Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 15 Nov 2011 13:57:59 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>
Subject: Re: CVE-2011-3368 suggested patch incomplete for apache2
 < 2.2.18

On 11/15/2011 01:31 PM, Vincent Danen wrote:
> * [2011-10-26 18:02:00 +0200] Marcus Meissner wrote:
>
>> during our QA we noticed that the mod_proxy fix for CVE-2011-3368
>> was incomplete for HTTP 0.9 style requests.
>>
>> https://bugzilla.novell.com/show_bug.cgi?id=722545
>>
>> to cross check, with the RewriteRules setup as in the exploit:
>>
>> $ telnet testhost 80
>> GET @www.otherhost/foo.png
>> ... should give a 400 error, and not the 404 code from www.otherhost
>
> Did this ever get a CVE name (aka "incomplete fix of CVE-2011-3368")?
>
The second fix for this issue was assigned CVE-2011-3639

-- 

-Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.