httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Tagging 2.0.65...
Date Wed, 26 Jun 2013 20:10:48 GMT
On Wed, 26 Jun 2013 13:30:25 -0400
Jeff Trawick <trawick@gmail.com> wrote:
> 
> Did anyone else have a chance to think about wrowe's suggested
> addendum to the CHANGES entry for CVE-2011-3607?

I've tweaked this slightly, please holler if anyone has some better
wording to offer;

Changes with Apache 2.0.65

  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     Fix integer overflow in ap_pregsub() which, when the mod_setenvif
     module is enabled, could allow local users to gain privileges via
     a .htaccess file. [Stefan Fritsch, Greg Ames]

       NOTE: it remains possible to exhaust all memory using a carefully
       crafted .htaccess rule, which will not be addressed in 2.0;
       enabling processing of .htaccess files authored by untrusted
       users is the root of such security risks.  Upgrade to httpd
       2.2.25 or later to limit this specific risk.


Mime
View raw message