[PATCH] did I understand the mod_cgid fix properly?

2014-07-14 Thread Jeff Trawick
Index: CHANGES
===
--- CHANGES (revision 1610531)
+++ CHANGES (working copy)
@@ -16,8 +16,10 @@
   *) SECURITY: CVE-2014-0231 (cve.mitre.org)
  mod_cgid: Fix a denial of service against CGI scripts that do
  not consume stdin that could lead to lingering HTTPD child processes
- filling up the scoreboard and eventually hanging the server. Adds
- CGIDScriptTimeout directive.
+ filling up the scoreboard and eventually hanging the server.  By
+ default, the client I/O timeout (Timeout directive) now applies to
+ communication with scripts.  The CGIDScriptTimeout directive can be
+ used to set a different timeout for communication with scripts.
  [Rainer Jung, Eric Covener, Yann Ylavic]

   *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
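Review bot: the rewritten last sentence of the entry ("The CGIDScriptTimeout directive can be used to set a different timeout ...") no longer says that the directive is new, which the removed "Adds CGIDScriptTimeout directive." did. Suggest "The new CGIDScriptTimeout directive can be used to set a different timeout for communication with scripts." so that someone reading CHANGES can tell the directive arrives with this fix.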


Make sense?

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/


Re: [PATCH] did I understand the mod_cgid fix properly?

2014-07-14 Thread Eric Covener
On Mon, Jul 14, 2014 at 5:18 PM, Jeff Trawick traw...@gmail.com wrote:
 Index: CHANGES
 ===
 --- CHANGES (revision 1610531)
 +++ CHANGES (working copy)
 @@ -16,8 +16,10 @@
*) SECURITY: CVE-2014-0231 (cve.mitre.org)
   mod_cgid: Fix a denial of service against CGI scripts that do
   not consume stdin that could lead to lingering HTTPD child processes
 - filling up the scoreboard and eventually hanging the server. Adds
 - CGIDScriptTimeout directive.
 + filling up the scoreboard and eventually hanging the server.  By
 + default, the client I/O timeout (Timeout directive) now applies to
 + communication with scripts.  The CGIDScriptTimeout directive can be
 + used to set a different timeout for communication with scripts.
   [Rainer Jung, Eric Covener, Yann Ylavic]

*) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
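Review bot: in the added sentence "By default, the client I/O timeout (Timeout directive) now applies to communication with scripts", the word "now" signals a behaviour change, but the entry never states that this timeout is what stops the lingering child processes described just above it. If that is the mechanism of the fix, say so directly, for example "Fixed by applying the client I/O timeout (Timeout directive) to communication with scripts by default." The phrase "communication with scripts" also appears in two consecutive sentences and could be shortened in the second.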


 Make sense?

+1