On 2018-08-16 10:12, Moritz Muehlenhoff wrote:
On Thu, Aug 16, 2018 at 05:12:11PM +1000, Brian May wrote:
Note: This is only being sent to debian-LTS.
I am currently investigating CVE-2016-4975 for Apache2. The issue is
already two years old but was only made public yesterday. [1] I skimmed
through old commit messages but I could not isolate the fixing commit.
However I found this changelog entry [2] from December 13th, 2016 and
you are listed as one of the upstream committers who apparently fixed
this vulnerability.
Does this warrant an entry in dla-needed.txt?
I don't think so, I suggest to tag it <postponed> and bundle it up the next
time there's a DLA for Apache.
I also wonder why it takes almost 2 years for a security vulnerability
to become public...
They had a crazy backlog :-)
Yeah, CVE-2011-2767 is not yet addressed, for instance.
--
Cheers,
Jan
