On Mon, Jan 2, 2017 at 11:48 PM, William A Rowe Jr <[email protected]> wrote: > So, Jacob and I... He did most of the grunt work, I only pushed off the > underlying premise... Have a very very long list of real and potential > security patches. > > I am asking publicly of (often obstanant) httpd pmc folks, do we proceed > without a 2.2 mitigation? Those in the know, already know. > > Happy to RM Wed a.m. if we have the votes.
Sorry, I totally missed that you had completed/proposed the backport of the showstopper to 2.2.x. I should have reviewed it earlier but I will work on it Tuesday. My preference would be to proceed with the release once the current showstopper is in, and not to wait for further mitigations or patches. I don't think undisclosed vulnerability fixes are imminent and we have an important, disclosed CVE to ship. -- Eric Covener [email protected]
