On Tue, Aug 21, 2012 at 11:30 AM, Rainer Jung <[email protected]> wrote:
> Now that 2.4.3 is released and announced I'm in the process of updating the
> security page (the xml file with the known vulnerabilities) to include the
> two issues that are in CHANGES.
>
> The XSS mod_negotiation issue I think is clearly of severity level 4
> (low), but I'm a bit uncertain about the mod_proxy_ajp problem.
>
> It can be triggered by remote and leads to response mixups, so a privacy
> issue (all disclosed via Bugzilla before the release, so no need to discuss
> privately).
>
> I'd go for an "Important" but would like to get more opinions. The
> definitions are at:

+1 for "Important"

>
> http://httpd.apache.org/security/impact_levels.html
>
> Regards,
>
> Rainer

--
Born in Roswell... married an alien...
http://emptyhammock.com/
