http://httpd.apache.org/ mini-advisory needed on 2.4.9 breakage IMO...

2014-04-11 Thread Jeff Trawick
Is it just this and the SSLPassPhraseDialog exec command-line parameter change? I dunno. -- Forwarded message -- From: Jesse Defer jesse.de...@asu.edu Date: Thu, Apr 10, 2014 at 4:34 PM Subject: [users@httpd] 2.4.9 expecting DH PARAMETERS To: us...@httpd.apache.org

Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

2014-04-11 Thread Jeff Trawick
SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called Heartbleed Bug. No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server configuration change besides disabling SSL/TLS completely can resolve this. Instead,

Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

2014-04-11 Thread Jeff Trawick
On Fri, Apr 11, 2014 at 8:38 AM, Jeff Trawick traw...@gmail.com wrote: SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called Heartbleed Bug. No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server

Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

2014-04-11 Thread Rainer M. Canavan
On Apr 11, 2014, at 14:38, Jeff Trawick traw...@gmail.com wrote: SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called Heartbleed Bug. No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server

The SERVER_ADDR environment variable

2014-04-11 Thread Andre Nathan
Hello I'm trying to protect a webserver from DDoS attacks. The plan for this is to not publish its IP address anywhere public. DNS records point to a CDN service like CloudFlare. The CDN will sync to the webserver via a random entry in the zone, making it undiscoverable. The issue I'm facing is

Re: The SERVER_ADDR environment variable

2014-04-11 Thread Reindl Harald
On 11.04.2014 15:34, Andre Nathan wrote: I'm trying to protect a webserver from DDoS attacks. The plan for this is to not publish its IP address anywhere public. DNS records point to a CDN service like CloudFlare. The CDN will sync to the webserver via a random entry in the zone, making

Re: The SERVER_ADDR environment variable

2014-04-11 Thread Eric Covener
Would it be a good idea to allow SERVER_ADDR to optionally not be set? I could work on a patch to do this if the idea is considered valid. I think it's a reasonable switch to add, for the concern of inadvertent disclosure from a script. Maybe just an environment variable or note rather than a

Heartbleed Bug

2014-04-11 Thread Amit Vasudevan
Hello, I am Amit Vasudevan, a scientist at CyLab, Carnegie Mellon University with a research focus on hypervisors and trusted computing technologies. I am also the principal force behind the open-source eXtensible and Modular Hypervisor Framework (http://xmhf.org), a framework for developing new

Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

2014-04-11 Thread Jeff Trawick
On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan rainer.cana...@sevenval.com wrote: On Apr 11, 2014, at 14:38, Jeff Trawick traw...@gmail.com wrote: SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called Heartbleed Bug.

Re: Heartbleed Bug

2014-04-11 Thread Roman Drahtmueller
I am writing to this developer's list regarding the recent heartbleed bug. [...] We have in the past developed a XMHF hypapp called TrustVisor at CMU where we propose to keep the OpenSSL private key inside an isolated execution environment within the apache web server. This would have

Re: Heartbleed Bug

2014-04-11 Thread Amit Vasudevan
Heartbleed allows for disclosure of memory, which is by far not limited to the x509 keypair or the symmetric session key. A privilege boundary supported by the processor (TXT, ...) that helps protect assets private to openssl by means of separation is therefore clearly insufficient. Along with

Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

2014-04-11 Thread Jeff Trawick
On Fri, Apr 11, 2014 at 10:18 AM, Jeff Trawick traw...@gmail.com wrote: On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan rainer.cana...@sevenval.com wrote: On Apr 11, 2014, at 14:38 , Jeff Trawick traw...@gmail.com wrote: SSL/TLS-enabled configurations of Apache HTTP Server with

Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

2014-04-11 Thread Rainer Jung
On 11.04.2014 18:05, Jeff Trawick wrote: On Fri, Apr 11, 2014 at 10:18 AM, Jeff Trawick traw...@gmail.com wrote: On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan rainer.cana...@sevenval.com wrote: On Apr

MPMs runtime counters shared with modules

2014-04-11 Thread Yann Ylavic
Hi, I want to use: ap_mpm_query(AP_MPMQ_MAX_DAEMON_USED, num_children) at runtime (in a module) to take some maintenance actions accordingly. Unfortunately, this (retained) data is updated by the parent process without any visibility from the children. So I wrote the attached patch to put

Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

2014-04-11 Thread Jeff Trawick
On Fri, Apr 11, 2014 at 12:47 PM, Rainer Jung rainer.j...@kippdata.de wrote: On 11.04.2014 18:05, Jeff Trawick wrote: On Fri, Apr 11, 2014 at 10:18 AM, Jeff Trawick traw...@gmail.com wrote: On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan

Re: Configuration error handling after httpd restart

2014-04-11 Thread Jim Riggs
On 27 Mar 2014, at 14:16, Mike Rumph mike.ru...@oracle.com wrote: Hello all, I have been doing some testing on the results of httpd restart with configuration errors. This gave me some interesting results. For these tests I build httpd trunk with APR trunk on Linux using the following

Re: The SERVER_ADDR environment variable

2014-04-11 Thread Andre Nathan
On Fri, Apr 11, 2014 at 11:01 AM, Eric Covener cove...@gmail.com wrote: I think it's a reasonable switch to add, for the concern of inadvertent disclosure from a script. Maybe just an environment variable or note rather than a directive since that directive would be in the core. Thanks. I

Re: The SERVER_ADDR environment variable

2014-04-11 Thread Eric Covener
On Fri, Apr 11, 2014 at 12:28 PM, Andre Nathan andre...@gmail.com wrote: On Fri, Apr 11, 2014 at 11:01 AM, Eric Covener cove...@gmail.com wrote: I think it's a reasonable switch to add, for the concern of inadvertent disclosure from a script. Maybe just an environment variable or note rather

Re: The SERVER_ADDR environment variable

2014-04-11 Thread Andre Nathan
On Fri, Apr 11, 2014 at 3:31 PM, Eric Covener cove...@gmail.com wrote: Should have been more clear, I meant a per-request environment variable from r->subprocess_env (SetEnvIf/SetEnv) not a native one I have a working patch for this too, but this would allow a user to use UnsetEnv in his

Re: The SERVER_ADDR environment variable

2014-04-11 Thread Eric Covener
On Fri, Apr 11, 2014 at 1:00 PM, Andre Nathan andre...@gmail.com wrote: On Fri, Apr 11, 2014 at 3:31 PM, Eric Covener cove...@gmail.com wrote: Should have been more clear, I meant a per-request environment variable from r->subprocess_env (SetEnvIf/SetEnv) not a native one I have a working

Re: The SERVER_ADDR environment variable

2014-04-11 Thread Jeff Trawick
On Fri, Apr 11, 2014 at 3:00 PM, Andre Nathan andre...@gmail.com wrote: On Fri, Apr 11, 2014 at 3:31 PM, Eric Covener cove...@gmail.com wrote: Should have been more clear, I meant a per-request environment variable from r->subprocess_env (SetEnvIf/SetEnv) not a native one I have a working

Re: The SERVER_ADDR environment variable

2014-04-11 Thread Reindl Harald
On 11.04.2014 21:15, Jeff Trawick wrote: On Fri, Apr 11, 2014 at 3:00 PM, Andre Nathan andre...@gmail.com wrote: On Fri, Apr 11, 2014 at 3:31 PM, Eric Covener cove...@gmail.com wrote: Should have been more clear, I meant