httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <>
Subject Re: CVE-2003-1418 - still affects apache 2 current
Date Mon, 05 Sep 2011 13:21:05 GMT
On Thu, Sep 01, 2011 at 06:27:35PM +0200, "Plüm, Rüdiger, VF-Group" wrote:
> Can't find the discussion either, but I remember that it was not seen 
> as a security issue. For those still concerned about this, the advice 
> was as you said "FileETag -INode". So IMHO no need for a patch here 
> except for documentation and default config

Ah - I found the discussion, it was on security@.

Tomas (CC'ed) pointed out that CVE-2003-1418 also covers the fact that 
the byterange filter leaks pids.  I don't think that is worth treating 
as a vulnerability, either; but I changed it in r1165268 anyway - that 
is still leaking some MPM-specific data, but it doesn't seem worth going 
to any more effort.


Is there consensus to treat the issues described there as not being 
security-sensitive?  If so we can probably put tihs on the vulnerability 
list is as a not-a-bug as an "official statement".

Regards, Joe

View raw message