httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rashmi Srinivasan <rashmisrinivasan2...@gmail.com>
Subject [users@httpd] HTTPProtoco Options Apache 2.2
Date Tue, 13 Jun 2017 18:19:42 GMT
Hi Yann/Eric.
-        We have ported the changes for CVE -2016-8743. into apache 2.2 on
HP-UX
           But while testing we find that HTTPProtocolOption Unsafe tested
with GET /HTTP 1.0/\n\n responds with BAD Request, when it is suppose to
succeed.

           However after making changes as mentioned in
           https://bz.apache.org/bugzilla/show_bug.cgi?id=60704, Unsafe
option responds with a success.

Is the below change valid for 2.2?

in 2.2.32:
static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
{
    core_server_config *base = (core_server_config *)basev;
    core_server_config *virt = (core_server_config *)virtv;
    core_server_config *conf;

    conf = (core_server_config *)apr_pmemdup(p, base,
sizeof(core_server_config));

in 2.4.25:
static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
{
    core_server_config *base = (core_server_config *)basev;
    core_server_config *virt = (core_server_config *)virtv;
    core_server_config *conf = (core_server_config *)
                               apr_pmemdup(p, base, sizeof(core_server_config));


Please advise.

Thanks
Rashmi

Mime
View raw message