On Thu, Aug 16, 2018 at 05:12:11PM +1000, Brian May wrote:
> Note: This is only being sent to debian-LTS.
>
> > I am currently investigating CVE-2016-4975 for Apache2. The issue is
> > already two years old but was only made public yesterday. [1] I skimmed
> > through old commit messages but I could not isolate the fixing commit.
> > However I found this changelog entry [2] from December 13th, 2016 and
> > you are listed as one of the upstream committers who apparently fixed
> > this vulnerability.
>
> Does this warrant an entry in dla-needed.txt?

I don't think so, I suggest tagging it <postponed> and bundling it up the
next time there's a DLA for Apache.

> I also wonder why it takes almost 2 years for a security vulnerability
> to become public...

They had a crazy backlog :-)
See https://twitter.com/iamamoose/status/1029360920970125312

Cheers,
Moritz
