httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@znep.com>
Subject Re: Might as well be a CERT warning.
Date Sat, 11 Jan 1997 19:49:03 GMT
No.

You can make it break with http://host/ then 1000 '/'s; HUGE_STRING_LEN is
8192 or something.

But it doesn't seem to work against www.apache.org.  Does here with a
recent beta, even after my buffer overflow patches are applied.  I think
it may be something different.  Still looking.

On Sat, 11 Jan 1997, Randy Terbush wrote:

> 
> I'm assuming it is in read_request_line(). HUGE_STRING_LEN.
> 
> 
> > Anyone tracked down the exact location of the extra long url problem?
> > 
> > On Sat, 11 Jan 1997, Randy Terbush wrote:
> > 
> > > > Randy Terbush wrote:
> > > > > 
> > > > > 
> > > > > Looks like we have concensus to roll a 1.1.2 release with this patch
> > > > > applied. Shall I?  I raise the concern about all the other overflow
> > > > > problems that are being addressed in 1.2. Seems this could be used
> > > > > as a catalist to get these people to move to 1.2 instead of a 1.1.2.
> > > > > 
> > > > > *shrug*
> > > > 
> > > > In my view, we _must_ release a 1.1.2 which addresses the problem, though
> > > > it doesn't have to be that patch, of course. We can't have a server in
the
> > > > wild with a known security hole.
> > > > 
> > > > Cheers,
> > > > 
> > > > Ben.
> > > > 
> > > 
> > > *sigh*, But as the "Extra Long URL" email that just came in shows,
> > > there are a bunch of other problems.
> > > 
> > > Do we create a patched version backporting the changes that Marc Slemko
> > > is working on, or offer 1.2 as the fix?
> > > 
> > > 
> > > 
> 
> 
> 


Mime
View raw message