Joe Orton wrote:
> On Sun, Dec 16, 2007 at 08:37:08PM +0100, Stefan Fritsch wrote:
>> *) http_protocol: Escape request method in 413 error reporting.
>> Determined to be not generally exploitable, but a flaw in any case.
>> PR 44014 [Victor Stinner <victor.stinner inl.fr>]
>> This is CVE-2007-6203. Maybe you should add the reference to the CHANGES file?
> I don't think that's a good idea since we don't want to mislead users
> into thinking a security issue exists here.
It potentially does, just not of httpd's creation. I liked the text
for the autoindex issue:
*) mod_autoindex: Add in Type and Charset options to IndexOptions
directive. This allows the admin to explicitly set the
content-type and charset of the generated page and is therefore
a viable workaround for buggy browsers affected by CVE-2007-4465
(cve.mitre.org). [Jim Jagielski]
I'd use the phrase "hypothetically buggy clients" in this case, since
there is not a single proof of this incident.