Re: [Full-disclosure] Apache suEXEC privilege elevation / inform
On Aug 13, 2013, at 3:55 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
> Am 13.08.2013 00:42, schrieb Brandon M. Graves:
>> I hate to come late to the party, but following all of this, it is kind of
>> ridiculous.
>>
>> I have to agree with those before in saying software should ship secure.
>> in my environment whenever we are given a new bit to add to our
>> infrastructure, be it a new server, new version of an OS, or new version
>> of a software, either A) it comes to us from those at our distribution
>> point pre templated to be unusable due to security, or B) we first make
>> it unusable by configuring every possible security setting to be as tight
>> as possible...
>
> nobody said anything else
>
> but "Apache suEXEC privilege elevation" is *not* a suEXEC
> problem and that's the whole point - people in this thread
> mixing a lot of different things partly with no clue
Precisely. This entire thread is filled with people who not only do not
know how Apache works, but how Bugtraq works either. That said, this
issue is of course not a bug, but a feature-- a feature which if used,
opens a mild to moderate vulnerability which can be corrected on the
substrate in any number of ways.
So y'all need to sit down.
James.