Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2010/03/09 18:15:04 UTC
Re: svn commit: r113 - /release/httpd/patches/apply_to_2.0.63/CVE-2010-0425.patch
On Tue, Mar 9, 2010 at 11:52 AM, <wr...@apache.org> wrote:
> Author: wrowe
> Date: Tue Mar 9 11:52:32 2010
> New Revision: 113
>
> Log:
> For 2.0 patch available, note different line numbers
I will continue working on the related vulnerabilities-httpd.xml
update unless you've already started ;)
Re: svn commit: r113 - /release/httpd/patches/apply_to_2.0.63/CVE-2010-0425.patch
Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/9/2010 2:51 PM, Joe Orton wrote:
> On Tue, Mar 09, 2010 at 02:43:08PM -0600, William Rowe wrote:
>> On 3/9/2010 11:15 AM, Jeff Trawick wrote:
>>> On Tue, Mar 9, 2010 at 11:52 AM, <wr...@apache.org> wrote:
>>>> Author: wrowe
>>>> Date: Tue Mar 9 11:52:32 2010
>>>> New Revision: 113
>>>>
>>>> Log:
>>>> For 2.0 patch available, note different line numbers
>>>
>>> I will continue working on the related vulnerabilities-httpd.xml
>>> update unless you've already started ;)
>>
>> Be my guest, I was just moving the single entry and see you had jumped
>> into the 2.0 security report xml. I was just going back over source code
>> to verify the age of the flaw.
>
> Has anybody looked into whether CVE-2010-0434 affects 2.0.x too, on the
> subject of security and 2.0.x? The r->headers_in table issue looks the
> same but I didn't manage to get a test case working for 2.2.x to be able
> to reproduce it.
Yes, but the patch is trivial. See the next status commit. If accepted
I'll be happy to add to apply_to_2.0.63
Re: svn commit: r113 - /release/httpd/patches/apply_to_2.0.63/CVE-2010-0425.patch
Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/9/2010 2:51 PM, Joe Orton wrote:
> On Tue, Mar 09, 2010 at 02:43:08PM -0600, William Rowe wrote:
>> On 3/9/2010 11:15 AM, Jeff Trawick wrote:
>>> On Tue, Mar 9, 2010 at 11:52 AM, <wr...@apache.org> wrote:
>>>> Author: wrowe
>>>> Date: Tue Mar 9 11:52:32 2010
>>>> New Revision: 113
>>>>
>>>> Log:
>>>> For 2.0 patch available, note different line numbers
>>>
>>> I will continue working on the related vulnerabilities-httpd.xml
>>> update unless you've already started ;)
>>
>> Be my guest, I was just moving the single entry and see you had jumped
>> into the 2.0 security report xml. I was just going back over source code
>> to verify the age of the flaw.
>
> Has anybody looked into whether CVE-2010-0434 affects 2.0.x too, on the
> subject of security and 2.0.x? The r->headers_in table issue looks the
> same but I didn't manage to get a test case working for 2.2.x to be able
> to reproduce it.
Cross-request pollution "reproduction" cases are a pita.
Re: svn commit: r113 - /release/httpd/patches/apply_to_2.0.63/CVE-2010-0425.patch
Posted by Joe Orton <jo...@redhat.com>.
On Tue, Mar 09, 2010 at 02:43:08PM -0600, William Rowe wrote:
> On 3/9/2010 11:15 AM, Jeff Trawick wrote:
> > On Tue, Mar 9, 2010 at 11:52 AM, <wr...@apache.org> wrote:
> >> Author: wrowe
> >> Date: Tue Mar 9 11:52:32 2010
> >> New Revision: 113
> >>
> >> Log:
> >> For 2.0 patch available, note different line numbers
> >
> > I will continue working on the related vulnerabilities-httpd.xml
> > update unless you've already started ;)
>
> Be my guest, I was just moving the single entry and see you had jumped
> into the 2.0 security report xml. I was just going back over source code
> to verify the age of the flaw.
Has anybody looked into whether CVE-2010-0434 affects 2.0.x too, on the
subject of security and 2.0.x? The r->headers_in table issue looks the
same but I didn't manage to get a test case working for 2.2.x to be able
to reproduce it.
Regards, Joe
Re: svn commit: r113 - /release/httpd/patches/apply_to_2.0.63/CVE-2010-0425.patch
Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 3/9/2010 11:15 AM, Jeff Trawick wrote:
> On Tue, Mar 9, 2010 at 11:52 AM, <wr...@apache.org> wrote:
>> Author: wrowe
>> Date: Tue Mar 9 11:52:32 2010
>> New Revision: 113
>>
>> Log:
>> For 2.0 patch available, note different line numbers
>
> I will continue working on the related vulnerabilities-httpd.xml
> update unless you've already started ;)
Be my guest, I was just moving the single entry and see you had jumped
into the 2.0 security report xml. I was just going back over source code
to verify the age of the flaw.