BugTraq
PHP security (or the lack thereof) Jun 16 2006 11:21AM
Darren Reed (avalon caligula anu edu au) (4 replies)
Re: PHP security (or the lack thereof) Jun 22 2006 12:15PM
john mullee (jmullee yahoo com) (1 replies)
Re: PHP security (or the lack thereof) Jun 24 2006 10:42PM
Darren Reed (avalon caligula anu edu au) (2 replies)
Re: PHP security (or the lack thereof) Jun 27 2006 05:47AM
Tonnerre Lombard (tonnerre lombard sygroup ch) (1 replies)
Re: PHP security (or the lack thereof) Jun 27 2006 10:27AM
Darren Reed (avalon caligula anu edu au)
In some mail from Tonnerre Lombard, sie said:
> Salut,
>
> On Sun, 2006-06-25 at 08:42 +1000, Darren Reed wrote:
> > There have barely a *handful* of JRE/JVM security problems.
>
> I know for the fact that there are quite some though. Also, what should
> one think about a company that didn't manage to fix a simple path
> traversal vulnerability in their jar(1) utility in almost a year? The
> same goes for the serialization DoS.

Depends on who you are and how much noise you make about the problem
and whether or not it is a problem or....details.

> I really like Sun Fire servers, but I can't agree that Java is the
> bug-free issue-free big white horse. Especially not if you need a couple
> of hundreds of megabytes of RAM just to run java -version...
>
> As to useable Java applications: there are such nice things like Tomcat,
> the Java web server. The funniest thing about it is that it starts up so
> unbelievably slowly, and while everyone tells you that the JIT business
> is going to optimize the slowness away in just a day or two, it needs a
> restart every 20 hours or it will stop responding. Maybe this is the
> -fomit-instructions optimization the Gentoo people are so fond of?
>
> The same goes for my java.core collection. I keep it right next to my
> bash.core and cc1.core files.
>
> So, by "free of issues", are you talking about a Java implementation
> from a parallel universe?

I've seen enterprise class applications written and run for extended
periods of time (days), dealing with huge amounts of data, that have
not suffered from slowness, much to the chagrin of Sun sales people
who realise they can't sell an E25K to run it.

So I don't accept that all Java programs are either slow or need to
consume 100s of megabytes of RAM for no reason. A poorly written
one may, yes. Maybe it is just easier to write applications (such
as Tomcat) that perform badly than it is to write good ones, in the
same way it is easy to write insecure PHP.

Darren

[ reply ]
Re: PHP security (or the lack thereof) Jun 27 2006 03:38AM
Ronald Chmara (ron Opus1 COM) (1 replies)
Re: PHP security (or the lack thereof) Jul 05 2006 04:17PM
Dan Falconer (dan avsupport com) (1 replies)
Re: PHP security (or the lack thereof) Jul 06 2006 06:47AM
Darren Reed (avalon caligula anu edu au)
Re: PHP security (or the lack thereof) Jun 19 2006 05:07PM
Neil Neely (neil frii com) (1 replies)
RE: [lists] Re: PHP security (or the lack thereof) Jul 16 2006 11:26PM
Curt Purdy (purdy tecman com)
Re: PHP security (or the lack thereof) Jun 17 2006 01:50AM
Jose Nazario (jose monkey org) (1 replies)
Re: PHP security (or the lack thereof) Jun 17 2006 06:06PM
Geo. (geoincidents nls net) (2 replies)
Re: PHP security (or the lack thereof) Jun 22 2006 01:01AM
Crispin Cowan (crispin novell com)
Re: PHP security (or the lack thereof) Jun 20 2006 04:54AM
kicktd (cooljay1804ml bellsouth net) (1 replies)
Re: PHP security (or the lack thereof) Jun 20 2006 10:02AM
Geo. (geoincidents nls net)
Re: PHP security (or the lack thereof) Jun 16 2006 11:06PM
Bojan Zdrnja (bojan zdrnja gmail com) (1 replies)
Re: PHP security (or the lack thereof) Jun 17 2006 05:08PM
Jessica Hope (jessicasaulhope googlemail com)


 

Privacy Statement
Copyright 2010, SecurityFocus