Mark J. Cox

Missing date and affects

Another mistake

Actually these were fixed in 2.4.41

Fix mistake in html

Merge new vulnerability info

Fix the vulnerable versions to match our announcement for CVE-2019-0196

Missing update to vulns-xml

Remove affects 2.4.30 as that was an unreleased version (noticed by Tomas Hoger)

Add missing details for CVE-2016-4975 which was mitigated by other changes

We got some questions about http/2 support, clarify

add 2.3.34 vulns that were fixed

Since 2.4.30 was never released we really ought to show that 2.4.33 which was the first release with these fixes was the fixed version

Add details of the extra step needed for security releases, updating vulnerabilities-httpd.xml. This got missed in the past and Eric reminded me to add some details about this here.

Add suggested text from wrowe

Link to the restored old vuln pages

We want to create the 1.3 and 2.0 vuln pages again as this info is lost otherwise, but with a big flashing "don't use this" warning

    • /site/trunk/content/security/vulnerabilities_13.sh
    • /site/trunk/content/security/vulnerabilities_20.sh

Make it more explicit that while this page was correct as of EOL, it's no longer being updated.

Link back to the historical 2.2 vuln list. I want to restore the 2.0 and 1.3 lists too as this information is otherwise lost but useful to folks who are still running older releases (or who are using older releases supported by some third party).

Update the vulnerability XML to have one CVE per issue which means altering the way we specify which issues are affected and merging the descriptions and vulnerable versions. This will allow us to reuse the XML to generate our mailing list announcements and Mitre JSON submission and be future proof to work for future major parallel releases.

Also cleanup the httpd xml a little replacing any dead links, upgrading links to https from http.

We still generate the 2.2 page (and should generate the 2.0 and 1.3 legacy ones too) so note in big letters that it's unsupported now

There is no level medium so align to our published defined levels, and fix a couple of older bad indexes into the severity level

Write up lua issue (quickly) but also note the things which were 11-dev are now in released 12

Write up 2 fixed vulns

Bring 2.0.65 vuln page up to date

Add EOL notices to security pages

Update vulndb for 2.2.24, 2.2.25, 2.4.6. Still to do 2.0.65

Correct some data errors and missing details from archives

Mistake noticed by Alan Amesbury Oct 2012

Typo

Quick document of CVE-2012-4557