On Fri, Nov 18, 2011 at 04:38:14PM -0600, William Rowe wrote: > After several prods, it seems the security@ and hackathon participants > can't be drawn out of their shells on to dev@. So I'll simply call for > a majority vote on the following statement...
Thanks for the prod! > Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth; > > [ ] Represents a security defect > [X] Is not a security defect I agree for resource consumption attacks. I think there's still a good case for treating bugs which allow escalation of privileges as security issues (i.e. something which gets you from an .htaccess file to arbitrary code execution in the httpd child). Regards, Joe
