On Tue, Nov 17, 2015 at 3:50 PM, Yann Ylavic <[email protected]> wrote: > On Tue, Nov 17, 2015 at 10:48 AM, <[email protected]> wrote: >> >> Modified: httpd/httpd/branches/2.4.x/STATUS >> URL: >> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1714742&r1=1714741&r2=1714742&view=diff >> ============================================================================== >> --- httpd/httpd/branches/2.4.x/STATUS (original) >> +++ httpd/httpd/branches/2.4.x/STATUS Tue Nov 17 09:48:54 2015 >> @@ -161,6 +161,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: >> 2.4.x patch: >> http://people.apache.org/~ylavic/httpd-2.4.x-check_pipeline_blank_lines.patch >> (trunk works, meant to ease review) >> +1: ylavic, minfrin >> + icing: test 3 fails for me in t/security/CVE-2005-3357.t > > I can't reproduce this (with 2.4.x and this patch only)...
Finally got it. The problem was about "HTTP spoken on HTTPS port" handling in ssl_io_filter_input() not prepared to AP_MODE_INIT from process_connection() and AP_MODE_SPECULATIVE read for H2Direct. I fixed it in r1715023 by extending the NON_SSL_* state machine, please review...
