Received: (from majordom@localhost)
	by hyperreal.com (8.8.5/8.8.5) id XAA25657;
	Sun, 22 Jun 1997 23:33:04 -0700 (PDT)
Received: from plato.alameda-coe.k12.ca.us (plato.alameda-coe.k12.ca.us [206.110.1.34])
	by hyperreal.com (8.8.5/8.8.5) with SMTP id XAA25653
	for ; Sun, 22 Jun 1997 23:33:02 -0700 (PDT)
Received: from pappilloma.wwebsvs.com by plato.alameda-coe.k12.ca.us
	with smtp (Smail3.1.29.1 #5) id m0wg2Wu-000OYkC;
	Sun, 22 Jun 97 23:23 PDT
Received: from ace.nueva.pvt.k12.ca.us by pappilloma.wwebsvs.com
	(SMI-8.6/SMI-SVR4) id WAA13005;
	Sun, 22 Jun 1997 22:28:21 -0700
Received: from localhost by ace.nueva.pvt.k12.ca.us with SMTP
	(1.37.109.20/15.5+ECS 3.3+HPL1.1) id AA248117577;
	Sun, 22 Jun 1997 23:32:57 -0700
Date: Sun, 22 Jun 1997 23:32:57 -0700 (PDT)
From: Alexei Kosut
To: new-httpd@apache.org
Subject: Re: [PATCH] various security problems
In-Reply-To: <199706230600.BAA08008@sierra.zyzzyva.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

On Mon, 23 Jun 1997, Randy Terbush wrote:

> *sigh* I was hoping this email had been my imagination...
>
> This sounds pretty serious, and by virtue of it being posted on
> this list, I think we had better move quickly to release a 1.2.1.

If we are going to release a 1.2.1, I think we need to ensure that we
put all the bug fixes out there into it. These include most of the
patches put into HEAD in the last few days, as well as some others. Dean
was keeping a list, I think. Some of those patches have been committed,
some haven't. I don't think any have been committed to the 1.2 branch,
only the head.

> Are these problems worth creating a vendor initiated CERT advisory?

I don't think so. Most of these problems are, to my thinking,
essentially configuration issues. There is nothing that someone on the
outside of the web server could really do to take advantage of these on
most sites, but they could cause the web server admin to accidentally
enable the server to do things he might not have intended, especially if
the server is being used to serve pages of untrusted users.

-- 
________________________________________________________________________
Alexei Kosut                                    The Apache HTTP Server
URL: http://www.nueva.pvt.k12.ca.us/~akosut/    http://www.apache.org/