> On 19.01.2017 at 10:08, Reindl Harald <h.rei...@thelounge.net> wrote:
> 
> On 19.01.2017 at 08:22, Stefan Eissing wrote:
>> Distros seem to have realized the problem long ago and make their own httpd
>> versions. First time I realized my "httpd 2.4.7" is not the 2.4.7 release
>> was a WTF moment.
> 
> no, that applies to LTS distros and in that case of nearly any piece of
> software and has nothing to do with httpd or the problems you are talking
> about
> 
> httpd-2.4.6-45.el7.centos.x86_64
> mod_security-2.7.3-5.el7.x86_64
> 
> php-5.4.16-42.el7.x86_64:
> * Fr Aug 05 2016 Remi Collet <rcol...@redhat.com> - 5.4.16-42
> - bz2: fix improper error handling in bzread() CVE-2016-5399
> 
> * Mo Aug 01 2016 Remi Collet <rcol...@redhat.com> - 5.4.16-41
> - gd: fix integer overflow in _gd2GetHeader() resulting in
>   heap overflow CVE-2016-5766
> - gd: fix integer overflow in gdImagePaletteToTrueColor()
>   resulting in heap overflow CVE-2016-5767
> - mbstring: fix double free in _php_mb_regex_ereg_replace_exec
>   CVE-2016-5768
> 
> * Fr Jul 22 2016 Remi Collet <rcol...@redhat.com> - 5.4.16-40
> - don't set environmental variable based on user supplied Proxy
>   request header CVE-2016-5385
Yes and no. The LTS releases try to do what should (IMO) be a stable release branch from our side. The problem seems to me that our stable branch 2.2.x is too old for many and our only other release, 2.4.x, has too many new, experimental and dangerous changes. So the LTS releases create a hybrid that is totally not managed by the httpd project. I have no clue what a httpd-2.4.6-45 really is.

Stefan Eissing

<green/>bytes GmbH
Hafenstrasse 16
48155 Münster
www.greenbytes.de