httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: CVE-2003-1418 - still affects apache 2 current
Date Thu, 01 Sep 2011 16:27:35 GMT
 

> -----Original Message-----
> From: Joe Orton [mailto:jorton@redhat.com] 
> Sent: Thursday, 1 September 2011 16:46
> To: Marcus Meissner
> Cc: dev@httpd.apache.org
> Subject: Re: CVE-2003-1418 - still affects apache 2 current
> 
> On Thu, Sep 01, 2011 at 02:39:11PM +0200, Marcus Meissner wrote:
> > Hi,
> > 
> > CVE-2003-1418, a minor security issue, is still affecting the current codebase.
> > 
> > Someone opened a tracker bug a year ago without feedback:
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=49623
> > 
> > Do you have a statement?
> 
> Use "FileETag -INode" if you care about leaking inode numbers.
> 
> I think there was consensus that the default should be changed to that,
> but I can't find the discussion.

Can't find the discussion either, but I remember that it was not seen as a security issue.
For those still concerned about this, the advice was, as you said, "FileETag -INode".
So IMHO no need for a patch here except for documentation and default config.

Regards

Rüdiger
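
Added example, not part of the original message or of httpd: a Python check an administrator can run over ETag headers collected from their own servers to confirm that "FileETag -INode" took effect. It assumes httpd file ETags are quoted, hyphen-separated hex fields, one per enabled FileETag keyword; the function names and sample values are constructed for illustration.

```python
import re

# Assumption: a file ETag from httpd is a quoted string of hyphen-separated
# hex fields, one per enabled FileETag keyword (INode, Size, MTime).
_ETAG_RE = re.compile(r'^(W/)?"([^"]*)"$')
_HEX_RE = re.compile(r'^[0-9a-fA-F]+$')


def etag_fields(header_value):
    """Return the list of hex fields in an ETag value, or None if the
    value does not have the assumed httpd file-ETag shape."""
    m = _ETAG_RE.match(header_value.strip())
    if not m:
        return None
    parts = m.group(2).split("-")
    # A non-hex trailing token (for example a content-coding suffix such
    # as "gzip") is not one of the file attribute fields; drop it.
    if len(parts) > 1 and not _HEX_RE.match(parts[-1]):
        parts = parts[:-1]
    if not parts or not all(_HEX_RE.match(p) for p in parts):
        return None
    return parts


def audit(responses):
    """responses: iterable of (url, etag_header_value) pairs.
    Return the URLs whose ETag carries three fields, which is what the
    "INode MTime Size" setting produces; with -INode only two remain."""
    flagged = []
    for url, etag in responses:
        fields = etag_fields(etag)
        if fields is not None and len(fields) == 3:
            flagged.append(url)
    return flagged


# Constructed sample data; the hosts and ETag values are made up.
SAMPLE = [
    ("http://a.example/index.html", '"2c4a1f-1b6-4abf1c2d3e4f0"'),
    ("http://b.example/index.html", '"1b6-4abf1c2d3e4f0"'),
    ("http://c.example/app.js", '"2c4a1f-1b6-4abf1c2d3e4f0-gzip"'),
    ("http://d.example/api", 'W/"v7-release"'),
]

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("three-field ETag, check FileETag setting:", url)
```

The check counts fields only, so a flagged URL is a prompt to review the FileETag setting for that host, not proof of which attributes are in use.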

