Apologies if I missed this on the list but is there a fix for this available to 6.0?
https://rhn.redhat.com/errata/RHSA-2011-1245.html
thanks
Hi Tom
On 22 September 2011 18:21, Tom Brown tom@ng23.net wrote:
Apologies if I missed this on the list but is there a fix for this available to 6.0?
https://rhn.redhat.com/errata/RHSA-2011-1245.html
thanks
Please see below the response from Karanbir.
Regards, Andy.
---------- Forwarded message ----------
From: Karanbir Singh mail-lists@karan.org
Date: 1 September 2011 12:39
Subject: Re: [CentOS] Apache warns Web server admins of DoS attack tool
To: CentOS mailing list centos@centos.org
Thanks Tom,
On 09/01/2011 02:05 AM, Tom Lanyon wrote:
For EL 4, 5, 6: https://rhn.redhat.com/errata/RHSA-2011-1245.html
rpms for C5 are pushed into the 5.6/cr/ repo; the c6 build is running now, we will have the cr stuff up for that today and get this into there as well.
Unless Tru gets to it before me, I'll get the c4 builds out as well in a bit.
- KB
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
On 23 September 2011 15:15, Spook ZA spookza@gmail.com wrote:
Hi Tom
Please see below the response from Karanbir.
Regards, Andy.
rpms for C5 are pushed into the 5.6/cr/ repo; the c6 build is running now, we will have the cr stuff up for that today and get this into there as well.
Yes, but CR for 6.0 is empty, no?
thanks
What are you trying to say? Karanbir's response is three weeks old and AFAICS the 6.0/cr repo is still empty on the mirrors so there is no package for that problem available.
If there are problems getting 6.0/cr going then fine but in that case fixes for such dangerous bugs should be made available in some other way for example by uploading a package to some temporary location until things are working as they should.
Regards, Dennis
On 09/23/2011 04:15 PM, Spook ZA wrote:
Hi Tom
On 22 September 2011 18:21, Tom Brown tom@ng23.net wrote:
Apologies if I missed this on the list but is there a fix for this available to 6.0?
https://rhn.redhat.com/errata/RHSA-2011-1245.html
thanks
Please see below the response from Karanbir.
Regards, Andy.
---------- Forwarded message ----------
From: Karanbir Singh mail-lists@karan.org
Date: 1 September 2011 12:39
Subject: Re: [CentOS] Apache warns Web server admins of DoS attack tool
To: CentOS mailing list centos@centos.org
Thanks Tom,
On 09/01/2011 02:05 AM, Tom Lanyon wrote:
For EL 4, 5, 6: https://rhn.redhat.com/errata/RHSA-2011-1245.html
rpms for C5 are pushed into the 5.6/cr/ repo; the c6 build is running now, we will have the cr stuff up for that today and get this into there as well.
Unless Tru gets to it before me, I'll get the c4 builds out as well in a bit.
- KB
On Fri, 23 Sep 2011, Dennis Jacobfeuerborn wrote:
What are you trying to say? Karanbir's response is three weeks old and AFAICS the 6.0/cr repo is still empty on the mirrors so there is no package for that problem available.
If there are problems getting 6.0/cr going then fine but in that case fixes for such dangerous bugs should be made available in some other way for example by uploading a package to some temporary location until things are working as they should.
Yes it'd be nice.
Until then, you can always grab the redhat srpm, or get a binary rpm from SL.
jh
On 09/23/2011 04:30 PM, John Hodrien wrote:
On Fri, 23 Sep 2011, Dennis Jacobfeuerborn wrote:
What are you trying to say? Karanbir's response is three weeks old and AFAICS the 6.0/cr repo is still empty on the mirrors so there is no package for that problem available.
If there are problems getting 6.0/cr going then fine but in that case fixes for such dangerous bugs should be made available in some other way for example by uploading a package to some temporary location until things are working as they should.
Yes it'd be nice.
