I did a first try on backporting the CVE-2009-3555 patch to 2.0: http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_2_0_x.patch
I hadn't yet time for intensive testing, but first tests looked OK. I noticed I couldn't log the SSL_SESSION_ID, but maybe that was a Windows thing. Hadn't yet time and access to test on Unix resp. test on Windows without patch. I'll be unfortunately offline for about 10 hours not responding to comments. Regards, Rainer
