Date: Wed, 26 Jun 2013 15:10:48 -0500
From: "William A. Rowe Jr."
To: dev@httpd.apache.org
Cc: trawick@gmail.com
Subject: Re: Tagging 2.0.65...

On Wed, 26 Jun 2013 13:30:25 -0400
Jeff Trawick wrote:

> Did anyone else have a chance to think about wrowe's suggested
> addendum to the CHANGES entry for CVE-2011-3607?

I've tweaked this slightly, please holler if anyone has some better
wording to offer;

Changes with Apache 2.0.65

  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
     is enabled, could allow local users to gain privileges via a .htaccess
     file. [Stefan Fritsch, Greg Ames]

     NOTE: it remains possible to exhaust all memory using a carefully
     crafted .htaccess rule, which will not be addressed in 2.0; enabling
     processing of .htaccess files authored by untrusted users is the root
     of such security risks. Upgrade to httpd 2.2.25 or later to limit this
     specific risk.
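
The class of bug named in the CHANGES entry, as an added illustration that is not part of this message and is not httpd's code: a simplified model of the size-computing pass of a `$N` substitution helper, with a wrap check on the running total and a cap on the result. `struct span`, `subst_len` and `maxlen` are hypothetical names chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <ctype.h>

/* Hypothetical stand-in for a regex match offset pair (like regmatch_t). */
struct span { size_t so, eo; };

/*
 * First pass of a two-pass "$N" substitution: compute how many bytes the
 * expanded template needs. Returns 0 and stores the size (including the
 * terminating NUL) in *out; returns -1 if the total would wrap size_t or
 * exceed maxlen. Without the wrap check, a wrapped total yields an
 * undersized allocation that the second (copy) pass then overruns.
 */
int subst_len(const char *tmpl, const struct span *m, size_t nmatch,
              size_t maxlen, size_t *out)
{
    size_t len = 1;                       /* room for the terminating NUL */

    for (const char *p = tmpl; *p; p++) {
        size_t add = 1;                   /* a literal byte by default */

        if (*p == '$' && isdigit((unsigned char)p[1])) {
            size_t no = (size_t)(*++p - '0');
            /* Unset or empty groups expand to nothing. */
            add = (no < nmatch && m[no].so < m[no].eo)
                      ? m[no].eo - m[no].so : 0;
        } else if (*p == '\\' && p[1] == '$') {
            p++;                          /* "\$" is one literal dollar sign */
        }
        if (add > SIZE_MAX - len)         /* sum would wrap: refuse */
            return -1;
        len += add;
        if (len > maxlen)                 /* policy cap bounds memory use */
            return -1;
    }
    *out = len;
    return 0;
}
```

The wrap check addresses the overflow itself; the separate `maxlen` cap is what bounds how much memory a rule written by an untrusted author can request.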