httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <>
Subject Re: [users@httpd] HTTPOxy vulnerability not posted to announce list?
Date Wed, 04 Jan 2017 17:41:42 GMT

was the first release addressing the question by httpd project.

Announce@ lists are used to broadcast release availability, making them
less than ideal channels for this foundation-wide response;

There are a number of lists, such as bugtraq, which chronical vulnerability



On Dec 21, 2016 1:20 PM, "Jim Allison" <>

> Hi,
> We recently had a site fail a PCI DSS scan due to the HTTPOxy
> vulnerability and we only received notice of Apache 2.4.25 yesterday. We
> are using 2.2 and a patch has not yet been released for that version.
> Going through the history of the announce list, it seems that the advisory
> for HTTPOxy was not posted there. I can see that it was posted to the users
> list back in the summer, but we were only subscribed to the announce list.
> I can see that other vulnerabilities were posted to the announce list last
> year; just not HTTPOxy.
> Was this just an oversight, or should we have been subscribed to the users
> list as well to get all the advisories?
> Thanks,
> Jim Allison | Technical Product Lead | 1-888-400-9185 ext 2214
> SpeedLine Solutions Inc.
> the leader in innovative solutions for pizza and delivery point of sale
> Studies show trees live longer when they're not cut down. Please consider
> before printing.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

View raw message