Re: Apache2 CVE-2016-4975
On Thu, Aug 16, 2018 at 05:12:11PM +1000, Brian May wrote:
> Note: This is only being sent to debian-LTS.
>
> > I am currently investigating CVE-2016-4975 for Apache2. The issue is
> > already two years old but was only made public yesterday. [1] I skimmed
> > through old commit messages but I could not isolate the fixing commit.
> > However I found this changelog entry [2] from December 13th, 2016 and
> > you are listed as one of the upstream committers who apparently fixed
> > this vulnerability.
>
> Does this warrant an entry in dla-needed.txt?
I don't think so. I suggest tagging it <postponed> and bundling it up the next
time there's a DLA for Apache.
> I also wonder why it takes almost 2 years for a security vulnerability
> to become public...
They had a crazy backlog :-)
See https://twitter.com/iamamoose/status/1029360920970125312
Cheers,
Moritz