[Bug 394350] [NEW] RLimitCPU has no effect in Apache

Neil Van Dyke neil at neilvandyke.org
Wed Jul 1 16:25:15 BST 2009


*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: apache2

The Apache "RLimitCPU" directive has no effect in the Ubuntu
packaging of Apache 2.2.8.  We have reproduced this problem on multiple
Ubuntu 8.04 systems, including a freshly-installed one.

We have verified that it *does* work on the same machine when using an
unmodified upstream source build of 2.2.8.  We have also verified that
it works on Debian "stable" (using Debian packaging of Apache 2.2.9).

This arguably constitutes a DoS security vulnerability, since the
Ubuntu packaging of Apache is not preventing a runaway process from
taking down the server as a correctly operating Apache (including
upstream) does.

The cause appears to be in either Ubuntu-specific (or Debian-specific)
patches to 2.2.8 in the Ubuntu/Debian-specific configuration setup in
Ubuntu packaging of 2.2.8.

If the problem can be fixed in the Ubuntu packaging of Apache as an
update to 8.04, so that we could use it on our server, that would be
great.  Otherwise, we will have to move to a build of upstream Apache or
move away from Ubuntu.

Thank you.


Description:	Ubuntu 8.04.2
Release:	8.04

ii  apache2                                             2.2.8-1ubuntu0.9                                    Next generation, scalable, extendable web server
ii  apache2-mpm-worker                                  2.2.8-1ubuntu0.9                                    High speed threaded model for Apache HTTPD
ii  apache2-utils                                       2.2.8-1ubuntu0.9                                    utility programs for webservers
ii  apache2.2-common                                    2.2.8-1ubuntu0.9                                    Next generation, scalable, extendable web server

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
RLimitCPU has no effect in Apache
https://bugs.launchpad.net/bugs/394350
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in ubuntu.
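
One way to check from the server side whether RLimitCPU is reaching the processes it is meant to constrain, as an added example that is not part of the original report or of the Apache/Ubuntu code. It assumes the configuration under test contains `RLimitCPU 5 10` (constructed values), that the file is installed as an executable CGI script, and that a python3 interpreter is available; the function names are hypothetical.

```python
#!/usr/bin/env python3
"""CGI probe: report the RLIMIT_CPU this process inherited from Apache.

RLimitCPU applies to processes forked by httpd children (CGI scripts and
the like), not to httpd itself, so the limit has to be read from inside
such a process. Expected values below are constructed for the example.
"""
import resource
import sys

EXPECTED_SOFT = 5    # assumption: first argument of RLimitCPU, in seconds
EXPECTED_HARD = 10   # assumption: second argument of RLimitCPU, in seconds


def fmt(value):
    """Render an rlimit value, mapping RLIM_INFINITY to 'unlimited'."""
    return "unlimited" if value == resource.RLIM_INFINITY else str(value)


def assess(soft, hard, expected_soft, expected_hard=None):
    """Compare inherited limits with the configured ones; return (ok, message)."""
    if soft == resource.RLIM_INFINITY:
        return False, "FAIL: no CPU limit inherited; RLimitCPU is not being applied"
    if soft != expected_soft or (expected_hard is not None and hard != expected_hard):
        return False, "FAIL: soft=%s hard=%s does not match the configuration" % (
            fmt(soft), fmt(hard))
    return True, "OK: soft=%s hard=%s" % (fmt(soft), fmt(hard))


def probe(expected_soft=EXPECTED_SOFT, expected_hard=EXPECTED_HARD):
    """Read this process's own CPU-time limit and assess it."""
    soft, hard = resource.getrlimit(resource.RLIMIT_CPU)
    return assess(soft, hard, expected_soft, expected_hard)


def main():
    ok, message = probe()
    # A non-200 status lets an external monitor alert on a missing limit.
    sys.stdout.write("Status: %s\r\n" % ("200 OK" if ok else "500 Internal Server Error"))
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    sys.stdout.write(message + "\n")


if __name__ == "__main__":
    main()
```

Requesting the script through the web server, rather than running it from a shell, is what exercises the directive; a shell run only reports the shell's own limits.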
