Message-ID: <19980812172433.A15544@cons.org>
Date: Wed, 12 Aug 1998 17:24:33 +0200
From: Martin Cracauer
To: Brett Glass, security@FreeBSD.ORG
Subject: Re: DOS exploit in Apache
References: <199808111816.MAA18952@lariat.lariat.org>
In-Reply-To: <199808111816.MAA18952@lariat.lariat.org>; from Brett Glass on Tue, Aug 11, 1998 at 12:13:06PM -0600

In <199808111816.MAA18952@lariat.lariat.org>, Brett Glass wrote:

> All recent versions of Apache can be made to demand virtually unlimited
> amounts of memory if they are fed large numbers of HTML request headers. I
> haven't seen a fix for FreeBSD yet; have the published package and port
> been patched yet?

This is one of the (rare, IMHO) cases where FreeBSD's conservative
resource limit defaults do something good.

So on FreeBSD you can't launch a denial-of-service attack for the
whole machine this way.

Martin
--
Martin Cracauer http://www.cons.org/cracauer
BSD User Group Hamburg, Germany http://www.bsdhh.org/
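Added example, not part of the original message and not FreeBSD or Apache code: a per-process resource limit bounds a worker whose memory keeps growing, which is the effect the reply attributes to FreeBSD's defaults. The message does not say which limit applies; RLIMIT_AS, the 64 MiB cap, the 1 MiB chunk size and the function name capped_worker_mib are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHUNK (1024 * 1024) /* 1 MiB stands in for a batch of stored headers */
#define MAX_CHUNKS 4096     /* safety stop in case the limit is not enforced */

/* Fork a worker, cap its address space at cap_mib MiB (assumed knob: the
 * RLIMIT_AS soft limit) and let it allocate until malloc() fails.
 * Returns the MiB the worker obtained, or -1 on error. */
long capped_worker_mib(long cap_mib)
{
    int fds[2];
    long got = 0;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* worker process */
        struct rlimit rl;
        close(fds[0]);
        if (getrlimit(RLIMIT_AS, &rl) != 0) _exit(2);
        rl.rlim_cur = (rlim_t)cap_mib * CHUNK;
        if (rl.rlim_cur > rl.rlim_max) rl.rlim_cur = rl.rlim_max;
        if (setrlimit(RLIMIT_AS, &rl) != 0) _exit(2);
        while (got < MAX_CHUNKS) {
            char *p = malloc(CHUNK);
            if (p == NULL) break;          /* the kernel refused more memory */
            memset(p, 'H', CHUNK);         /* touch it so it is really used */
            got++;
        }
        if (write(fds[1], &got, sizeof got) != (ssize_t)sizeof got) _exit(3);
        _exit(0);
    }
    close(fds[1]);                         /* parent: not subject to the cap */
    int status = 0;
    ssize_t n = read(fds[0], &got, sizeof got);
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid || n != (ssize_t)sizeof got) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? got : -1;
}

int main(void)
{
    printf("worker stopped after %ld MiB under a 64 MiB cap\n", capped_worker_mib(64));
    return 0;
}
```

The worker stops a little short of the cap because its code, libraries and stack already occupy part of the address space; the parent keeps running, so the growth stays confined to the one process.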