On Saturday 09 September 2006 12:35, Loïc Minier wrote: > I think only apache was uploaded for CVE-2006-3918, and not > apache2. Do you intend to issue a DSA for apache2 as well? Or > isn't it affected by the vulnerability? > > This is fixed in apache2 >= 2.0.55-4.1 in unstable.
The issue is less severe for apache2 because it is much more difficult to exploit: apache2 will first wait for the request timeout (usually 5 minutes) before sending the problematic error message. Cheers, Stefan