Yesterday must have been Webserver Wednesdsay, because two things happened. A new version of Apache was released, and a new tool for testing the vulnerability of webservers to denial of service (DoS) was released.
First, Apache 2.2.20 was released. This fixes the weird DoS vulnerability that surfaced last week, and it should be considered a mandatory upgrade for anyone running Apache. Hopefully you don’t have any Apache 1.3 servers still hanging around… But I know how things operate in the real world. There’s probably stuff even older than that hanging around.
Second, if you’re curious about your other web servers, you can use Slowhttptest to evaluate their vulnerability to several similar DoS conditions. Some may be fixable by installing patches; though others may not be, due to a vendor discontinuing a product or going out of business. If you have a site that can’t be fixed, you’ll have a decision to make; perhaps bringing it inside the intranet or at least inside a VPN. My current employer dragged a bunch of stuff into a VPN environment earlier this year as a precautionary measure.
And in semi-related news, Firefox 6.01 was released to provide protection against a compromised Google SSL certificate, but some early adopters are already reporting issues so you might not want to upgrade right away. If it didn’t already do it automatically, that is.
David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.