Re: Bug#381376: Status of CVE-2006-3918 #381376
On Saturday 09 September 2006 12:35, Loïc Minier wrote:
> I think only apache was uploaded for CVE-2006-3918, and not
> apache2. Do you intend to issue a DSA for apache2 as well? Or
> isn't it affected by the vulnerability?
> This is fixed in apache2 >= 2.0.55-4.1 in unstable.
The issue is less severe for apache2 because it is much more difficult
to exploit: apache2 will first wait for the request timeout (usually
5 minutes) before sending the problematic error message.