Apache Software

Apache 1.3.26 and 2.0.39 Released

cliffwoolley writes "The Apache Software Foundation has released new versions of both Apache 1.3 and 2.0. These versions are both security and bug-fix releases. They address and fix the issues noted in CAN-2002-0392 [CERT VU#944335] regarding a vulnerability in the handling of chunked transfer encoding. You can download the new releases here." This of course is for the exploit that we reported yesterday. It is hard to complain about a 24-hour response time for a bug.
  • 24 is nice... (Score:5, Insightful)

    by jeffy124 ( 453342 ) on Tuesday June 18, 2002 @07:52PM (#3725756) Homepage Journal
    ... but it certainly would've been better if ISS had allowed it, or even written up a proper patch or given the right info on who's vulnerable.

    Personally, their argument about not contacting the Apache Foundation because some of them work for Red Hat is complete bullshit, plus the fact that they could've contacted CERT about it instead. CERT would've made sure RH didn't take credit, since that's among ISS's fears, and also would've told them that the issue was known and being worked on.
    • Apache exploits are pretty hard to come by these days. Miss this one and it will be a long dry spell until anybody finds another one. Like a media feeding frenzy, rationality seems to vanish. Two hour notice and a broken patch, judging from other posts. ISS comes off looking pretty juvenile. There seems to be some indications that Apache was aware of this from another source, so there is some possibility that ISS jumped the gun to avoid being shunted out of the limelight.

      Overall Apache comes out smelling like a rose.

      "On the Windows and Netware platforms, Apache runs one multithreaded child
      process to service requests. The teardown and subsequent setup time to
      replace the lost child process presents a significant interruption of
      service. As the Windows and Netware ports create a new process and reread
      the configuration, rather than fork a child process, this delay is much
      more pronounced than on other platforms."
      "... Using any multithreaded model, all concurrent requests currently served by the affected child process will be lost."

      Sounds like a good reason to run Apache on Linux/BSD/UNIX.
      (Well they did claim that Apache 1.3 wasn't really stable on Microsoft Windows;)
  • by 4of12 ( 97621 ) on Tuesday June 18, 2002 @08:00PM (#3725807) Homepage Journal

    It is hard to complain about a 24-hour response time for a bug.

    No, it's not :)

    Seriously, though, it's a pretty impressive turn around time and should give some credence to those of us making arguments that the support is really there for open source projects like Apache, even though there's no "1-800-HELPME" number nor an expensive maintenance and support agreement.

    • So what are you complaining about?

      24 hours. Granted, there isn't a help line, but you just type it in a search engine and you get help for nearly anything OSS related.

      MS, you get tiny bits of obscure help and months for a patch, and help costs.

      • by 4of12 ( 97621 ) on Tuesday June 18, 2002 @08:53PM (#3726067) Homepage Journal

        just type it in a search engine...

        What are you asking, man! I'd have to learn how to read, write and think to do that.

        Can't I just get a warm fuzzy feeling by buying a large support agreement from Microsoft?

        Besides, I'll be among a large herd of IIS users - who could possibly know and want to `sploit me with Code Red?

        Most buyers at my site are using fraudulent credit card numbers anyway, so if the database gets owned it's not all that big a deal.

      • Seriously, though, it's a pretty impressive turn around time and should give some credence to those of us making arguments that the support is really there for open source projects like Apache, even though there's no "1-800-HELPME" number nor an expensive maintenance and support agreement.

      You can have your maintenance and support agreement, complete with 24x7 support line, if that's what you need, by contracting with someone like Covalent [covalent.com]. Covalent will be providing those patches pretty soon [covalent.net] for their releases, it seems.

      • by Anonymous Coward
        Is this the same Covalent who had the gall to tell me today when I telephoned (before that notice was up) for support on one of their SSL products that they had assessed the vulnerability and it wasn't all that big a problem, as Apache handled it pretty well and the child processes would die off?

        When I pointed out that this was exactly WHY I needed the patch, as our webservers are actually important to us and we'd rather not have them DoS'd, she mumbled something about adding us to an alert list for when the patches were ready.

    • Please note that the apache_1.3.26.tar.gz file was on their server (according to their server) at 11:24 am PDT time!

      I had it downloaded and installed on my box at work at about 6pm PDT.

      Output from HEAD on apache_1.3.26.tar.gz:

      Connected to www.apache.org.
      Escape character is '^]'.
      HEAD /dist/httpd/apache_1.3.26.tar.gz HTTP/1.1
      Host: www.apache.org

      HTTP/1.1 200 OK
      Date: Wed, 19 Jun 2002 04:00:49 GMT
      Server: Apache/2.0.39 (Unix)
      Cache-Control: max-age=86400
      Expires: Thu, 20 Jun 2002 04:00:49 GMT
      Last-Modified: Tue, 18 Jun 2002 18:24:15 GMT
      ETag: "cbbee-2324ab-73a911c0"
      Accept-Ranges: bytes
      Content-Length: 2303147
      Content-Type: application/x-tar
      Content-Encoding: x-gzip

      Connection closed by foreign host.
  • by PeekabooCaribou ( 544905 ) <slashdot@bwerp.net> on Tuesday June 18, 2002 @08:09PM (#3725853) Homepage Journal

    It is hard to complain about a 24-hour response time for a bug.

    I think this is the real advantage of OSS. It's people that make Apache, not some group of nameless programmers in a high-rise somewhere. The Apache programmers use Apache on a daily basis, so they stand to gain just as much as the rest of us do by releasing a quick fix. I honestly think they care about making it a good, bug-free product. I put much more trust into the open-source projects than I do for any closed source commercial package.

    • Well, I think the 24 hour response time is a good thing. However, to play devil's advocate for a second: if Microsoft had resolved an issue (I know, stop laughing and read on) in 24 hours, would it have been posted on here in this manner? I suspect it would have had a different slant to it...

      I only ask this in the light of the fact that ALL software has bugs and issues and exploits, but all software eventually gets patched. I find open source more responsive in some cases and worse in others; it's not a given that something will get fixed faster every time, but on average it is, and this is an advantage of open source software for me. The disadvantage of course lies in people who claim open source software never has a bug or exploit at all. All software HAS these things, but some software gets fixed faster than others.

      Good one to the apache team.

      • if Microsoft had resolved an issue (I know, stop laughing and read on) in 24 hours would it have been posted on here in this manner?? I suspect it would have had a different slant to it
        Considering it took something over three days before a search for Code Red on microsoft.com returned anything, when Microsoft apparently already had a patch for a couple of weeks, methinks the slant would be incredulity.

        ALL software has bugs and issues and exploits
        Agreed, with the possible exception of some stuff by Donald Knuth.
        but all software eventually gets patched
        Nope. dBASE5 for DOS has a serious bug which will never be patched. (Under certain conditions, "reading" a file will cause the initial 6 bytes of several other files to be rewritten with stale cached data. Ugly.)
  • by tyrione ( 134248 ) on Tuesday June 18, 2002 @08:52PM (#3726060) Homepage
    Downloaded a moment ago and the package is broken so I reverted to downloading the bloated non-msi executable and it works just fine.
  • 24 hour response? (Score:2, Informative)

    by xswl0931 ( 562013 )
    Doesn't anyone actually read the articles anymore? Apache was aware of the issue before ISS posted their advisory.
  • by Anonymous Coward
    Giving Apache 24 hours to make a bug fix imposed an unreasonable deadline, and also encouraged the fix to be quick and dirty. Any time code is patched, it could cause other bugs to show, or introduce new ones. Developers need a certain amount of time to do testing once changes are made to make sure they didn't break anything! Kudos to the Apache developers for meeting the deadline, but anti-kudos to (I'm not sure who) those who imposed it.
    • by buffy ( 8100 ) <buffy@p a r a p e t .net> on Wednesday June 19, 2002 @01:56AM (#3727276) Homepage
      Giving Apache 24 hours to make a bug fix imposed an unreasonable deadline, and also encouraged the fix to be quick and dirty. Any time code is patched, it could cause other bugs to show, or introduce new ones. Developers need a certain amount of time to do testing once changes are made to make sure they didn't break anything! Kudos to the Apache developers for meeting the deadline, but anti-kudos to (I'm not sure who) those who imposed it.

      You kind of missed how this went down. Nobody "imposed" a 24-hour window for the bug to be fixed. Had IIS not been a bunch of boneheads and prematurely (as in ejaculation) released information regarding the vulnerability, the programmers involved could've taken a little bit more time to develop the fix, ensuring better quality.

      The commendations re: the 24-hour turnaround are simply referencing the ability of a loose-knit group of open source programmers to rapidly respond to a bad situation. Had Microsoft been in the same spot (they have been before--people have screwed them, too--and they most certainly will be again) it still would've taken them a lot longer to kick out the fix, and even longer to get it into their distribution channels.

  • Folks at ISS (Score:5, Insightful)

    by Anonymous Coward on Tuesday June 18, 2002 @10:21PM (#3726511)
    <rant>
    ISS is full of shit. They have no respect for the way things work. Due to being connected with the security team of my company, I knew about the bug for a few days. And also that the Apache group was working to correct it. But no, the pricks at ISS had to release it with a whopping two hour notice, and not only that but they released a broken patch.

    And on top of all of that their stock goes up. What a crock of shit.
    </rant>
  • Props to the Apache team for a quick and thorough fix. Now this, THIS is what I call quality control and customer service. This outruns and outguns Microsoft's see no evil, speak no evil policy on security hotfixes. Hands down.
  • Anybody know when an updated version of mod_ssl will be released for this latest release of Apache? I know it's probably too soon to ask, but the mod_ssl homepage (http://www.modssl.org) still shows version 2.8.8 for Apache 1.3.24.

    Or will this old version patch successfully against the latest Apache release? I haven't tried mixing versions.

    • It's there now. Make sure you reload the page.

      I'm already running it in our staging environment, to test it before loading the whole kit-and-caboodle to our production servers.
  • mod_ssl? (Score:3, Interesting)

    by Phroggy ( 441 ) <slashdot3@ p h roggy.com> on Tuesday June 18, 2002 @10:34PM (#3726565) Homepage
    Anyone know the status of mod_ssl for 1.3.26?
    • Re:mod_ssl? (Score:5, Informative)

      by jonabbey ( 2498 ) <jonabbey@ganymeta.org> on Tuesday June 18, 2002 @10:54PM (#3726668) Homepage

      mod_ssl is baked into the Apache releases 2.0.35 and later, and is _far_ easier to compile and install than the old Apache 1.3 + external mod_ssl was.

      Get to Apache 2.0.x when you can.

      • Would love to, but support for many modules including PHP is flaky at best at this time.
      • Unfortunately this isn't an option for all. I'll migrate to 2.X whenever possible, but until all PHP oddities with the 2.X version are worked out I'll stick with my trusty 1.3.X version.

        There are actually some valid reasons not to upgrade sometimes.

        .haeger
      • No need to go 2.0.x for modssl, go to http://www.delouw.ch/linux/Apache-Compile-HOWTO/html/apache.html [delouw.ch] for a patch to use the 1.3.24 mod_ssl release.

        Rene
      • The original poster probably has very good reasons for using Apache 1.3.
        If I take my car to the mechanic for a tune-up, the answer I'm not looking to hear is "forget about the tune-up. why don't you just buy a BMW M1?". In the meantime, I've got an otherwise perfectly fine car just like the original poster likely has a perfectly fine setup (perhaps with apps built and tested under Apache 1.3) and the latest and greatest isn't the answer for them.
        • Sure, of course. I did say 'when you can'. And it is far easier to compile and link with a 2.0.x version than it was with 1.3, being as it does come with mod_ssl, and all of the build scripts are integrated.

          There is a lot that doesn't yet go so well on 2.0.x, mostly in the form of third party modules that have not been ported and/or certified for use with 2.0.x.

          It'll be a better world when they are, though.

    • I tried checking their site, but it appears down - a few mirrors I found online didn't show any sign of a 1.3.26 release and the ftp.modssl.org site didn't show any 1.3.26 tarball under 'source' ... so, in short, not yet, I guess.

      Too bad - I was going to update everything tonight, but I cannot without mod_ssl.
    • Re:mod_ssl? (Score:3, Informative)

      Argh..I posted a comment but it was replied to the wrong thread by accident. Crap.. Anyway, here's what I had to say. Hope it helps. (I hope I'm not going to get flamed for anything on this but I probably will).

      Woolley and I chatted on IRC tonight and I verified his patch [theaimsgroup.com] does indeed work. You will have to manually adjust apache_1.3.26/src/ap/Makefile.tmpl to add the three object files to line 7:

      ap_hook.o ap_ctx.o ap_mm.o

      The patch will cause a rejection due to modifications between 1.3.24 and 1.3.26 to the file.

      The patch applies to apache-1.3.24, btw. And be sure to use mod_ssl-2.8.8-1.3.24 and add --force on the mod_ssl configure line.

      Woolley's patch works great.

      • Oh, shit, --force. Thanks for posting something actually useful (and you won't get karma for it so just don't start whining ;-)

        Actually Useful and Intelligent +0

    • It's at modssl.org [modssl.org]. Thanks, Ralph!
  • First I must say good work to the Apache team, but I must stop and remind everyone the work is not done. Now this patch needs to be applied to all affected systems; now it is time for the SAs and the whatnot of the world to step up. Let's not forget this fact, because even MS releases patches sooner or later (ok, later), but it seems that many boxes stay affected forever due to bad admining on said MS box(en).
  • by red5 ( 51324 ) <gired5@gm a i l.com> on Tuesday June 18, 2002 @10:54PM (#3726666) Homepage Journal
    This advisory is for the multi-threaded version on apache only. So sites running 1.3.x on *nix are unaffected.

    Had me worried there for a minute as I admin quite a few of those.
    • Just updated Apache on my Solaris Box from Source.
      Took about 10 seconds to install. Shutdown apache, make install, start apache.
      That was easy!
      • well it takes a bit longer when you have mod_perl, php, and mod_gzip to compile into it. Heading off to do that now....
      • What I did was:

        Copy the config.status from the old apache install directory.
        Copy modules (I have 'fastcgi' and 'php4') in src/modules from the old directory.
        Call config.status, type 'make'.
        Make a backup copy of the old httpd
        Type 'make install'
        'apachectl stop' and 'apachectl start'

        This worked (for me).

        • Just try that in Microsoft Windows.
          Webserver downtime what? About 10 or 15 seconds, I'd guess.

          Copy the config.status from the old apache install directory.
          Copy modules (I have 'fastcgi' and 'php4') in src/modules from the old directory.
          Call config.status, type 'make'.
          Make a backup copy of the old httpd
          Type 'make install'
          'apachectl stop' and 'apachectl start'


          Ok, ok, I'm a newbie and still not quite used to the idea of replacing a program while it's still running. Kudos on the ordering of the steps. Murphy's Law might get the better of you, but it will have to work pretty hard to do it.
    • 32-bit Unix, that is.

      Quoth the advisory:
      However on 64-bit platforms the overflow
      can be controlled and so for platforms that store return addresses on the
      stack it is likely that it is further exploitable. This could allow
      arbitrary code to be run on the server as the user the Apache children are
      set to run as.

  • Any idea when the fix will be in the woody packages?

    • Any idea when the fix will be in the woody packages?

      What the hell?! You need this fix in a wooden package?! With cockade and stuff? Would the express FedEx delivery be OK, Your Majesty? Can't you just download it from the 'net like other people?! Geez...

    • Quite funny (well, not funny actually) that this request is just underneath a post saying:

      "Now this patch needs to be applied to all affected systems, now it is time for the SA's and the what not of the world to step up"

      An ill administered *nix box is much more useful for a hacker than an ill administered Windows box.

      To pkplex; it is your responsibility to the public internet to go fetch a copy and compile it yourself. If you're new to that, then don't worry, it's not too difficult, and there are plenty of HOWTO's etc on the web.

  • by Jobe_br ( 27348 ) <bdruth@gmailCOUGAR.com minus cat> on Tuesday June 18, 2002 @11:03PM (#3726709)

    I'm not sure, since I don't closely follow CERT myself - but an acquaintance e-mailed me the CERT advisory today and I noticed that the 1.3.x version of Apache it cites is not 1.3.26 - it's 1.3.25:

    Upgrade to the latest version

    The Apache Software Foundation has released two new versions of Apache that correct this vulnerability. System administrators can prevent the vulnerability from being exploited by upgrading to Apache version 1.3.25 or 2.0.39.

    I noticed that a 1.3.25 doesn't actually exist anywhere ... was there a failed release?

    • I noticed that a 1.3.25 doesn't actually exist anywhere ... was there a failed release?


      Yes that was a tad premature. In the end 1.3.25 was abandoned and they went straight to 2.3.26.
    • CERT didn't get it wrong, things changed.

      The Apache team told CERT that the next 1.3 version would be 1.3.25. This was the plan right up until a couple of hours before release. At this point, 1.3.25 was up for testing, and for some reason (I'm sure it was a good one), 1.3.25 was abandoned and they went to 1.3.26. I'm sure that the changelog will reveal all.
    • Indeed, apparently one last thing needed to be done to fix the CERT advisory bug:

      Changes with Apache 1.3.26

      *) Potential NULL referencing fixed in the CGI module. It had
      been there for 5 years. [Justin Erenkrantz]

      *) Ensure that we set the result value in ap_strtol before
      we return it. [The whole gang again]

      Changes with Apache 1.3.25

      *) Code changes required to address and close the security
      issues in CAN-2002-0392 (mitre.org) [CERT VU#944335].
      To support this, we utilize the ANSI functionality of
      strtol, and provide ap_strtol for completeness.
      [The whole gang]

      [many other 1.3.25 changes snipped]
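      The advisory excerpt quoted earlier in the thread (a controllable overflow on 64-bit platforms) and the 1.3.25 changelog entry above (switching to ANSI strtol, with ap_strtol for completeness) both come down to how the chunk-size line of a chunked request body is parsed. As an added illustration, not Apache's code, here is a stand-alone chunked-body decoder in C that treats the size field the way a hardened parser should: hex digits only, range-checked with errno, and bounded by both the remaining input and the output buffer. The sample bodies in main() are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode an HTTP/1.1 chunked body held in `in` (len bytes) into `out`
 * (out_cap bytes). Returns the decoded length, or -1 if the body is
 * malformed or would not fit. Chunk extensions (";name=value") are
 * skipped; trailer headers after the last-chunk are not examined. */
long decode_chunked(const char *in, size_t len, char *out, size_t out_cap)
{
    size_t pos = 0, written = 0;

    for (;;) {
        /* Locate the chunk-size line; it must end with LF. */
        const char *line = in + pos;
        const char *eol = memchr(line, '\n', len - pos);
        if (eol == NULL)
            return -1;
        size_t linelen = (size_t)(eol - line);

        /* Copy the size line into a bounded buffer so strtoul always sees
         * a NUL. No legitimate chunk-size line is this long; reject it. */
        char sizebuf[32];
        if (linelen >= sizeof sizebuf)
            return -1;
        memcpy(sizebuf, line, linelen);
        sizebuf[linelen] = '\0';

        /* The size must start with a hex digit. strtoul alone would also
         * accept leading blanks and a sign, and "-1" silently wraps to a
         * huge unsigned value, so reject those before converting. */
        if (!isxdigit((unsigned char)sizebuf[0]))
            return -1;

        char *end = NULL;
        errno = 0;
        unsigned long chunk = strtoul(sizebuf, &end, 16);
        if (errno == ERANGE)      /* more hex digits than unsigned long holds */
            return -1;
        /* Only CR, a chunk extension, or blanks may follow the digits. */
        if (*end != '\0' && *end != '\r' && *end != ';' && *end != ' ' && *end != '\t')
            return -1;

        pos += linelen + 1;       /* step past the LF */
        if (chunk == 0)
            return (long)written; /* last-chunk: body complete */

        /* The chunk must fit both the remaining input and the output. */
        if (chunk > len - pos || chunk > out_cap - written)
            return -1;
        memcpy(out + written, in + pos, chunk);
        written += chunk;
        pos += chunk;

        /* Chunk data is terminated by CRLF. */
        if (len - pos < 2 || in[pos] != '\r' || in[pos + 1] != '\n')
            return -1;
        pos += 2;
    }
}

/* Helper for demos and tests: decode a NUL-terminated body into a 64-byte
 * scratch buffer (capped at out_cap) and report the decoded length or -1. */
long chunked_decoded_len(const char *body, size_t out_cap)
{
    char scratch[64];
    if (out_cap > sizeof scratch)
        out_cap = sizeof scratch;
    return decode_chunked(body, strlen(body), scratch, out_cap);
}

int main(void)
{
    /* Constructed sample bodies; none of these come from the thread. */
    const char *good = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
    const char *negative = "-1\r\nWiki\r\n0\r\n\r\n";
    const char *huge = "ffffffffffffffffffff\r\nWiki\r\n0\r\n\r\n";

    printf("well-formed body: %ld bytes decoded\n", chunked_decoded_len(good, 64));
    printf("negative chunk size: %ld\n", chunked_decoded_len(negative, 64));
    printf("oversized chunk size: %ld\n", chunked_decoded_len(huge, 64));
    return 0;
}
```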
  • See, I told you so. (Score:5, Interesting)

    by rice_burners_suck ( 243660 ) on Tuesday June 18, 2002 @11:11PM (#3726746)

    Need I point out my earlier comment [slashdot.org]? I'll save you the trouble of looking it up:

    I have to say, the Apache web server is quite a high quality piece of work. The fact that an obscure security issue has been found is a good sign that developers and users are on top of things in the constant struggle against remote exploiters.
    I am confident that a fix will be available very shortly. Serious sysadmins will have their servers patched sooner than any serious damage takes place. I don't have the same confidence when it comes to Microsoft's products.

    I believe it was Dark Helmet who once said, "Evil will always triumph because good is dumb." But in the case of software, it's pretty clear that free will always triumph because commercial is dumb. Honestly, software developed out of a desire to:

    • Learn,
    • Do good,
    • Have fun in the process...

    is simply going to be better software than something that's developed out of the runaway greed rampant in the inferior competition.

  • PHP now broken? (Score:2, Interesting)

    by Zeekamotay ( 115667 )
    Oh sweat. Is this just me, or does 1.3.26 break PHP? I recompiled PHP 4.2.1 from source, but I still get this message when trying to start Apache:

    API module structure `php4_module' in file /usr/local/apache/libexec/libphp4.so is garbled - perhaps this is not an Apache module DSO?

    • I regressed to PHP 4.1.2 (the last version that I used successfully), and as soon as I did that, it worked like a peach. Perhaps it's a PHP problem; I never used PHP 4.2.x with Apache 1.3.24, so I don't know.

      Any other /.ers have this experience?
    • odd. I just recompiled everything and:

      Server: Apache/1.3.26 (Unix) mod_gzip/1.3.19.1a mod_perl/1.27 PHP/4.2.1

      Tested most of my sites and everything seems to work just fine, including PHP sites that use PostgreSQL.
    • The php4apache2.dll module with PHP 4.2.1 won't work at all with the 2.0.39 server. Comes up with an error that the module isn't for this version of Apache. Once that LoadModule is commented out, all works fine.
    • I have yet to get php4.2.x to work properly with Apache 1.3.x under Solaris 8 or 9, and last night's release is no exception.

      It all compiles fine - but php simply won't pass form variables, even in a $PHP_SELF.

      Have had to stay away from 4.2.x until I can get around to going to Apache 2.0.x
      • PHP now has register_globals turned off by default -- don't you remember those big compile-time warnings that said, "PHP NOW HAS REGISTER_GLOBALS OFF BY DEFAULT!" :)

        What you're seeing is correct behavior. You need to either use the $_SERVER, $_GET, and $_POST variables or set register_globals=on in your php.ini file.
        • "PHP now has register_globals turned off by default"
          This is to prevent malicious browsers from setting what are supposed to be program variables. info.php as <?phpinfo()?> is your friend.
  • It is hard to complain about a 24-hour response time for a bug.

    How can you? It's called "A Patchy" [apache.org] server, after all.

  • FUD (Score:5, Informative)

    by Vainglorious Coward ( 267452 ) on Wednesday June 19, 2002 @01:14AM (#3727145) Journal
    This of course is for the exploit [slashdot.org] that we reported yesterday

    Um, surely you mean vulnerability ?

  • Semi relevant.... upgrading my freebsd 4.6 box to apache 2.0.39 of course required recompiling php.

    installing php 4.2.1 from ports again, it dies with:

    Making all in apache2filter
    /bin/sh /usr/ports/www/mod_php4/work/php-4.2.1/libtool --silent --mode=compile cc -I. -I/usr/ports/www/mod_php4/work/php-4.2.1/sapi/apache2filter -I/usr/ports/www/mod_php4/work/php-4.2.1/main -I/usr/ports/www/mod_php4/work/php-4.2.1 -I/usr/local/include/apache2 -I/usr/ports/www/mod_php4/work/php-4.2.1/Zend -I/usr/local/include -I/usr/local/include/mysql -I/usr/ports/www/mod_php4/work/php-4.2.1/ext/xml/expat -D_REENTRANT -D_THREAD_SAFE -I/usr/ports/www/mod_php4/work/php-4.2.1/TSRM -I/usr/local/include/pth -O -pipe -march=pentiumpro -I/usr/local/include -I/usr/local/include/pgsql -pthread -DZTS -prefer-pic -c php_functions.c
    php_functions.c:93: syntax error
    *** Error code 1

    Anyone else have the problem?

    thanks in advance ;)
    smash.
  • Geez, how unprofessional. They knew about the vuln, they were working on it, then someone stupidly spilled the beans and they had to pull an all-nighter so their users wouldn't be exposed any longer than necessary.

    Anyone knows that a real, professional company [microsoft.com] would sit on the vuln report for a few weeks, until the finder got fed up and went public with it, then they'd complain about irresponsible disclosure and take two weeks to release a fix.

  • hmm. the new version of the apache advisory doesn't mention ISS's "faulty" patch. retraction? http://httpd.apache.org/info/security_bulletin_20020617.txt
  • Did anyone else notice that the Makefile is missing from the 1.3.26 release? I can't find it anywhere. I was going to upgrade real quick but this rather important piece of the puzzle is missing.
  • Actually... (Score:3, Insightful)

    by SuiteSisterMary ( 123932 ) <slebrunNO@SPAMgmail.com> on Wednesday June 19, 2002 @10:31AM (#3728918) Journal
    It is hard to complain about a 24-hour response time for a bug.
    Actually, it's easy. Watch. Gee, I wonder what sort of regression testing they did. Or anything along the lines of QA, other than 'it compiles with only warnings.'
  • PHP 4.2.1 doesn't seem to work with Apache 2.0.39. You need to upgrade to the CVS version of PHP; see the bug report [php.net]
  • I just followed the links, and, if I'm not crazy, you can now run 2.0.x on Windows 98...

    Any verification of this?

    (it's not for me - it's for a guy I support... I'm running off of OpenBSD myself)
