Date: Mon, 14 Jul 2014 20:36:28 -0400
Subject: Re: [PATCH] did I understand the mod_cgid fix properly?
From: Eric Covener
To: Apache HTTP Server Development List

On Mon, Jul 14, 2014 at 5:18 PM, Jeff Trawick wrote:
> Index: CHANGES > =================================================================== > --- CHANGES (revision 1610531) > +++ CHANGES (working copy) > @@ -16,8 +16,10 @@ > *) SECURITY: CVE-2014-0231 (cve.mitre.org) > mod_cgid: Fix a denial of service against CGI scripts that do > not consume stdin that could lead to lingering HTTPD child processes > - filling up the scoreboard and eventually hanging the server. Adds > - "CGIDScriptTimeout" directive. > + filling up the scoreboard and eventually hanging the server. By > + default, the client I/O timeout (Timeout directive) now applies to > + communication with scripts. The CGIDScriptTimeout directive can be > + used to set a different timeout for communication with scripts. > [Rainer Jung, Eric Covener, Yann Ylavic] > > *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions > >
> Make sense?

+1
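Review bot: In the rewritten CVE-2014-0231 entry, the added sentences say which timeout applies to scripts but not what the server does when it expires. Because "now applies" announces a changed default for existing configurations, a short clause on the outcome at expiry would tell administrators with slow or quiet CGI scripts what to expect after upgrading. As a style point, "communication with scripts" closes both added sentences; the second could end at "used to set a different timeout".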