Apache 2.2.22 and CVE-2012-0883
Mark Felder
feld at feld.me
Tue Jun 12 16:09:14 UTC 2012

Is there a reason why Apache 2.2.22 was skipped for CVE-2012-0883? Clearly
it should be marked as vulnerable.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883

Apache 2.4.2 fixing the issue:
http://svn.apache.org/viewvc?view=revision&revision=1296428

Apache 2.2.22 with it still vuln:
http://svn.apache.org/viewvc/httpd/httpd/tags/2.2.22/support/envvars-std.in?revision=1235965&view=markup&pathrev=1296428

Can we agree to get this into VUXML and prod upstream to actually do
something about this? We have annoying customers with (as expected) awful
PCI compliance scans that are picking this up (because they liberally
allow anyone to know what version they run) and demanding they upgrade to
the nonexistent 2.2.23.

Thanks!

More information about the freebsd-apache mailing list