This issue is moderate severity as the status page is not enabled by default,
and the suggested configuration protects the status page by hostname (therefore
limiting the scope of the XSS to sites that have made their status page public
or only against site administrators)
apply patches: http://marc.info/?l=apache-cvs&m=119892119829161&w=2
maintainers - please provide an updated ebuild
fixed in 2.2.6-r7, see #204838
this one is ready
I vote NO.
voting NO too, and closing.