[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Apache2 CVE-2016-4975

Hello Stefan,

I am currently investigating CVE-2016-4975 for Apache2. The issue is
already two years old but was only made public yesterday. [1] I skimmed
through old commit messages but I could not isolate the fixing commit.
However I found this changelog entry [2] from December 13th, 2016 and
you are listed as one of the upstream committers who apparently fixed
this vulnerability.

Do you remember the fixing commit for CVE-2016-4975 and could you point
me to it?

I assume this is the related changelog entry.

Validate HTTP response header grammar defined by RFC7230, resulting
in a 500 error in the event that invalid response header contents are
detected when serving the response, to avoid response splitting and
cache pollution by malicious clients, upstream servers or faulty
modules. [Stefan Fritsch, Eric Covener, Yann Ylavic]



[1] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: