httpd-dev mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: [PATCH] did I understand the mod_cgid fix properly?
Date Tue, 15 Jul 2014 00:36:28 GMT
On Mon, Jul 14, 2014 at 5:18 PM, Jeff Trawick <trawick@gmail.com> wrote:
> Index: CHANGES
> ===================================================================
> --- CHANGES (revision 1610531)
> +++ CHANGES (working copy)
> @@ -16,8 +16,10 @@
>    *) SECURITY: CVE-2014-0231 (cve.mitre.org)
>       mod_cgid: Fix a denial of service against CGI scripts that do
>       not consume stdin that could lead to lingering HTTPD child processes
> -     filling up the scoreboard and eventually hanging the server. Adds
> -     "CGIDScriptTimeout" directive.
> +     filling up the scoreboard and eventually hanging the server.  By
> +     default, the client I/O timeout (Timeout directive) now applies to
> +     communication with scripts.  The CGIDScriptTimeout directive can be
> +     used to set a different timeout for communication with scripts.
>       [Rainer Jung, Eric Covener, Yann Ylavic]
>
>    *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
>
>
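Review bot: The added sentence "By default, the client I/O timeout (Timeout directive) now applies to communication with scripts" records a change in default behaviour, but it does not tell someone upgrading an existing configuration when they would need to act. Consider saying explicitly that scripts whose I/O can stay idle for longer than Timeout need CGIDScriptTimeout set, for example by ending the entry with "used to set a different (e.g. longer) timeout for communication with scripts". It would also help to state what the server does when that timeout expires, since the visible text describes only which timeout applies.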
> Make sense?

+1
