> This patch should be sufficient to fix the security hole for most > versions of Apache httpd 1.2. Should we put it up on dist/httpd?
It turns out that this small patch is sufficient to plug the hole on all 1.2 and 1.3.* versions up until 1.3.24 if mod_proxy is in use. I have placed it in the relevant dist/httpd/patches directories. It probably should have been sent to CERT along with the advisory, or at least linked from our info file. I'll leave that to others. ....Roy
