icing commented on PR #10:
URL: https://github.com/apache/httpd-site/pull/10#issuecomment-1759885476

> OK, so in testing Apache 2.4.57 (with the same nghttp2) I can no longer reproduce the OOM condition. I suggest rather than using `Apache HTTP Server is not impacted`, perhaps `As of version <version>, Apache HTTP Server is not impacted`. Assuming you know when this protection was put in place. I'd also possibly reconsider using the `long-standing measures we have in place` language, especially depending on which version has protections against [CVE-2023-44487](https://github.com/advisories/GHSA-qppj-fm5r-hxr3).

Thanks for verifying. I agree that the currently proposed language might not be helpful. The counter-measure against the attack is indeed in place since 2016ish, but there might be other side effects that trigger a DoS in earlier versions.

> e.g. if the protections came into play with 2.4.55 (as an example... I don't know if this is when protections were put in place), then Apache might only be protected against [CVE-2023-44487](https://github.com/advisories/GHSA-qppj-fm5r-hxr3) for less than a year. Which wouldn't count as long-standing by a stretch.

This can also be misleading. The 2.4.52 in Ubuntu LTS is most certainly not the 2.4.52 as we released it. Distros apply patches of their own which we do not know about. The responsibility, in my mind, lies with the maintainers of the LTS foremost. So, we can find the earlier versions of *our* releases that protect, but if that helps customers is questionable.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@httpd.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
> OK, so in testing Apache 2.4.57 (with the same nghttp2) I can no longer reproduce the OOM condition. I suggest rather than using `Apache HTTP Server is not impacted`, perhaps `As of version <version>, Apache HTTP Server is not impacted`. Assuming you know when this protection was put in place. I'd also possibly reconsider using the `long-standing measures we have in place` language, especially depending on which version has protections against [CVE-2023-44487](https://github.com/advisories/GHSA-qppj-fm5r-hxr3). > Thanks for verifying. I agree that the currently proposed language might not be helpful. The counter-measure against the attack is indeed in place since 2016ish, but there might be other side effects that trigger a DoS in earlier versions. > e.g. if the protections came into play with 2.4.55 (as an example... I don't know if this is when protections were put in place), then Apache might only be protected against [CVE-2023-44487](https://github.com/advisories/GHSA-qppj-fm5r-hxr3) for less than a year. Which wouldn't count as long-standing by a stretch. This can also be misleading. The 2.4.52 in Ubuntu LTS is most certainly not the 2.4.52 as we released it. Distros apply patches of their own which we do not know about. The responsibility, in my mind, lies with the maintainers of the LTS foremost. So, we can find the earlier versions of *our* releases that protect, but if that helps customers is questionable. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@httpd.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org