Hi,

On Fri, 21 Feb 2003, Steve Grubb wrote:
>
> Hello,
>
> I noticed a problem with apache 2.x back in October and contacted the
> apache security team with the problem. They've had about 4 months to do
> something with the problem but haven't seen fit to fix it yet. The last
> time I tried to status their progress no one replied to my query.
>
> I was playing around with env_audit studying various properties of
> environments created for child processes. (Study is here -
> http://www.web-insights.net/env_audit/environments.pdf ) Out of this, I
> noticed that apache 2.x leaks 2 open descriptors for each website on a
> machine and the main access & error log for the daemon. These open
> descriptors go to the access and error log of each website.
>
> It appears that every cgi environment has this problem. For example put
> this in a .shtml file:

There is a proposed fix for this in

    http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17206

The bug seems to have been in apache for quite some time but only appeared
after a typo in the apr library was fixed for apache 2.0.40.

We have also not had a reaction from the apache group yet.

Greetings
Christian Kratzer
CK Software GmbH

--
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ckat_private
Phone: +49 7452 889-135
Open Software Solutions, Network Security
Fax: +49 7452 889-136
FreeBSD spoken here!
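
The descriptor leak discussed in the message above can be checked from inside any child process. The following is an added example, not part of the original post and not the fix proposed in the Bugzilla entry: it counts descriptors above stderr that would survive `exec()` and shows the general close-on-exec mitigation. The function names are hypothetical, and `/dev/null` is a constructed stand-in for a virtual host's log file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1: fd is open and survives exec() (leaks to a CGI child);
 * 0: fd is open but close-on-exec; -1: fd is not open. */
int fd_survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Count descriptors above stderr that an exec()ed child would inherit. */
int count_leaked_fds(int max_fd)
{
    int n = 0;
    for (int fd = 3; fd < max_fd; fd++)
        if (fd_survives_exec(fd) == 1)
            n++;
    return n;
}

/* Mark fd close-on-exec; returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

int main(void)
{
    /* Constructed stand-in for a virtual host's access log. */
    int log_fd = open("/dev/null", O_WRONLY | O_APPEND);
    if (log_fd < 0)
        return 1;
    printf("inheritable fds above stderr: %d\n", count_leaked_fds(256));
    if (set_cloexec(log_fd) != 0)
        return 1;
    printf("after FD_CLOEXEC:             %d\n", count_leaked_fds(256));
    close(log_fd);
    return 0;
}
```

Compiled and run as a CGI program, `count_leaked_fds` reports how many descriptors the server handed to the child; a non-zero count means the child holds descriptors it was never meant to have.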
This archive was generated by hypermail 2b30 : Sun Feb 23 2003 - 15:44:11 PST