Re: [Bug 26076] make install DESTDIR

2004-01-13 Thread Stas Bekman
Joe Orton wrote: On Mon, Jan 12, 2004 at 11:43:10PM -0800, Stas Bekman wrote: [EMAIL PROTECTED] wrote: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26076 [...] --- Additional Comments From [EMAIL PROTECTED] 2004-01-13 07:18 --- That's not a bug: a $DESTDIR installation is an

Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Jim Jagielski
I'd like to get some sort of feedback concerning the idea of having ServerTokens not only adjust what Apache sends in the Server header, but also allow the directive to fully set that info. For example: ServerTokens Set Aporche/3.5 would cause Apache to send Aporche/3.5 as the Server header. Some

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Lars Eilebrecht
According to Jim Jagielski: I'd like to get some sort of feedback concerning the idea of having ServerTokens not only adjust what Apache sends in the Server header, but also allow the directive to fully set that info. I tend to be -1 on this for the following reasons: - It's only security

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Ivan Ristic
Jim Jagielski wrote: I'd like to get some sort of feedback concerning the idea of having ServerTokens not only adjust what Apache sends in the Server header, but also allow the directive to fully set that info. For example: ServerTokens Set Aporche/3.5 would cause Apache to send Aporche/3.5 as

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Colm MacCarthaigh
On Tue, Jan 13, 2004 at 03:04:30PM +0100, Lars Eilebrecht wrote: - It's only security by obscurity and providing such a security feature may be misleading for our users. - We don't want people to obfuscate the server name, do we? It's a terrible terrible terrible idea, and makes auditing

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Mads Toftum
On Tue, Jan 13, 2004 at 08:53:38AM -0500, Jim Jagielski wrote: I'd like to get some sort of feedback concerning the idea of having ServerTokens not only adjust what Apache sends in the Server header, but also allow the directive to fully set that info. For example: ServerTokens Set

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread André Malo
* Ivan Ristic [EMAIL PROTECTED] wrote: I like the idea. Right now you either have to change the source code or use mod_security to achieve this, but I think the feature belongs to the server core. But I think a new server directive is a better solution. As Lars said (and I

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Jim Jagielski
Colm MacCarthaigh wrote: On Tue, Jan 13, 2004 at 03:04:30PM +0100, Lars Eilebrecht wrote: - It's only security by obscurity and providing such a security feature may be misleading for our users. - We don't want people to obfuscate the server name, do we? It's a terrible terrible

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Ivan Ristic
I like the idea. Right now you either have to change the source code or use mod_security to achieve this, but I think the feature belongs to the server core. But I think a new server directive is a better solution. As Lars said (and I agree), it has nothing to do with security. Why do you

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread André Malo
* Ivan Ristic [EMAIL PROTECTED] wrote: I like the idea. Right now you either have to change the source code or use mod_security to achieve this, but I think the feature belongs to the server core. But I think a new server directive is a better solution. As Lars said (and

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Jim Jagielski
Ivan Ristic wrote: As Lars said (and I agree), it has nothing to do with security. Why do you provide such a feature then? Because I believe that changing the signature prevents some automated tools from attacking the server. So, the signature does matter. Without a

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Lars Eilebrecht
According to Ivan Ristic: I recently changed the signature of the Apache running on modsecurity.org (to pretend to be IIS5). As a result, I've started getting more IIS-related attacks than before. So, the signature does matter. I'm getting IIS-related attacks on my servers even

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Chip Cuccio
* On Tue, Jan 13, 2004 at 02:25:36PM +, Ivan Ristic wrote: Because I believe that changing the signature prevents some automated tools from attacking the server. This is a valid point. I recently changed the signature of the Apache running on modsecurity.org (to pretend to be

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Lars Eilebrecht
According to Jim Jagielski: I didn't propose this to create (yet another) heated discussion, too late ;) simply to suggest that we take ServerTokens to its logical conclusion based on some requests I've seen. :) Sorry, but I don't see this as the logical conclusion of the ServerTokens

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Jim Jagielski
Lars Eilebrecht wrote: According to Jim Jagielski: I didn't propose this to create (yet another) heated discussion, too late ;) simply to suggest that we take ServerTokens to its logical conclusion based on some requests I've seen. :) Sorry, but I don't see this as the logical

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Jim Jagielski
Mads Toftum wrote: On Tue, Jan 13, 2004 at 09:35:15AM -0500, Jim Jagielski wrote: Without a doubt. Look at how many exploits grep on not only the name of the server but also the version. So it is ok to be vulnerable - as long as it isn't obvious? Of course not. --

