On 9/25/2018 4:26 PM, Barry Pollard wrote:
I'm confused.
Why are there no changes to mod_http2 mentioned in:
http://www.apache.org/dist//httpd/CHANGES_2.4.35
<http://mirrors.whoishostingthis.com/apache//httpd/CHANGES_2.4.35> to
presumably address this CVE?
Or does one of the other changes cover this? (No as far as I can see but
could be wrong).
In previous changes files (e.g.
<http://mirrors.whoishostingthis.com/apache//httpd/CHANGES_2.4.34>http://www.apache.org/dist//httpd/CHANGES_2.4.34)
these were listed at the top of the changes file.
Also should this not be mentioned in:
https://httpd.apache.org/security/vulnerabilities_24.html?
Apologies if I've jumped the gun and this is still in progress.
...
FWIW, it *is* mentioned in
<https://httpd.apache.org/security/vulnerabilities_24.html>, which as a
last modification date of September 25...
Best regards, Julian