Skip to content
  1. May 17, 2009
  2. May 15, 2009
  3. May 14, 2009
  4. May 13, 2009
  5. May 12, 2009
    • Eric Covener's avatar
      move SECURITY to top · ee37c95f
      Eric Covener authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773882 13f79535-47bb-0310-9956-ffa450edef68
      ee37c95f
    • Eric Covener's avatar
      backport 772997, 773322, 773342 from trunk. · bd3a7c90
      Eric Covener authored
      Reviewed By: jorton, rpluem, covener
      
      Security fix for CVE-2009-1195: fix Options handling such that
      'AllowOverride Options=IncludesNoExec' does not permit Includes with
      exec= enabled to be configured in an .htaccess file:
      
      * include/http_core.h: Change semantics of Includes/IncludeNoExec
       options bits to be additive; OPT_INCLUDES now means SSI is enabled
       without exec=.  OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled
       with exec=.
      
      * server/core.c (create_core_dir_config): Remove defunct OPT_INCNOEXEC
       from default override_opts; no functional change.
       (merge_core_dir_configs): Update logic to ensure that exec= is
       disabled in a context where IncludesNoexec is configured, even if
       Includes-with-exec is permitted in the inherited options set.
       (set_allow_opts, set_options): Update to reflect new semantics
       of OPT_INCLUDES, OPT_INC_WITH_EXEC.
      
      * server/config.c: Update to remove OPT_INCNOEXEC from default
       override_opts; no functional change.
      
      * modules/filters/mod_include.c (includes_filter): Update to reflect
       new options semantics - disable exec= support if the
       OPT_INC_WITH_EXEC bit is not set.
      
      Submitted by: Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>,
               jorton
      Thanks to: Vincent Danon <vdanon redhat.com>
      
      
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773881 13f79535-47bb-0310-9956-ffa450edef68
      bd3a7c90
    • Eric Covener's avatar
      vote & promote CVE-2009-1195 · 444b2b97
      Eric Covener authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773880 13f79535-47bb-0310-9956-ffa450edef68
      444b2b97
  6. May 10, 2009
  7. May 08, 2009
  8. May 06, 2009
  9. May 05, 2009
  10. May 04, 2009
  11. May 03, 2009
  12. Apr 30, 2009
  13. Apr 27, 2009
  14. Apr 25, 2009