Hello Michael,
I cannot speak for Red Hat, but the difference between the 2.4 and 2.2
vulnerabilities pages is clear.
The fix for CVE-2014-0226 was announced with the release of Apache httpd
2.4.10.
The fix will also be included in Apache httpd 2.2.28 which has not yet
been released.
- http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
The fix for this was applied to the 2.2 branch with revision 1610515.
- http://svn.apache.org/viewvc?view=revision&revision=r1610515
Thanks,
Mike Rumph
On 7/29/2014 9:08 AM, michael.bea...@securian.com wrote:
If a vulnerability is listed on the 2.4 page
(https://httpd.apache.org/security/vulnerabilities_24.html) - let's
pick on CVE-2014-0226 for mod_status and it is listed as affecting
2.4.9 down to 2.4.1, would 2.2.x also be vulnerable? It is not
specifically listed on the 2.2 vulnerability page
(https://httpd.apache.org/security/vulnerabilities_22.html).
To add to any confusion, we are using the RHEL 6 RPM install of httpd,
which is based on 2.2.15 with fixes added. So they have a versioning
scheme of 2.2.15-## (currently 30). A new update was released stating
that CVE-2014-0226 is corrected.
Did Red Hat re-engineer the 2.4 fix for 2.2?
Thank you for any input anyone may have.
------------------------------------------------------------------------
*Mike Beadle*
Engineer - Collaborative Systems, Information Technology • Securian
Financial Group
400 Robert Street North • St. Paul, MN 55101-2098
651-665-7620
michael.bea...@securian.com • www.securian.com