On Mon, Mar 24, 2014 at 6:43 AM, Hollstein, Mathias <mathias.hollst...@destatis.de> wrote:
> Hello everyone,
>
> after reading CVE-2014-0098 ([L1]) one of my colleagues came up with the
> conclusion that "log_cookie" function in file "mod_log_config.c" is not
> used in Apache 2.4 anymore.
>
> However the documents ([L2]) are somehow not reflecting the codebase
> ([L3]) as far as I can see. The SVN repository clearly indicates the
> code actually does exist.
>
> Now I ask myself whether the official documentation is wrong (missing
> CookieLog Directive for "current") or the code is deactivated somehow
The vulnerability is not related to the archaic CookieLog directive. It's in the impl of logformat %{cookie-name}C.