I thought this request fell under the below wording in
https://wiki.ubuntu.com/StableReleaseUpdates :

<quote>
Stable release updates will, in general, only be issued in order to fix 
high-impact bugs. Examples of such bugs include:

Bugs which may, under realistic circumstances, directly cause a security 
vulnerability. These are done by the security team and are documented at 
SecurityTeam/UpdateProcedures.
...
</quote>
I believe this threat is very realistic ( 
http://blog.ivanristic.com/2013/06/ssl-labs-deploying-forward-secrecy.html ). I 
guess the metrics to determine what warrants an exception are up to you for 
sure but as far as I can tell the privacy cost of this vulnerability justifies 
the upgrade for apache servers *only* or the usage of a PPA like 
https://launchpad.net/~derek-morton/+archive/apache-2.4 if you decide to trust 
it or simply building apache 2.4 from scratch. If the server is not running 
apache clearly there is nothing to be worried about.

Thanks for the statement because at least the wait is over.

Best,
- Nestor

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1197884

Title:
  apache2.2 SSL has no forward-secrecy: need ECDHE keys

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1197884/+subscriptions