[1.3 PATCH] issue prctl(PR_SET_DUMPABLE) where available

2004-01-13 Thread Jeff Trawick
Rather than using multiple symbols (HAVE_SYS_PRCTL_H, HAVE_PRCTL), which would add to the CFLAGS, there is a single symbol HAVE_SET_DUMPABLE which is defined via CFLAGS if all prerequisites are met. testing: Fedora Core 1: verified that feature was recognized and that the new code was

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Ivan Ristic
I recently changed the signature of the Apache running on modsecurity.org (to pretend to be IIS5). As a result, I've started getting more IIS-related attacks than before. So, the signature does matter. And what was the security advantage? Smaller number of attack attempts made

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Colm MacCarthaigh
On Tue, Jan 13, 2004 at 03:28:24PM +, Ivan Ristic wrote: Also, imagine I have a PHP application (I chose PHP because it runs on Windows and on Unix), and that someone is trying to find a hole in the app. If they think I'm running Windows they'll try to run Windows-specific

Re: 2.0.48 worker mpm on RH3 NPTL results

2004-01-13 Thread gregames
Jean-Jacques Clar wrote: I never used any profiling tools on Linux, but will like to learn as much as possible in that field. Since I have to start from scratch, Is oprofile the best one or do you have any other suggestions? oprofile is my favorite for Linux because: * it's open source and the

Re: [1.3 PATCH] log error if returning 500

2004-01-13 Thread Martin Kraemer
On Mon, Jan 12, 2004 at 12:38:59PM -0500, Jeff Trawick wrote: 2.x already does this Of course. 500's should always be logged if generated by Apache. +1. Martin -- [EMAIL PROTECTED] | Fujitsu Siemens Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany

Re: [1.3 PATCH] issue prctl(PR_SET_DUMPABLE) where available

2004-01-13 Thread Joe Orton
On Tue, Jan 13, 2004 at 09:54:45AM -0500, Jeff Trawick wrote: Rather than using multiple symbols (HAVE_SYS_PRCTL_H, HAVE_PRCTL), which would add to the CFLAGS, there is a single symbol HAVE_SET_DUMPABLE which is defined via CFLAGS if all prerequisites are met. testing: Fedora Core 1:

Re: Proposal: Allow ServerTokens to specify Server header completely

2004-01-13 Thread Martin Kraemer
On Tue, Jan 13, 2004 at 09:35:15AM -0500, Jim Jagielski wrote: I didn't propose this to create (yet another) heated discussion, simply to suggest that we take ServerTokens to its logical conclusion based on some requests I've seen. :) Yes. I agree with Lars that security by obscurity is not

Re: [1.3 PATCH] issue prctl(PR_SET_DUMPABLE) where available

2004-01-13 Thread Jim Jagielski
+1 On Jan 13, 2004, at 9:54 AM, Jeff Trawick wrote: Rather than using multiple symbols (HAVE_SYS_PRCTL_H, HAVE_PRCTL), which would add to the CFLAGS, there is a single symbol HAVE_SET_DUMPABLE which is defined via CFLAGS if all prerequisites are met.

[OT] Incoming FAX to Email gateway s/w

2004-01-13 Thread Jim Jagielski
Offlist, please contact me regarding suggestions on various (incoming) FAX-to-Email solutions. Not the normal send a FAX by sending an Email but receive an incoming FAX, image-ize it (TIFF, JPG, whatever) and send via Email to someone. tia.

check_forensic not working with GNU xargs?

2004-01-13 Thread Ivan Ristic
I've installed mod_log_forensic to test (from the CVS, 1.3 branch) but the shell script check_forensic does not work for me. It fails because the xargs binary does not implement the -I placeholder parameter. Checked on RH, Suse and Cygwin, all running the GNU version of xargs. On which platforms

Re: check_forensic not working with GNU xargs?

2004-01-13 Thread Erik Abele
On 13.01.2004, at 22:08, Ivan Ristic wrote: Checked on RH, Suse and Cygwin, all running the GNU version of xargs. On which platforms does it work? Works for me on FreeBSD and OS X and would work with -i on RH8.0's GNU version of xargs. Cheers, Erik

Re: what about 2.1.0 ?????

