httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51878] 2.2.21 is not compliant for byterange 0- returning 200 instead of 206
Date Wed, 21 Mar 2012 12:04:32 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

Eric Covener <covener@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #11 from Eric Covener <covener@gmail.com> 2012-03-21 12:04:32 UTC ---
(In reply to comment #10)
> When the "killapache.pl" script is executed against the Opensource Apache 2.2.22
> Windows binary, it shows a "host seems vuln" message. This behaviour was not
> observed in Apache 2.2.21 version. Does this mean the CVE-2011-3192
> vulnerability is re-introduced in Opensource Apache 2.2.22 version while fixing
> the below byterange regression?
> 
> *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
> A range of '0-' will now return 206 instead of 200. PR 51878.
> [Jim Jagielski]

No, it means killapache.pl has crude detection for vulnerable hosts.  It flags
any system that responds to range headers.

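Added example, not part of the bug mail or of httpd: a check of a reply to `Range: bytes=0-` against the behaviour PR 51878 asks for, next to a heuristic that flags any 206. The sample responses are constructed, and `crude_flag` is an assumed model of the detection the reply describes, not code from killapache.pl.

```python
import re

# Constructed sample response heads for "Range: bytes=0-" on a 44-byte
# resource; not captured from a real server.
RESP_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 44\r\n"
    "\r\n"
)
RESP_206 = (
    "HTTP/1.1 206 Partial Content\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Range: bytes 0-43/44\r\n"
    "Content-Length: 44\r\n"
    "\r\n"
)

def parse_head(raw):
    """Return (status_code, headers) from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def open_range_problems(raw):
    """List deviations from the 206 reply PR 51878 expects for 'bytes=0-'."""
    status, headers = parse_head(raw)
    problems = []
    if status != 206:
        problems.append(f"status {status}, expected 206")
    m = re.fullmatch(r"bytes (\d+)-(\d+)/(\d+)", headers.get("content-range", ""))
    if not m:
        problems.append("missing or malformed Content-Range")
    else:
        first, last, total = map(int, m.groups())
        if first != 0 or last != total - 1:
            problems.append("Content-Range does not span the whole resource")
        if headers.get("content-length") != str(last - first + 1):
            problems.append("Content-Length does not match the range")
    return problems

def crude_flag(raw):
    """Assumed model of the heuristic in the reply: any 206 is flagged."""
    return parse_head(raw)[0] == 206
```

The 206 sample passes the range check with no problems and is still flagged by `crude_flag`, which is the false positive the reply describes.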