---------- Forwarded message ----------
From: Anssi Johansson
Date: Saturday, August 24, 2013
Subject: EPEL Lighttpd vulnerability still unfixed after 9 months
To: epel-devel@lists.fedoraproject.org

The bug was filed in November 2012, or approximately nine months ago. EPEL still ships a vulnerable version 1.4.31 for both EL5 and EL6. I think it'd be high time to release a fixed version, especially as exploiting the vulnerability is rather trivial: