Hi Yann, To port the fix for CVE-2016-8743 to 2.2.29, is it ok to port the changes from http://svn.apache.org/viewvc?view=revision&revision=1777405 Would that suffice? Please advise.
regards, Rashmi On Fri, Feb 10, 2017 at 1:30 PM, Rashmi Srinivasan < rashmisrinivasan2...@gmail.com> wrote: > Thank a lot for the patch Yann, > I will check if this fits in. > > regards, > Rashmi > > On Wed, Jan 25, 2017 at 6:04 PM, Yann Ylavic <ylavic....@gmail.com> wrote: > >> Hi, >> >> On Wed, Jan 25, 2017 at 9:17 AM, Rashmi Srinivasan >> <rashmisrinivasan2...@gmail.com> wrote: >> >> > We are trying to port the fix for CVE (CVE-2016-8743) to 2.4.18. Tried >> > checking the revision on git for the list of files fixed for this CVE. >> > There are lots of changes related to RFC7320 and was difficult to >> figure out >> > the files changed for this CVE as We couldnt find the CVE-2016-8743 in >> the >> > log either. >> >> The branch [1] collects all the related changes between versions >> 2.4.25 (latest) and 2.4.23 (previous). >> >> Attached is the output of: >> $ svn diff -x-p >> https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@r1767912 >> https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x- >> merge-http-strict >> >httpd-2.4.23-CVE-2016-8743.patch >> >> It should apply cleanly to 2.4.23, though it may not to 2.4.18 >> (possibly more work needed...). >> >> Hope this helps. >> >> Regards, >> Yann. >> >> [1] https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x- >> merge-http-strict >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >> For additional commands, e-mail: users-h...@httpd.apache.org >> > >