Date: Wed, 26 Oct 2011 18:02:00 +0200 From: Marcus Meissner <meissner@...e.de> To: OSS Security List <oss-security@...ts.openwall.com> Subject: CVE-2011-3368 suggested patch incomplete for apache2 < 2.2.18 Hi, during our QA we noticed that the mod_proxy fix for CVE-2011-3368 was incomplete for HTTP 0.9 style requests. https://bugzilla.novell.com/show_bug.cgi?id=722545 to cross check, with the RewriteRules setup as in the exploit: $ telnet testhost 80 GET @www.otherhost/foo.png ... should give a 400 error, and not the 404 code from www.otherhost Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.