On Tue, Jan 22, 2019 at 7:57 PM Dan Ehrlich <dan@xxxxxxxxxxxxxxxxx> wrote:
>
> Is this true?
>
> https://github.com/hannob/apache-uaf/blob/master/README.md
>
> Was this security vulnerability really treated with such disregard by Apache HTTPD devs?

I would personally characterize it differently, without calling what is written above "fake" or even misleading.

There was no (absolute) disregard, large amounts of time from a half-dozen people were involved in the original report. But nonetheless there was a failure to solve (all) of the reported problems in the report.

- A large and changing set of symptoms was reported in a build with two layers of non-production memory diagnostics enabled.
- The project team solved some bugs that may have been in the right neighborhood, but nowhere near complete.
- After communications problems, both sides went silent.
- The reporter recognized this impasse and notified us he would publish his work w/o fixes (nor exploits) for the problem.