Vulnerability Development mailing list archives
Re: Apache 2.x leaked descriptors
From: Christian Kratzer <ck () cksoft de>
Date: Sat, 22 Feb 2003 13:43:54 +0100 (CET)
Hi,

On Fri, 21 Feb 2003, Steve Grubb wrote:

> Hello,
>
> I noticed a problem with apache 2.x back in October and contacted the apache security team with the problem. They've had about 4 months to do something with the problem but haven't seen fit to fix it yet. The last time I tried to status their progress no one replied to my query.
>
> I was playing around with env_audit studying various properties of environments created for child processes. (Study is here - http://www.web-insights.net/env_audit/environments.pdf )
>
> Out of this, I noticed that apache 2.x leaks 2 open descriptors for each website on a machine and the main access & error log for the daemon. These open descriptors go to the access and error log of each website. It appears that every cgi environment has this problem. For example put this in a .shtml file:

there is a proposed fix for this in http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17206

the bug seems to have been in apache for quite some time but only appeared after a typo in the apr library was fixed for apache 2.0.40.

We have also not had a reaction from the apache group yet.

Greetings
Christian Kratzer
CK Software GmbH

--
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck () cksoft de
Phone: +49 7452 889-135
Fax: +49 7452 889-136
Open Software Solutions, Network Security
FreeBSD spoken here!
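The inheritance problem discussed in this message can be audited before a child is exec'd. The following C sketch is an added example, not code from the thread, from Apache/APR, or from the patch in the bugzilla entry: it counts descriptors that would survive an exec and shows the effect of the standard POSIX close-on-exec flag. The function names, the use of /dev/null as a stand-in log file and the 4096 scan bound are assumptions made for illustration.

```c
/* Added example: which descriptors would a CGI child inherit across exec? */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Count descriptors >= 3 that are open and NOT marked close-on-exec,
 * i.e. the ones an exec'd child (such as a CGI script) would inherit. */
int fds_surviving_exec(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 4096)
        max = 4096;                     /* bound the scan (assumption) */
    int n = 0;
    for (int fd = 3; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD); /* -1 means fd is not open */
        if (flags != -1 && !(flags & FD_CLOEXEC))
            n++;
    }
    return n;
}

/* Mark one descriptor close-on-exec; returns -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Open a stand-in "log" (hypothetical: /dev/null) and return how many
 * additional descriptors would be inherited by an exec'd child. */
int leak_delta(int protect)
{
    int before = fds_surviving_exec();
    int fd = open("/dev/null", O_WRONLY | O_APPEND);
    if (fd == -1)
        return -1;
    if (protect && set_cloexec(fd) == -1) { close(fd); return -1; }
    int after = fds_surviving_exec();
    close(fd);
    return after - before;
}

int main(void)
{
    printf("plain log fd:      %d extra inherited\n", leak_delta(0));
    printf("FD_CLOEXEC log fd: %d extra inherited\n", leak_delta(1));
    return 0;
}
```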