httpd-users mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: [users@httpd] Buffer overrun in Apache 2.4.7-2.4.17
Date Wed, 16 Dec 2015 06:26:02 GMT
On Tue, Dec 15, 2015 at 2:34 PM, Mike Pastore <mike@oobak.org> wrote:

> Hi folks,
>
> I believe I've found a buffer overrun affecting (at least) Apache 2.4.7
> and 2.4.17. I don't know enough about this sort of thing to determine how
> serious it is and whether or not it is a potential security vulnerability.
> If someone would please work with me to validate my findings and help me
> handle it responsibly, I would greatly appreciate it.
>

The only maintained version is the 2.4.x branch, which corresponds to 2.4.18
right now, or 2.2.31. Anything older that is no longer vulnerable we treat
as non-sequitur, potentially a problem but not applicable to the shipping
flavors.

We would love for you to reproduce and share at security@httpd.apache.org
to confirm or reject the suggested exploit, and we do appreciate responsible
disclosure.