2004-01-13 Thread William A. Rowe, Jr.
Günter, Just so that everyone is on the same page, 2.1.0 will be an -alpha. If and when we think we are about done with post 2.0 development, we will finally release a 2.1.x-beta. That will become the codebase (after an iteration or few) of the Apache 2.2 release. We are moving towards the

Re: FD_SETSIZE comparison

2004-01-13 Thread William A. Rowe, Jr.
Perhaps this is none of Apache's business, but should be a very specific result from the various apr_poll setup functions that invoke select()? Bill At 08:53 AM 1/6/2004, Brian Akins wrote: Call me stupid, but why in various places does Apache do things like this: if (csd >= FD_SETSIZE) {

Re: a dll section

2004-01-13 Thread William A. Rowe, Jr.
??? Well, I think you are asking a docs question so I'm forwarding there. But this is nothing more than adding an appropriate LoadModule command, so it is likely documented there. Actually causing a loaded module (so, sl, dll or dylib) to actually do anything productive would be the

Re: check_forensic not working with GNU xargs?

2004-01-13 Thread Ivan Ristic
Checked on RH, Suse and Cygwin, all running the GNU version of xargs. On which platforms does it work? Works for me on FreeBSD and OS X and would work with -i on RH8.0's GNU version of xargs. You're right, I missed that. After replacing -I xx with -ixx the script works fine.

SSL renegotiation bug

2004-01-13 Thread Ben Collins-Sussman
Hello, Apache folk. After showing this bug to gstein, iholsman, and others in IRC, I fear I may have found a real bug. It has something to do with SSL, but it's not clear whether this is a bug in the Neon library, OpenSSL, mod_ssl, or httpd itself. Client is: Redhat 9, svn 0.36.0 using neon

Re: what about 2.1.0 ?????

2004-01-13 Thread Günter Knauf
Hi Bill, thanks for your reply! Just so that everyone is on the same page, 2.1.0 will be an -alpha. If sure - I'm aware of this (and it's on my site too); but nevertheless there are now a lot of new things in 2.1-dev which people would already like to play with and when we think we are

Re: [Bug?] cvs commit: httpd-2.0/server core.c

2004-01-13 Thread William A. Rowe, Jr.
Woha... At 11:50 AM 1/8/2004, [EMAIL PROTECTED] wrote: bnicholes 2004/01/08 09:50:03 Modified: server core.c Log: If large file support is enabled allow the file to be split into AP_MAX_SENDFILE sized buckets. Otherwise Apache will be unable to send files larger than 2 gig due

Re: SSL renegotiation bug

2004-01-13 Thread Joe Orton
On Tue, Jan 13, 2004 at 04:43:07PM -0600, Ben Collins-Sussman wrote: Hello, Apache folk. After showing this bug to gstein, iholsman, and others in IRC, I fear I may have found a real bug. It has something to do with SSL, but it's not clear whether this is a bug in the Neon library,

proxy_run_create_req function

2004-01-13 Thread Pawan Deshpande
Hi, I am creating a module similar to mod_proxy, but has some different functions. I want to find the definition of the function ap_proxy_make_fake_req, and the source code for it. Moreover, I found in one of the posts that this function calls, core_create_req. I cannot find any definition for

Re: what about 2.1.0 ?????

2004-01-13 Thread William A. Rowe, Jr.
At 04:51 PM 1/13/2004, Günter Knauf wrote: do you still expect massive changes with APR 1.0 ? I have the sense that folks want to see: * platform neutral apr_poll() that works on apr_file_t's as well, since so many daemons and other applications will require this. Non trivial - but we may

Re: [Bug?] cvs commit: httpd-2.0/server core.c

2004-01-13 Thread Brad Nicholes
I don't think so because the split into multiple bucket code was only enabled if both large_file and send_file was enabled. Which meant that on a non-large_file build the check for ENABLE_SENDFILE_OFF wasn't there anyway. If they have large_file support and don't have send_file (ie.

httpd-2.1 segfaults at startup

2004-01-13 Thread Art Haas
Hi. I've been building and using what will be httpd-2.1 for months. Just within the last week or two, my builds have all failed when I try to run them. As others are certainly running the CVS head builds without problems, I'm hoping for a bit of guidance to see if someone can suggest a fix.

