On Thu, Sep 01, 2011 at 06:27:35PM +0200, "Plüm, Rüdiger, VF-Group" wrote:
> Can't find the discussion either, but I remember that it was not seen
> as a security issue. For those still concerned about this, the advice
> was as you said "FileETag -INode". So IMHO no need for a patch here
> except for documentation and default config

Ah - I found the discussion, it was on security@. Tomas (CC'ed) pointed out that CVE-2003-1418 also covers the fact that the byterange filter leaks pids. I don't think that is worth treating as a vulnerability, either; but I changed it in r1165268 anyway - that is still leaking some MPM-specific data, but it doesn't seem worth going to any more effort.

=> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418

Is there consensus to treat the issues described there as not being security-sensitive? If so we can probably put this on the vulnerability list as a not-a-bug as an "official statement".

Regards, Joe
