Posted to dev@httpd.apache.org by "William A. Rowe Jr." <wr...@rowe-clan.net> on 2012/01/10 19:58:32 UTC

Re: Off-list question

On 1/10/2012 12:54 PM, Mark J Cox wrote:
>> This is untrue.  There is no mechanism for the remote attacker to exploit
>> creating malicious .htaccess files.
> Do we want to put up our statement on why we think these CVEs are not
> vulnerabilities?  I don't think the current vulnerabilities xslt could
> handle it, but I probably still have a login to NVD and can update a
> vendor statement directly into the NVD page.  I won't have chance to
> craft a statement this week though.

I'm not likely to have a lot of time, but I just wanted to put this out as a reminder that
there is community interest.

Why don't we use the current vulnerabilities with a severity of 'none'?  It isn't that there
is no security concern, it is simply a security concern of the administrator.

My planned 1st step is the appropriate edits to the httpd manual.  After the docs
pages are modified, we have something to point users at, much like the section on
how followsymlinks is not a secure feature.