Hello, I think we may have discovered an issue with mod_proxy that 'could' be used as an exploit to render an Apache server useless. I normally report more benign bugs via the normal bug reporting interface. However, this one bug is quite easy to create an exploit for so I am looking for guidance on how to report this issue. Should I report this on the apache bug tool (which will make this info publicly available) ?
What I have so far 1. a confirmed repro of the bug 2. a general area where we think the offending line in the code is causing the problem 3. attempted to fix the bug and created a patch but to no avail (we aren't familiar with the apr* modules and various ap* functions.) In addition I have scanned through the bug DB and found several instances of similar symptoms that we have observed around issues with mod_proxy. None of the bug a repro. I believe we could have found a repro case that consistently causes a lockup in Apache. Because of the sensitivity of this bug and its relative ease to craft an exploit, let me know how to proceed. We are willing to work with one or more individuals on the apache team who are familiar with the code to repro and test one or more patches. If the normal procedure is to report the bug via the Apache bug db, please let me know. Thanks in advance. PS: During our discovery, we also found another bug but it's more benign and I will file it as a separate bug
