www-mirrors mailing list archives

From Thom May <t...@positive-internet.com>
Subject Re: Mirror Update time
Date Thu, 24 Oct 2002 16:49:20 GMT
* Ken Smith (kensmith@cse.Buffalo.EDU) wrote :
> On Thu, Oct 24, 2002 at 05:00:23PM +0100, Thom May wrote:
> > * myfriend.is.not.my.enemies.org (ikmal_ahmad@yahoo.com) wrote :
> > > 
> > > Actually Andrew's concern is about security for all Apache mirrors.
> > > I think this can be settled if every administrator/maintainer applies
> > > patches for their Apache webserver.  But how do we know which Apache has
> > > been patched or not?  I think that's why Andrew wants to do it like that.
> > >  
> > Apache may suggest that the best practice would be to run 1.3.26 or better;
> > but it's a decision that is _entirely_ up to the server admins who are
> > _freely_ donating time and resources.
> > -Thom
> 
> The counterpoint to that being Apache has the "responsibility" of
> making their distribution channel as free of potential tampering
> as possible.  httpd versions older than 1.3.26 have known security
> issues that can allow remote attackers access to the machine and
> the opportunity to tamper with the files being distributed.
> 
Unpatched versions, yes. As I said earlier in the thread, most distributions
backport patches to older versions rather than introduce new versions in
stable distributions. How are you planning to test for this?

> If the mirror admins are interested in helping out Apache by donating
> their time and resources perhaps they can extend that interest enough
> to help make the distribution mechanism as trustworthy (hack-proof)
> as possible.  In this day and age of "the bad guys" playing games
> with attacking the root DNS servers and whatnot IMO it isn't out of
> line for Apache to request the *official* mirrors be secure within
> reason.
>
I think running an older version with the correct patchset is totally within
reason.
-Thom
 
