
Re: Bug: svnserve fail to detect it is already running

From: Stefan Sperling <stsp_at_elego.de>
Date: Fri, 9 Jul 2010 18:45:20 +0200

On Fri, Jul 09, 2010 at 11:40:59AM -0500, Peter Samuelson wrote:
>
> [Stefan Sperling]
> > "Before the SO_EXCLUSIVEADDRUSE socket option was introduced, there was
> > very little a network application developer could do to prevent a
> > malicious program from binding to the port on which the network
> > application had its own sockets bound."
> >
> > So not using SO_EXCLUSIVEADDR means the denial-of-service still works?
>
> Well, the same article describes the changes made in Windows Server
> 2003: now this seems to be true only if the malicious app is running as
> the same user as svnserve.

Yes, Server 2003 should be OK without SO_EXCLUSIVEADDR.
It's the older Windows systems that will still have problems,
and I don't think we should be ignoring them (as much as I'd love
it if everyone just ditched Windows for good).

Stefan
Received on 2010-07-09 18:46:23 CEST
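
The following is an added example, not part of the original message and not Subversion's code. It sketches a listener that sets SO_EXCLUSIVEADDRUSE before bind() on Windows, so that a second bind to the same port is refused and a second instance can detect the first. The helper name `listen_exclusive`, the typedefs and the loopback address are assumptions made for illustration.

```c
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>          /* assumption: caller already ran WSAStartup() */
typedef SOCKET sock_t;
typedef int addrlen_t;
#define CLOSESOCK closesocket
#else
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
typedef int sock_t;
typedef socklen_t addrlen_t;
#define INVALID_SOCKET (-1)
#define CLOSESOCK close
#endif

/* Hypothetical helper: listen on 127.0.0.1:port (0 = ephemeral port) without
 * allowing any other socket to share the address. Returns INVALID_SOCKET on
 * failure, which is also how a second instance notices the first one. */
sock_t listen_exclusive(unsigned short port, unsigned short *bound_port)
{
    struct sockaddr_in sa;
    addrlen_t len = sizeof sa;
    sock_t s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET)
        return INVALID_SOCKET;
#ifdef _WIN32
    /* Must be set before bind(); later binds to this port are refused. */
    int on = 1;
    if (setsockopt(s, SOL_SOCKET, SO_EXCLUSIVEADDRUSE,
                   (const char *)&on, sizeof on) != 0)
        goto fail;
#endif
    /* Deliberately no SO_REUSEADDR: on Windows it permits shared binds. */
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(s, 16) != 0)
        goto fail;
    if (getsockname(s, (struct sockaddr *)&sa, &len) != 0)
        goto fail;
    *bound_port = ntohs(sa.sin_port);
    return s;
fail:
    CLOSESOCK(s);
    return INVALID_SOCKET;
}
```

On POSIX systems the #ifdef branch compiles away; the second bind is refused there simply because SO_REUSEADDR is never set.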

This is an archived mail posted to the Subversion Dev mailing list.