On 1/17/2012 2:01 PM, Eric Covener wrote:
> On Tue, Jan 17, 2012 at 2:58 PM, William A. Rowe Jr.
> <[email protected]> wrote:
>> On 1/17/2012 1:56 PM, Eric Covener wrote:
>>>> I'd suggest that patches/apply_to_x.y.z/ is a clumsy notation. It seems
>>>> more efficient to set these up as patches/CVE-yyyy-iiii/ with individual
>>>> files for actively (or semi-actively) maintained versions. If there is
>>>> one patch which applies to 2.2.n < 2.2.17, and a second patch for 2.2.17
>>>> and higher, it would be easier to differentiate these all within one
>>>> directory.
>>>
>>> The current scheme has one benefit in that a responsible user on the
>>> latest release has a one-stop shop for "What do I need to add?".
>>>
>>> With the CVE as the directory, they'd have to start with some other
>>> resource/hint or browse through the descriptions/patches.
>>
>> I'm not sure about that. If I have 2.2.18, what do I apply? If there
>> were patches in .21 how do I know they apply to me?
>>
>
> Cross your fingers and visit three directories full of patches -- the
> farther back you stay, the more work you've got in store for you.
>
> I don't think you're in much better shape tracking down e.g. 7 CVEs though.

Actually, I think you are (now). http://httpd.apache.org/security/vulnerabilities_22.html