Until then, you can always grab the redhat srpm, or get a binary rpm from SL.
Still the fact that CentOS is leaving its users exposed to this kind of thing is...problematic. What's even more perplexing is that according to Karanbir the package was ready to go yet since then there is a sudden radio silence for three weeks. If there are still problems with building the updates ok but then they could have at least pushed this package out or put it on some server for people to download manually and if that is a problem too then they should have put out a message the next day that there are still problems and that people are better off building the updated package themselves. At least that would have given the users some information to act on.
Regards, Dennis
On 09/23/2011 09:53 AM, Dennis Jacobfeuerborn wrote:
On 09/23/2011 04:30 PM, John Hodrien wrote:
On Fri, 23 Sep 2011, Dennis Jacobfeuerborn wrote:
What are you trying to say? Karanbir's response is three weeks old and AFAICS the 6.0/cr repo is still empty on the mirrors so there is no package for that problem available.
If there are problems getting 6.0/cr going then fine but in that case fixes for such dangerous bugs should be made available in some other way for example by uploading a package to some temporary location until things are working as they should.
Yes it'd be nice.
Until then, you can always grab the redhat srpm, or get a binary rpm from SL.
Still the fact that CentOS is leaving its users exposed to this kind of thing is...problematic. What's even more perplexing is that according to Karanbir the package was ready to go yet since then there is a sudden radio silence for three weeks. If there are still problems with building the updates ok but then they could have at least pushed this package out or put it on some server for people to download manually and if that is a problem too then they should have put out a message the next day that there are still problems and that people are better off building the updated package themselves. At least that would have given the users some information to act on.
What other packages inside the system might be impacted by changing the httpd executable?
What shared libraries might be needed to run the new version of httpd that were built on the 6.1 tree and may not work without the other updates?
One package can not be built and pushed in a totally different tree and then released.
It requires testing.
We are doing the best we can.
On 09/23/2011 07:12 PM, Johnny Hughes wrote:
On 09/23/2011 09:53 AM, Dennis Jacobfeuerborn wrote:
On 09/23/2011 04:30 PM, John Hodrien wrote:
On Fri, 23 Sep 2011, Dennis Jacobfeuerborn wrote:
What are you trying to say? Karanbir's response is three weeks old and AFAICS the 6.0/cr repo is still empty on the mirrors so there is no package for that problem available.
If there are problems getting 6.0/cr going then fine but in that case fixes for such dangerous bugs should be made available in some other way for example by uploading a package to some temporary location until things are working as they should.
Yes it'd be nice.
Until then, you can always grab the redhat srpm, or get a binary rpm from SL.
Still the fact that CentOS is leaving its users exposed to this kind of thing is...problematic. What's even more perplexing is that according to Karanbir the package was ready to go yet since then there is a sudden radio silence for three weeks. If there are still problems with building the updates ok but then they could have at least pushed this package out or put it on some server for people to download manually and if that is a problem too then they should have put out a message the next day that there are still problems and that people are better off building the updated package themselves. At least that would have given the users some information to act on.
What other packages inside the system might be impacted by changing the httpd executable?
What shared libraries might be needed to run the new version of httpd that were built on the 6.1 tree and may not work without the other updates?
One package can not be built and pushed in a totally different tree and then released.
It requires testing.
We are doing the best we can.
And this is really appreciated, believe me, but here is the problem: Three weeks ago Karanbir announced an imminent release for the httpd package. Since then nothing happened. Let's assume for a moment a major problem was discovered that somehow prevents the new package from being released. Let's also assume that everyone who could address the problem is really busy with really important stuff.
Why wasn't it possible for anyone to send out an announcement basically saying: "For reasons we don't want to disclose we cannot push out an updated httpd package anytime soon. Please build your own updated versions or find someone who can do it for you."
At least people would know what the situation is.
*THAT* is the issue here. I can understand that all this stuff is complicated but sending an email is not and so that is always something you could and should fall back on in the absence of any better options.
Regards, Dennis