On Tue, Dec 15, 2015 at 2:34 PM, Mike Pastore <m...@oobak.org> wrote:

> Hi folks,
>
> I believe I've found a buffer overrun affecting (at least) Apache 2.4.7
> and 2.4.17. I don't know enough about this sort of thing to determine how
> serious it is and whether or not it is a potential security vulnerability.
> If someone would please work with me to validate my findings and help me
> handle it responsibly, I would greatly appreciate it.
>

The only maintained version is 2.4.x branch, which corresponds to 2.4.18
right now, or 2.2.31.  Anything older that is no longer vulnerable we treat
as non-sequitur, potentially a problem but not applicable to the shipping
flavors.

We would love for you to reproduce and share at secur...@httpd.apache.org
to confirm or reject the suggested exploit, and we do appreciate responsible
disclosure.
