Gregor, can you elucidate any documented security holes in Apache HTTPD?
Martin

> Date: Wed, 1 Apr 2009 17:31:34 +0200
> Subject: Re: redirection
> From: rc4...@googlemail.com
> To: users@tomcat.apache.org
>
> Peter,
>
> On Wed, Apr 1, 2009 at 4:58 PM, Peter Crowther
> <peter.crowt...@melandra.com> wrote:
>
> > And, indeed, *assuming* that Apache + mod_security + mod_jk + Tomcat has
> > fewer vulnerabilities than just Tomcat.
> >
> > I'd also be very interested to see the evidence (either way) on that.
>
> See, I believe in the statement that the more components you're adding
> to an environment, the more possibilities there are for a
> security-hole. However, to believe is not to know...
>
> However, when I check full-disclosure and other security-lists, I see
> few issues referring to Tomcat, but I see quite some issues referring
> to HTTPD and its modules.
>
> I guess if you're once able to break HTTPD and found your way into the
> box, harm is on its way. I further /believe/ that from this point it
> makes sense to use as few components as possible.
>
> Anyhow, that's what I believe, not what I know.
>
> Cheers
>
> Gregor
> --
> just because you're paranoid, doesn't mean they're not after you...
> gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
> gpgp-key available
> @ http://pgpkeys.pca.dfn.de:11371
> @ http://pgp.mit.edu:11371/