Posted to dev@httpd.apache.org by Nick Kew <ni...@webthing.com> on 2009/07/05 00:23:46 UTC
Re: svn commit: r790587 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy_http.c
jorton@apache.org wrote:
> Changes with Apache 2.3.3
>
> + *) SECURITY: CVE-2009-1890 (cve.mitre.org)
> + Fix a potential Denial-of-Service attack against mod_proxy in a
> + reverse proxy configuration, where a remote attacker can force a
> + proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
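Review bot: the CHANGES entry, in the lines from "Fix a potential Denial-of-Service attack" onward, states the impact (a proxy process consuming CPU time indefinitely in a reverse proxy configuration) but not what kind of request triggers it or what the fix changes in mod_proxy_http.c. Suggest adding a short clause naming the condition the patched code now handles, so that administrators can judge their exposure from CHANGES alone. The "(cve.mitre.org)" parenthetical would also be more useful as a full link to the CVE entry.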
I thought in this instance, the original reporter's diagnostic
work contributed more to the patch than we did. I think he
should be credited in the changelog here.
--
Nick Kew
Re: svn commit: r790587 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy_http.c
Posted by Joe Orton <jo...@redhat.com>.
On Sat, Jul 04, 2009 at 11:23:46PM +0100, Nick Kew wrote:
> jorton@apache.org wrote:
>
>> Changes with Apache 2.3.3
>> + *) SECURITY: CVE-2009-1890 (cve.mitre.org) + Fix a potential
>> Denial-of-Service attack against mod_proxy in a
>> + reverse proxy configuration, where a remote attacker can force a
>> + proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
>
> I thought in this instance, the original reporter's diagnostic
> work contributed more to the patch than we did. I think he
> should be credited in the changelog here.
Lots of people help out with diagnosis of many bugs; we typically credit
in CHANGES only those who came up with the patches. I certainly should
have given credit to the reporter in the commit message, though; I will
fix that.
Regards, Joe
Re: svn commit: r790587 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy_http.c
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Nick Kew wrote:
> jorton@apache.org wrote:
>
>> Changes with Apache 2.3.3
>>
>> + *) SECURITY: CVE-2009-1890 (cve.mitre.org) + Fix a potential
>> Denial-of-Service attack against mod_proxy in a
>> + reverse proxy configuration, where a remote attacker can force a
>> + proxy process to consume CPU time indefinitely. [Nick Kew, Joe
>> Orton]
>
> I thought in this instance, the original reporter's diagnostic
> work contributed more to the patch than we did. I think he
> should be credited in the changelog here.
+1, and absolutely first credit, he nailed the bug on the nose :)