apache2 update for semi-critical "optionsbleed" bug

Thomas Ward teward at ubuntu.com
Wed Sep 20 23:18:55 UTC 2017


You won't see an update to 2.4.28 I bet.  Instead, you'll see a patched
version of the package uploaded which contains the fix for the CVE -
this is typically what is done to update packages in older releases for
security fixes, by the Security Team.

Refer to the CVE tracker -
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9798.html
- this details what versions are fixed, which are pending upload, etc. -
normally we (that is, Ubuntu and the Security Team, of which I am not a
part) don't upgrade Apache in all releases to a newer version; we patch
them instead.

Thomas
Ubuntu Server Team Member
Launchpad: ~teward


On 09/19/2017 10:30 AM, Glen Willmot wrote:
> Good morning,
>
> Just curious on when we'll see an update on the apache2 release to
> version 2.4.28 to patch against the "Optionsbleed" bug detailed
> by CVE-2017-9798.
> More info on the severity of this bug can be seen at:
> https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
>
> Thank you,
> Glen
>
>
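The reply above explains that the fix arrives as a patched package rather than as a bump to 2.4.28, so the upstream version number alone does not show whether a host is covered. The following is an added example, not part of the original thread or of Ubuntu's tooling: it scans a Debian-format package changelog for a CVE id and reports the package revision that first mentions it. The function names, the sample changelog and its version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage: cve_fixed_in CVE_ID < changelog
# Prints the version of the oldest changelog entry that mentions CVE_ID.
# Exit status 1 means no entry mentions it.
cve_fixed_in() {
    awk -v cve="$1" '
        # Entry header: "package (version) suite; urgency=level"
        /^[a-z0-9][a-z0-9+.-]* \([^)]+\) / {
            ver = $2
            gsub(/[()]/, "", ver)
            next
        }
        # Require a non-digit after the id so CVE-2017-9798 does not match
        # a longer id. Changelogs are newest-first, so the last match seen
        # belongs to the oldest entry that mentions the CVE.
        ver != "" && $0 ~ (cve "([^0-9]|$)") { found = ver }
        END { if (found == "") exit 1; print found }
    '
}

# Constructed sample input: the versions below are placeholders, not real
# Ubuntu package revisions.
sample_changelog() {
cat <<'EOF'
apache2 (2.4.0-0example3) example; urgency=medium

  * Unrelated packaging change.

 -- Constructed Maintainer <maint@example.invalid>  Mon, 01 Jan 2018 00:00:00 +0000

apache2 (2.4.0-0example2) example-security; urgency=medium

  * SECURITY UPDATE: memory disclosure via OPTIONS requests
    - CVE-2017-9798

 -- Constructed Maintainer <maint@example.invalid>  Sun, 31 Dec 2017 00:00:00 +0000

apache2 (2.4.0-0example1) example; urgency=low

  * Initial upload.

 -- Constructed Maintainer <maint@example.invalid>  Sat, 30 Dec 2017 00:00:00 +0000
EOF
}

# The upstream part (2.4.0) never changes; only the package revision does.
sample_changelog | cve_fixed_in CVE-2017-9798
```

On a real host, pipe in the output of `apt-get changelog apache2` or `zcat /usr/share/doc/apache2/changelog.Debian.gz` instead of the sample; a match in the installed package's own changelog means the installed revision carries the backported fix.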
