Ick :( For some reason I thought this was hidden by CORE_PRIVATE, for
On Sun, May 17, 2009 at 11:15:00AM -0400, Jeff Trawick wrote:
> On Tue, May 12, 2009 at 9:17 AM, <email@example.com
> > Author: covener
> > Date: Tue May 12 13:17:29 2009
> > New Revision: 773881
> > URL: http://svn.apache.org/viewvc?rev=773881&view=rev
> > Log:
> > backport 772997, 773322, 773342 from trunk.
> > Reviewed By: jorton, rpluem, covener
> > Security fix for CVE-2009-1195: fix Options handling such that
> > 'AllowOverride Options=IncludesNoExec' does not permit Includes with
> > exec= enabled to be configured in an .htaccess file:
> > * include/http_core.h: Change semantics of Includes/IncludeNoExec
> > options bits to be additive; OPT_INCLUDES now means SSI is enabled
> > without exec=. OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled
> > with exec=.
> Current mod_perl tarballs reference OPT_INC_WITH_EXEC as part of mapping the
> httpd API into perl, and the mod_perl build fails because of this.
> ("modperl_config.c", line 525: undefined symbol: OPT_INCNOEXEC)