httpd-dev mailing list archives

From Stefan Eissing <stefan.eiss...@greenbytes.de>
Subject Re: [proposed] 2.4 Maintenance SIG
Date Thu, 19 Jan 2017 10:45:24 GMT

> On 19.01.2017 at 10:08, Reindl Harald <h.reindl@thelounge.net> wrote:
> On 19.01.2017 at 08:22, Stefan Eissing wrote:
>> Distros seem to have realized the problem long ago and make their own httpd versions.
>> First time I realized my "httpd 2.4.7" is not the 2.4.7 release was a WTF moment.
> 
> no, that applies to LTS distros, and in that case to nearly any piece of software, and
> has nothing to do with httpd or the problems you are talking about
> 
> httpd-2.4.6-45.el7.centos.x86_64
> mod_security-2.7.3-5.el7.x86_64
> 
> php-5.4.16-42.el7.x86_64:
> * Fr Aug 05 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-42
> - bz2: fix improper error handling in bzread() CVE-2016-5399
> 
> * Mo Aug 01 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-41
> - gd: fix integer overflow in _gd2GetHeader() resulting in
>  heap overflow CVE-2016-5766
> - gd: fix integer overflow in gdImagePaletteToTrueColor()
>  resulting in heap overflow CVE-2016-5767
> - mbstring: fix double free in _php_mb_regex_ereg_replace_exec
>  CVE-2016-5768
> 
> * Fr Jul 22 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-40
> - don't set environmental variable based on user supplied Proxy
>  request header CVE-2016-5385

Yes and no. The LTS releases try to do what should (IMO) be a stable release branch from
our side. The problem, as it seems to me, is that our stable branch 2.2.x is too old for many and our
only other release, 2.4.x, has too many new, experimental and dangerous changes. So the LTS
releases create a hybrid that is totally not managed by the httpd project. I have no clue
what an httpd-2.4.6-45 really is.


Stefan Eissing

<green/>bytes GmbH
Hafenstrasse 16
48155 Münster
www.greenbytes.de

