Subject: Re: Not really an advocacy :-(
To: None <email@example.com>
From: Jan Schaumann <firstname.lastname@example.org>
Date: 06/25/2002 11:01:52
Manuel Bouyer <email@example.com> wrote:
> On Fri, Jun 21, 2002 at 05:09:04PM +0200, Ing.,BcA. Ivan Dolezal wrote:
> > June 19, 2002
> > - FBI's National Infrastructure Protection Center Advisory
> > - Linux Weekly News report
> > - Apache releases 1.3.26
> > - Debian, Red Hat Linux release their packages (for free)
> > - "Package apache-1.3.24 has a remote-root-shell vulnerability"
> > message from audit-packages
> > June 20, 2002
> > - Gobbles aka apache_scalp.c presented
> > June 21, 2002
> > ...problem still not mentioned at netbsd.org/Security/
> apache is not part of the base system, so NetBSD has no reasons to issue
> an advisatory for it. audit-package will catch it, and point to the
> appropriate advisatory.
> > ...problem still not mentioned at
> > ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/www/apache/README.html
> > (last audit from Jun 6 05:00)
> This is a description of the package, I can't see why secrity issues should
> be discussed here. Refer to the software home page for security infos.
> > ...insecure 1.3.24 still available from the package collection
> No, the apache and apache2 packages have been updated on Jun, 19.
> Check the cvs logs.
In addition, I'd like to point out (again) that there *was* a note on
the netbsd.org main page indicating the availability of the new and
fixed apache packages. This announcement was made public on June 19th.
Multiarchitecture OS, no hype required.