httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject Affected versions for CVE-2014-0098
Date Sun, 30 Mar 2014 10:13:20 GMT
Hi,

I have been looking at backporting the cookie issue fix, and it looks 
to me that it was introduced in

http://svn.apache.org/viewvc?view=revision&revision=r1374538
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/loggers/mod_log_config.c?r1=1374538&r2=1374537&pathrev=1374538

which would mean that versions before 2.2.23 are not affected. Can 
anyone verify this?

I couldn't produce a segfault even with 2.2.23, but with 2.2.22 the 
access log always contains the "-" for no value, while with the above 
commit, it logs an empty value. This probably means that in my setup, 
there is by coincidence always another NUL byte after the end of 
string NUL byte. This would be consistent with the reporter stating 
that he only saw it a few times in a month on a busy server.

If I am correct, the version list at
http://httpd.apache.org/security/vulnerabilities_22.html
should be adjusted.

Cheers,
Stefan


Mime
View raw message