--------- Original Message ---------
Subject: Re: Re: CVE-2013-5704 fix breaks mod_wsgi
From: "Graham Dumpleton" <grah...@apache.org>
Date: 1/12/15 11:34 pm
To: "dev@httpd.apache.org" <dev@httpd.apache.org>

 > But the damage has been done for some months on 2.2, and we are noticing
 > this, now? All distros still shipping Apache 2.2 still are using older
 > mod_wsgi 3.X versions

Makes sense...

     which I don't at this point believe are affected by this issue.

And why not?

https://github.com/GrahamDumpleton/mod_wsgi/blob/stable/3.X/mod_wsgi.c

        /* Create and populate our own request object. */
        apr_pool_create(&p, c->pool);
        r = apr_pcalloc(p, sizeof(request_rec));

     People who build stuff from source code themselves would be using latest
     Apache 2.4.
     So the big hit on mod_wsgi will come with Apache 2.4.11.

From securityspace, 2.08% are already on 2.2.29, .51% are on 2.4.10 (of those
who do not partially or completely truncate the server name).

I don't see any hit, since these are users who *can* and *do* build stuff
themselves, and will have little to no difficulty updating mod_wsgi, as 2.2
users already needed to.
