Patches used to be submitted through the developer’s mailing list and a bug database.
The process is now automated through the bug database Bugzilla:
The basic requirements for Bugzilla:
(Process is from: https://httpd.apache.org/dev/patches.html)
-Must have a Bugzilla account; Process found here:
-Fill in a bug report
-Must specify APR (if the patch is for srclib/apr or srclib/apr-util)
-Carefully explain the process of reproducing the bug and how the patch has been tested
-Edit the bug report to have a “PatchAvailable” keyword with a patch attached as the final step
If the patch is ignored:
-Be persistent but polite
-Get other Apache users to review the patch
-Make the patch easy to read and apply
-Research if there are any current or similar patches already being discussed in the community
-Help with other bugs to gain recognition in the community
This is a small community as stated by Apache.
An example is from (https://httpd.apache.org/security/vulnerabilities_24.html)
mod_md, DoS via Coredumps on specially crafted requests (CVE-2018-8011)
-Reported on 29 Jun 2018
-Update Released on 15 Jul 2018
Basically, the exploit lets a remote user cause the child process to crash.
The process seems relatively fast (about half a month). First the issue has to be found by a community user and reported (in this case it was through: https://www.securitytracker.com/id/1041401). The patch is tested through Bugzilla and sent to be released.
The patching process seems straightforward but would not be fast if I were to start as a newcomer to the community.