httpd-dev mailing list archives

From Pier Fumagalli <p...@betaversion.org>
Subject Re: CAN-2002-0392 : what about older versions of Apache?
Date Tue, 25 Jun 2002 15:07:57 GMT
Bill Stoddard <bill@wstoddard.com> wrote:

> 
>> 
>> Some wrote...
>>> ...
>> 
>> I must say I'm mystified by this discussion.  It seems to be an
>> odd argument between this good practice vs that good practice.
>> 
>> Roy's patch is simple, safe, and reduces the exposure substantially to a
>> known threat.  I can't see any reason to defer letting it out;
>> particularly now that people have been given a few days to give voice to
>> any technical concerns about it.  The worst outcome is that we are
>> embarrassed - we can handle that.
>> 
>> Certainly it's a good thing to be careful.  Giving the right folks
>> a chance to look over a patch for stuff like this is a good thing.
>> Careful is good.  It's a lot easier to be careful before the exploit
>> becomes widely known.
>> 
>> Leaving the users with no option but to stay exposed, write their own
>> patch, or upgrade is pretty stern medicine for us to be proscribing.  It
>> is very hard for some sites to upgrade.
>> 
>> Let's put the patch back.
> 
> +1

Yes please... As Bill knows we have a problem with the WebSphere module
which is only supposed to run on 1.3.6 (with our version of WebSphere,
anyway)... Given that we're sending that baby into retirement in 2 months, we
didn't renew with IBM, sooo... We're bummed! :) :) :)

    Pier (we - my employer and I)

--
[Perl] combines all the worst aspects of C and Lisp:  a billion of different
sublanguages in  one monolithic executable.  It combines the power of C with
the readability of PostScript. [Jamie Zawinski - DNA Lounge - San Francisco]

