oss-sec mailing list archives
Re: CVE Request: "LuaAuthzProvider" in Apache HTTP Server mixes up arguments
From: cve-assign () mitre org
Date: Fri, 28 Nov 2014 15:36:27 -0500 (EST)
https://issues.apache.org/bugzilla/show_bug.cgi?id=57204

We're not sure that this crosses privilege boundaries.
http://httpd.apache.org/docs/2.4/mod/mod_lua.html#luaauthzprovider says

  Context: server config

Apparently you're trying to use it in a directory context and finding that it doesn't work correctly. At least in theory, this could have been resolved by reporting an error when LuaAuthzProvider is found in a directory context, rather than by using the actual https://issues.apache.org/bugzilla/show_bug.cgi?id=57204#c2 approach to add the functionality. So, it may be reasonable to interpret this as a non-security bug that occurs when an administrator intentionally enters httpd.conf content that is, according to the documentation, invalid.

We notice that https://issues.apache.org/bugzilla/show_bug.cgi?id=57204#c4 says "waiting to see if a CVE should be assigned." The usual process for CVE assignments for Apache Software Foundation products is:

  http://www.apache.org/security/committers.html

Here, we realize that the issue was sent directly to the oss-security list, but MITRE doesn't have enough information to make a final decision. The Apache Software Foundation can decide whether the erroneous LuaAuthzProvider handling is a vulnerability from the perspective of their security policy.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]