Am 03.01.2017 um 23:19 schrieb Good guy:
On 03/01/2017 21:31, Development Manager wrote:CVE-2016-8743 was patched/mitigated in Apache 2.4 but is still an outstanding issue in 2.2, according to https://security-tracker.debian.org/tracker/CVE-2016-8743. Is there a plan to rebase it to 2.2? If so, do you know when? The reason I ask is PCI DSS requires that we have all vulnerabilities patched within 30 days, and it's been 2 weeks since 2.4 was patched.2.2 is dead and finished. It is time to move to 2.4. Nobody is working on 2.2 as far as I know.
The backport vote for the fix is ongoing and likely there will be a release soon after the fix will have been voted into 2.2. But it might be it will be published after your 30 days deadline.
In general "yes": if you can, you should migrate to 2.4. Regards, Rainer --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|