Hi,
We recently had a site fail a PCI DSS scan due to the HTTPOxy vulnerability and we only received notice of Apache 2.4.25 yesterday. We are using 2.2 and a patch has not yet been released for that version.
Going through the history of the announce list, it seems that the advisory for HTTPOxy was not posted there. I can see that it was posted to the users list back in the summer, but we were only subscribed to the announce list. I can see that other vulnerabilities were posted to the announce list last year; just not HTTPOxy.
Was this just an oversight, or should we have been subscribed to the users list as well to get all the advisories?
Thanks,
Jim Allison | Technical Product Lead | 1-888-400-9185 ext 2214
SpeedLine Solutions Inc.
the leader in innovative solutions for pizza and delivery point of sale
www.speedlinesolutions.com
Studies show trees live longer when they're not cut down. Please consider before printing.
------------------------------------------------------------ ---------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx