On Wed, Dec 16, 2015 at 12:26 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> On Tue, Dec 15, 2015 at 2:34 PM, Mike Pastore <m...@oobak.org> wrote:
>
>> Hi folks,
>>
>> I believe I've found a buffer overrun affecting (at least) Apache 2.4.7
>> and 2.4.17. I don't know enough about this sort of thing to determine how
>> serious it is and whether or not it is a potential security vulnerability.
>> If someone would please work with me to validate my findings and help me
>> handle it responsibly, I would greatly appreciate it.
>>
>
> The only maintained version is 2.4.x branch, which corresponds to 2.4.18
> right now, or 2.2.31. Anything older that is no longer vulnerable we treat
> as non-sequitur, potentially a problem but not applicable to the shipping
> flavors..
>

Confirmed that the problem is still present in 2.4.18.

> We would love for you to reproduce and share at secur...@httpd.apache.org
> to confirm or reject the suggested exploit, and we do appreciate responsible
> disclosure.
>

I have a separate thread going with the security mailing list but I haven't heard from them in a while. I'll ping them again today.

Thank you!