This has been released for Lucid now
http://www.ubuntu.com/usn/usn-990-1
http://www.ubuntu.com/usn/usn-990-2
** Changed in: apache2 (Ubuntu)
       Status: Confirmed => Fix Released
--
consider a newer version of apache2 for lucid or backport some changes
https://bugs.launchpad.net/bugs/551221
I am not sure how wise it is to make a release that is supported for 5
years and does not contain the fix for CVE-2009-3555 (unless you mean to
add it later). Clients may change their behaviour and refuse to connect
to insecure servers at some time in the future.
The improved protection for
Thanks Stefan for the heads up about what's going on in Debian.
According to the Debian changelog 2.2.15 requires openssl 0.9.8m which
is not available in lucid. I'm not sure we could update to this version
of openssl in Lucid.
2.2.14-6 also introduces a bunch of new features which would require
openssl 0.9.8m is not in lucid yet for compatibility reasons. It is
pretty late in the dev cycle to update to 0.9.8m now. It would risk
breaking renegotiation for servers that need it.
For that reason, I don't think pulling in apache 2.2.15 would be
feasible at this time.