http://httpd.apache.org/security/vulnerabilities_20.html
states that Apache 2.0.52 is 4 years old and the latest version is 2.0.68. I am no longer a httpd expert, but at least one of the security fixes involves XSS attacks via malformed ftp commands. I also realize that redhat / centos may patch things separately from Apache and that the sysadmin has a great deal to do with how secure things are, but almost 5 years?
Does the sysadmin for www.centos.org get paid?
On 22.03.2009 at 20:40, Rob Townley wrote:
> http://httpd.apache.org/security/vulnerabilities_20.html
> states that Apache 2.0.52 is 4 years old and the latest version is 2.0.68. I am no longer a httpd expert, but at least one of the security fixes involves XSS attacks via malformed ftp commands. I also realize that redhat / centos may patch things separately from Apache and that the sysadmin has a great deal to do with how secure things are, but almost 5 years?
Download the src-RPM and make a checklist of which CVEs are fixed and which are not. (It's in a changelog file somewhere - I don't remember the details; it's been a while since I actually looked.)
Then, return here.
Best Regards, Rainer
Rainer Duffner wrote:
> On 22.03.2009 at 20:40, Rob Townley wrote:
>> http://httpd.apache.org/security/vulnerabilities_20.html
>> states that Apache 2.0.52 is 4 years old and the latest version is 2.0.68. I am no longer a httpd expert, but at least one of the security fixes involves XSS attacks via malformed ftp commands. I also realize that redhat / centos may patch things separately from Apache and that the sysadmin has a great deal to do with how secure things are, but almost 5 years?
> Download the src-RPM and make a checklist of which CVEs are fixed and which are not. (It's in a changelog file somewhere - I don't remember the details; it's been a while since I actually looked.)
> Then, return here.
Try:
rpm -q --changelog httpd | less
to see if it includes what you want to know before bothering with src rpms.
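The check Rainer and Les describe (work out which CVEs the distro package already carries fixes for) can be scripted rather than read by eye in `less`. The script below is an added example and is not from the thread or from the CentOS project. It reads changelog text from stdin when given CVE ids as arguments, so on a real box you would run `rpm -q --changelog httpd | sh check_cves.sh CVE-...`; with no arguments it runs against a constructed sample changelog whose CVE ids (CVE-2000-0001 etc.) are placeholders, not real vulnerabilities.

```shell
#!/bin/sh
# Added example, not from the CentOS list thread: list the CVE ids an RPM
# changelog mentions and compare them against the ids you care about.
# Real use:   rpm -q --changelog httpd | sh check_cves.sh CVE-YYYY-NNNN ...
# Stand-alone: runs against SAMPLE_CHANGELOG, a constructed stand-in below.

# Print the distinct CVE identifiers found in the text on stdin, one per line.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Usage: check_cves "<changelog text>" CVE-... [CVE-...]
# Prints one line per requested id ("fixed" or "MISSING") and returns 1 if
# any requested id does not appear in the changelog at all.
check_cves() {
    changelog=$1
    shift
    found=$(printf '%s\n' "$changelog" | extract_cves)
    rc=0
    for id in "$@"; do
        if printf '%s\n' "$found" | grep -qx "$id"; then
            echo "fixed   $id"
        else
            echo "MISSING $id"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in rpm changelog format. The CVE ids are placeholders
# (assumption for the demo), not real httpd advisories.
SAMPLE_CHANGELOG='* Tue Jan 01 2008 Example Packager <packager@example.invalid> 2.0.52-41
- add security fix for CVE-2000-0001 (placeholder id, constructed sample)
- fix CVE-2000-0002, CVE-2000-0003 in mod_example

* Mon Jun 05 2006 Example Packager <packager@example.invalid> 2.0.52-22
- rebuild'

if [ "$#" -gt 0 ]; then
    # Real mode: changelog on stdin, wanted CVE ids as arguments.
    check_cves "$(cat)" "$@"
else
    # Demo mode against the constructed sample; one id is deliberately absent.
    check_cves "$SAMPLE_CHANGELOG" CVE-2000-0001 CVE-2000-0003 CVE-2000-0009 \
        || echo "some requested CVEs are not mentioned in the changelog"
fi
```

A hit only proves the packager recorded that id in the changelog; it does not prove the backport is complete, and an id can be absent because the packager named the fix differently or the bug never affected the shipped version. Treat "MISSING" as a prompt to check the vendor errata for that package release (`rpm -q httpd` gives the exact release string), not as a verdict.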
On Sun, Mar 22, 2009 at 3:29 PM, Les Mikesell lesmikesell@gmail.com wrote:
> Rainer Duffner wrote:
>> On 22.03.2009 at 20:40, Rob Townley wrote:
>>> http://httpd.apache.org/security/vulnerabilities_20.html
>>> states that Apache 2.0.52 is 4 years old and the latest version is 2.0.68. I am no longer a httpd expert, but at least one of the security fixes involves XSS attacks via malformed ftp commands. I also realize that redhat / centos may patch things separately from Apache and that the sysadmin has a great deal to do with how secure things are, but almost 5 years?
>> Download the src-RPM and make a checklist of which CVEs are fixed and which are not. (It's in a changelog file somewhere - I don't remember the details; it's been a while since I actually looked.)
>> Then, return here.
> Try:
> rpm -q --changelog httpd | less
> to see if it includes what you want to know before bothering with src rpms.
Thank you Les, that is awesome info.
> -- Les Mikesell lesmikesell@gmail.com
> CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 3/22/09, Rob Townley rob.townley@gmail.com wrote:
> http://httpd.apache.org/security/vulnerabilities_20.html states that Apache 2.0.52 is 4 years old and the latest version is 2.0.68. I am no longer a httpd expert, but at least one of the security fixes involves XSS attacks via malformed ftp commands. I also realize that redhat / centos may patch things separately from Apache and that the sysadmin has a great deal to do with how secure things are, but almost 5 years?
This is an Enterprise Distro and very rarely has the latest and greatest. It is supported for a long time and security updates are backported. The life is 7 years, much longer than the life of a Distro with the latest and greatest.
> Does the sysadmin for www.centos.org get paid?
The CentOS team work for free on this project and they do an outstanding job. They also have full-time jobs, so they are very busy.
If you want the latest and greatest, you can install it yourself, but if it breaks, it's your problem. Decide which you want: (a) long life, stability and security, or (b) the latest and greatest stuff.