Re: Apache 2.x leaked descriptors

[Christian Kratzer <ck () cksoft de>]

Hi,

On Fri, 21 Feb 2003, Steve Grubb wrote:

> Hello,
>
> I noticed a problem with apache 2.x back in October and contacted the
> apache security team with the problem. They've had about 4 months to do
> something with the problem but haven't seen fit to fix it yet. The last
> time I tried to status their progress no one replied to my query.
>
> I was playing around with env_audit studying various properties of
> environments created for child processes. (Study is here -
> http://www.web-insights.net/env_audit/environments.pdf ) Out of this, I
> noticed that apache 2.x leaks 2 open descriptors for each website on a
> machine and the main access & error log for the daemon. These open
> descriptors go to the access and error log of each website.
>
> It appears that every cgi environment has this problem. For example put
> this in a .shtml file:

there is a proposed fix for this in

        http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17206

the bug seems to have been in apache for quite some time but only
appeared after a typo in the apr library was fixed for apache 2.0.40.
We have also not had a reaction from the apache group yet.

Greetings
Christian Kratzer
CK Software GmbH

-- 
CK Software GmbH
Christian Kratzer,              Schwarzwaldstr. 31, 71131 Jettingen
Email:  ck () cksoft de
Phone:  +49 7452 889-135        Open Software Solutions, Network Security
Fax:    +49 7452 889-136        FreeBSD spoken here!