wdormann commented on PR #10: URL: https://github.com/apache/httpd-site/pull/10#issuecomment-1759858696
OK, so in testing Apache 2.4.57 (with the same nghttp2) I can no longer reproduce the OOM condition.

I suggest rather than using `Apache HTTP Server is not impacted`, perhaps `As of version <version>, Apache HTTP Server is not impacted`. Assuming you know when this protection was put in place.

I'd also possibly reconsider using the `long-standing measures we have in place` language, especially depending on which version has protections against CVE-2023-44487. E.g., if the protections came into play with 2.4.55 (as an example... I don't know if this is when protections were put in place), then Apache might only be protected against CVE-2023-44487 for less than a year. Which wouldn't count as long-standing by a stretch.