From: "Steven Levine" Received: from [192.168.100.201] (HELO mail.2rosenthals.com) by 2rosenthals.com (CommuniGate Pro SMTP 5.4.10) with ESMTPS id 2902002 for ecs-isp@2rosenthals.com; Tue, 28 Dec 2021 22:37:22 -0500 Received: from [192.168.200.201] (port=40143 helo=mail2.2rosenthals.com) by mail.2rosenthals.com with esmtp (Exim 4.94.2) (envelope-from ) id 1n2Pm2-00030u-2w for ecs-isp@2rosenthals.com; Tue, 28 Dec 2021 22:37:10 -0500 Received: from mta-201a.oxsus-vadesecure.net ([51.81.229.180]:54727 helo=nmtao201.oxsus-vadesecure.net) by mail2.2rosenthals.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1n2Plq-0001gw-3B for ecs-isp@2rosenthals.com; Tue, 28 Dec 2021 22:36:59 -0500 DKIM-Signature: v=1; a=rsa-sha256; bh=JiTi7OKPYvyHOvO3kI5q50G1Qx3lsOJCGiNXto MzGAM=; c=relaxed/relaxed; d=earthlink.net; h=from:reply-to:subject: date:to:cc:resent-date:resent-from:resent-to:resent-cc:in-reply-to: references:list-id:list-help:list-unsubscribe:list-subscribe:list-post: list-owner:list-archive; q=dns/txt; s=dk12062016; t=1640749017; x=1641353817; b=foInCDOJZTFIeoA3Z3tKRMwFgAo9UUAP7cVkMvRulFklZ5iR0EDLJ4t Hs0W/LpHhoP/uVVF5RqYGIlV3auNvYMjKBkIFY9bnQZT0ArjpyOvvEQldMivpAHWvc0zwob oQf33yPHkMuDvBkz+634oT20aTQx2hI50kqhKdJhgOjDj91djZr81hVUYWScj3o2ZxHQLfk TIU8QLUXzz7yoqN+3ZBkmmf3EzE4i4QUAjBjUj96p4fYoMQ1YkgUl1uVlQ2mOcpDRDGf8ZD P/WH3aOv5ZZaY7/4G+VouWLXryQhFb+hDvP+URLNgi3El3tYAX8iksMJOZdlsp0lrZAXqh4 lNA== Received: from slamain ([108.193.254.190]) by smtp.oxsus-vadesecure.net ESMTP oxsus2nmtao01p with ngmta id 639b8737-16c51c89dbd29265; Wed, 29 Dec 2021 03:36:57 +0000 Date: Tue, 28 Dec 2021 19:32:14 -0800 To: "eCS ISP Mailing List" In-Reply-To: Subject: Re: [eCS-ISP] Apache update needed new CVE's reported. X-Mailer: MR/2 Internet Cruiser Edition for OS/2 v3.00.11.21 BETA/60 Message-ID: In , on 12/29/21 at 09:29 AM, "Paul Smedley" said: Hi Paul, >My personal opinion is that these are almost no risk for OS/2 - we >don't have mod_lua, so that rules out CVE-2021-44790; and >CVE-2021-44224 is only for a specific use case (forward proxy >configurations). FWIW, I came to the same conclusion when I first read the CVEs. They were not sufficiently interesting to be worth discussing on the apache list. Now, the Log4J CVE, even though it doesn't affect our platform, is more than a litte interesting. Steven -- ---------------------------------------------------------------------- "Steven Levine" Warp/DIY/BlueLion etc. www.scoug.com www.arcanoae.com www.warpcave.com ----------------------------------------------------------------------