Greetings, Our security guy noticed this alert about a XSS vulnerability in mod_negotiation: http://www.mindedsecurity.com/MSA01150108.html. According to the link, it applies to apache <= 2.2.6, so no worries for 2.2.8.
However, when I double-check the changelog for 2.2.8 (http://www.apache.org/dist/httpd/CHANGES_2.2.8) there is no specific mention of a patch in mod_negotiation... >From a quick inspection of the source code, there was no change to mod_negotiation.c between 2.2.6 and 2.2.8 so can I conclude that the vulnerability is still present in 2.2.8? (ie, can it have been handled at a higher level?) Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. The sender's company reserves the right to monitor all e-mail communications through their networks.
