Date: Tue, 12 Jun 2012 11:09:01 -0500
From: Mark Felder <feld@feld.me>
To: apache@freebsd.org
Subject: Apache 2.2.22 and CVE-2012-0883
Message-ID: <op.wfsshbx834t2sn@tech304>

Is there a reason why Apache 2.2.22 was skipped for CVE-2012-0883? Clearly it should be marked as vulnerable.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883

Apache 2.4.2 fixing the issue:
http://svn.apache.org/viewvc?view=revision&revision=1296428

Apache 2.2.22 with it still vuln:
http://svn.apache.org/viewvc/httpd/httpd/tags/2.2.22/support/envvars-std.in?revision=1235965&view=markup&pathrev=1296428

Can we agree to get this into VUXML and prod upstream to actually do something about this? We have annoying customers with (as expected) awful PCI compliance scans that are picking this up (because they liberally allow anyone to know what version they run) and demanding they upgrade to the nonexistent 2.2.23.

Thanks!