httpd-users mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: [users@httpd] HTTPOxy vulnerability not posted to announce list?
Date Wed, 04 Jan 2017 17:41:42 GMT
https://lists.apache.org/list.html?announce@httpd.apache.org:lte=1y:Httpoxy

was the first release addressing the question by httpd project.

Announce@ lists are used to broadcast release availability, making them
less than ideal channels for this foundation-wide response;

https://www.apache.org/security/asf-httpoxy-response.txt

There are a number of lists, such as bugtraq, which chronicle vulnerability
disclosures.

Cheers,

Bill

On Dec 21, 2016 1:20 PM, "Jim Allison" <JAllison@speedlinesolutions.com>
wrote:

> Hi,
>
> We recently had a site fail a PCI DSS scan due to the HTTPOxy
> vulnerability and we only received notice of Apache 2.4.25 yesterday. We
> are using 2.2 and a patch has not yet been released for that version.
>
> Going through the history of the announce list, it seems that the advisory
> for HTTPOxy was not posted there. I can see that it was posted to the users
> list back in the summer, but we were only subscribed to the announce list.
> I can see that other vulnerabilities were posted to the announce list last
> year; just not HTTPOxy.
>
> Was this just an oversight, or should we have been subscribed to the users
> list as well to get all the advisories?
>
> Thanks,
>
> Jim Allison | Technical Product Lead | 1-888-400-9185 ext 2214
> SpeedLine Solutions Inc.
> the leader in innovative solutions for pizza and delivery point of sale
>
> www.speedlinesolutions.com
>
> Studies show trees live longer when they're not cut down. Please consider
> before printing.
