Apache (HTTPD) Server Patch Process and Example

Patches used to be submitted through the developers' mailing list and a bug database.
The process is now automated through the Bugzilla bug database:
(http://bz.apache.org/bugzilla/)

The basic requirements for Bugzilla:
(Process is from: https://httpd.apache.org/dev/patches.html)
-Must have a Bugzilla account; the process is found here: https://bz.apache.org/bugzilla/createaccount.cgi
-Fill in a bug report
-Must specify APR (if the patch is for srclib/apr or srclib/apr-util)
-Carefully explain the process of reproducing the bug and how the patch has been tested
-Edit the bug report to have a “PatchAvailable” keyword with a patch attached as the final step

If the patch is ignored:
-Be persistent but polite
-Get other Apache users to review the patch
-Make the patch easy to read and apply
-Research if there are any current or similar patches already being discussed in the community
-Help with other bugs to gain recognition in the community

This is a small community as stated by Apache.

An example is from (https://httpd.apache.org/security/vulnerabilities_24.html)

mod_md, DoS via Coredumps on specially crafted requests (CVE-2018-8011)
-Reported on 29 Jun 2018
-Update Released on 15 Jul 2018

Additional Detail:
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8011)
(https://www.securitytracker.com/id/1041401)

Basically, the exploit allows a remote user to cause the child process to crash.

The process seems relatively fast (about half a month). First the issue has to be found by a community user and reported (in this case it was through: https://www.securitytracker.com/id/1041401). The patch is then tested through Bugzilla and sent to be released.

The patching process seems straightforward, but it would not be fast if I were to start as a newcomer to the community.
