CVE-2023-31122 - when will apache be patched??


Postby holly10sun » 23. October 2023 15:54

Need to know how often and how quickly XAMPP is patched to keep up with Apache patches for CVEs. Have an ACAS hit and these are not things we can let go for extended periods. If XAMPP does not keep up with Apache releases will need to find another option.

Thanks!
holly10sun
 
Posts: 3
Joined: 23. October 2023 15:48
XAMPP version: 8.2.4
Operating System: Windows

Re: CVE-2023-31122 - when will apache be patched??

Postby Altrea » 23. October 2023 18:33

Can you please describe the impact of CVE-2023-31122 on a local test and development environment?

If up-to-date, top-notch updated components and security assessments are your focus, XAMPP is not made for you.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
Altrea
AF Moderator
 
Posts: 11934
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 11 Pro x64

Re: CVE-2023-31122 - when will apache be patched??

Postby Nobbie » 23. October 2023 23:13

holly10sun wrote: If XAMPP does not keep up with Apache releases will need to find another option


So what?
Nobbie
 
Posts: 13176
Joined: 09. March 2008 13:04

Re: CVE-2023-31122 - when will apache be patched??

Postby holly10sun » 24. October 2023 15:23

Wow! Rude! Thanks for all the help - yes security is a priority where I work. I guess we will explore better options!
holly10sun
 
Posts: 3
Joined: 23. October 2023 15:48
XAMPP version: 8.2.4
Operating System: Windows

Re: CVE-2023-31122 - when will apache be patched??

Postby Altrea » 24. October 2023 16:13

XAMPP is meant for beginners not able to install the needed single components on their own.
The disadvantage is that you are completely dependent on new releases for the whole XAMPP bundle.
You are much more free in updatability if you install the single components on your own.
Altrea
AF Moderator
 
Posts: 11934
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 11 Pro x64

Re: CVE-2023-31122 - when will apache be patched??

Postby Nobbie » 24. October 2023 22:07

holly10sun wrote:I guess we will explore better options!


And don't forget to get all your money back....
Nobbie
 
Posts: 13176
Joined: 09. March 2008 13:04

Re: CVE-2023-31122 - when will apache be patched??

Postby holly10sun » 26. October 2023 15:13

Altrea wrote:XAMPP is meant for beginners not able to install the needed single components on their own.
The disadvantage is that you are completely dependent on new releases for the whole XAMPP bundle.
You are much more free in updatability if you install the single components on your own.


Altrea, thank you for not being arrogant and rude! I am not an Apache or PHP expert. The software we are using can run on IIS or Apache. We were running it on IIS but for some reason a coworker felt it would be more stable on Apache and the vendor of the software recommends XAMPP. However we live in an IT world that is required to stay current and not have ACAS hits. The CVE is stating multiple vulnerabilities as stated in the 2.4.58 advisory. I imagine I could figure out how to get this rolling by installing the components myself but not sure how much time it will take.

I see Out of bounds read vulnerability, DoS, HTTP/2 stream memory not reclaimed all listed.

I understand this is free open source. I really just wanted to know what the "normal" time for patching is so that I can request an exception or make a different decision. We do get some leeway with exceptions but not much.
holly10sun
 
Posts: 3
Joined: 23. October 2023 15:48
XAMPP version: 8.2.4
Operating System: Windows

