Re: Reconciling security advisories

[Mike Rumph <mike.rumph@xxxxxxxxxx>]

Hello Michael,

I cannot speak for Red Hat, but the difference between the 2.4 and 2.2 vulnerabilities page is clear.
The fix for CVE-2014-0226 was announced with the release of Apache httpd 2.4.10.
The fix will also be included in Apache httpd 2.2.28 which has not yet been released.
- http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
The fix for this was applied to the 2.2 branch with revision 1610515.
- http://svn.apache.org/viewvc?view=revision&revision=r1610515

Thanks,

Mike Rumph

On 7/29/2014 9:08 AM, Michael.Beadle@xxxxxxxxxxxx wrote:

If a vulnerability is listed on the 2.4 page (https://httpd.apache.org/security/vulnerabilities_24.html) - let's pick on CVE-2014-0226 for mod_status and it is listed as affecting 2.4.9 down to 2.4.1, would 2.2.x also be vulnerable? It is not specifically listed on the 2.2 vulnerability page (https://httpd.apache.org/security/vulnerabilities_22.html).


To add to any confusion, we are using the RHEL 6 RPM install of httpd, which is based on 2.2.15 with fixes added. So they have a versioning scheme of 2.2.15-## (currently 30). A new update was released stating that CVE-2014-0226 is corrected.

Did Red Hat re-engineer the 2.4 fix for 2.2?

Thank you for any input anyone may have.

---

Mike Beadle
Engineer - Collaborative Systems, Information Technology  •  Securian Financial Group
400 Robert Street North  •  St. Paul, MN 55101-2098
651-665-7620
michael.beadle@xxxxxxxxxxxx  •  www.securian.com

Securian Financial Group – Financial security for the long run ®


This email transmission and any file attachments may contain confidential information intended solely for the use of the individual or entity to whom it is addressed. If you have received this email message in error, please notify the sender and delete this email from your system. If you are not the intended recipient, you may not disclose, copy, or distribute the contents of this email.