Re: HTTPOxy vulnerability not posted to announce list?


https://lists.apache.org/list.html?announce@xxxxxxxxxxxxxxxx:lte=1y:Httpoxy

was the first release addressing the question by httpd project.

Announce@ lists are used to broadcast release availability, making them less than ideal channels for this foundation-wide response;

https://www.apache.org/security/asf-httpoxy-response.txt

There are a number of lists, such as bugtraq, which chronicle vulnerability disclosures.

Cheers,

Bill

On Dec 21, 2016 1:20 PM, "Jim Allison" <JAllison@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,

We recently had a site fail a PCI DSS scan due to the HTTPOxy vulnerability and we only received notice of Apache 2.4.25 yesterday. We are using 2.2 and a patch has not yet been released for that version.

Going through the history of the announce list, it seems that the advisory for HTTPOxy was not posted there. I can see that it was posted to the users list back in the summer, but we were only subscribed to the announce list. I can see that other vulnerabilities were posted to the announce list last year; just not HTTPOxy.

Was this just an oversight, or should we have been subscribed to the users list as well to get all the advisories?

Thanks,

Jim Allison | Technical Product Lead | 1-888-400-9185 ext 2214
SpeedLine Solutions Inc.
the leader in innovative solutions for pizza and delivery point of sale

www.speedlinesolutions.com

Studies show trees live longer when they're not cut down. Please consider before printing.
