Re: apache security issue (with upstream new release)

To: debian-security@lists.debian.org
Cc: willy@www.linux.org.uk
Subject: Re: apache security issue (with upstream new release)
From: Lupe Christoph <lupe@lupe-christoph.de>
Date: Fri, 31 Oct 2003 15:07:26 +0100
Message-id: <[🔎] 1067609246.3fa26c9e2262b@www.lupe-christoph.de>
In-reply-to: <[🔎] 20031031052234.GA21747@zionlth.org>
References: <[🔎] 200310291513.h9TFDcB23039@mms-r00.iijmio.jp> <[🔎] 20031030060940.GA6350@dijkstra.csh.rit.edu> <[🔎] 200310300804.h9U84ma21199@mms-r00.iijmio.jp> <[🔎] 20031030163443.GD6350@dijkstra.csh.rit.edu> <44749.80.58.1.46.1067532574.squirrel@www.hosting-seguridad.com> <20031030172109.GJ6350@dijkstra.csh.rit.edu> <[🔎] cgn2qv8ri3g7dcqarjd8vi248pm5952c9i@4ax.com> <[🔎] 20031031052234.GA21747@zionlth.org>

Quoting Phillip Hofmeister <plhofmei@zionlth.org>:

> I believe your justification can be found:

> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=218188

> I'm not saying I agree fully with it...but I do understand it...

Given that some of the affected directives can be used in .htaccess
files, the potential for an ordinary user to exploit this is there.
This allows access to the user the Apache work processes run as. Not
much, but depending on local setup, this can be harmful.

So I believe it should be fixed.

Lupe Christoph
-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze                         |
| "Thief of Time", Terry Pratchett                                       |


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Reply to:

Follow-Ups:
- Re: apache security issue (with upstream new release)
  - From: Matthew Wilcox <willy@debian.org>

References:
- apache security issue (with upstream new release)
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Re: apache security issue (with upstream new release)
  - From: Matt Zimmerman <mdz@debian.org>
- Re: apache security issue (with upstream new release)
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Re: apache security issue (with upstream new release)
  - From: Matt Zimmerman <mdz@debian.org>
- Re: apache security issue (with upstream new release)
  - From: Roman Medina <roman@rs-labs.com>
- Re: apache security issue (with upstream new release)
  - From: Phillip Hofmeister <plhofmei@zionlth.org>

Prev by Date: Re: apache security issue (with upstream new release)
Next by Date: Re: apache security issue (with upstream new release)
Previous by thread: Re: apache security issue (with upstream new release)
Next by thread: Re: apache security issue (with upstream new release)
Index(es):
- Date
- Thread