Posted to users@httpd.apache.org by Dan Ehrlich <da...@ehrlichserver.com> on 2019/01/23 00:56:55 UTC

[users@httpd] Apache Fake Story?

Is this true?

https://github.com/hannob/apache-uaf/blob/master/README.md

Was this security vulnerability really treated with such disregard by Apache HTTPD devs? 

I am aware the work that they do is free, but I contribute to plenty of open source for free and take the responsibility very seriously. 

This is extremely disturbing and we should all be concerned. 

If there was an oversight I made or this story changed please respond and correct me and I apologize in advance.
Re: [users@httpd] Apache Fake Story?

Posted by Yehuda Katz <ye...@ymkatz.net>.
Check the bugzilla thread for all the details:
https://bz.apache.org/bugzilla/show_bug.cgi?id=63098
The short version is that HTTPD developers found that the bug can only be
reproduced under specific conditions with debugging options turned on,
which is not the way people usually run the server (with the exception of
OpenBSD ports distribution which had another mitigating factor).

There is also a post about h2 specifically:
https://icing.github.io/mod_h2/pool-debugging.html

- Y

On Tue, Jan 22, 2019 at 7:57 PM Dan Ehrlich <da...@ehrlichserver.com> wrote:

> Is this true?
>
> https://github.com/hannob/apache-uaf/blob/master/README.md
>
> Was this security vulnerability really treated with such disregard by
> Apache HTTPD devs?
>
> I am aware the work that they do is free, but I contribute to plenty of
> open source for free and take the responsibility very seriously.
>
> This is extremely disturbing and we should all be concerned.
>
> If there was an oversight I made or this story changed please respond and
> correct me and I apologize in advance.
>
>
>
>

Re: [users@httpd] Apache Fake Story?

Posted by Eric Covener <co...@gmail.com>.
On Tue, Jan 22, 2019 at 7:57 PM Dan Ehrlich <da...@ehrlichserver.com> wrote:
>
> Is this true?
>
> https://github.com/hannob/apache-uaf/blob/master/README.md
>
> Was this security vulnerability really treated with such disregard by Apache HTTPD devs?

I would personally characterize it differently, without calling what
is written above "fake" or even misleading.

There was no (absolute) disregard, large amounts of time from a
half-dozen people were involved in the original report.
But nonetheless there was a failure to solve (all) of the reported
problems in the report.

- A large and changing set of symptoms was reported in a build with
two layers of non-production memory diagnostics enabled.
- The project team solved some bugs that may have been in the right
neighborhood, but nowhere near complete.
- After communications problems, both sides went silent.
- The reporter recognized this impasse and notified us he would
publish his work w/o fixes (nor exploits) for the problem.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org