https://bz.apache.org/bugzilla/show_bug.cgi?id=69743
--- Comment #35 from Joe Orton <[email protected]> --- I expect it's common that for a mature project like httpd, a significant number of the security fixes we ship are not simply correcting programming errors like buffer overflows, but are logical changes. So yes, broadly defined, "fixing a security issues" often entails "rejecting things that previously worked but we've now realised have (potential) security impact". The change discussed here is also far less drastic than the CVE-2025-49812 fix also shipped in 2.4.64, which removed an entire feature! If you'd asked me before we shipped this fix I'd say 99% of TLS connections use SNI so... likely this won't have particularly broad impact. Hyperbole like "cause downtime for no good reason" has no place here. Software gets better when people write patches, and if this bug is going to be complaints and no patches, then we can close it. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
