> -----Original Message-----
> From: "Plüm, Rüdiger, VF-Group" [mailto:ruediger.pl...@vodafone.com]
> Sent: Dienstag, 25. Oktober 2011 18:48
> To: dev@httpd.apache.org
> Subject: RE: CVE-2011-3368 not fully fixed?
>
> > -----Original Message-----
> > From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
> > Sent: Dienstag, 25. Oktober 2011 18:44
> > To: dev@httpd.apache.org
> > Subject: Re: CVE-2011-3368 not fully fixed?
> >
> > On 10/25/2011 11:21 AM, "Plüm, Rüdiger, VF-Group" wrote:
> > > I did some further analysis. While the patch for trunk is still fine
> > > as it shortens the path for bailing out the behaviour was already correct
> > > with trunk and 2.2.21. So the HTTP/0.9 behaviour you see does NOT happen with
> > > 2.2.x >= 2.2.18 (plus patch) and trunk. You are affected by an old logic that
> > > was changed in r1100200 and hence changed since 2.2.18.
> >
> > Should the contents of www.a.o/dist/httpd/patches/apply_to_2.2...
> > be updated?
> >
>
> No. We only supply this patch for 2.2.21 and everything later than 2.2.18
> does not show the behaviour mentioned here.
> Or to put it the other way around 2.2.21 plus the patch we supply behaves well
> with HTTP/0.9 requests.

Or further put: My patch on trunk is an optimization, but not a change in behaviour.
I do not even consider it worth backporting to 2.2.x.

Regards

Rüdiger