httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Allison <>
Subject [users@httpd] HTTPOxy vulnerability not posted to announce list?
Date Wed, 21 Dec 2016 19:20:33 GMT

We recently had a site fail a PCI DSS scan due to the HTTPOxy vulnerability and we only received
notice of Apache 2.4.25 yesterday. We are using 2.2 and a patch has not yet been released
for that version.

Going through the history of the announce list, it seems that the advisory for HTTPOxy was
not posted there. I can see that it was posted to the users list back in the summer, but we
were only subscribed to the announce list. I can see that other vulnerabilities were posted
to the announce list last year; just not HTTPOxy.

Was this just an oversight, or should we have been subscribed to the users list as well to
get all the advisories?


Jim Allison | Technical Product Lead | 1-888-400-9185 ext 2214
SpeedLine Solutions Inc. 
the leader in innovative solutions for pizza and delivery point of sale

Studies show trees live longer when they're not cut down. Please consider before printing.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message