Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 15 Jun 2009 21:45:30 +0200
From: Stefan Fritsch <>
Subject: CVE request for old Apache 2.2 issue


in Apache 2.2.x before 2.2.9, there was a issue very similar to 
CVE-2009-1195 that allowed local users to override all options in 
.htaccess, even if only one option was allowed by the AllowOverride 
directive. It was fixed as PR 44262 in 2.2.9 in June 2008, but the 
security relevance was not made clear.


For Apache before 2.2.9, it does not make sense to fix CVE-2009-1195 
without fixing PR 44262, too. Therefore I think this issue should get 
a separate CVE id.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.