httpd-users mailing list archives

From Purl Gurl <purlg...@purlgurl.net>
Subject Re: [users@httpd] Re: Bug Versions 1.3.28/29 Fixed In 1.3.31 Or Not?
Date Mon, 17 May 2004 13:35:02 GMT
Martin Lomas wrote:

(snipped)

(Topic: near fatal bugs in versions 1.3.28/29/31 Apache)

(Apache Org Claimed:)

> > "Yes, this is a bug in 1.3.28/1.3.29 which does a preventative
> >  close on socket fd's. Under Win32 this is unneeded and is not done,
> >  but Apache thinks this is an error.

> >  Bumping up LogLevel past warn will prevent the errors from filling
> >  error_log. This will be fixed in 1.3.30"

> > Has this bug been fixed or not? Anyone know?


> I'm running v1.3.31 on Win32 and that bug is definitely NOT fixed. Further,
> as with previous versions, no LogLevel stops the errors filling the log.
> Most annoying. Other than that, v1.3.31 is running fine.


Thanks Martin. I am, of course, disappointed.

Yes, my findings are no log level setting will prevent
massive log flooding despite a claim to the contrary
coming out of Apache.

Martin, I will spread the word to others to continue
using Apache 1.3.27 version. Clearly later versions
are so buggy they cannot be used.

Here is the true problem which Apache Org has yet
to realize, and has actually denied a number of
times despite my best efforts through bug reports,
discussion and rational reasoning.

Apache 1.3.x versions allow "any" request method,
regardless if compliant or not. This WebDav exploit,
which all of us suffer daily, is allowed through
and logs an entry ranging from eight kilobytes
to fifty-thousand kilobytes depending on what
transaction limit length is set for Apache.

Having both this socket closure bug and this
request method bug, nearly renders Apache
completely useless; an administrator has
no choice but to cope with megabytes of
log entries, daily, which amount to nothing
more than garbage. Having Apache logs grow
ten megabytes, twenty megabytes on a daily
basis, because of bugs, is most unacceptable
and causes serious problems; gigabyte size 
files very quickly.

WebDav exploits cannot be stopped. There are
no known methods to prevent these massive
log entries, literally no known methods,
including an inability to ip block offenders.
Same with the socket closure bug. Absolutely
nothing can be done about either bug.

I have tried many times to convince Apache to
repair these extremely serious bugs with no
luck; they claim these are not bugs. This
concerns me to know Apache has no plans to
correct near fatal bugs. I hold opinion
Apache is the best server, to date, but
now question if the quality of Apache is
not very quickly falling to a point of
rendering Apache useless. Certainly there
are those now considering making use of
other web server types to avoid problems.

Currently, I am hacking Apache's protocol
files, protocol.c and protocol.h with hopes
of curing this serious WebDav bug which
Apache believes is a non-issue.

On this socket closure bug, I have yet to
step through compiled Apache to discover
where this bug is located.

As a temporary measure, I am plugging in
a transparent firmware appliance to stop
the WebDav exploits. Avoiding the socket
closure bug is accomplished by using
only 1.3.27 version Apache.

I tried Apache version 2.x and found it is
more buggy than recent 1.3.28/31 versions.

Apache is the best server, no question.
However, many will be very disappointed
to learn Apache is becoming more buggy
with new releases. Surprises me Apache
has jumped to version 2.x without first
repairing near fatal bugs in 1.3.x versions.

Thanks again, Martin. I will spread the word
to avoid versions 1.3.28 through 1.3.31 Apache.

Should I come up with a viable solution via
hacking Apache source files, I will share 
this. However, any solution I develop will
require custom files and compilation, which
will leave most unable to correct bugs; few
know how to use Microsoft C++ compiler to
create a Win32 binary.

Martin, thanks again for this information.
You have saved me from having to suffer all
the problems of installing a new version
of Apache, only to discover a need to
downgrade to upgrade. Ironic.

I will let others know of this problem so
they can avoid a major headache caused by
often fatal bugs in Apache's Win32 msi
installer and executable installer.


Kira

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

