Note: This is only being sent to debian-LTS.

> I am currently investigating CVE-2016-4975 for Apache2. The issue is
> already two years old but was only made public yesterday. [1] I skimmed
> through old commit messages but I could not isolate the fixing commit.
> However I found this changelog entry [2] from December 13th, 2016 and
> you are listed as one of the upstream committers who apparently fixed
> this vulnerability.

Does this warrant an entry in dla-needed.txt? I also wonder why it takes almost 2 years for a security vulnerability to become public...

--
Brian May <[email protected]>
