oss-sec mailing list archives
Re: CVE-2011-3368 suggested patch incomplete for apache2 < 2.2.18
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 15 Nov 2011 13:57:59 -0700
On 11/15/2011 01:31 PM, Vincent Danen wrote:
* [2011-10-26 18:02:00 +0200] Marcus Meissner wrote:during our QA we noticed that the mod_proxy fix for CVE-2011-3368 was incomplete for HTTP 0.9 style requests. https://bugzilla.novell.com/show_bug.cgi?id=722545 to cross check, with the RewriteRules setup as in the exploit: $ telnet testhost 80 GET @www.otherhost/foo.png ... should give a 400 error, and not the 404 code from www.otherhostDid this ever get a CVE name (aka "incomplete fix of CVE-2011-3368")?
The second fix for this issue was assigned CVE-2011-3639 -- -Kurt Seifried / Red Hat Security Response Team
Current thread:
- CVE-2011-3368 suggested patch incomplete for apache2 < 2.2.18 Marcus Meissner (Oct 26)
- Re: CVE-2011-3368 suggested patch incomplete for apache2 < 2.2.18 Vincent Danen (Nov 15)
- Re: CVE-2011-3368 suggested patch incomplete for apache2 < 2.2.18 Kurt Seifried (Nov 15)
- Re: CVE-2011-3368 suggested patch incomplete for apache2 < 2.2.18 Vincent Danen (Nov 15)