--------- Original Message ---------
Subject: Re: Re: CVE-2013-5704 fix breaks mod_wsgi
From: "Graham Dumpleton" <grah...@apache.org>
Date: 1/12/15 11:34 pm
To: "dev@httpd.apache.org" <dev@httpd.apache.org>

> But the damage has been done for some months on 2.2, and we are noticing
> this, now?
>
> All distros still shipping Apache 2.2 still are using older
> mod_wsgi 3.X versions

Makes sense...

> which I don't at this point believe are affected by this issue.

And why not?

https://github.com/GrahamDumpleton/mod_wsgi/blob/stable/3.X/mod_wsgi.c

    /* Create and populate our own request object. */
    apr_pool_create(&p, c->pool);
    r = apr_pcalloc(p, sizeof(request_rec));

> People who build stuff from source code themselves would be using latest
> Apache 2.4. So the big hit on mod_wsgi will come with Apache 2.4.11.

From securityspace, 2.08% are already on 2.2.29, .51% are on 2.4.10 (of those
who do not partially or completely truncate the server name).

I don't see any hit, since these are users who *can* and *do* build stuff
themselves, and will have little to no difficulty updating mod_wsgi, as 2.2
users already needed to.
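An added illustration of the mechanism behind the breakage discussed in this thread, not code from the thread, from mod_wsgi or from httpd: it uses constructed stand-in structs to model a request_rec that the server grew by appending two trailer-table pointers (the shape of the CVE-2013-5704 fix, an assumption here since the thread does not spell it out) against a module that baked `sizeof(request_rec)` from pre-fix headers into its own allocation, and computes how far the updated core's field accesses overrun the module's block.

```c
#include <stddef.h>

/* Constructed stand-ins, NOT httpd's real headers: the request_rec layout a
 * module compiled against pre-fix headers believes in, and the layout of a
 * server carrying the fix, which (assumption) appended two trailer tables. */
typedef struct {
    void *pool;
    void *connection;
    const char *uri;
} request_rec_old;

typedef struct {
    void *pool;
    void *connection;
    const char *uri;
    void *trailers_in;   /* appended by the fix */
    void *trailers_out;  /* appended by the fix */
} request_rec_new;

/* A module doing `apr_pcalloc(p, sizeof(request_rec))` carries this
 * compile-time size in its binary; nothing at load time updates it. */
size_t module_alloc_size(void) {
    return sizeof(request_rec_old);
}

/* Bytes the updated core reads or writes past a block of alloc_size bytes
 * when it treats that block as a full request_rec_new. */
size_t request_rec_shortfall(size_t alloc_size) {
    size_t needed = sizeof(request_rec_new);
    return needed > alloc_size ? needed - alloc_size : 0;
}

/* Is the field at [offset, offset+size) inside an allocation of alloc_size? */
int field_in_bounds(size_t alloc_size, size_t offset, size_t size) {
    return offset + size <= alloc_size;
}

/* Does the core's access to r->trailers_in stay inside the module's block?
 * For a pre-fix-sized block this is 0: the access lands beyond the pool
 * allocation, which is the ABI break the thread is about. */
int trailers_access_is_safe(size_t alloc_size) {
    return field_in_bounds(alloc_size,
                           offsetof(request_rec_new, trailers_in),
                           sizeof(void *));
}
```

The defensive lesson is that a module which allocates core structs itself must be rebuilt against the headers of the server it is loaded into, or the server must refuse to load it when the layout changed; both checks are visible here as the shortfall being non-zero.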