> -----Original Message-----
> From: William A. Rowe Jr. [mailto:[email protected]]
> Sent: Tuesday, 25 October 2011 18:44
> To: [email protected]
> Subject: Re: CVE-2011-3368 not fully fixed?
>
> On 10/25/2011 11:21 AM, "Plüm, Rüdiger, VF-Group" wrote:
> > I did some further analysis. While the patch for trunk is still fine
> > as it shortens the path for bailing out the behaviour was already correct
> > with trunk and 2.2.21. So the HTTP/0.9 behaviour you see does NOT happen with
> > 2.2.x >= 2.2.18 (plus patch) and trunk. You are affected by an old logic that
> > was changed in r1100200 and hence changed since 2.2.18.
>
> Should the contents of www.a.o/dist/httpd/patches/apply_to_2.2...
> be updated?
>
No. We only supply this patch for 2.2.21 and everything later than 2.2.18 does not show the behaviour mentioned here. Or, to put it the other way around, 2.2.21 plus the patch we supply behaves well with HTTP/0.9 requests.

Regards

Rüdiger
