Date: Tue, 15 Nov 2011 13:31:31 -0700 From: Vincent Danen <vdanen@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2011-3368 suggested patch incomplete for apache2 < 2.2.18 * [2011-10-26 18:02:00 +0200] Marcus Meissner wrote: >during our QA we noticed that the mod_proxy fix for CVE-2011-3368 >was incomplete for HTTP 0.9 style requests. > >https://bugzilla.novell.com/show_bug.cgi?id=722545 > >to cross check, with the RewriteRules setup as in the exploit: > >$ telnet testhost 80 >GET @www.otherhost/foo.png >... should give a 400 error, and not the 404 code from www.otherhost Did this ever get a CVE name (aka "incomplete fix of CVE-2011-3368")? -- Vincent Danen / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.