Re: Apache2 CVE-2016-4975



On Thu, Aug 16, 2018 at 05:12:11PM +1000, Brian May wrote:
> Note: This is only being sent to debian-LTS.
> 
> > I am currently investigating CVE-2016-4975 for Apache2. The issue is
> > already two years old but was only made public yesterday. [1] I skimmed
> > through old commit messages but I could not isolate the fixing commit.
> > However I found this changelog entry [2] from December 13th, 2016 and
> > you are listed as one of the upstream committers who apparently fixed
> > this vulnerability.
> 
> Does this warrant an entry in dla-needed.txt?

I don't think so; I suggest tagging it <postponed> and bundling it up the next
time there's a DLA for Apache.

> I also wonder why it takes almost 2 years for a security vulnerability
> to become public...

They had a crazy backlog :-)

See https://twitter.com/iamamoose/status/1029360920970125312

Cheers,
        Moritz
