httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Security status of apache 1.3.X
Date Fri, 09 Sep 2005 17:58:43 GMT
[Jumping lists]
Jim Jagielski wrote:
> William A. Rowe, Jr. wrote:
>>
>>We should reroll 1.3.33 to protect php, cgi, isapi, etc.  The patches
>>are already backported.
> 
> I was planning on doing a 1.3.34 within the next week or so...

Ok, just a thought;

When we released 1.3.33, we had a thundering herd of folks backporting
to 1.3 from their 2.0 installations.  I suspect strongly that folks are
misinterpreting which version is 'safest' or 'most reliable'.  See,
for example,

http://www.securityspace.com/s_survey/data/man.200501/srvch.html?server=Apache&revision=Apache%2F1.3.33

Can we roll these all up by Monday and let folks start testing 1.3.34,
2.0.55, and 2.1.8-dev, and announce them all -at the same time-?  This
way, our users won't be misinformed.

I'm rolling the 2.0.55 (with +1's on the showstoppers) and the prereq
1.2.2 APR[-util] libraries for 2.1.8 on Sunday.  If, Jim, you will roll
the 1.3.33, and someone else would like to roll 2.1.8, we can probably
announce these all next week, simultaneously.

Bill
