httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: CVE-2011-3368 not fully fixed?
Date Tue, 25 Oct 2011 16:53:14 GMT
 

> -----Original Message-----
> From: "Plüm, Rüdiger, VF-Group" [mailto:ruediger.pluem@vodafone.com] 
> Sent: Dienstag, 25. Oktober 2011 18:48
> To: dev@httpd.apache.org
> Subject: RE: CVE-2011-3368 not fully fixed?
> 
>  
> 
> > -----Original Message-----
> > From: William A. Rowe Jr. [mailto:wrowe@rowe-clan.net] 
> > Sent: Dienstag, 25. Oktober 2011 18:44
> > To: dev@httpd.apache.org
> > Subject: Re: CVE-2011-3368 not fully fixed?
> > 
> > On 10/25/2011 11:21 AM, "Plüm, Rüdiger, VF-Group" wrote:
> > > I did some further analysis. While the patch for trunk is 
> still fine
> > > as it shortens the path for bailing out the behaviour was 
> > already correct
> > > with trunk and 2.2.21. So the HTTP/0.9 behaviour you see 
> > does NOT happen with
> > > 2.2.x >= 2.2.18 (plus patch) and trunk. You are affected by 
> > an old logic that
> > > was changed in r1100200 and hence changed since 2.2.18.
> > 
> > Should the contents of www.a.o/dist/httpd/patches/apply_to_2.2...
> > be updated?
> > 
> > 
> 
> No. We only supply this patch for 2.2.21 and everything later 
> then 2.2.18
> does not show the behaviour mentioned here.
> Or to put it the other way around 2.2.21 plus the patch we 
> supply behaves well
> with HTTP/0.9 requests.

Or further put: My patch on trunk is an optimization, but not a change in
behaviour. I do not even consider it worth backporting to 2.2.x.

Regards

Rüdiger

Mime
View raw message