On Sat, Apr 4, 2020 at 10:23 AM Daniel Ruggeri <drugg...@primary.net> wrote:
> Hi, all;
> I'm not sure what mechanism is used to generate
> https://httpd.apache.org/security/vulnerabilities_24.html from
> https://svn.apache.org/repos/asf/httpd/site/trunk/content/security/vulnerabilities-httpd.xml,
> https://svn.apache.org/repos/asf/httpd/site/trunk/content/security/vulnerabilities-httpd.page/securitydb.xsl
> an anomaly has been reported to me in response to the security
> announcements from last release.
>
> For both CVE-2020-1934 and CVE-2020-1927, the source file says
> "Apache HTTP Server versions 2.4.0 to 2.4.41" in the description, but
> the rendered result is "Apache HTTP Server versions 2.4.0 to 2.41". If
> anyone has pointers on how the site build happens, I can look into it
> further.

Something in that xslt translation is treating the revision number numerically, and not as a string.

> If it's too complicated a fix, I'm OK with removing that line from
> the description. The CVE reports must include the version vulnerability
> info in the description, but it's not really a requirement for the site
> (I was just keeping them consistent).
>
> --
> Daniel Ruggeri