Information about the security hole and fix is now available at http://hoohoo.ncsa.uiuc.edu/docs/patch_desc.html. If you picked up a precompiled binary prior to noon on Mon. (2/20/95), you may not have received a patched version and your server may still be vulnerable.
13 Feb 1995, 21:02
Thomas Lopatic reported a Vulnerability in NCSA HTTPD v1.3 via the bugtraq world-wide mailing list
13 Feb 1995, 21:25
Thomas Lopatic's EMail is forwarded to the Navy OnLine Working Group with a strong suggestion for immediate action
13 Feb 1995, 21:30
Another EMail message is sent to the NOLWG, since the multiple exclamation marks in the "Subject" field were inadvertently translated by a Unix command shell (duh!)
13 Feb 1995, 22:41
NCSA is notified by private EMail to a group of individuals within that organization
13 Feb 1995, 23:01
The www-managers mailing list is warned by EMailing a reference to Lopatic's message, available from a W3 browsable bugtraq archive
14 Feb 1995, 08:07
Paul "Shag" Walmsley confirms the problem and re-iterates the solution implied by Mr. Lopatic
14 Feb 1995, 08:30
The Computer Incident Advisory Capability (CIAC) publishes Advisory Notice F-11
14 Feb 1995, 13:26
Randy Taylor posts a copy of the CIAC notice to the NRL ADP-Security Usenet news group
14 Feb 1995, 13:47
NRLSSC Webmasters are directed to a browsable copy of the fix
15 Feb 1995, 07:29
A local webmaster expresses doubts
15 Feb 1995, 09:25
A different local webmaster clarifies the location of the errant line of code
15 Feb 1995, 10:47
Yet another local webmaster draws attention to the NRL ADP-Security news group, and requests a collection of related EMail (etc), resulting in this extended chronology of events
15 Feb 1995, 13:06
An NRL Employee forwards a copy of the CIAC advisory and inquires as to the "extent" of the vulnerability.
15 Feb 1995, 13:30
Still no word from NCSA or www-managers, nor on any of the infosystems.www Usenet groups.
15 Feb 1995, 22:00 (approximate)
A posting to comp.security.unix from 07:12 finally percolates down to the NRLSSC News Server. It's the F-11 advisory along with a claim that the Unix NCSA HTTPD Vulnerability has gotten little attention so far.
16 Feb 1995, 13:00 (approximate)
F-11 was also posted to comp.infosystems.www.providers at 08:51 on 14 Feb 1995, though it took more than a day to get posted at the NRLSSC News server.
17 Feb 1995, 15:00 (approximate)
F-11 is forwarded by a Systems Administrator in its latest guise as Defense Data Network (DDN) Security Coordination Center (SCC) Security Bulletin 9506.
17 Feb 1995, 11:35 (approximate)
CERT Advisory CA-95:04 is published.
20 Feb 1995, 13:34
NCSA HTTPD v1.3R becomes available via FTP from NCSA.
21 Feb 1995, 14:43:50
Elizabeth Frank, representing the HTTPD Development Team at NCSA, posts an article to comp.infosystems.www.providers announcing the availability of information about the security hole and its fix.
27 Feb 1995, 14:56
A copy of NAVCIRT Computer Security Advisory 95-09 arrives via a local mailing list.