On 9/12/02 23:06 "Jeanfrancois Arcand" <[EMAIL PROTECTED]> wrote:

> Pier Fumagalli wrote:
>
>> On 9/12/02 17:14 "Jeanfrancois Arcand" <[EMAIL PROTECTED]> wrote:
>>
>>> You don't need to learn JSP/Admin Tool if you don't use it. The actual
>>> Tomcat installation doesn't require you to learn the Admin Tool or JSP....
>>
>> As I said 6 or so months ago... That "thing" is a security hole as big as
>>
> Can you give me an example of a security hole? I would be interested to
> fix those holes....
They come up every now and then... That's why Costin wanted that all-private, for-your-eyes-only, no-one-who-is-not-cross-checked-with-the-FBI-gets-in security mailing list, right?... Want a list of the past ones?

http://search.cert.org/query.html?col=certadv&col=incnotes&col=vulnotes&ht=0&qp=&qt=tomcat&qs=&qc=&pw=100%25&ws=1&la=en&qm=0&st=1&nh=25&lk=1&rf=2&rq=0&si=1

(err, page 1 out of 24)...

>> the Empire State Building... As most of the stuff that make up "tomcat"...
>> We have some bugs in JSR-154, few in Jasper, few in JSSI, few in CGI... All
>> together it makes a ****load of em...
>>
> Yes, you are right (think about Windoses). Is the reason to have an only
> 154 distribution security?

That's a very different story... For me it is... For others it might be a different reason... I joined Apache because of a friend, you because of your employer... SO? Reasons are different, outcome is the same...

>> If someone can come up with a Servlet-only distribution, at least I won't
>> get holes from all the other (totally useless) components...
>>
> True. But if Jasper/AdminTool/etc. are secure, then that doesn't that no
> a good reason IMO.

Ehemm... With 24 pages of vulnerability notes? Ha.. Hahaha.... Hahahaha! :-)

Rule of the thumb #1... Not even

    public class Main {
        public static void main(String argv[]) {
            System.out.println("This program doesn't have a bug");
        }
    }

doesn't have a bug, all right? Because to execute that little statement my proc actually does some bazillion operations, and god knows how many INC, ADD, SUB and MUL my proc does to get that out...

So, rule of the thumb #2. No software ever written is _ever_ secure (just consider that the Boeing 777 "software" - which is the most secure OS on this planet as far as research goes - has only one bug every 180.000 lines of code)... Now, don't tell me that ALL that collection of cruft doesn't have a bug... It's just that we are lucky and no one found them yet (given enough eyes... Linus says)...
To sum up: rule of the thumb #3, less code, less bugs (you folks from Sun preach that all over your Solaris Blueprints stuff, I learnt it when your employer was paying my salary). So, please, don't come up on a mailing list saying "that is secure", just say that "no one has found a bug yet", because that (and only that) is the truth...

Pier