Skip to content
  1. May 19, 2009
  2. May 17, 2009
  3. May 15, 2009
  4. May 14, 2009
  5. May 13, 2009
  6. May 12, 2009
    • Eric Covener's avatar
      move SECURITY to top · ee37c95f
      Eric Covener authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773882 13f79535-47bb-0310-9956-ffa450edef68
      ee37c95f
    • Eric Covener's avatar
      backport 772997, 773322, 773342 from trunk. · bd3a7c90
      Eric Covener authored
      Reviewed By: jorton, rpluem, covener
      
      Security fix for CVE-2009-1195: fix Options handling such that
      'AllowOverride Options=IncludesNoExec' does not permit Includes with
      exec= enabled to be configured in an .htaccess file:
      
      * include/http_core.h: Change semantics of Includes/IncludeNoExec
       options bits to be additive; OPT_INCLUDES now means SSI is enabled
       without exec=.  OPT_INCLUDES|OPT_INC_WITH_EXEC means SSI is enabled
       with exec=.
      
      * server/core.c (create_core_dir_config): Remove defunct OPT_INCNOEXEC
       from default override_opts; no functional change.
       (merge_core_dir_configs): Update logic to ensure that exec= is
       disabled in a context where IncludesNoexec is configured, even if
       Includes-with-exec is permitted in the inherited options set.
       (set_allow_opts, set_options): Update to reflect new semantics
       of OPT_INCLUDES, OPT_INC_WITH_EXEC.
      
      * server/config.c: Update to remove OPT_INCNOEXEC from default
       override_opts; no functional change.
      
      * modules/filters/mod_include.c (includes_filter): Update to reflect
       new options semantics - disable exec= support if the
       OPT_INC_WITH_EXEC bit is not set.
      
      Submitted by: Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>,
               jorton
      Thanks to: Vincent Danon <vdanon redhat.com>
      
      
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773881 13f79535-47bb-0310-9956-ffa450edef68
      bd3a7c90
    • Eric Covener's avatar
      vote & promote CVE-2009-1195 · 444b2b97
      Eric Covener authored
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@773880 13f79535-47bb-0310-9956-ffa450edef68
      444b2b97
  7. May 10, 2009
  8. May 08, 2009
  9. May 06, 2009
  10. May 05, 2009
  11. May 04, 2009
  12. May 03, 2009
  13. Apr 30, 2009