httpd-users mailing list archives

From William A Rowe Jr
Subject Re: [users@httpd] Re: CVE-2019-0211/0215/0217
Date Sun, 07 Apr 2019 21:26:24 GMT
In general, problems which stretch back to the initial 2.4.1 or commonly
deployed 2.4.3 might also affect 2.2.x or 2.0.x. As users have had almost a
decade to adjust and these versions are EOL, the project seems unlikely to
care, and notices are everywhere that the old flavors are no longer
evaluated for the impact of any defects, security or otherwise. Vendors who
support older flavors are on their own to make such evaluations themselves.

And in general, when a later, specific flavor of 2.4.x (e.g. 2.4.17) is
cited as the first version impacted, that version is expected to be the one
where a defect was introduced.

There is the edge case that a problem could exist, then be fixed or masked
sometime before 2.4.1, and later be reintroduced during 2.4.x, but the
rules above should generally apply.

On Sun, Apr 7, 2019, 02:38 @lbutlr wrote:

> On 6 Apr 2019, at 08:59, Sunhux G wrote:
> > Are above CVEs affecting Apache httpd (ie web servers) 2.4.x  only
> > & other lower versions (eg: our Solaris 10's  Apache/2.0.63) are not
> > affected?
> The CVE lists, explicitly, what versions are affected.
> "The flaw was discovered by Charles Fol and impacts all Apache HTTP Server
> releases from 2.4.17 to 2.4.38. The issue has been addressed with the
> release of Apache httpd 2.4.39"
> Also, as you should be aware, Apache 2.0 and Apache 2.2 are both
> End-of-life and not supported any longer.
> --
> Love is like oxygen / You get too much / you get too high / Not enough
> and you're gonna die
