*** This bug is a security vulnerability *** Public security bug reported:
Binary package hint: apache2

The Apache "RLimitCPU" directive has no effect in the Ubuntu packaging of Apache 2.2.8. We have reproduced this problem on multiple Ubuntu 8.04 systems, including a freshly-installed one. We have verified that it *does* work on the same machine when using an unmodified upstream source build of 2.2.8. We have also verified that it works on Debian "stable" (using Debian packaging of Apache 2.2.9).

This arguably constitutes a DoS security vulnerability, since the Ubuntu packaging of Apache is not preventing a runaway process from taking down the server as a correctly operating Apache (including upstream) does.

The cause appears to be in either Ubuntu-specific (or Debian-specific) patches to 2.2.8 or in the Ubuntu/Debian-specific configuration setup in Ubuntu packaging of 2.2.8.

If the problem can be fixed in the Ubuntu packaging of Apache as an update to 8.04, so that we could use it on our server, that would be great. Otherwise, we will have to move to a build of upstream Apache or move away from Ubuntu.

Thank you.

Description: Ubuntu 8.04.2
Release: 8.04

ii apache2 2.2.8-1ubuntu0.9 Next generation, scalable, extendable web server
ii apache2-mpm-worker 2.2.8-1ubuntu0.9 High speed threaded model for Apache HTTPD
ii apache2-utils 2.2.8-1ubuntu0.9 utility programs for webservers
ii apache2.2-common 2.2.8-1ubuntu0.9 Next generation, scalable, extendable web server

** Affects: apache2 (Ubuntu)
Importance: Undecided
Status: New

** Visibility changed to: Public

--
RLimitCPU has no effect in Apache
https://bugs.launchpad.net/bugs/394350
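One way to check the behaviour reported above, as an added example that is not part of the original bug report: RLimitCPU applies to processes forked from Apache children (such as CGI scripts), so the check compares the configured soft limit against the "Max cpu time" row in /proc/<pid>/limits of such a process. The function names, the sample configuration and the sample limits text are constructed for illustration, and the last directive in the text is assumed to be the one in effect (no per-context merging).

```python
import re

# Constructed samples: a config fragment and two /proc/<pid>/limits excerpts.
SAMPLE_CONFIG = "# limit CGI CPU time\nRLimitCPU 10 20\n"
SAMPLE_LIMITS_UNLIMITED = (
    "Limit                     Soft Limit           Hard Limit           Units\n"
    "Max cpu time              unlimited            unlimited            seconds\n"
)
SAMPLE_LIMITS_SET = (
    "Limit                     Soft Limit           Hard Limit           Units\n"
    "Max cpu time              10                   20                   seconds\n"
)

def configured_soft_limit(config_text):
    """Soft value of the last RLimitCPU directive: int seconds, 'max', or None."""
    found = None
    for line in config_text.splitlines():
        m = re.match(r"\s*RLimitCPU\s+(\S+)(?:\s+(\S+))?\s*$", line, re.IGNORECASE)
        if m:  # commented-out directives do not match
            found = m.group(1).lower()
    if found is None or found == "max":
        return found
    return int(found)

def effective_soft_limit(limits_text):
    """Soft 'Max cpu time' from /proc/<pid>/limits: int seconds or 'unlimited'."""
    for line in limits_text.splitlines():
        m = re.match(r"Max cpu time\s+(\S+)\s+(\S+)\s+seconds", line)
        if m:
            soft = m.group(1)
            return soft if soft == "unlimited" else int(soft)
    raise ValueError("no 'Max cpu time' row found")

def check(config_text, limits_text):
    """Classify whether the configured soft CPU limit reached the process."""
    want = configured_soft_limit(config_text)
    if want is None:
        return "not-configured"
    if want == "max":
        return "unchecked"  # 'max' defers to the OS maximum; nothing to compare
    return "enforced" if effective_soft_limit(limits_text) == want else "not-enforced"

if __name__ == "__main__":
    print(check(SAMPLE_CONFIG, SAMPLE_LIMITS_UNLIMITED))  # the reported symptom
    print(check(SAMPLE_CONFIG, SAMPLE_LIMITS_SET))
```

On a live system, pass the real configuration text and the contents of /proc/<pid>/limits for a running CGI process instead of the constructed samples.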