httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: Includes vs IncludesNoExec security issue - help needed
Date Fri, 08 May 2009 14:45:42 GMT

On Tue, Apr 28, 2009 at 02:48:52PM +0100, Joe Orton wrote:
> 5) I'll post an updated patch soon which fixes the behaviour of "Options 
> Includes"/"Options +IncludesNoExec" such that SSI is permitted without 
> exec, as is the current 2.2.x behaviour, since that seems to be the 
> rough consensus.  Jon also spotted a minor logic flaw in the patch which 
> I'll fix too.

Rather than posting another round, I've committed the updated patch 
which includes those changes:

   http://svn.apache.org/viewvc?rev=772997&view=rev

Along with a test suite:

   http://svn.apache.org/viewvc?rev=773001&view=rev

For reference, this issue has been assigned CVE name CVE-2009-1195.

Thanks a lot to everybody who has helped out with this issue.

Regards, Joe
