Yesterday must have been Webserver Wednesdsay, because two things happened. A new version of Apache was released, and a new tool for testing the vulnerability of webservers to denial of service (DoS) was released.
First, Apache 2.2.20 was released. This fixes the weird DoS vulnerability that surfaced last week, and it should be considered a mandatory upgrade for anyone running Apache. Hopefully you don’t have any Apache 1.3 servers still hanging around… But I know how things operate in the real world. There’s probably stuff even older than that hanging around.
Second, if you’re curious about your other web servers, you can use Slowhttptest to evaluate their vulnerability to several similar DoS conditions. Some may be fixable by installing patches; though others may not be, due to a vendor discontinuing a product or going out of business. If you have a site that can’t be fixed, you’ll have a decision to make; perhaps bringing it inside the intranet or at least inside a VPN. My current employer dragged a bunch of stuff into a VPN environment earlier this year as a precautionary measure.
And in semi-related news, Firefox 6.01 was released to provide protection against a compromised Google SSL certificate, but some early adopters are already reporting issues so you might not want to upgrade right away. If it didn’t already do it automatically, that is.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.