httpd-users mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: [users@httpd] Apache Fake Story?
Date Wed, 23 Jan 2019 02:44:22 GMT
On Tue, Jan 22, 2019 at 7:57 PM Dan Ehrlich <dan@ehrlichserver.com> wrote:
>
> Is this true?
>
> https://github.com/hannob/apache-uaf/blob/master/README.md
>
> Was this security vulnerability really treated with such disregard by Apache HTTPD devs?

I would personally characterize it differently, without calling what
is written above "fake" or even misleading.

There was no (absolute) disregard, large amounts of time from a
half-dozen people were involved in the original report.
But nonetheless there was a failure to solve (all) of the reported
problems in the report.

- A large and changing set of symptoms was reported in a build with
two layers of non-production memory diagnostics enabled.
- The project team solved some bugs that may have been in the right
neighborhood, but nowhere near complete.
- After communications problems, both sides went silent.
- The reporter recognized this impasse and notified us he would
publish his work w/o fixes (nor exploits) for the problem.
