Date: Mon, 15 Jun 2009 21:45:30 +0200 From: Stefan Fritsch <sf@...itsch.de> To: oss-security@...ts.openwall.com Subject: CVE request for old Apache 2.2 issue Hi, in Apache 2.2.x before 2.2.9, there was a issue very similar to CVE-2009-1195 that allowed local users to override all options in .htaccess, even if only one option was allowed by the AllowOverride directive. It was fixed as PR 44262 in 2.2.9 in June 2008, but the security relevance was not made clear. Bugzilla. https://issues.apache.org/bugzilla/show_bug.cgi?id=44262 For Apache before 2.2.9, it does not make sense to fix CVE-2009-1195 without fixing PR 44262, too. Therefore I think this issue should get a separate CVE id. Cheers, Stefan
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.