Hi,

I have been looking at backporting the cookie issue fix, and it looks to me that it was introduced in

http://svn.apache.org/viewvc?view=revision&revision=r1374538
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/loggers/mod_log_config.c?r1=1374538&r2=1374537&pathrev=1374538

which would mean that versions before 2.2.23 are not affected. Can anyone verify this?

I couldn't produce a segfault even with 2.2.23, but with 2.2.22 the access log always contains the "-" for no value, while with the above commit, it logs an empty value. This probably means that in my setup, there is by coincidence always another NUL byte after the end-of-string NUL byte. This would be consistent with the reporter stating that he only saw it a few times in a month on a busy server.

If I am correct, the version list at http://httpd.apache.org/security/vulnerabilities_22.html should be adjusted.

Cheers,
Stefan