Re: Vulnerability in NCSA HTTPD 1.3

[ckd () loiosh kei com (Christopher Davis)]

RMH> == Robert M Haas <rhaas () cygnus arc nasa gov>

 ckd> CERN's httpd seems to be a bit smarter about this sort of thing, but
 ckd> it's SO huge that even if they have only 10% as many bugs per K,
 ckd> they're worse than NCSA.

 RMH> Are there known bugs in CERN's httpd? Is there a buglist? If so I
 RMH> would appreciate a copy...

I don't know of any bugs in CERN's httpd, and I haven't seen a buglist.  I
just noted the huge difference in code size (it's a very coarse metric, I
know, but I find it a useful rule of thumb).

 RMH> I'm running CERN's httpd chroot'd, figuring that gives me a little
 RMH> room for error. Am I kidding myself?

Probably not.  At least chroot() will help matters somewhat.

ObBug1: wn/0.97a and earlier has the same problem as NCSA httpd.  Get 0.98.

ObBug2: Netscape doesn't like the WWW-Link http header on images; it'll
show a broken image instead.  wn will emit this header.  I #ifdef'ed it
out for now (and reported the bug to Netscape Communications).