Subject: Re: Not really an advocacy :-(
To: None <tech-security@netbsd.org>
From: Jan Schaumann <jschauma@netbsd.org>
List: tech-security
Date: 06/25/2002 11:01:52
Manuel Bouyer <bouyer@antioche.lip6.fr> wrote:
> On Fri, Jun 21, 2002 at 05:09:04PM +0200, Ing.,BcA. Ivan Dolezal wrote:

> > June 19, 2002
> > 
> > - FBI's National Infrastructure Protection Center Advisory
> > - Linux Weekly News report
> > - Apache releases 1.3.26
> > - Debian, Red Hat Linux release their packages (for free)
> > - "Package apache-1.3.24 has a remote-root-shell vulnerability"
> >    message from audit-packages
> > 
> > June 20, 2002
> > 
> > - Gobbles aka apache_scalp.c presented
> > 
> > 
> > June 21, 2002
> > 
> > ...problem still not mentioned at netbsd.org/Security/
> 
> apache is not part of the base system, so NetBSD has no reason to issue
> an advisory for it. audit-package will catch it, and point to the
> appropriate advisory.
> 
> > ...problem still not mentioned at
> > ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/www/apache/README.html
> > (last audit from Jun 6 05:00)
> 
> This is a description of the package, I can't see why security issues should
> be discussed here. Refer to the software home page for security info.
> 
> > ...insecure 1.3.24 still available from the package collection
> 
> No, the apache and apache2 packages have been updated on Jun, 19. 
> Check the cvs logs.

In addition, I'd like to point out (again) that there *was* a note on
the netbsd.org main page indicating the availability of the new and
fixed apache packages.  This announcement was made public on June 19th.

-Jan

-- 
http://www.netbsd.org -
         Multiarchitecture OS, no hype required.