Re: HTTPOxy vulnerability not posted to announce list?

[William A Rowe Jr <wrowe@xxxxxxxxxxxxx>]

https://lists.apache.org/list.html?announce@xxxxxxxxxxxxxxxx:lte=1y:Httpoxy

was the first release addressing the question by httpd project.

Announce@ lists are used to broadcast release availability, making them less than ideal channels for this foundation-wide response;

https://www.apache.org/security/asf-httpoxy-response.txt

There are a number of lists, such as bugtraq, which chronical vulnerability disclosures.

Cheers,

Bill

On Dec 21, 2016 1:20 PM, "Jim Allison" <JAllison@xxxxxxxxxxxxxxxxxxxxxx> wrote:

Hi,

We recently had a site fail a PCI DSS scan due to the HTTPOxy vulnerability and we only received notice of Apache 2.4.25 yesterday. We are using 2.2 and a patch has not yet been released for that version.

Going through the history of the announce list, it seems that the advisory for HTTPOxy was not posted there. I can see that it was posted to the users list back in the summer, but we were only subscribed to the announce list. I can see that other vulnerabilities were posted to the announce list last year; just not HTTPOxy.

Was this just an oversight, or should we have been subscribed to the users list as well to get all the advisories?

Thanks,

Jim Allison | Technical Product Lead | 1-888-400-9185 ext 2214
SpeedLine Solutions Inc.
the leader in innovative solutions for pizza and delivery point of sale

www.speedlinesolutions.com

Studies show trees live longer when they're not cut down. Please consider before printing.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx