This was an interesting security patch that marked the first time in my memory that updating Apache led to an immediate regression. A few hours after taking this upgrade, many systems experienced such strange timeout errors. Connections were low and I couldn't pinpoint the misleading behavior that looked like a Slowloris attack, with no connections.
Half a day later, with no resolution in research, a new patch [1] was available and the problem resolved.
It might be because they had patch cycle commitments. Ideally you want this stuff to be tucked into the regular release cycle. It costs companies a shit load of money to release an out-of-band update, esp. when security related.
I’m replying to you because the parent is flagged.
I’m not a security guy, but I am a serious generalist and I’ll try my hand at anything.
Except security.
As finely as I try to hone my craft, as much discipline as I bring to it, and as many great results as I’ve produced: computer security is a completely different ballgame.
The guys and gals who are as sophisticated, and diligent, and dedicated, and ultimately humble enough to be serious security pros are a breed apart, and my hat is off to them.
[1] https://github.com/apache/httpd/commit/8720881b0634383145e87...