httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Arliss, Noah" <>
Subject RE: CAN-2002-0392 : what about older versions of Apache?
Date Tue, 25 Jun 2002 21:05:44 GMT
Hopefully this is not a redundant question.. Does this patch cover issues in
mod_proxy as well, or were the issues introduced in 1.3.23 and later?


-----Original Message-----
From: Bill Stoddard []
Sent: Tuesday, June 25, 2002 9:44 AM
Subject: Re: CAN-2002-0392 : what about older versions of Apache?

> Some wrote...
>  > ...
> I must say I'm mystified by this discussion.  It seems to be an
> odd argument between this good practice vs that good practice.
> Roy's patch is simple, safe, and reduces the exposure substantially to a
> known threat.  I can't see any reason to defer letting it out;
> particularly now that people have been given a few days to give voice to
> any technical concerns about it.  The worst outcome is that we are
> embaressed - we can handle that.
> Certainly it's a good thing to be careful.  Giving the right folks
> a chance to look over a patch for stuff like this is a good thing.
> Careful is good.  It's a lot easier to be careful before the exploit
> becomes widely known.
> Leaving the users with no option but to stay exposed, write their own
> patch, or upgrade is pretty stern medicine for us to be proscribing.  It
> is very hard for some sites to upgrade.
> Let's put the patch back.  



View raw message