httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: CVE-2007-6203
Date Mon, 17 Dec 2007 21:26:16 GMT
Joe Orton wrote:
> On Sun, Dec 16, 2007 at 08:37:08PM +0100, Stefan Fritsch wrote:
>>  *) http_protocol: Escape request method in 413 error reporting.
>>      Determined to be not generally exploitable, but a flaw in any case.
>>      PR 44014 [Victor Stinner <victor.stinner inl.fr>]
>>
>> This is CVE-2007-6203. Maybe you should add the reference to the CHANGES file?
> 
> I don't think that's a good idea since we don't want to mislead users 
> into thinking a security issue exists here.

it potentially does, just not of httpd's creation.  I liked the text
for the autoindex issue;

   *) mod_autoindex: Add in Type and Charset options to IndexOptions
      directive. This allows the admin to explicitly set the
      content-type and charset of the generated page and is therefore
      a viable workaround for buggy browsers affected by CVE-2007-4465
      (cve.mitre.org). [Jim Jagielski]

I'd use the phrase "hypothetically buggy clients" in this case, since
there is not a single proof on this incident.



Mime
View raw message