On 2014-08-05 15:21, Mark Blackman wrote:
> Hi,
> 
> This might be more of a user than a dev question, but as the discussions about 
> timing were here, I’ll go with here.
> 
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201407.mbox/<20140721075315.ec908e91c20de17e6e448089a4bc3ed2.f963b4ea46.wbe%40email11.secureserver.net>
> 
> suggested the 2.2.28 tagging and presumably release is imminent,
> however, http://svn.apache.org/repos/asf/httpd/httpd/tags/2.2.28 is still a 404.
> 
> I understand the mechanics of open source projects, so this is not a “hurry-up”,
> it’s just a “can I get Apache 2.2.28 into my next hosting platform release or not”,
> the contents of which will be frozen on Aug. 15.
> 
> I’m mostly interested in the CVE updates, so I can tell users we’re clear of them.
> If the 2.2.28 release is not likely before Aug. 15, that’s fine, I just wanted to be sure.
> 
> Cheers,
> Mark

Hi Mark,

I suspect almost all distributions already ship patched Apache 2.2 
packages/ports.

In case you build Apache yourself, just use the patches from the upstream SVN:

http://svn.apache.org/viewvc?view=revision&revision=1611185
http://svn.apache.org/viewvc?view=revision&revision=1610515
http://svn.apache.org/viewvc?view=revision&revision=1611185

Or from the FreeBSD svn as a set of three patch files:

http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-CVE-2014-0118__mod_deflate.c?revision=362845&view=co
http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-CVE-2014-0226__scoreboard.c?revision=362845&view=co
http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-CVE-2014-0231__mod_cgid.c?revision=362845&view=co

I hope the list of CVE patches is complete, else I'm happy to get additional 
hints from the Apache devs to integrate missing fixes.

-- 
olli