Re: cvs commit: httpd-2.0/server/mpm/winnt child.c mpm_winnt.c mpm_winnt.h

2004-01-13 Thread Bill Stoddard
Do you know of any cases that actually require mpm_state to be updated in ap_signal_parent()? Setting winnt_mpm_state to AP_MPMQ_STOPPING in child main should be sufficient unless I am missing something. Bill [EMAIL PROTECTED] wrote: trawick 2003/12/16 18:16:44 Modified:

Re: [Bug?] cvs commit: httpd-2.0/server core.c

2004-01-13 Thread William A. Rowe, Jr.
At 07:05 PM 1/13/2004, Brad Nicholes wrote: I don't think so because the split into multiple bucket code was only enabled if both large_file and send_file was enabled. Which meant that on a non-large_file build the check for ENABLE_SENDFILE_OFF wasn't there anyway. If they have large_file

Re: httpd-2.1 segfaults at startup

2004-01-13 Thread William A. Rowe, Jr.
Someone remarked to me yesterday that their out-of-box 2.0.48 tarball would not build under SuSe... I noticed a brand new change to the libdl detection logic that drops -ldl from the linkage list on unix. Would you please check that the generated LDFLAGS did or did not include the -ldl argument

Re: Perl test framework, TestConfig, and debugging A::T

2004-01-13 Thread William McKee
On Thu, Jan 08, 2004 at 12:57:43PM -0800, Stas Bekman wrote: It's really hard to guess what did you do. As suggested below if you could create a sample package which reproduces the problem, upload it somewhere and post the URL here, we could be much more helpful. You should be able to

[Fwd: about bugreport of Apache::Test moduleB]

2004-01-13 Thread Ligang Wang
---BeginMessage--- Maybe it will be helpful, see the attachment, bugreport.txt To: [EMAIL PROTECTED] cc: [EMAIL PROTECTED] Subject: bug report about Apache::Test module Dear Stas Bekman I am not sure if you are the Author of Apache::Test module, maybe the information is helpful for

Re: cvs commit: httpd-test/perl-framework/Apache-Test/lib/Apache TestConfig.pm TestRun.pm

2004-01-13 Thread Randy Kobes
On Sun, 11 Jan 2004, Stas Bekman wrote: Randy Kobes wrote: [ ... ] my Apache is D:\Apache2\bin\Apache.exe, which would get reported as d:\apache2\bin\apache.exe. If there isn't an easy way to preserve the case yet still remove such duplicates, I'll do that - it's not a big deal. Randy,

Re: sticky preferences in Apache-Test

2004-01-13 Thread Stas Bekman
Geoffrey Young wrote: I think the patch below handles that fine for any mp2 builds. I've done some more digging - this patch seems to be required. How does it map on the thought from my previous email: Let's see if we can stay without making a modperl-2.0 build special. Why? Because it should

Re: sticky preferences in Apache-Test

2004-01-13 Thread Stas Bekman
Geoffrey Young wrote: Stas Bekman wrote: Geoffrey Young wrote: I think the patch below handles that fine for any mp2 builds. I've done some more digging - this patch seems to be required. How does it map on the thought from my previous email: Let's see if we can stay without making a

Re: sticky preferences in Apache-Test

2004-01-13 Thread Randy Kobes
On Tue, 13 Jan 2004, Stas Bekman wrote: Geoffrey Young wrote: [ ... ] what I do know, however, is that my nightly builds start with 2.1 then move to 2.0, issuing 'make realclean' between each. for the past few nights, the 2.0 tests don't run because it's loading TestConfigData.pm from

Re: sticky preferences in Apache-Test

2004-01-13 Thread Stas Bekman
Randy Kobes wrote: On Tue, 13 Jan 2004, Stas Bekman wrote: Geoffrey Young wrote: [ ... ] what I do know, however, is that my nightly builds start with 2.1 then move to 2.0, issuing 'make realclean' between each. for the past few nights, the 2.0 tests don't run because it's loading

Re: cvs commit: httpd-test/perl-framework/Apache-Test/lib/Apache TestConfig.pm TestRun.pm

2004-01-13 Thread Stas Bekman
Randy Kobes wrote: On Sun, 11 Jan 2004, Stas Bekman wrote: Randy Kobes wrote: [ ... ] my Apache is D:\Apache2\bin\Apache.exe, which would get reported as d:\apache2\bin\apache.exe. If there isn't an easy way to preserve the case yet still remove such duplicates, I'll do that - it's not a big

Re: sticky preferences in Apache-Test

2004-01-13 Thread Randy Kobes
On Tue, 13 Jan 2004, Stas Bekman wrote: Randy Kobes wrote: I haven't worked through this yet, but I find a similar problem ... I have two Perls, both of which have mp2 installed, but one has the CPAN Apache-Test and the other has the cvs Apache-Test installed. In building the cvs

Re: apr_psprintf thread safe?

2004-01-13 Thread William A. Rowe, Jr.
The question was due to a typo in a hastily written description; At 08:55 PM 1/8/2004, Donald Doane wrote: The following comment is from apr_lib.h: * apr_vformatter does not call out to any other code, it is entirely * self-contained. This allows the callers to do things which are *