httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Hyde <bh...@pobox.com>
Subject Re: CAN-2002-0392 : what about older versions of Apache?
Date Tue, 25 Jun 2002 02:44:54 GMT

Some wrote...
 > ...

I must say I'm mystified by this discussion.  It seems to be an
odd argument between this good practice vs that good practice.

Roy's patch is simple, safe, and reduces the exposure substantially to a
known threat.  I can't see any reason to defer letting it out;
particularly now that people have been given a few days to give voice to
any technical concerns about it.  The worst outcome is that we are
embaressed - we can handle that.

Certainly it's a good thing to be careful.  Giving the right folks
a chance to look over a patch for stuff like this is a good thing.
Careful is good.  It's a lot easier to be careful before the exploit
becomes widely known.

Leaving the users with no option but to stay exposed, write their own
patch, or upgrade is pretty stern medicine for us to be proscribing.  It
is very hard for some sites to upgrade.

Let's put the patch back.  

 - ben

Mime
View raw message