apache 1.3.26?

Stefan Jeglinski yellowdog-general@lists.terrasoftsolutions.com
Mon Jun 24 12:29:01 2002


> > Apache is trivial enough simply to build from source yourself.
>
>I wouldn't recommend doing this at all. In fact, I'd recommend grabbing
>an src.rpm from the 7.2 updates and rebuilding it -- there are some
>things in the Red Hat version of Apache, such as default user being
>apache vs. nobody and several other patches, not to mention an
>integrated mod_ssl.

Yes, I can build from the tarball, but these are at least some of the 
gotchas I'm worried about. This is on a production server and I need 
this to be as clean an update as possible. I'm going to first put it 
offline to be overly safe, but I don't have a lot of time to spend 
with it either. Is it safe to assume that the config file with 1.3.12 
(my current version) will just go?

>You don't really gain much by wanting 1.3.26. You
>can also try rebuilding apache-1.3.23-14 from the 7.3 updates -- it
>should work just fine as well without the gotchas of trying to use an
>RPM from some other distro or building things from source.

Unfortunately, a comment in the chunk-size-reads security patch itself says:

::Apache httpd 1.3.23 through 1.3.25 require a more extensive patch
::and should [sic] upgrade to the latest version of Apache httpd.


With the recent proof of exploit by Gobbles, the Apache Software 
Foundation now states that the risk is high. I'd have hoped for 
comment from YellowDog on this by now...


Stefan Jeglinski