On 12/21/2016 11:20 AM, Jim Allison wrote:
Going through the history of the announce list, it seems that the advisory for HTTPOxy was not posted there. I can see that it was posted to the users list back in the summer, but we were only subscribed to the announce list. I can see that other vulnerabilities were posted to the announce list last year; just not HTTPOxy.
Just a guess -- it may have been to avoid confusion, since HTTPoxy is a vulnerability in the CGI backends, not the server itself. (But it's simple to *mitigate* that vulnerability directly in the server, which is why a patch was released.)
--Jacob --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
