
RE: [cobalt-developers] Fwd: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability



> True, but is that a reason to ignore the vulnerability, and not upgrade
> Apache?
> 
> --
> Sincerely,
> William L. Thomson Jr.
> Obsidian-Studios, Inc.
> 439 Amber Way
> Petaluma, Ca. 94952
> Phone  707.766.9509
> Fax    707.766.8989
> http://www.obsidian-studios.com

Need a good reason to not upgrade apache?  I'll give you several...
mod_casp (chilli asp), mod_php, mod_perl, mod_fp (front page),
mod_auth_pam, mod_ssl, perl, openssl, and most importantly, QC (Quality
Control).

I've recently spent the time to recompile and install the above
packages.  To put it lightly, it's very hard.  Getting the dependencies
correct is no walk in the park.

How long would it take Sun Cobalt to get it working?  How long would you
like them to test it before they release it to us?  What happens when
your customer's sites stop working because you upgraded Perl or PHP?

If Sun released a hotfix, would you even apply it?  I don't know if I
would.  I certainly wouldn't rush to do it.  Every time Sun releases a
new patch of any size/substance the list is flooded with messages about
it and the problems it caused.

Next, think about it from Sun/Cobalt's point of view.  They would be
supporting old systems that no longer provide revenue.  Many of these
systems never provided revenue to Sun (directly, only to Cobalt), and
are therefore "Legacy" systems.  How long does Dell provide
patches/drivers/software updates for the PCs they sell?  I'll bet the
updates start to slow down after the first year and by the second it's
forgotten.

If you're talking about a root exploit, I'd have a different stance.
We're not talking about that though.  If someone wanted to DoS a server,
they wouldn't need buggy software to get the job done.

A better direction for this discussion is, "How do I detect and prevent
DoS and DDoS attacks on my server?"

Matthew Nuzum
www.bearfruit.org
cobalt@xxxxxxxxxxxxx