httpd-users mailing list archives

From Mike Rumph <mike.ru...@oracle.com>
Subject Re: [users@httpd] Reconciling security advisories
Date Wed, 30 Jul 2014 00:16:40 GMT
Hello Michael,

I cannot speak for Red Hat, but the difference between the 2.4 and 2.2
vulnerabilities pages is clear.
The fix for CVE-2014-0226 was announced with the release of Apache httpd 
2.4.10.
The fix will also be included in Apache httpd 2.2.28 which has not yet 
been released.
- http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
The fix for this was applied to the 2.2 branch with revision 1610515.
- http://svn.apache.org/viewvc?view=revision&revision=r1610515

Thanks,

Mike Rumph


On 7/29/2014 9:08 AM, Michael.Beadle@securian.com wrote:
> If a vulnerability is listed on the 2.4 page 
> (https://httpd.apache.org/security/vulnerabilities_24.html) - let's 
> pick on CVE-2014-0226 for mod_status and it is listed as affecting 
> 2.4.9 down to 2.4.1, would 2.2.x also be vulnerable? It is not 
> specifically listed on the 2.2 vulnerability page 
> (https://httpd.apache.org/security/vulnerabilities_22.html).
>
>
> To add to any confusion, we are using the RHEL 6 RPM install of httpd, 
> which is based on 2.2.15 with fixes added. So they have a versioning 
> scheme of 2.2.15-## (currently 30). A new update was released stating 
> that CVE-2014-0226 is corrected.
>
> Did Red Hat re-engineer the 2.4 fix for 2.2?
>
> Thank you for any input anyone may have.
>
>
> ------------------------------------------------------------------------
> *Mike Beadle*
> Engineer - Collaborative Systems, Information Technology  •  Securian 
> Financial Group
> 400 Robert Street North  •  St. Paul, MN 55101-2098
> 651-665-7620
> michael.beadle@securian.com <mailto:michael.beadle@securian.com> • 
> www.securian.com

