Hi,
Can anyone please help me get the patch for CVE-2016-4975?
Or if you want to avoid the TLS 1.3 enhancement, you may want to obtain 2.4.35
shortcomings of the patch you note below.)
I have found the link below for the patch on the internet.
However this contains many changes.
There were further changes. The branch of all changes you are asking for is;
Please let me know if we need to port all the changes mentioned in the above patch, or whether a specific revision can be ported to fix CVE-2016-4975.
This particular CVE is easily addressed by a patch to encode the mod_userdir
inputs. Not using mod_userdir external redirects is equally simple and similarly
solves the issue. Avoiding mod_alias as well as mod_rewrite is quite challenging.
Unfortunately this class of vulnerabilities could not be addressed in a simple fix.
The entire patch is needed to protect the client / proxy / backend from malicious
input. We refactored the way request and response text was handled to guard
against this entire class of exploits.
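
The idea of encoding request-derived input before it reaches a redirect, as an added example that is not part of the original thread and is not httpd's own patch: a stand-alone C sketch that percent-encodes every byte outside the URI path-safe set, CR and LF included, before the value is placed in a `Location` header. The function names, the base URL and the sample input are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Bytes allowed unescaped in a URI path (RFC 3986 unreserved, sub-delims, ':', '@', '/'). */
static int path_safe(unsigned char c)
{
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9'))
        return 1;
    return c != 0 && strchr("-._~!$&'()*+,;=:@/", c) != NULL;
}

/* Percent-encode `in` into `out`; returns bytes written, or -1 if `out` is too small. */
int encode_redirect_path(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;

    if (outlen == 0)
        return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = path_safe(c) ? 1 : 3;
        if (o + need >= outlen)          /* always keep room for the NUL */
            return -1;
        if (need == 1) {
            out[o++] = (char)c;
        } else {                         /* CR, LF, space, '%', ... become %XX */
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 15];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "Location: <base><encoded path>\r\n"; `base` is trusted configuration,
 * `user_path` is the already URL-decoded, request-derived part. */
int build_location(const char *base, const char *user_path, char *out, size_t outlen)
{
    size_t n = strlen("Location: ") + strlen(base);
    if (n + 3 > outlen)
        return -1;
    strcpy(out, "Location: ");
    strcat(out, base);
    int e = encode_redirect_path(user_path, out + n, outlen - n - 2);
    if (e < 0)
        return -1;
    memcpy(out + n + e, "\r\n", 3);      /* the only CRLF is the header terminator */
    return (int)(n + e + 2);
}
```

With this encoding the header stays a single line whatever the decoded path contains; as the reply notes, the actual fix reworked request and response text handling more broadly than one call site.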