oss-sec mailing list archives
CVE request for old Apache 2.2 issue
From: Stefan Fritsch <sf () sfritsch de>
Date: Mon, 15 Jun 2009 21:45:30 +0200
Hi, in Apache 2.2.x before 2.2.9, there was a issue very similar to CVE-2009-1195 that allowed local users to override all options in .htaccess, even if only one option was allowed by the AllowOverride directive. It was fixed as PR 44262 in 2.2.9 in June 2008, but the security relevance was not made clear. Bugzilla. https://issues.apache.org/bugzilla/show_bug.cgi?id=44262 For Apache before 2.2.9, it does not make sense to fix CVE-2009-1195 without fixing PR 44262, too. Therefore I think this issue should get a separate CVE id. Cheers, Stefan
Current thread:
- CVE request for old Apache 2.2 issue Stefan Fritsch (Jun 15)