[ISN] Study: Admins slow in patching Apache-SSL servers

From: InfoSec News (isnat_private)
Date: Wed Aug 21 2002 - 01:34:58 PDT


    http://www.nwfusion.com/news/2002/0820apssl.html
    
    By Joris Evers
    IDG News Service
    08/20/02 
    
    Many Web servers running Apache-SSL remain vulnerable to attacks,
    although a June security alert prompted administrators to patch
    standard Apache Web installations, according to a survey released
    Tuesday.
    
    About 75% of Web sites hosted on Apache-SSL servers are vulnerable, as
    the software has not been upgraded to fix a serious flaw uncovered in
    June, according to a survey by Web server information firm Netcraft,
    of Bath, England.
    
    Administrators seem to have given priority to patching regular Apache
    installations, as about half of the 22 million Web sites that rely on
    Apache are protected through an Apache software upgrade, Netcraft
    said.
    
    Apache-SSL is a combination of the Apache Web server and OpenSSL
    security software meant to offer secure Web site connections.  
    Apache-SSL is used for electronic commerce Web sites, for example.  
    Both Apache and OpenSSL are open-source products developed by
    volunteers.
    
    The Apache Software Foundation, which supports the Apache open-source
    project, in June advised administrators to upgrade their Apache
    installations because of a flaw in the way the Web server parses
    uploaded data, a so-called chunked encoding vulnerability.
    
    The flaw affects all versions of Apache 1.2, versions of Apache 1.3 up
    to 1.3.24 and versions of Apache 2 up to 2.0.36, according to a
    statement from the Foundation released on June 20.
    
    Apache is the most used Web server software in the world, with 66% of
    active sites running Apache, according to Netcraft.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


