httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hollstein, Mathias" <mathias.hollst...@destatis.de>
Subject Apche 2.4 docs /wr to CVE-2014-0098 log_cookie directive
Date Mon, 24 Mar 2014 10:43:30 GMT
Hello everyone,

after reading CVE-2014-0098 ([L1]) one of my colleagues came up with the
conclusion that "log_cookie" function in file "mod_log_config.c" is not
used in Apache 2.4 anymore.

However the documents ([L2]) are somehow not reflecting the codebase
([L3]) as far as I can see. The SVN repository clearly indicates the
code actually does exist.

Now I ask my self whether the official documentation is wrong (missing
CookieLog Directive for "current") or the code is deactivated somehow. I
also ask myself whether the CVE applies to Apache 2.4 or not at all. So
far all certs worldwide tell me/us so but the documents do not reflect
that. During apache test we receive "Invalid command 'CookieLog',
perhaps misspelled or defined by a module not included in the server
configuration". But again, it's in the SVN code repository.

Your help is appreciated. Thanks in advance! :)

[L1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0098
[L2] http://httpd.apache.org/docs/current/mod/mod_log_config.html
[L3]
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/loggers/mod_log_config.c?r1=1575394&r2=1575400&diff_format=h


Kind regards

Mathias Hollstein
______________________
Mathias Hollstein

Referat BIT II 5 (Wiesbaden)

Telefon: +49 (0) 611 75 2549
Telefax: +49 (0) 611 72 4000

Email: Mathias.Hollstein@bva.bund.de
Email: mathias.hollstein@destatis.de

Internet: www.bundesverwaltungsamt.de
          www.bit.bund.de
          www.destatis.de

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message