Hi Alberto, hi Thomas On Sat, Apr 06, 2013 at 10:50:43AM +0200, Alberto Gonzalez Iniesta wrote: > On Sat, Apr 06, 2013 at 02:43:39PM +0800, Thomas Goirand wrote: > > Hi, > > > > I installed mod_security with the patch I backported, made sure the > > module was loaded by Apache, and tested to query "http://localhost";, > > then I could see the "It works!" default Debian Apache page. > > > > So, I'd say: so far so good, Apache doesn't crash. > > > > Salvatore, could you tell how you find out about this CVE, and are you > > sure that the commit you linked is fixing the problem (which I do not > > understand fully...)? If you confirm that you are sure it fixes the CVE, > > then I believe I could NMU the fixed package in the delayed queue. > > Hi Thomas and Salvatore, > > Thanks for the heads-up. Strangely I didn't get the first mail (the bug > report), but luckily got Thomas' mails. I'll check this ASAP and make an > upload accordingly.
Bad you have not got the inital mail trough the BTS. :( Thank you for preparing the update. For the new option the default value is Off, if I understand it correctly, but configurable to On/Off. Could you also add a bit of Documentation for it? Could you also prepare an update for squeeze-security for ? Please target there squeeze-security (instead of stable-security) in case the update will happen just when wheezy get's released ;-) to prepare for an update to security-master? Regards, Salvatore -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
