Posted to dev@httpd.apache.org by "William A. Rowe Jr." <wr...@rowe-clan.net> on 2011/12/20 10:25:09 UTC
[Result] [Vote] .htaccess logic abuse
On 11/18/2011 4:38 PM, William A. Rowe Jr. wrote:
> After several prods, it seems the security@ and hackathon participants
> can't be drawn out of their shells on to dev@. So I'll simply call for
> a majority vote on the following statement...
>
> Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth;
>
> [ ] Is not a security defect
Carries with Issac, Joe, Rüdiger, Reindl, Eric, Stefan and myself in support,
and Graham and Noel opposed. (6 x +1/1 x -1)
As previously pointed out...
> This would obviously need to be clarified in the associated .htaccess
> documentation, be associated with an advisory and affect the conclusion
> of several recent defect reports, both embargoed and discussed plainly
> here on this list.
We should start updating any relevant docs to point out that enabling
.htaccess *does* introduce the ability for an untrusted user to consume
an inordinate amount of server resources. I don't think we need to go
into the details discovered by our security team to make that point.
Re: [Result] [Vote] .htaccess logic abuse
Posted by Joe Orton <jo...@apache.org>.
On Tue, Dec 20, 2011 at 03:25:09AM -0600, William Rowe wrote:
> On 11/18/2011 4:38 PM, William A. Rowe Jr. wrote:
> > After several prods, it seems the security@ and hackathon participants
> > can't be drawn out of their shells on to dev@. So I'll simply call for
> > a majority vote on the following statement...
> >
> > Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth;
> >
> > [ ] Is not a security defect
>
> Carries with Issac, Joe, Rüdiger, Reindl, Eric, Stefan and myself in support,
> and Graham and Noel opposed. (6 x +1/1 x -1)
Thanks Bill - that consensus means that we do not consider CVE-2011-4415
to be a security vulnerability in httpd.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4415
Regards, Joe