Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-23 Thread dirkx
On Sun, 23 Jun 2002, Joshua Lee wrote: On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote: Patrick Thomas wrote: Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-23 Thread Terry Lambert
Joshua Lee wrote: Terry Lambert [EMAIL PROTECTED] wrote: Patrick Thomas wrote: Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ? Not FreeBSD, but it's

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-23 Thread Joshua Lee
On Sun, 23 Jun 2002 02:06:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote: Joshua Lee wrote: Terry Lambert [EMAIL PROTECTED] wrote: The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. I've found a better

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-23 Thread Terry Lambert
Joshua Lee wrote: [ ... mod_blowchunks ... ] But if a client uses chunking legitimately, and does so because it believes it's talking to an HTTP server, you've just broken that client's ability to POST/PUT. You mean to say it believes it is talking to an HTTP 1.1 server, yes? Yes. I

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-23 Thread Patrick Thomas
Yeah; this whole thread is premised on working around the problem without an Apache software change. It's a reasonable premise (IMO) -- if you've got a custom compilation and a lot of modules, that can end up being a lot of software. I build a PHP4+SSL+Apache+IMAP+etc. source tree at one

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-22 Thread Joshua Lee
On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote: Patrick Thomas wrote: Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ? Not FreeBSD,

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-21 Thread Joshua Lee
On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote: Patrick Thomas wrote: Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ? Why not upgrade

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-21 Thread Lamont Granquist
I think that libsafe would protect against this bug to at least prevent against any possible malicious code execution. I think it still leaves the DoS possibility open though... Even some kind of non-exec stack protection patched into FBSD would only generate a SEGV if it got triggered[*].

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-21 Thread Kris Kennaway
On Thu, Jun 20, 2002 at 07:33:54PM -0700, Frank Mayhar wrote: Kris Kennaway wrote: Surely it's easier to just upgrade the apache port, instead of recompiling your kernel and the entire OS. Not always. (I'm running an old version of Covalent Raven SSL and I'm loath to upgrade. If it

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-21 Thread Terry Lambert
Joshua Lee wrote: The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. The only place this is an issue is if you need to reuse an HTTP connection, and that only occurs in HTTP 1.1 when you are doing pipelining.

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-21 Thread Brandon D. Valentine
On Fri, 21 Jun 2002, Kris Kennaway wrote: On Thu, Jun 20, 2002 at 07:33:54PM -0700, Frank Mayhar wrote: Kris Kennaway wrote: Surely it's easier to just upgrade the apache port, instead of recompiling your kernel and the entire OS. Not always. (I'm running an old version of Covalent Raven

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-21 Thread Lamont Granquist
On Fri, 21 Jun 2002, Kris Kennaway wrote: On Thu, Jun 20, 2002 at 07:33:54PM -0700, Frank Mayhar wrote: Kris Kennaway wrote: Surely it's easier to just upgrade the apache port, instead of recompiling your kernel and the entire OS. Not always. (I'm running an old version of

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-21 Thread Bernd Walter
On Fri, Jun 21, 2002 at 02:29:30AM -0400, Joshua Lee wrote: On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote: Patrick Thomas wrote: Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-21 Thread Frank Mayhar
Kris Kennaway wrote: On Thu, Jun 20, 2002 at 07:33:54PM -0700, Frank Mayhar wrote: Kris Kennaway wrote: Surely it's easier to just upgrade the apache port, instead of recompiling your kernel and the entire OS. Not always. (I'm running an old version of Covalent Raven SSL and I'm

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-21 Thread Frank Mayhar
Brandon D. Valentine wrote: However, I would ask Frank if there's a particular reason he needs to use Covalent Raven SSL. OpenSSL is free, works like gangbusters, and comes with FreeBSD. I have a feeling he'd be much happier with it if there's not some other reason he cannot move to it. As

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-21 Thread Patrick Thomas
What none of you has mentioned is the thought I had in mind when I asked this question, and that is, I have a rd machine with 16 jails on it, each running apache. Therefore in a situation like this it would be _much_ easier to just tune a sysctl or rebuild the kernel, vs. rebuilding 16

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-21 Thread Joshua Lee
On Fri, 21 Jun 2002 10:38:21 +0200 Bernd Walter [EMAIL PROTECTED] wrote: On Fri, Jun 21, 2002 at 02:29:30AM -0400, Joshua Lee wrote: On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote: The way you would deal with this would be to tell Apache that it was an HTTP

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-21 Thread Terry Lambert
Joshua Lee wrote: Mozilla has an option to enable http pipelining as a performance option. I regularly used this, maybe I shouldn't? It should fall back. Considering that there's a warning concerning its use with some servers maybe it doesn't... Luckily it's not on by default.

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-21 Thread Brandon D. Valentine
On Fri, 21 Jun 2002, Terry Lambert wrote: That's not the issue. The issue is that some servers claim to be 1.1 servers, but do not implement pipelining. Older Apache servers fall into this category. I have been using pipelining in Mozilla for many months now without encountering a single,

inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-20 Thread Patrick Thomas
Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ? I ask because I see in one of the chunking exploits that: * Remote OpenBSD/Apache exploit for the chunking

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-20 Thread Kris Kennaway
On Thu, Jun 20, 2002 at 02:17:41PM -0700, Patrick Thomas wrote: Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ? Surely it's easier to just upgrade the apache

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-20 Thread Frank Mayhar
Kris Kennaway wrote: Surely it's easier to just upgrade the apache port, instead of recompiling your kernel and the entire OS. Not always. (I'm running an old version of Covalent Raven SSL and I'm loath to upgrade. If it works, don't fix it and there are only so many hours in a day.) --

Re: inuring FreeBSD to the apache bug without upgrading apache ?

2002-06-20 Thread Terry Lambert
Patrick Thomas wrote: Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ? Not FreeBSD, but it's possible to reconfigure Apache. The way you would deal with this would