Subject: Not really an advocacy :-(
To: None <netbsd-advocacy@netbsd.org, tech-security@netbsd.org>
From: Ing.,BcA. Ivan Dolezal <ivan.dolezal@vsb.cz>
List: netbsd-advocacy
Date: 06/21/2002 17:09:04
Hello.

Question # 1:


June 17, 2002

- Internet Security Systems Security Advisory: Remote Compromise
   Vulnerability in Apache HTTP Server
- Apache Security Bulletin
- CERT Advisory

June 18, 2002

- updated Apache Security Bulletin


June 19, 2002

- FBI's National Infrastructure Protection Center Advisory
- Linux Weekly News report
- Apache releases 1.3.26
- Debian, Red Hat Linux release their packages (for free)
- "Package apache-1.3.24 has a remote-root-shell vulnerability"
   message from audit-packages

June 20, 2002

- Gobbles aka apache_scalp.c presented


June 21, 2002

...problem still not mentioned at netbsd.org/Security/
...problem still not mentioned at
ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/www/apache/README.html
(last audit from Jun 6 05:00)
...insecure 1.3.24 still available from the package collection

Unfortunately, it is the same situation with the OpenBSD web (the primary
target of apache_scalp.c).

How should I believe in *BSD's commitment to security? While BSD is
talking about high-quality software, Linux people actually did something.
Am I missing something?

Question # 2:

What are my chances of doing something like Openwall's stuff
(http://www.openwall.com/linux/README) with *BSD?