author | William A. Rowe Jr <wrowe@apache.org> | 2013-06-26 17:28:06 +0000 |
---|---|---|
committer | William A. Rowe Jr <wrowe@apache.org> | 2013-06-26 17:28:06 +0000 |
commit | 222df331d804e0a615fb0c18bc39ba1f7a853b9b (patch) | |
tree | 299a4d4ae691e4093e2eb1a34428ab31ac339075 | |
parent | eb608f61c21894fe8796735c578a3c9c2f6de677 (diff) | |
download | httpd-222df331d804e0a615fb0c18bc39ba1f7a853b9b.tar.gz |
Note related risk at the end of the SECURITY CHANGES list for 2.0.65
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1497013 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -28,6 +28,12 @@ Changes with Apache 2.0.65 is enabled, could allow local users to gain privileges via a .htaccess file. [Stefan Fritsch, Greg Ames] + NOTE: it remains possible to exhaust all memory using a carefully + crafted .htaccess rule, which will not be addressed in 2.0; enabling + processing of .htaccess files authored by untrusted users is the root + of such security risks. Upgrade to httpd 2.2.25 or later to limit + this specific risk. + *) core: Add MaxRanges directive to control the number of ranges permitted before returning the entire resource, with a default limit of 200. [Eric Covener, Rainer Jung] |
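Review bot: The added NOTE, in the lines beginning "NOTE: it remains possible to exhaust all memory", does not say which directive or module the "carefully crafted .htaccess rule" involves, and it gives no guidance for 2.0.x operators who cannot upgrade. "This specific risk" leaves a reader unable to check whether their configuration is exposed. Consider naming the affected directive or module and stating the configuration-level mitigation the text already implies, that is, not processing .htaccess files written by untrusted users (for example `AllowOverride None` for those directories). A smaller point: the NOTE follows the "[Stefan Fritsch, Greg Ames]" credit with no "*)" marker of its own, so it can read as a continuation of that entry rather than as a remark on the whole SECURITY CHANGES list, which is what the commit message describes. A blank line plus a distinct lead-in would make the scope clear.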