[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE request for old Apache 2.2 issue
From:       Stefan Fritsch <sf () sfritsch ! de>
Date:       2009-06-15 19:45:30
Message-ID: 200906152145.31126.sf () sfritsch ! de
[Download RAW message or body]

Hi,

in Apache 2.2.x before 2.2.9, there was a issue very similar to 
CVE-2009-1195 that allowed local users to override all options in 
.htaccess, even if only one option was allowed by the AllowOverride 
directive. It was fixed as PR 44262 in 2.2.9 in June 2008, but the 
security relevance was not made clear.

Bugzilla.
https://issues.apache.org/bugzilla/show_bug.cgi?id=44262

For Apache before 2.2.9, it does not make sense to fix CVE-2009-1195 
without fixing PR 44262, too. Therefore I think this issue should get 
a separate CVE id.

Cheers,
Stefan


[prev in list] [next in list] [prev in thread] [next in thread]