| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Aug 2011 07:34:13 +0200 From: "HI-TECH ." <isowarez.isowarez.isowarez@...glemail.com> To: Michal Zalewski <lcamtuf@...edump.cx> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Apache Killer Yeah you are correct. It does not really matter. It's just a DoS things should move on. I do that for fun, seeing things break, not more not less, the hype on the media right now makes no difference, but I must admit listening to Johannes Ullrich in the daily stormcast reporting about the postings is quite fun. 2011/8/25 Michal Zalewski <lcamtuf@...edump.cx>: >> just for the record I have the impression that this not the same vulnerability >> you outlined in your advisory a while back. It is more that the idea >> for this vulnerability originated from your advisory, not the same bug. > > I don't think this even matters, and I really don't disagree... > > In 2007, I noticed that their Range handling is silly, and may prompt > them to generate very large responses. > > I casually proposed a window scaling-based attack back then, and > nothing happened. > > My understanding is that your exploit is based on the same principle > (I don't think they fixed this in any way), but combines it with > protocol-level compression to force the server to waste some memory > and CPU resources to compress the response beforehand. > > But in any case, life goes on, it's just a DoS. Good that they're fixing it... > > /mz > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists