retitle 629899 ap_get_local_host is broken (can't always determine the server's FQDN)
severity 629899 important
thanks
with potential security implications (depending on what Apache does with the FQDN).

After reading the source, it appears that the ap_get_local_host function in server/util.c is broken: it uses apr_sockaddr_info_get to get the FQDN (thus does a network access) instead of using gethostbyname (possibly an APR limitation); if gethostbyname is not available on some systems, Apache could still use the current method.

On my machine, the FQDN is specified via /etc/hosts, thus doesn't depend on the network being set up. For instance, here we apparently have dynamic DNS set up, so that resolving the host name during the boot via the DNS system may fail because the request is done too early after the DHCP client has started.

Moreover, from a security point of view, it is a bad idea to use the DNS system when the FQDN is defined locally, because the DNS system may give incorrect information (e.g. when connecting via a public access point).

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
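
The report's point about preferring a locally defined FQDN over a DNS answer, as an added example that is not part of the original message and is not Apache or APR code: a C function that reads the FQDN for a host name out of hosts(5)-format text with no network access. The name `local_fqdn`, the `SAMPLE_HOSTS` content and the host names in it are constructed for illustration, and matching is case-sensitive for brevity.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in hosts(5) format: address, canonical name, aliases. */
static const char SAMPLE_HOSTS[] =
    "127.0.0.1   localhost\n"
    "# the next line defines the FQDN locally\n"
    "127.0.1.1   myhost.example.org myhost   # canonical name first\n"
    "192.0.2.10  other.example.org other\n";

/* Hypothetical helper: find `host` (case-sensitive) among the names of a
 * hosts-format entry, with no network access. Returns 1 and copies the
 * entry's canonical name (first name after the address) to `out` if that
 * name is fully qualified; returns 0 if no FQDN for `host` is defined. */
int local_fqdn(const char *hosts, const char *host, char *out, size_t outlen)
{
    size_t hlen = strlen(host);
    while (*hosts) {
        size_t n = strcspn(hosts, "\n");                  /* whole line */
        const char *p = hosts;
        const char *stop = hosts + strcspn(hosts, "#\n"); /* drop comment */
        const char *canon = NULL;
        size_t clen = 0;
        hosts += n + (hosts[n] == '\n');
        for (int field = 0; p < stop; field++) {
            p += strspn(p, " \t\r");
            size_t len = strcspn(p, " \t\r#\n");
            if (len == 0) break;                          /* end of entry */
            if (field == 1) { canon = p; clen = len; }
            if (field >= 1 && len == hlen && strncmp(p, host, len) == 0) {
                if (!memchr(canon, '.', clen) || clen >= outlen)
                    return 0;              /* no dot, or does not fit */
                memcpy(out, canon, clen);
                out[clen] = '\0';
                return 1;
            }
            p += len;
        }
    }
    return 0;
}

int main(void)
{
    char fqdn[256];
    int ok = local_fqdn(SAMPLE_HOSTS, "myhost", fqdn, sizeof fqdn);
    printf("local FQDN: %s\n", ok ? fqdn : "(none defined locally)");
    return 0;
}
```

A caller would consult the resolver only when this returns 0, so a name defined locally never depends on the network being up or on what a DNS server answers.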