[Secure-testing-team] Bug#530834: CVE-2009-1195: Apache HTTP Server AllowOverride Options Security Bypass
Giuseppe Iuculano
giuseppe at iuculano.it
Thu May 28 06:50:33 UTC 2009
Package: apache2
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Red Hat recently patched apache2.
CVE-2009-1195 is still reserved, but is disclosed in RHSA-2009-1075 [1].
A security issue has been reported in Apache HTTP Server, which can be exploited
by malicious, local users to bypass certain security restrictions.
The security issue is caused due to an error when processing "AllowOverride"
directives and certain "Options" arguments in ".htaccess" files, which can be
exploited to e.g. execute commands via Server Side Includes.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
[1] https://rhn.redhat.com/errata/RHSA-2009-1075.html
For further information see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
https://bugzilla.redhat.com/show_bug.cgi?id=489436
Patch: http://svn.apache.org/viewvc?view=rev&revision=772997
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoeNDUACgkQNxpp46476aqz6QCgiucSQYvA8tWz3uSq4ps49ZaR
hEEAoJeOa+VFCuH2ZcC+DIhhPRtitElP
=nVX9
-----END PGP SIGNATURE-----
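An added audit sketch for the configuration class named in the report, not part of the original message or of the Apache patch: it lists `<Directory>` blocks whose `AllowOverride` carries an `Options=` restriction and reports options that `.htaccess` content names outside that list, so they can be reviewed on unpatched hosts. The config text, paths and function names are constructed for illustration.

```python
import re

# Constructed sample input (not from the report): one restricted block, one not.
SAMPLE_CONF = """\
<Directory /srv/www/users>
    AllowOverride AuthConfig Options=IncludesNOEXEC,Indexes
</Directory>
<Directory /srv/www/static>
    AllowOverride None
</Directory>
"""
SAMPLE_HTACCESS = {"/srv/www/users": "# user file\nOptions +Includes Indexes\n"}

def restricted_overrides(conf_text):
    """Map each <Directory> path to the lowercase option set that its
    'AllowOverride ... Options=a,b' line permits .htaccess files to set."""
    result, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = opened.group(1)
        elif re.match(r"</Directory\s*>", line, re.I):
            current = None
        elif current and line.lower().startswith("allowoverride"):
            for arg in line.split()[1:]:
                if arg.lower().startswith("options="):
                    result[current] = {o.lower() for o in arg[8:].split(",") if o}
    return result

def named_options(htaccess_text):
    """Options named on 'Options' lines of .htaccess text, +/- signs stripped."""
    found = set()
    for raw in htaccess_text.splitlines():
        words = raw.strip().split()
        if words and words[0].lower() == "options":
            found |= {w.lstrip("+-").lower() for w in words[1:]}
    return found

def audit(conf_text, htaccess_by_dir):
    """Per restricted directory: options .htaccess names outside the allowed list."""
    findings = {}
    for path, allowed in restricted_overrides(conf_text).items():
        extra = named_options(htaccess_by_dir.get(path, "")) - allowed
        if extra:
            findings[path] = sorted(extra)
    return findings
```

On the constructed sample, `audit(SAMPLE_CONF, SAMPLE_HTACCESS)` flags `/srv/www/users` because its `.htaccess` names `Includes` while the override list only permits `IncludesNOEXEC` and `Indexes`.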