Apache Vulnerability in WebTen

[Erik Lotspeich <erik@xxxxxxxxx>]

To all WebTen users:

By now most of you have probably see the recent CERT Advisory about
an Apache Vulnerability:
http://www.cert.org/advisories/CA-2002-17.html

The Apache in WebTen is subject to this vulnerability.  Since WebTen
is a Mac OS 9 product and since Tenon firmly believes that Macintosh
webmasters should transition to Apple's new (and much stronger) Mac
OS X, we have chosen not to update WebTen's Apache.

However, since WebTen includes Squid, turning Squid ON will alleviate
concerns about this new vulnerability.  In essence, running Squid as
an HTTPD accelerator for Apache, shields the user from the invalid
chunked-encoding requests that Apache is vulnerable to.

So our advice is 1) make plans to transition to Mac OS X.  And 2), in
the interim, make sure that you turn Squid ON.

Note:  Although Tenon recommends the use of Squid for performance reasons,
there may be a specific reason why you are running WebTen without Squid.
If you are in this situation, please contact Tenon Technical Support
(support@xxxxxxxxx) for further guidance.

As has been discussed on this list, a new paper that helps webmasters
move from Mac OS (WebTen or WebSTAR) to Mac OS X (with iTools) is in
process and should be available early next week.   Meanwhile, if
you're ready to make the move (iTools 6.5 has been updated to Apache
1.3.26, so it is not subject to being exploited by this
vulnerability), just give Tenon a call and we'll be happy to help you
make the transition.

Erik.

-- 
Erik Lotspeich                          Lead Engineer
Tenon Intersystems                      erik@xxxxxxxxx
1123 Chapala Street Ste 200             805-963-6983
Santa Barbara, CA 93101-3142            http://www.tenon.com/