apache 1.3.26?

Keary Suska yellowdog-general@lists.terrasoftsolutions.com
Mon Jun 24 15:32:11 2002


on 6/24/02 2:03 PM, icon@phy.duke.edu purportedly said:

> On Mon, 2002-06-24 at 14:32, Keary Suska wrote:
> 
>>> You don't really gain much by wanting 1.3.26. You
>>> can also try rebuilding apache-1.3.23-14 from the 7.3 updates -- it
>>> should work just fine as well without the gotchas of trying to use an
>>> RPM from some other distro or building things from source.
>> 
>> If you don't care that you are running a daemon with a well known remote
>> exploit, then I guess you shouldn't be concerned with the newer version.
>> Being the administrator at a University I would think that you would since
>> University systems are the most often compromised and used to proxy attacks.
>> But then, considering your sentiment about upgrading Apache, it stands to
>> reason.
> 
> Apache-1.3.23-14 is patched for this vulnerability.
> 
> Now please apologize for insulting me.

An apology is in order--and since you said the magic word--I apologize for
making insinuations about your competency in security. You have to admit,
however, that I am not the only one who made the assumption that you were
disregarding the security reason for the Apache update. There are many of us
who don't use RPMs for Apache (at least), and don't track what RH is doing
with them, and couldn't care less in any case. And I am often suspicious of RH
updates, especially when they contain misinformation, such as that the
chunked encoding exploit is not exploitable on 32-bit systems, which is
false and well known to be so at the time of the release of 1.3.26. I am
very capable of taking care of these things myself, thank you very much, RH.

In any case, if you had just made the statement above in the first place,
this unpleasantness could have been avoided.

Keary Suska
Esoteritech, Inc.
"Leveraging Open Source for a better Internet"