Re: Apache Fake Story?

Check the bugzilla thread for all the details: https://bz.apache.org/bugzilla/show_bug.cgi?id=63098
The short version is that HTTPD developers found that the bug can only be reproduced under specific conditions with debugging options turned on, which is not the way people usually run the server (with the exception of the OpenBSD ports distribution, which had another mitigating factor).

There is also a post about h2 specifically: https://icing.github.io/mod_h2/pool-debugging.html

- Y

On Tue, Jan 22, 2019 at 7:57 PM Dan Ehrlich <dan@xxxxxxxxxxxxxxxxx> wrote:
Is this true?

https://github.com/hannob/apache-uaf/blob/master/README.md

Was this security vulnerability really treated with such disregard by Apache HTTPD devs? 

I am aware the work that they do is free, but I contribute to plenty of open source for free and take the responsibility very seriously. 

This is extremely disturbing and we should all be concerned. 

If there was an oversight I made or this story changed, please respond and correct me, and I apologize in advance.



