apache2 update for semi-critical "optionsbleed" bug

Glen Willmot gwillmot at gmail.com
Wed Sep 20 23:56:51 UTC 2017


Ah, nice. I wasn't aware of the process.

Thank you, Robie and Thomas. I had run apt update before they were
released, but I see them now and have updated.

Glen

On Wed, Sep 20, 2017 at 7:18 PM, Thomas Ward <teward at ubuntu.com> wrote:

> You won't see an update to 2.4.28 I bet.  Instead, you'll see a patched
> version of the package uploaded which contains the fix for the CVE - this
> is typically what is done to update packages in older releases for security
> fixes, by the Security Team.
>
> Refer to the CVE tracker -
> https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9798.html -
> this details what versions
> are fixed, which are pending upload, etc. - normally we (that is, Ubuntu
> and the Security Team, of which I am not a part) don't upgrade Apache in
> all releases to a newer version; we patch them instead.
>
> Thomas
> Ubuntu Server Team Member
> Launchpad: ~teward
>
> On 09/19/2017 10:30 AM, Glen Willmot wrote:
>
> Good morning,
>
> Just curious on when we'll see an update on the apache2 release to version
> 2.4.28 to patch against the "Optionsbleed" bug detailed by CVE-2017-9798.
> More info on the severity of this bug can be seen at:
> https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
>
> Thank you,
> Glen

More information about the Ubuntu-devel-discuss mailing list