[Mod_gzip] any idea about security bugs reported on oreillynet.com
Jin Zhao
mod_gzip@lists.over.net
Thu, 5 Jun 2003 18:50:16 -0500
Just looked at the source code of mod_gzip-1.3.26.1a and learned that
'debug' is turned off by default. Thus the security bug mentioned in my last
email should not be a problem for most users.
For those who turned debug on, comment out the 'MOD_GZIP_DEBUG1' declaration
line, recompile and it will be fine.
Jin
On Thursday, June 5, 2003, at 01:01 PM, Jin Zhao wrote:
> Hi folks,
>
> Any idea about these security bugs reported in the following article?
>
> http://linux.oreillynet.com/pub/a/linux/2003/06/04/insecurities.html
>
> The mentioned article suggested recompiling mod_gzip in the 'normal' mode
> instead of the 'debug' mode. After reading this, I looked at the Makefile
> of mod_gzip-1.3.26.1a, but found no targets specifically for 'debug' or
> 'normal'.
>
> My question about this issue is this: Is turning off mod_gzip logging
> enough to fix the problem, or must I remove mod_gzip_debug.c when
> compiling?
>
> Thanks,
>
> Jin