httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jacob Champion <champio...@gmail.com>
Subject Re: [users@httpd] HTTPOxy vulnerability not posted to announce list?
Date Wed, 21 Dec 2016 23:29:10 GMT
On 12/21/2016 11:20 AM, Jim Allison wrote:
> Going through the history of the announce list, it seems that the advisory for HTTPOxy
was not posted there. I can see that it was posted to the users list back in the summer, but
we were only subscribed to the announce list. I can see that other vulnerabilities were posted
to the announce list last year; just not HTTPOxy.

Just a guess -- it may have been to avoid confusion, since HTTPoxy is a 
vulnerability in the CGI backends, not the server itself. (But it's 
simple to *mitigate* that vulnerability directly in the server, which is 
why a patch was released.)

--Jacob

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message