Ron and David have understood the real utility of mod_blowchunks:

On Tue, 25 Jun 2002, Cliff Woolley wrote:
> On Tue, 25 Jun 2002, David Marshall wrote:
> > For those of you working to patch your production Apache installations.
> > I have tested and verified Cris Bailiff's interim fix. (see
> > http://online.securityfocus.com/archive/1/278281/2002-06-21/2002-06-27/0).
>
> That's way overkill.  Please see
>
> http://www.apache.org/dist/httpd/patches/apply_to_1.3.22/SECURITY_chunk_size_patch.txt

Cliff, if you actually read the text of

http://online.securityfocus.com/archive/1/278281/2002-06-21/2002-06-27/

you'll see that I agree with you - upgrade your apache as soon as you can, or 
if you can at least re-compile, add the ASF patch!

In the meantime, mod_blowchunks.c/BlowChunks.pl is designed to be a simple to 
install tweak to your current version, because upgrading and testing all 21+ 
million apache sites is a non-atomic operation.

In many large organisations, with mission-critical apps, BlowChunks.pl (or 
even mod_blowchunks.c) could be in place in minutes as a minor (reversible) 
config change, rather than leaving systems vulnerable during an (expedited) 
2-3 week change management process (or longer!).

On Wed, 26 Jun 2002 15:14, R. DuFresne wrote:
> The problem has been that walking through the steps to upgrade
> apache/mod-ssl in the older versions of apache has always been quite
> complicated, and taken some time to grab up apache, ssl, mm, and all that,
> let alone configure it all together.  

Precisely, and that's if it's a binary you built yourself in the first place.

I've had many thank-you's from people with IBM HTTP Server, ensim, cobalt, 
Windows users (who often only have binaries and no compiler), etc. who have 
gained breathing room. (I've also had replies from many people using it in 
addition to the upgrade, just to log potential attacks :-) )

Of course, YMMV ;-)

Cris Bailiff 
[EMAIL PROTECTED] - http://www.awayweb.com





______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
