[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Apache2 CVE-2016-4975

On Thu, Aug 16, 2018 at 05:12:11PM +1000, Brian May wrote:
> Note: This is only being sent to debian-LTS.
> > I am currently investigating CVE-2016-4975 for Apache2. The issue is
> > already two years old but was only made public yesterday. [1] I skimmed
> > through old commit messages but I could not isolate the fixing commit.
> > However I found this changelog entry [2] from December 13th, 2016 and
> > you are listed as one of the upstream committers who apparently fixed
> > this vulnerability.
> Does this warrant an entry in dla-needed.txt?

I don't think so, I suggest to tag it <postponed> and bundle it up the next
time there's a DLA for Apache.

> I also wonder why it takes almost 2 years for a security vulnerability
> to become public...

They had a crazy backlog :-)

See https://twitter.com/iamamoose/status/1029360920970125312


Reply to: