CVE request for old Apache 2.2 issue

[Stefan Fritsch <sf () sfritsch de>]

Hi,

in Apache 2.2.x before 2.2.9, there was a issue very similar to 
CVE-2009-1195 that allowed local users to override all options in 
.htaccess, even if only one option was allowed by the AllowOverride 
directive. It was fixed as PR 44262 in 2.2.9 in June 2008, but the 
security relevance was not made clear.

Bugzilla.
https://issues.apache.org/bugzilla/show_bug.cgi?id=44262

For Apache before 2.2.9, it does not make sense to fix CVE-2009-1195 
without fixing PR 44262, too. Therefore I think this issue should get 
a separate CVE id.

Cheers,
Stefan