The Apache Haus Forum

Forum Topics => Apache 2.2 => Topic started by: Gregg on June 24, 2017, 02:54:48 AM

Title: 2.2.33 Final-er?
Post by: Gregg on June 24, 2017, 02:54:48 AM
There has been a 2.2.33 tagged today, and provided nothing new is found wrong there will be a 2.2.33 release in about 4 days (3 days for voting + 1 to wait for mirrors to catch up). If 2.2.33 is released I will provide it, but only for a short time, as 2.2 goes EOL next Saturday at 0:00 UTC. If 2.2.33 fails, I will patch 2.2.32 with the security-only fixes and put it out for a short time (2 weeks).

So if you're still in the dark ages ;D (I know the various reasons why people are), watch the Announcement board here for it, as you will only have a short window to get it.

Pardon my English, but what scares the shit out of me is that there are ~24k 2.2.32s that have been downloaded. While this is not an exact science, the good news in this number is that it's roughly 1/5 of 2.3.31, not counting the openssl updates/downgrades that were roughly another 23k.

One must remember that any nasty, remotely exploitable vulnerability that is found down the road in 2.4 may also exist in 2.2. While this was before 2.4, the ranges exploit KillApache by Kingcope, for example, was in both 2.0 and 2.2. This vulnerability, for those that haven't heard about it, would bring down not only Apache but the entire system as well, on all OSs Apache can run on. People being attacked were having to reboot the server, not just restart Apache. The only folks that need not worry were running 1.3. Food for thought.

While I don't remember what versions the fix was included in, if you can find a prior version in the wild running on Windows (they're out there), you can bring them down easily with the exploit.

2.2.32 was supposed to be Final, but it introduced a couple of new CVEs.