httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Aug project status to board
Date Mon, 17 Aug 2009 16:27:22 GMT
Jim Jagielski wrote:
> 
> Also, 2.2.13 was released.... not sure why :)

There was significant input from httpd PMC members to declare this flaw
a vulnerability in the first place.  (I certainly don't feel this is an
APR vulnerability, but it was shown to conceivably lead to escalation of
severity of vulnerabilities in insecure software written by others.)
Given that httpd is deployed as often for third party modules from others
as it is for just the base httpd itself, it was prudent to react to this
flaw before exploits of third party modules were identified.

Refer to the lengthy Message-ID: <4A7602EF.60504@rowe-clan.net> thread
on security@httpd between Sander, Ruediger, Bojan, and myself on
security@httpd.apache.org (which occurred outside of public view prior
to any public discussion of the apr issue), in which the consensus was
that 2.2.12 could not be repackaged with a new apr library version.

Then refer to Ruediger's support for my suggestion for testing such a
replacement candidate, followed by the usual vote with +1's from
Ruediger, Eric, and myself, and nonbinding votes from Dan and Gregg.
I may have mis-read Guenter's observations as a +1.

So, I'm not sure why not :-)  What is the nature of your doubt?
