<![CDATA[Aftermath: people, running Debian httpd 2.4.66, started complaining when they’ll get the 2.4.67 update to fix this RCE vulnerability.]]>RE: https://chaos.social/@icing/116526903529846107

Aftermath: people, running Debian httpd 2.4.66, started complaining when they’ll get the 2.4.67 update to fix this RCE vulnerability. Which they already were protected from, but did not know. Because the CVE was not public at the time the fix was shipped.

[...]

Two security researchers found the vulnerability independently. Just scanning the 2.4.66 source code. This means the bad guys can no longer be kept in the dark. Coordinated disclosure no longer works.

]]>https://board.circlewithadot.net/topic/b388331e-a1bb-4aa5-a036-7f10dd2d650e/aftermath-people-running-debian-httpd-2.4.66-started-complaining-when-they-ll-get-the-2.4.67-update-to-fix-this-rce-vulnerability.RSS for NodeFri, 15 May 2026 04:57:19 GMTWed, 06 May 2026 12:08:04 GMT60<![CDATA[Reply to Aftermath: people, running Debian httpd 2.4.66, started complaining when they’ll get the 2.4.67 update to fix this RCE vulnerability. on Wed, 06 May 2026 14:48:04 GMT]]>@DaveMWilburn Not disagreeing - I think Eissing is using "responsible" here on purpose, rather than "coordinated"

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/tychotithonus/statuses/116528177784135672https://board.circlewithadot.net/post/https://infosec.exchange/users/tychotithonus/statuses/116528177784135672Wed, 06 May 2026 14:48:04 GMT<![CDATA[Reply to Aftermath: people, running Debian httpd 2.4.66, started complaining when they’ll get the 2.4.67 update to fix this RCE vulnerability. on Wed, 06 May 2026 13:41:48 GMT]]>@tychotithonus

Eh... This isn't a particularly new issue. Doesn't even require source code, either. Bindiff is a couple decades old at this point.

Just because coordinated disclosure is hard and messy and flawed doesn't mean we should give up on the idea of protecting downstream users like the jerks behind the copy.fail disclosure did.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/DaveMWilburn/statuses/116527917226014318https://board.circlewithadot.net/post/https://infosec.exchange/users/DaveMWilburn/statuses/116527917226014318Wed, 06 May 2026 13:41:48 GMT