Re: Attempts to push spam through apache
From: Alex Butcher, ISC/ISYS (Alex.Butcher_at_bristol.ac.uk)
Date: Tue, 24 Aug 2004 15:55:07 +0100 To: David Benfell <email@example.com>, firstname.lastname@example.org
--On 22 August 2004 23:02 -0700 David Benfell <email@example.com>
> On Sat, 21 Aug 2004 23:51:47 -0500, Gabriel Orozco wrote:
>> I know there are other, newer apache versions, but SuSE doesn't have
>> them. I disabled apache until the client authorizes the fix proposed
>> (upgrade from sources).
> SuSE, and other distributors, commonly preserve the version number of
> software even as they patch the versions they offer to fix
> vulnerabilities. It's a headache because it means you have to look at
> their README files and other documentation to see if they've fixed the
> vulnerabilities you're looking for.
> But apparently, it avoids breaking their package management systems.
This is because they backport the security fixes to older versions. This
means that you can have more confidence that applying the updates won't
break other functionality that you're relying upon. So it's not so much
avoiding breaking their package management systems, as it is avoiding
having to ship new versions of packages that depend upon the updated
packages, and in turn breaking things all over the place.
-- Alex Butcher: Security & Integrity, Personal Computer Systems Group Information Systems and Computing GPG Key ID: F9B27DC9 GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9