httpd-dev mailing list archives

From Alexei Kosut <ako...@nueva.pvt.k12.ca.us>
Subject Re: [PATCH] various security problems
Date Mon, 23 Jun 1997 06:32:57 GMT
On Mon, 23 Jun 1997, Randy Terbush wrote:

> *sigh* I was hoping this email had been my imagination...
> 
> This sounds pretty serious, and by virtue of it being posted on 
> this list, I think we had better move quickly to release a 1.2.1.

If we are going to release a 1.2.1, I think we need to ensure that we
put all the bug fixes out there into it. These include most of the
patches put into HEAD in the last few days, as well as some
others. Dean was keeping a list, I think. Some of those patches have
been committed, some haven't. I don't think any have been committed to
the 1.2 branch, only the head.

> Are these problems worth creating a vendor initiated CERT advisory?

I don't think so. Most of these problems are, to my thinking,
essentially configuration issues. There is nothing that someone on the
outside of the web server could really do to take advantage of these
on most sites, but they could cause the web server admin to
accidentally enable the server to do things he might not have
intended, especially if the server is being used to serve pages of
untrusted users.

-- 
________________________________________________________________________
Alexei Kosut <akosut@nueva.pvt.k12.ca.us>      The Apache HTTP Server
URL: http://www.nueva.pvt.k12.ca.us/~akosut/   http://www.apache.org/

