Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 26 Oct 2011 18:02:00 +0200
From: Marcus Meissner <>
To: OSS Security List <>
Subject: CVE-2011-3368 suggested patch incomplete for apache2 < 2.2.18


during our QA we noticed that the mod_proxy fix for CVE-2011-3368
was incomplete for HTTP 0.9 style requests.

to cross check, with the RewriteRules setup as in the exploit:

$ telnet testhost 80
GET @www.otherhost/foo.png
... should give a 400 error, and not the 404 code from www.otherhost

Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.