $15 to unlock.

So to spread some good karma, my OTP OPIE S/KEY client thingy is free, with source. Although I have to admit that it's probably about 40 lines of code linking to existing libraries, and it probably took me longer to write the web page and draw the icon than to write the app.

Now I can get back to doing the work on the system that I needed to use the OTP calculator to log into in the first place ;)
