httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hollstein, Mathias" <>
Subject Apche 2.4 docs /wr to CVE-2014-0098 log_cookie directive
Date Mon, 24 Mar 2014 10:43:30 GMT
Hello everyone,

after reading CVE-2014-0098 ([L1]) one of my colleagues came up with the
conclusion that "log_cookie" function in file "mod_log_config.c" is not
used in Apache 2.4 anymore.

However the documents ([L2]) are somehow not reflecting the codebase
([L3]) as far as I can see. The SVN repository clearly indicates the
code actually does exist.

Now I ask my self whether the official documentation is wrong (missing
CookieLog Directive for "current") or the code is deactivated somehow. I
also ask myself whether the CVE applies to Apache 2.4 or not at all. So
far all certs worldwide tell me/us so but the documents do not reflect
that. During apache test we receive "Invalid command 'CookieLog',
perhaps misspelled or defined by a module not included in the server
configuration". But again, it's in the SVN code repository.

Your help is appreciated. Thanks in advance! :)


Kind regards

Mathias Hollstein
Mathias Hollstein

Referat BIT II 5 (Wiesbaden)

Telefon: +49 (0) 611 75 2549
Telefax: +49 (0) 611 72 4000



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message