icing commented on PR #10:
URL: https://github.com/apache/httpd-site/pull/10#issuecomment-1759885476

   > OK, so in testing Apache 2.4.57 (with the same nghttp2) I can no longer
   > reproduce the OOM condition. I suggest rather than using `Apache HTTP Server is
   > not impacted`, perhaps `As of version <version>, Apache HTTP Server is not
   > impacted`. Assuming you know when this protection was put in place. I'd also
   > possibly reconsider using the `long-standing measures we have in place`
   > language, especially depending on which version has protections against
   > [CVE-2023-44487](https://github.com/advisories/GHSA-qppj-fm5r-hxr3).
   
   Thanks for verifying. I agree that the currently proposed language might not 
be helpful. The counter-measure against the attack is indeed in place since 
2016ish, but there might be other side effects that trigger a DoS in earlier 
versions.
   
   > e.g. if the protections came into play with 2.4.55 (as an example... I
   > don't know if this is when protections were put in place), then Apache might
   > only be protected against
   > [CVE-2023-44487](https://github.com/advisories/GHSA-qppj-fm5r-hxr3) for less
   > than a year. Which wouldn't count as long-standing by a stretch.
   
   This can also be misleading. The 2.4.52 in Ubuntu LTS is most certainly not
the 2.4.52 as we released it. Distros apply patches of their own which we do
not know about. The responsibility, in my mind, lies with the maintainers of
the LTS foremost.
   
   So, we can find the earlier versions of *our* releases that protect, but whether
that helps customers is questionable.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@httpd.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
