You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Brian King <br...@gmail.com> on 2016/10/24 15:15:03 UTC

Release date for Apache 2.2.32

Is there a planned target date for the release of apache 2.2.32?

Security scanning products (E.g. Rapid7) are recommending upgrading apache
to 2.2.32 because of the July announcement regarding httpoxy:

http://marc.info/?l=apache-httpd-dev&m=146885266605438&w=2
https://www.apache.org/security/asf-httpoxy-response.txt

Thank you,
 Brian

Re: Release date for Apache 2.2.32

Posted by William A Rowe Jr <wr...@rowe-clan.net>.

On Mon, Oct 24, 2016 at 10:15 AM, Brian King <br...@gmail.com> wrote:

> Is there a planned target date for the release of apache 2.2.32?
>
> Security scanning products (E.g. Rapid7) are recommending upgrading apache
> to 2.2.32 because of the July announcement regarding httpoxy:
>
> http://marc.info/?l=apache-httpd-dev&m=146885266605438&w=2
> https://www.apache.org/security/asf-httpoxy-response.txt
>

As pointed out in that second link, the issue is trivial to resolve, sadly
scanning projects rarely test for vulnerabilities, so you might just
patch your 2.2.31 to report itself as 2.2.32 and be done with it for now.

Back to your first question, 2.2.32 will be prepared at the same time
as we prepare the 2.4.24 release, but there is no calendar/schedule
per se.  Current conversations about 2.4.24 are pointing towards
the end of this month, that discussion is right here on this list.