On Wed, 26 Jun 2013 13:30:25 -0400
Jeff Trawick <[email protected]> wrote:
>
> Did anyone else have a chance to think about wrowe's suggested
> addendum to the CHANGES entry for CVE-2011-3607?

I've tweaked this slightly, please holler if anyone has some better
wording to offer;

Changes with Apache 2.0.65

  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     Fix integer overflow in ap_pregsub() which, when the mod_setenvif
     module is enabled, could allow local users to gain privileges via
     a .htaccess file. [Stefan Fritsch, Greg Ames]

     NOTE: it remains possible to exhaust all memory using a carefully
     crafted .htaccess rule, which will not be addressed in 2.0;
     enabling processing of .htaccess files authored by untrusted
     users is the root of such security risks. Upgrade to httpd
     2.2.25 or later to limit this specific risk.