From owner-freebsd-apache@FreeBSD.ORG  Tue Jun 12 16:09:14 2012
Return-Path: <owner-freebsd-apache@FreeBSD.ORG>
Delivered-To: apache@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 977B6106564A
	for <apache@freebsd.org>; Tue, 12 Jun 2012 16:09:14 +0000 (UTC)
	(envelope-from feld@feld.me)
Received: from feld.me (unknown [IPv6:2607:f4e0:100:300::2])
	by mx1.freebsd.org (Postfix) with ESMTP id 4282D8FC15
	for <apache@freebsd.org>; Tue, 12 Jun 2012 16:09:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=feld.me;
	s=blargle; 
	h=Message-Id:From:Content-Transfer-Encoding:Mime-Version:Date:Subject:To:Content-Type;
	bh=ea3meSJGBe3mqRxG8OE/pEr4w8TkKd27Iy/K/RVl4xU=; 
	b=lEn8HafRvc8oFEoDyCPRd+z34sHHRJAxbUUn/T+RUKVLA1c8pK3dcudKfMohoe0cIpkTTI756QLMAWnFtiIIfqVVuSRerR6fLkx06fNQRh9drk5kPC5UHVMSIRW9bUiJ;
Received: from localhost ([127.0.0.1] helo=mwi1.coffeenet.org)
	by feld.me with esmtp (Exim 4.77 (FreeBSD))
	(envelope-from <feld@feld.me>) id 1SeTeW-000BUO-Do
	for apache@freebsd.org; Tue, 12 Jun 2012 11:09:13 -0500
Received: from feld@feld.me by mwi1.coffeenet.org (Archiveopteryx 3.1.4)
	with esmtpa id 1339517342-26372-26371/5/70; Tue, 12 Jun 2012 16:09:02
	+0000
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
To: apache@freebsd.org
Date: Tue, 12 Jun 2012 11:09:01 -0500
Mime-Version: 1.0
Content-Transfer-Encoding: quoted-printable
From: Mark Felder <feld@feld.me>
Message-Id: <op.wfsshbx834t2sn@tech304>
User-Agent: Opera Mail/11.64 (FreeBSD)
X-SA-Score: -1.0
Cc: 
Subject: Apache 2.2.22 and CVE-2012-0883
X-BeenThere: freebsd-apache@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Support of apache-related ports  <freebsd-apache.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-apache>, 
	<mailto:freebsd-apache-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-apache>
List-Post: <mailto:freebsd-apache@freebsd.org>
List-Help: <mailto:freebsd-apache-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-apache>,
	<mailto:freebsd-apache-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jun 2012 16:09:14 -0000

Is there a reason why Apache 2.2.22 was skipped for CVE-2012-0883? =
Clearly =20
it should be marked as vulnerable.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2012-0883

Apache 2.4.2 fixing the issue: =20
http://svn.apache.org/viewvc?view=3Drevision&revision=3D1296428

Apache 2.2.22 with it still vuln: =20
http://svn.apache.org/viewvc/httpd/httpd/tags/2.2.22/support/envvars-std.=
in?revision=3D1235965&view=3Dmarkup&pathrev=3D1296428


Can we agree to get this into VUXML and prod upstream to actually do =20
something about this? We have annoying customers with (as expected) =
awful =20
PCI compliance scans that are picking this up (because they liberally =20
allow anyone to know what version they run) and demanding they upgrade =
to =20
the nonexistant 2.2.23.


Thanks!