Re: Attempts to push spam through apache

From: Alex Butcher, ISC/ISYS (Alex.Butcher_at_bristol.ac.uk)
Date: 08/24/04

  • Next message: Raistlin Majere: "Reverse SSH tunelling" 
    Date: Tue, 24 Aug 2004 15:55:07 +0100
To: David Benfell <benfell@parts-unknown.org>, focus-linux@securityfocus.com

    --On 22 August 2004 23:02 -0700 David Benfell <benfell@parts-unknown.org>
    wrote:

    > On Sat, 21 Aug 2004 23:51:47 -0500, Gabriel Orozco wrote:
    >>
    >> I know there are other, newer apache versions, but SuSE doesn't have
    >> them. I disabled apache until the client authorizes the fix proposed
    >> (upgrade from sources).
    >>
    > SuSE, and other distributors, commonly preserve the version number of
    > software even as they patch the versions they offer to fix
    > vulnerabilities. It's a headache because it means you have to look at
    > their README files and other documentation to see if they've fixed the
    > vulnerabilities you're looking for.
    >
    > But apparently, it avoids breaking their package management systems.

    This is because they backport the security fixes to older versions. This
    means that you can have more confidence that applying the updates won't
    break other functionality that you're relying upon. So it's not so much
    avoiding breaking their package management systems, as it is avoiding
    having to ship new versions of packages that depend upon the updated
    packages, and in turn breaking things all over the place.

    <http://www.redhat.com/advice/speaks_backport.html>

    Best Regards,
    Alex. 

    -- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
  • Next message: Raistlin Majere: "Reverse SSH tunelling"