I was asked privately whether I found a solution. We wasted too much
time trying to convince people that we had a credible problem report,
and then it seemed that no one was prepared to actually do anything with
the information. After that time waste, we decided to give up on
RLimitCPU on
I was asked privately whether I found a solution. We wasted too much
time trying to convince people that we had a credible problem report,
and then it seemed that no one was prepared to actually do anything with
the information. After that time waste, we decided to give up on
RLimitCPU on
Here is the virtual host config from the procedure documented in:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/394350/comments/15
It is file:
/etc/apache2/sites-available/default
** Attachment added: default
http://launchpadlibrarian.net/29096236/default
--
RLimitCPU has no
Here is the virtual host config from the procedure documented in:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/394350/comments/15
It is file:
/etc/apache2/sites-available/default
** Attachment added: default
http://launchpadlibrarian.net/29096236/default
--
RLimitCPU has no
I have just reproduced the problem with a fresh install with latest
updates, and kept a detailed log as I did so. Perhaps someone can spot
something I am doing wrong? I would assume that I'm doing something
wrong, except comparable things work on Debian and with upstream, and my
users also
I have just reproduced the problem with a fresh install with latest
updates, and kept a detailed log as I did so. Perhaps someone can spot
something I am doing wrong? I would assume that I'm doing something
wrong, except comparable things work on Debian and with upstream, and my
users also
I appreciate the attempts Ubuntu people have made to reproduce the
problem, and I'm baffled that myself and my users are still easily
reproducing the problem.
I once again reproduced the problem on one of my Ubuntu configurations,
and observed through /proc/pid/limits that the limits are
Why is the status of this still Incomplete?
I realize that the holiday weekend here in the US probably interrupted
work, but it's now almost a week idling on what appears to be an Ubuntu-
specific security/stability problem for Apache servers.
I really need to know if Ubuntu has an imminent
* Simply take a fresh Ubuntu 8.04 install (which gets Apache 2.2.8), add
RLimitCPU 2 2 to the default Apache site file, drop the script above
into the cgi-bin dir, and run the CGI. You'll see that the CGI
process is *not* killed.
* Do the same thing on a Debian stable system (which gets Apache
(I had not seen Kees Cook's failure to reproduce before I posted my last
message.)
I have just reproduced the problem with a fresh install of 9.04 on an
X86 box. (I do not have a fresh 8.04 install at the moment.)
I am at a loss to explain why Kees Cook could not reproduce the problem.
I wonder
Why is the status of this still Incomplete?
I realize that the holiday weekend here in the US probably interrupted
work, but it's now almost a week idling on what appears to be an Ubuntu-
specific security/stability problem for Apache servers.
I really need to know if Ubuntu has an imminent
* Simply take a fresh Ubuntu 8.04 install (which gets Apache 2.2.8), add
RLimitCPU 2 2 to the default Apache site file, drop the script above
into the cgi-bin dir, and run the CGI. You'll see that the CGI
process is *not* killed.
* Do the same thing on a Debian stable system (which gets Apache
(I had not seen Kees Cook's failure to reproduce before I posted my last
message.)
I have just reproduced the problem with a fresh install of 9.04 on an
X86 box. (I do not have a fresh 8.04 install at the moment.)
I am at a loss to explain why Kees Cook could not reproduce the problem.
I wonder
I just verified that Ubuntu's 9.04's packaging of Apache 2.2.11 also
exhibits this problem.
Looking through the Ubuntu patches to upstream Apache 2.2.8 (where we
initially noticed the problem), I haven't yet found an obvious cause.
The people who did the packaging or patches on this would be
I just verified that Ubuntu's 9.04's packaging of Apache 2.2.11 also
exhibits this problem.
Looking through the Ubuntu patches to upstream Apache 2.2.8 (where we
initially noticed the problem), I haven't yet found an obvious cause.
The people who did the packaging or patches on this would be
Chuck Short wrote at 07/02/2009 09:51 AM:
Do you have a script or a cgi that tests this bug?
The following cgi-bin script can be used to trigger RLimitCPU in a
correctly functioning Apache. Setting the limits to 2 seconds of CPU
time typically permits around 10 seconds of real time to
Chuck Short wrote at 07/02/2009 09:51 AM:
Do you have a script or a cgi that tests this bug?
The following cgi-bin script can be used to trigger RLimitCPU in a
correctly functioning Apache. Setting the limits to 2 seconds of CPU
time typically permits around 10 seconds of real time to
*** This bug is a security vulnerability ***
Public security bug reported:
Binary package hint: apache2
The Apache RLimitCPU directive has no effect on in the Ubuntu
packaging of Apache 2.2.8. We have reproduced this problem on multiple
Ubuntu 8.04 systems, including a freshly-installed one.
*** This bug is a security vulnerability ***
Public security bug reported:
Binary package hint: apache2
The Apache RLimitCPU directive has no effect on in the Ubuntu
packaging of Apache 2.2.8. We have reproduced this problem on multiple
Ubuntu 8.04 systems, including a freshly-installed one.
19 matches
Mail list logo
