Hello Stefan, I am currently investigating CVE-2016-4975 for Apache2. The issue is already two years old but was only made public yesterday. [1] I skimmed through old commit messages but I could not isolate the fixing commit. However I found this changelog entry [2] from December 13th, 2016 and you are listed as one of the upstream committers who apparently fixed this vulnerability. Do you remember the fixing commit for CVE-2016-4975 and could you point me to it? I assume this is the related changelog entry. Validate HTTP response header grammar defined by RFC7230, resulting in a 500 error in the event that invalid response header contents are detected when serving the response, to avoid response splitting and cache pollution by malicious clients, upstream servers or faulty modules. [Stefan Fritsch, Eric Covener, Yann Ylavic] Regards, Markus [1] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975 [2] https://github.com/apache/httpd/commit/147550f23fa5d3ca970d49c23a06901d5bccdb2e
Attachment:
signature.asc
Description: OpenPGP digital signature