On Tue, Jan 22, 2019 at 7:57 PM Dan Ehrlich <d...@ehrlichserver.com> wrote:
>
> Is this true?
>
> https://github.com/hannob/apache-uaf/blob/master/README.md
>
> Was this security vulnerability really treated with such disregard by Apache
> HTTPD devs?

I would personally characterize it differently, without calling what is
written above "fake" or even misleading.

There was no (absolute) disregard, large amounts of time from a half-dozen
people were involved in the original report. But nonetheless there was a
failure to solve (all) of the reported problems in the report.

- A large and changing set of symptoms was reported in a build with two
  layers of non-production memory diagnostics enabled.
- The project team solved some bugs that may have been in the right
  neighborhood, but nowhere near complete.
- After communications problems, both sides went silent.
- The reporter recognized this impasse and notified us he would publish his
  work w/o fixes (nor exploits) for the problem.