Date: Tue, 12 Jun 2012 11:09:01 -0500
From: Mark Felder <feld@feld.me>
To: apache@freebsd.org
Subject: Apache 2.2.22 and CVE-2012-0883
Message-ID: <op.wfsshbx834t2sn@tech304>
Is there a reason why Apache 2.2.22 was skipped for CVE-2012-0883? Clearly it should be marked as vulnerable.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883

Apache 2.4.2 fixing the issue:
http://svn.apache.org/viewvc?view=revision&revision=1296428

Apache 2.2.22 with it still vuln:
http://svn.apache.org/viewvc/httpd/httpd/tags/2.2.22/support/envvars-std.in?revision=1235965&view=markup&pathrev=1296428

Can we agree to get this into VuXML and prod upstream to actually do something about this? We have annoying customers with (as expected) awful PCI compliance scans that are picking this up (because they liberally allow anyone to know what version they run) and demanding they upgrade to the nonexistent 2.2.23.

Thanks!
