[users@httpd] Reconciling security advisories

2014-07-29 Thread Michael . Beadle
If a vulnerability is listed on the 2.4 page (https://httpd.apache.org/security/vulnerabilities_24.html) - let's pick on CVE-2014-0226 for mod_status and it is listed as affecting 2.4.9 down to 2.4.1, would 2.2.x also be vulnerable? It is not specifically listed on the 2.2 vulnerability page (

Re: [users@httpd] Reconciling security advisories

2014-07-29 Thread Mike Rumph
Hello Michael, I cannot speak for Red Hat, but the difference between the 2.4 and 2.2 vulnerabilities page is clear. The fix for CVE-2014-0226 was announced with the release of Apache httpd 2.4.10. The fix will also be included in Apache httpd 2.2.28, which has not yet been released. -