The upgrade to 2.4.2 is non-trivial in my environment (particularly due to the 
config changes) and if 2.2.23 is going to patch it, I'd just as soon wait. Thus 
the request for some guess at release date.

But that's likely not forthcoming, so I'll reconsider the upgrade.

---

Bibliopolis, LLC
Berkeley | Pittsburgh

http://www.bibliopolis.com




On May 24, 2012, at 1:17 PM, John Iliffe wrote:

> I got caught the same way in March (re PCI scanning).  Guess my guy is more 
> up to date than yours!
> 
> There should be no reason that I found not to update to 2.4.2 BUT BE 
> CAREFUL OF THE CONFIG FILE CHANGES!  For example the "order deny allow" 
> format directives no longer work in 2.4.*.  There are a few other changes.
> 
> Also, do not be tempted to update to PHP 5.4.0 as it will cause segfaults 
> in all the child processes for reasons that escape me completely.  Use a 
> 5.3.x version.  This may be my problem but someone on this list was able to 
> confirm the issue and said that it is a PHP issue.  It may be resolved by 
> now.
> 
> Hope that's useful.
> 
> John
> ======================================
> On Thursday 24 May 2012 13:05:10 Luke Lozier wrote:
>> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due
>> to the issues described in this CVE:
>> 
>> Changes with Apache 2.2.23
>> 
>>  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
>>     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead
>>     to the current working directory to be searched for DSOs.
>>     [Stefan Fritsch]
>> 
>> Is there any idea when 2.2.23 will be released? I'd rather not
>> upgrade to 2.4.2
>> 
>> Apologies if this is the wrong list for this.
>> 
>> Best,
>> 
>> Luke Lozier
>> 
>> ---
>> 
>> Bibliopolis, LLC
>> Berkeley | Pittsburgh
>> 
>> http://www.bibliopolis.com
> 

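The CVE-2012-0883 changelog entry quoted in this thread concerns how a startup script builds LD_LIBRARY_PATH. As an added example (not part of the thread and not Apache's own code), this sketch shows how an unconditional prepend leaves an empty element, which the dynamic loader treats as the current working directory, next to a safe form and a check for such elements. The function names and the /opt/httpd/lib path are constructed, and the unconditional-prepend pattern is an assumption about the kind of handling the entry describes.

```shell
#!/bin/sh
# Added example: constructed names and paths, not taken from Apache's envvars.

# Assumed unsafe pattern: always join with ':' even when the existing
# value is empty, which produces a trailing empty element.
prepend_unsafe() {
    # $1 = directory to add, $2 = existing LD_LIBRARY_PATH value
    printf '%s\n' "$1:$2"
}

# Safe pattern: add the separator only when there is an existing value.
prepend_safe() {
    if [ -n "$2" ]; then
        printf '%s\n' "$1:$2"
    else
        printf '%s\n' "$1"
    fi
}

# Return 0 when a colon-separated list contains an empty element or "."
# (both make the loader search the current working directory).
searches_cwd() {
    [ -n "$1" ] || return 1          # empty variable: no search list at all
    case ":$1:" in
        *::*|*:.:*) return 0 ;;      # leading, trailing, doubled ':' or '.'
    esac
    return 1
}

# Demo on constructed inputs: an empty and a non-empty starting value.
for existing in "" "/usr/lib"; do
    for mode in unsafe safe; do
        result=$(prepend_"$mode" /opt/httpd/lib "$existing")
        if searches_cwd "$result"; then
            verdict="searches cwd"
        else
            verdict="ok"
        fi
        printf '%-6s existing=[%s] -> [%s] %s\n' \
            "$mode" "$existing" "$result" "$verdict"
    done
done
```

Running `searches_cwd "$LD_LIBRARY_PATH"` in the environment that starts httpd gives a quick check of a deployed 2.2.x host while the upgrade is pending.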