https://issues.apache.org/bugzilla/show_bug.cgi?id=57580
D. Stussy <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|INVALID |--- --- Comment #2 from D. Stussy <[email protected]> --- Maybe so, but regardless of the fix in BASH, the Apache HTTPD server should still not be passing the value to a(ny) command interpreter - and THAT is a bug in this software. Relying on a patch in software under different authorship is akin to "security via obscurity" -- it is NOT a fix. The HTTPD server is cooperating with another program to cause the exploit, which means that BOTH programs should be fixed, even if fixing the other by itself closes the exploit. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
