httpd-users mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] Where to download a windows executable installation version of Apache 1.3.12 ?
Date Fri, 26 May 2006 20:06:31 GMT
Sean Conner wrote:
>>>>Why would you want to go back in time?
>>>
>>>  Any number of reasons, including size restrictions, custom modules that
>>>haven't been ported to 2.x, support issues, etc. etc.
>>
>>A burning desire to expose oneself to security problems?
>>http://httpd.apache.org/security/vulnerabilities_13.html
> 
>   Maybe.  Maybe not.  It depends on which modules are in use, platforms
> used, etc. etc.  (I'm running 1.3.31 on a server---the bugs listed past
> 1.3.31 don't affect the server at all since I'm not using the modules in
> question, or the conditions don't apply).  
> 
>   -spc (Again, if it ain't broke, don't fix it)

Exactly Sean; you answered your own statement.  If you read that list of
vulnerabilities_13 and compare your two paragraphs above, you will prove
yourself the fool, considering that core itself on windows was vulnerable
(a 'module' that's impossible to work around) and the inquiry was for Windows
version 1.3.12, so they determined the platform in use and the target version
they desired to install.

You are right in the sense that features-not-in-use aren't a vulnerability.
But it overlooks the fact that when you install a version with vulnerabilities,
and then you (or another admin) later enable the feature-with-vulnerability,
you prove your original 'legacy install' was a poor choice in the first place.

Anyways, Shai answered the poster's question, heaven help him :)  But hey, what
is one more windows zombie box anyways?  A raindrop in the hurricane doesn't
make all that much difference :

Besides vulnerabilities, do be aware that much smaller bugs, but sometimes ones that
affect you, do get stealth fixes without hitting CHANGES.  The only way to see
all the changes is to review all the commits between versions.  The developers
try to mention most of the big stuff that folks will frequently notice, but if
your server isn't behaving correctly - using the latest version (**especially**
for fresh installs!) will get you faster results from a bug report.  The devs
often ignore bug reports against 2 year old versions of the software.  Those
are your problem, trunk (or the current releases) is what the devs feel some
pride and ownership of.

Bill
