Hi Yann/Eric,

We have ported the changes for CVE-2016-8743 into Apache 2.2 on HP-UX. But while testing we find that HttpProtocolOptions Unsafe, tested with GET /HTTP 1.0/\n\n, responds with BAD Request when it is supposed to succeed.
However, after making changes as mentioned in https://bz.apache.org/bugzilla/show_bug.cgi?id=60704, the Unsafe option responds with a success. Is the below change valid for 2.2?

in 2.2.32:

    static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
    {
        core_server_config *base = (core_server_config *)basev;
        core_server_config *virt = (core_server_config *)virtv;
        core_server_config *conf;

        conf = (core_server_config *)apr_pmemdup(p, base, sizeof(core_server_config));

in 2.4.25:

    static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
    {
        core_server_config *base = (core_server_config *)basev;
        core_server_config *virt = (core_server_config *)virtv;
        core_server_config *conf = (core_server_config *)
                                   apr_pmemdup(p, base, sizeof(core_server_config));

Please advise.

Thanks
Rashmi