Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2010/03/09 18:15:04 UTC

Re: svn commit: r113 - /release/httpd/patches/apply_to_2.0.63/CVE-2010-0425.patch

On Tue, Mar 9, 2010 at 11:52 AM,  <wr...@apache.org> wrote:
> Author: wrowe
> Date: Tue Mar  9 11:52:32 2010
> New Revision: 113
>
> Log:
> For 2.0 patch available, note different line numbers

I will continue working on the related vulnerabilities-httpd.xml
update unless you've already started ;)

Re: svn commit: r113 - /release/httpd/patches/apply_to_2.0.63/CVE-2010-0425.patch

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/9/2010 2:51 PM, Joe Orton wrote:
> On Tue, Mar 09, 2010 at 02:43:08PM -0600, William Rowe wrote:
>> On 3/9/2010 11:15 AM, Jeff Trawick wrote:
>>> On Tue, Mar 9, 2010 at 11:52 AM,  <wr...@apache.org> wrote:
>>>> Author: wrowe
>>>> Date: Tue Mar  9 11:52:32 2010
>>>> New Revision: 113
>>>>
>>>> Log:
>>>> For 2.0 patch available, note different line numbers
>>>
>>> I will continue working on the related vulnerabilities-httpd.xml
>>> update unless you've already started ;)
>>
>> Be my guest, I was just moving the single entry and see you had jumped
>> into the 2.0 security report xml.  I was just going back over source code
>> to verify the age of the flaw.
> 
> Has anybody looked into whether CVE-2010-0434 affects 2.0.x too, on the 
> subject of security and 2.0.x?  The r->headers_in table issue looks the 
> same but I didn't manage to get a test case working for 2.2.x to be able 
> to reproduce it.

Yes, but the patch is trivial.  See the next status commit.  If accepted
I'll be happy to add to apply_to_2.0.63

Re: svn commit: r113 - /release/httpd/patches/apply_to_2.0.63/CVE-2010-0425.patch

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/9/2010 2:51 PM, Joe Orton wrote:
> On Tue, Mar 09, 2010 at 02:43:08PM -0600, William Rowe wrote:
>> On 3/9/2010 11:15 AM, Jeff Trawick wrote:
>>> On Tue, Mar 9, 2010 at 11:52 AM,  <wr...@apache.org> wrote:
>>>> Author: wrowe
>>>> Date: Tue Mar  9 11:52:32 2010
>>>> New Revision: 113
>>>>
>>>> Log:
>>>> For 2.0 patch available, note different line numbers
>>>
>>> I will continue working on the related vulnerabilities-httpd.xml
>>> update unless you've already started ;)
>>
>> Be my guest, I was just moving the single entry and see you had jumped
>> into the 2.0 security report xml.  I was just going back over source code
>> to verify the age of the flaw.
> 
> Has anybody looked into whether CVE-2010-0434 affects 2.0.x too, on the 
> subject of security and 2.0.x?  The r->headers_in table issue looks the 
> same but I didn't manage to get a test case working for 2.2.x to be able 
> to reproduce it.

Cross-request pollution "reproduction" cases are a pita.

Re: svn commit: r113 - /release/httpd/patches/apply_to_2.0.63/CVE-2010-0425.patch

Posted by Joe Orton <jo...@redhat.com>.
On Tue, Mar 09, 2010 at 02:43:08PM -0600, William Rowe wrote:
> On 3/9/2010 11:15 AM, Jeff Trawick wrote:
> > On Tue, Mar 9, 2010 at 11:52 AM,  <wr...@apache.org> wrote:
> >> Author: wrowe
> >> Date: Tue Mar  9 11:52:32 2010
> >> New Revision: 113
> >>
> >> Log:
> >> For 2.0 patch available, note different line numbers
> > 
> > I will continue working on the related vulnerabilities-httpd.xml
> > update unless you've already started ;)
> 
> Be my guest, I was just moving the single entry and see you had jumped
> into the 2.0 security report xml.  I was just going back over source code
> to verify the age of the flaw.

Has anybody looked into whether CVE-2010-0434 affects 2.0.x too, on the 
subject of security and 2.0.x?  The r->headers_in table issue looks the 
same but I didn't manage to get a test case working for 2.2.x to be able 
to reproduce it.

Regards, Joe

Re: svn commit: r113 - /release/httpd/patches/apply_to_2.0.63/CVE-2010-0425.patch

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/9/2010 11:15 AM, Jeff Trawick wrote:
> On Tue, Mar 9, 2010 at 11:52 AM,  <wr...@apache.org> wrote:
>> Author: wrowe
>> Date: Tue Mar  9 11:52:32 2010
>> New Revision: 113
>>
>> Log:
>> For 2.0 patch available, note different line numbers
> 
> I will continue working on the related vulnerabilities-httpd.xml
> update unless you've already started ;)

Be my guest, I was just moving the single entry and see you had jumped
into the 2.0 security report xml.  I was just going back over source code
to verify the age of the flaw.