Posted to dev@httpd.apache.org by Nick Kew <ni...@webthing.com> on 2009/07/05 00:23:46 UTC

Re: svn commit: r790587 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy_http.c

jorton@apache.org wrote:

>  Changes with Apache 2.3.3
>  
> +  *) SECURITY: CVE-2009-1890 (cve.mitre.org) 
> +     Fix a potential Denial-of-Service attack against mod_proxy in a
> +     reverse proxy configuration, where a remote attacker can force a
> +     proxy process to consume CPU time indefinitely.  [Nick Kew, Joe Orton]
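
Review bot: The added entry beginning "+  *) SECURITY: CVE-2009-1890" names only mod_proxy, while the commit subject shows the code change is in modules/proxy/mod_proxy_http.c. Saying "mod_proxy_http" in the entry would tell readers of CHANGES which module carries the fix. The first added line also ends in trailing whitespace after "(cve.mitre.org)", which is worth stripping before the entry is merged to other branches.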

I thought in this instance, the original reporter's diagnostic
work contributed more to the patch than we did.  I think he
should be credited in the changelog here.

-- 
Nick Kew

Re: svn commit: r790587 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy_http.c

Posted by Joe Orton <jo...@redhat.com>.
On Sat, Jul 04, 2009 at 11:23:46PM +0100, Nick Kew wrote:
> jorton@apache.org wrote:
>
>>  Changes with Apache 2.3.3
>>  +  *) SECURITY: CVE-2009-1890 (cve.mitre.org) +     Fix a potential 
>> Denial-of-Service attack against mod_proxy in a
>> +     reverse proxy configuration, where a remote attacker can force a
>> +     proxy process to consume CPU time indefinitely.  [Nick Kew, Joe Orton]
>
> I thought in this instance, the original reporter's diagnostic
> work contributed more to the patch than we did.  I think he
> should be credited in the changelog here.

Lots of people help out with diagnosis of many bugs; we typically credit 
in CHANGES only those who came up with the patches.  I certainly should 
have given credit to the reporter in the commit message though; I will 
fix that.

Regards, Joe

Re: svn commit: r790587 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy_http.c

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Nick Kew wrote:
> jorton@apache.org wrote:
> 
>>  Changes with Apache 2.3.3
>>  
>> +  *) SECURITY: CVE-2009-1890 (cve.mitre.org) +     Fix a potential
>> Denial-of-Service attack against mod_proxy in a
>> +     reverse proxy configuration, where a remote attacker can force a
>> +     proxy process to consume CPU time indefinitely.  [Nick Kew, Joe
>> Orton]
> 
> I thought in this instance, the original reporter's diagnostic
> work contributed more to the patch than we did.  I think he
> should be credited in the changelog here.

+1, and absolutely first credit, he nailed the bug on the nose :)