From: Mike Rumph <mike.rumph@oracle.com> (Oracle Corporation)
To: users@httpd.apache.org
Date: Tue, 29 Jul 2014 17:16:40 -0700
Message-ID: <53D83968.8070703@oracle.com>
Subject: Re: [users@httpd] Reconciling security advisories

Hello Michael,

I cannot speak for Red Hat, but the difference between the 2.4 and 2.2 vulnerabilities pages is clear.
The fix for CVE-2014-0226 was announced with the release of Apache httpd 2.4.10.
The fix will also be included in Apache httpd 2.2.28, which has not yet been released.
- http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
The fix for this was applied to the 2.2 branch with revision 1610515.
- http://svn.apache.org/viewvc?view=revision&revision=r1610515

Thanks,

Mike Rumph


On 7/29/2014 9:08 AM, Michael.Beadle@securian.com wrote:
> If a vulnerability is listed on the 2.4 page (https://httpd.apache.org/security/vulnerabilities_24.html) - let's pick on CVE-2014-0226 for mod_status, and it is listed as affecting 2.4.9 down to 2.4.1 - would 2.2.x also be vulnerable? It is not specifically listed on the 2.2 vulnerability page (https://httpd.apache.org/security/vulnerabilities_22.html).
>
> To add to any confusion, we are using the RHEL 6 RPM install of httpd, which is based on 2.2.15 with fixes added. So they have a versioning scheme of 2.2.15-## (currently 30). A new update was released stating that CVE-2014-0226 is corrected.
>
> Did Red Hat re-engineer the 2.4 fix for 2.2?
>
> Thank you for any input anyone may have.
>
> ------------------------------------------------------------------------
> Mike Beadle
> Engineer - Collaborative Systems, Information Technology • Securian Financial Group
> 400 Robert Street North • St. Paul, MN 55101-2098
> 651-665-7620
> michael.beadle@securian.com • www.securian.com
>
> Securian Financial Group – Financial security for the long run ®
>
> This email transmission and any file attachments may contain confidential information intended solely for the use of the individual or entity to whom it is addressed. If you have received this email message in error, please notify the sender and delete this email from your system. If you are not the intended recipient, you may not disclose, copy, or distribute the contents of this email.
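The thread turns on the gap between upstream version numbers (the 2.2 fix lands in 2.2.28) and a distro package that backports the fix while keeping the 2.2.15 base version. The script below is an added example, not code from the thread, from Red Hat or from the httpd project; it shows the check a defender would run to settle the question: read the package changelog for the CVE id instead of comparing the upstream version. The sample changelog is constructed with placeholder dates and packager names; `rpm -q --changelog` is the real RHEL command, and the `package_fixes_cve` helper that calls it assumes an RPM-based host and is not exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the httpd project.
# Question from the thread: is a distro package versioned 2.2.15-30 still
# affected by a CVE whose upstream fix lands in 2.2.28? Comparing upstream
# version numbers says "yes"; the package changelog is what actually answers it.

# Constructed sample in the format printed by `rpm -q --changelog httpd`.
# Dates and packager identities are placeholders, not real entries.
SAMPLE_CHANGELOG='* DATE-PLACEHOLDER Packager <packager@example.invalid> - 2.2.15-30
- mod_status: fix race condition (CVE-2014-0226)

* DATE-PLACEHOLDER Packager <packager@example.invalid> - 2.2.15-29
- mod_proxy: placeholder entry with no CVE reference'

# version_lt A B: succeed (0) when dotted numeric version A is lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# upstream_version_looks_vulnerable INSTALLED FIXED: the naive check. It strips
# the distro release suffix (2.2.15-30 -> 2.2.15) and compares against the first
# upstream release carrying the fix. On a backporting distro a "yes" here proves
# nothing, which is exactly the confusion raised in the thread.
upstream_version_looks_vulnerable() {
    version_lt "${1%%-*}" "$2"
}

# changelog_fixes_cve CHANGELOG CVE-ID: print the version-release of the first
# changelog entry whose body mentions the CVE id and succeed; fail (1) when no
# entry mentions it. Entry headers start with "* " and end in version-release.
changelog_fixes_cve() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* /              { release = $NF; next }
        index($0, cve) > 0  { print release; found = 1; exit }
        END                 { exit (found ? 0 : 1) }
    '
}

# Live variant for an RPM-based host (assumed environment; not exercised here).
package_fixes_cve() {
    changelog_fixes_cve "$(rpm -q --changelog "${1:-httpd}")" "$2"
}

# Demonstration on the constructed sample.
if upstream_version_looks_vulnerable 2.2.15-30 2.2.28; then
    echo "version check: 2.2.15 < 2.2.28, so the upstream number alone says affected"
fi
if release=$(changelog_fixes_cve "$SAMPLE_CHANGELOG" CVE-2014-0226); then
    echo "changelog check: CVE-2014-0226 addressed in package release $release"
else
    echo "changelog check: no entry for CVE-2014-0226"
fi
```

On a real host, `package_fixes_cve httpd CVE-2014-0226` is the call to make; the two checks disagreeing (version says affected, changelog says fixed) is the normal state on a backporting distribution, and the changelog, or the vendor's own advisory, is the one to trust.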
