was the first release addressing the question by httpd project. Announce@ lists
are used to broadcast release availability, making them less than ideal channels
for this foundation-wide response;

https://www.apache.org/security/asf-httpoxy-response.txt

There are a number of lists, such as bugtraq, which chronicle vulnerability
disclosures.

Cheers,

Bill

On Dec 21, 2016 1:20 PM, "Jim Allison" <[email protected]> wrote:

> Hi,
>
> We recently had a site fail a PCI DSS scan due to the HTTPOxy
> vulnerability and we only received notice of Apache 2.4.25 yesterday. We
> are using 2.2 and a patch has not yet been released for that version.
>
> Going through the history of the announce list, it seems that the advisory
> for HTTPOxy was not posted there. I can see that it was posted to the users
> list back in the summer, but we were only subscribed to the announce list.
> I can see that other vulnerabilities were posted to the announce list last
> year; just not HTTPOxy.
>
> Was this just an oversight, or should we have been subscribed to the users
> list as well to get all the advisories?
>
> Thanks,
>
> Jim Allison | Technical Product Lead | 1-888-400-9185 ext 2214
> SpeedLine Solutions Inc.
> the leader in innovative solutions for pizza and delivery point of sale
>
> www.speedlinesolutions.com
>
> Studies show trees live longer when they're not cut down. Please consider
> before printing.
