Jim Jagielski wrote:
> > Also, 2.2.13 was released.... not sure why :)
There was significant input from httpd PMC members to declare this flaw a vulnerability in the first place. (I certainly don't feel this is an APR vulnerability, but it was shown to conceivably lead to escalation of severity of vulnerabilities in insecure software written by others.) Given that httpd is deployed as often for third party modules from others as it is for just the base httpd itself, it was prudent to react to this flaw before exploits of third party modules were identified.

Refer to the lengthy Message-ID: <[email protected]> thread on secur...@httpd between Sander, Ruediger, Bojan, and myself on [email protected] (which occurred outside of public view prior to any public discussion of the apr issue), in which the consensus was that 2.2.12 could not be repackaged with a new apr library version. Then refer to Ruediger's support for my suggestion for testing such a replacement candidate, followed by the usual vote with +1's from Ruediger, Eric, and myself, and nonbinding votes from Dan and Gregg. I may have mis-read Guenter's observations as a +1.

So, I'm not sure why not :-) What is the nature of your doubt?
