[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Apache2 CVE-2016-4975

On 2018-08-16 10:12, Moritz Muehlenhoff wrote:
On Thu, Aug 16, 2018 at 05:12:11PM +1000, Brian May wrote:
Note: This is only being sent to debian-LTS.

I am currently investigating CVE-2016-4975 for Apache2. The issue is
already two years old but was only made public yesterday. [1] I skimmed
through old commit messages but I could not isolate the fixing commit.
However I found this changelog entry [2] from December 13th, 2016 and
you are listed as one of the upstream committers who apparently fixed
this vulnerability.

Does this warrant an entry in dla-needed.txt?

I don't think so, I suggest to tag it <postponed> and bundle it up the next
time there's a DLA for Apache.

I also wonder why it takes almost 2 years for a security vulnerability
to become public...

They had a crazy backlog :-)

Yeah, CVE-2011-2767 is not yet addressed, for instance.


Reply to: