Re: Apache Win32 8192 string bug

From: Jay D. Dyson (jdysonat_private)
Date: Thu Apr 12 2001 - 11:27:38 PDT


    On Wed, 11 Apr 2001, Marc Slemko wrote:
    
    > > 	I'm a bit surprised at the attention this bug in Win32 Apache is
    > > getting.  If memory serves, the Apache crew themselves state that Win32
    > > Apache should be considered beta grade at best.  Thus, anyone who's using
    > > it in a production environment is really hanging their balls out for a
    > > hammer-happy clown.
    > >
    > > 	Of course, the same is true for IIS, but Microsoft doesn't have
    > > the decency to call their crap "beta."
    >
    > Just because someone may not be using it in a production environment
    > doesn't mean that security doesn't matter.
    
    	A DoS is more of a PITA than a genuine security issue, especially
    when we're talking about non-production environments.
    
    > Yes, there are lots of issues with running webservers in Win32.  Many of
    > them have come up in virtually every Win32 webserver out there since
    > they are due to nasty "features" in the underlying OS.  Certainly, due
    > to the (unnecessary, IMHO) complexity of parts of the OS, it is a lot
    > more likely that new issues will be found with Apache on Win32 than
    > Apache on Unix.  But that doesn't provide any excuse for not treating
    > issues that are found with the proper severity.
    
    	I just find it hard to get excited about a DoS possibility in an
    admittedly beta product.  Sure, it should be looked into and reported to
    the Apache team, but the whole matter of whether or not a beta product has
    bugs is wholly academic.
    
    - -Jay
    
      (    (                                                          _______
      ))   ))   .- "There's always time for a good cup of coffee" -.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<) |    = |-'
     `--' `--'  `---------- "Si vis pacem, para bellum." ----------'  `------'
    


