Corporate IT managers have been advised that they might receive earlier notification of flaws in the Apache Web server if they join the Apache Group's developer mailing list.
The advice came from a member of the Apache Group, responding to recent criticism from Oracle that Apache had been slow to inform it of a recently discovered flaw. Apache said that firms contributing to its developer mailing list would receive early warnings of flaws.
The news follows suggestions that some firms received late warning of a vulnerability in the Apache Web server, which Oracle uses as the core Web server in its 9i Application Server. Apache first disclosed news of the flaw on 17 June, and several other Apache distributors, including IBM and Red Hat, posted advisory notices to their users on the same day. But the news did not reach the Oracle Web site until 20 June. As a result, the systems of Oracle customers may have been vulnerable in the interim - allowing hackers to obtain remote control of unprotected servers.
This sequence of events prompted Oracle's chief security officer, Mary Anne Davidson, to launch an investigation into the way the firm works with partners such as Apache.
A source at the Apache Group said that the organisation's developer mailing list is open to the public, and most distributors of its software are active members of the group.
"All we ask is that people with an interest in this type of information join the list and demonstrate they are not simply a hacker looking for leads," he commented.