httpd-dev mailing list archives

From: William A. Rowe Jr.
Subject: Re: Tagging 2.0.65...
Date: Wed, 26 Jun 2013 20:10:48 GMT

On Wed, 26 Jun 2013 13:30:25 -0400
Jeff Trawick wrote:
> Did anyone else have a chance to think about wrowe's suggested
> addendum to the CHANGES entry for CVE-2011-3607?

I've tweaked this slightly, please holler if anyone has some better
wording to offer;

Changes with Apache 2.0.65

  *) SECURITY: CVE-2011-3607 (
     Fix integer overflow in ap_pregsub() which, when the mod_setenvif
     module is enabled, could allow local users to gain privileges via
     a .htaccess file. [Stefan Fritsch, Greg Ames]

       NOTE: it remains possible to exhaust all memory using a carefully
       crafted .htaccess rule, which will not be addressed in 2.0;
       enabling processing of .htaccess files authored by untrusted
       users is the root of such security risks.  Upgrade to httpd
       2.2.25 or later to limit this specific risk.
