
HTTPOxy vulnerability not posted to announce list?
Hi,

We recently had a site fail a PCI DSS scan due to the HTTPOxy vulnerability and we only received notice of Apache 2.4.25 yesterday. We are using 2.2 and a patch has not yet been released for that version.

Going through the history of the announce list, it seems that the advisory for HTTPOxy was not posted there. I can see that it was posted to the users list back in the summer, but we were only subscribed to the announce list. I can see that other vulnerabilities were posted to the announce list last year; just not HTTPOxy.

Was this just an oversight, or should we have been subscribed to the users list as well to get all the advisories?

Thanks,

Jim Allison | Technical Product Lead | 1-888-400-9185 ext 2214
SpeedLine Solutions Inc.
the leader in innovative solutions for pizza and delivery point of sale

www.speedlinesolutions.com

Studies show trees live longer when they're not cut down. Please consider before printing.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: HTTPOxy vulnerability not posted to announce list?
On 12/21/2016 11:20 AM, Jim Allison wrote:
> Going through the history of the announce list, it seems that the advisory for HTTPOxy was not posted there. I can see that it was posted to the users list back in the summer, but we were only subscribed to the announce list. I can see that other vulnerabilities were posted to the announce list last year; just not HTTPOxy.

Just a guess -- it may have been to avoid confusion, since HTTPoxy is a
vulnerability in the CGI backends, not the server itself. (But it's
simple to *mitigate* that vulnerability directly in the server, which is
why a patch was released.)

--Jacob

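To make Jacob's point concrete, here is an added example (not from the thread or the httpd project) of the mechanism behind HTTPoxy: a CGI gateway copies request headers into `HTTP_*` environment variables, so a client-supplied `Proxy` header becomes `HTTP_PROXY` for the backend, and the server-side fix is simply to drop that header before the environment is built. The header names, values and function names are constructed for illustration.

```python
# Added example: CGI header-to-environment mapping and the HTTPoxy mitigation.
# Not code from the thread or from httpd; sample headers are constructed.
from typing import Dict, Iterable, List, Tuple

Header = Tuple[str, str]


def cgi_meta_vars(headers: Iterable[Header]) -> Dict[str, str]:
    """RFC 3875 style mapping: header 'X-Foo' becomes env var 'HTTP_X_FOO'.

    This is the step that turns a request header named 'Proxy' into
    HTTP_PROXY, which many HTTP client libraries honour as a proxy setting."""
    env: Dict[str, str] = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers: Iterable[Header]) -> List[Header]:
    """Server-side mitigation: discard any 'Proxy' request header
    (case-insensitively) so it can never reach a backend as HTTP_PROXY."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]


# Constructed sample request: the client included a 'Proxy' header,
# which no legitimate client needs to send.
SAMPLE_HEADERS: List[Header] = [
    ("Host", "shop.example"),
    ("Proxy", "http://proxy.invalid:8080"),  # placeholder value
    ("User-Agent", "sample-client/1.0"),
]


def vulnerable_env() -> Dict[str, str]:
    """Environment a backend would see without the mitigation."""
    return cgi_meta_vars(SAMPLE_HEADERS)


def mitigated_env() -> Dict[str, str]:
    """Environment a backend sees when the server drops 'Proxy' first."""
    return cgi_meta_vars(strip_proxy_header(SAMPLE_HEADERS))


if __name__ == "__main__":
    print("without mitigation:", vulnerable_env().get("HTTP_PROXY"))
    print("with mitigation:   ", mitigated_env().get("HTTP_PROXY"))
```

In httpd the equivalent of `strip_proxy_header` is the mod_headers directive `RequestHeader unset Proxy early`, which is the configuration mitigation the ASF response linked later in this thread describes for servers that cannot yet be patched.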
Re: HTTPOxy vulnerability not posted to announce list?
https://lists.apache.org/list.html?announce@httpd.apache.org:lte=1y:Httpoxy

was the first release addressing the question by the httpd project.

Announce@ lists are used to broadcast release availability, making them
less than ideal channels for this foundation-wide response;

https://www.apache.org/security/asf-httpoxy-response.txt

There are a number of lists, such as bugtraq, which chronicle vulnerability
disclosures.

Cheers,

Bill

On Dec 21, 2016 1:20 PM, "Jim Allison" <JAllison@speedlinesolutions.com>
wrote:

> Hi,
>
> We recently had a site fail a PCI DSS scan due to the HTTPOxy
> vulnerability and we only received notice of Apache 2.4.25 yesterday. We
> are using 2.2 and a patch has not yet been released for that version.
>
> Going through the history of the announce list, it seems that the advisory
> for HTTPOxy was not posted there. I can see that it was posted to the users
> list back in the summer, but we were only subscribed to the announce list.
> I can see that other vulnerabilities were posted to the announce list last
> year; just not HTTPOxy.
>
> Was this just an oversight, or should we have been subscribed to the users
> list as well to get all the advisories?
>
> Thanks,
>
> Jim Allison | Technical Product Lead | 1-888-400-9185 ext 2214
> SpeedLine Solutions Inc.
> the leader in innovative solutions for pizza and delivery point of sale
>
> www.speedlinesolutions.com
>
> Studies show trees live longer when they're not cut down. Please consider
> before printing.
>