httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: CVE-2003-1418 - still affects apache 2 current
Date Mon, 05 Sep 2011 13:33:34 GMT
 

> -----Original Message-----
> From: Joe Orton [mailto:jorton@redhat.com] 
> Sent: Montag, 5. September 2011 15:21
> To: dev@httpd.apache.org
> Cc: thoger@redhat.com
> Subject: Re: CVE-2003-1418 - still affects apache 2 current
> 
> On Thu, Sep 01, 2011 at 06:27:35PM +0200, "Plüm, Rüdiger, VF-Group" wrote:
> > Can't find the discussion either, but I remember that it was not seen
> > as a security issue. For those still concerned about this, the advice
> > was as you said "FileETag -INode". So IMHO no need for a patch here
> > except for documentation and default config
> 
> Ah - I found the discussion, it was on security@.
> 
> Tomas (CC'ed) pointed out that CVE-2003-1418 also covers the fact that
> the byterange filter leaks pids.  I don't think that is worth treating
> as a vulnerability, either; but I changed it in r1165268 anyway - that
> is still leaking some MPM-specific data, but it doesn't seem worth going
> to any more effort.
> 
> => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
> 
> Is there consensus to treat the issues described there as not being
> security-sensitive?  If so we can probably put this on the vulnerability
> list as a not-a-bug as an "official statement".
> 

+1

Regards

Rüdiger

